The write-up is excellent! Well worth the read for anyone operating at the hardware-software interface coal-face.
A security researcher has turned up new ways to silently hijack and infect Android devices via malicious Wi-Fi packets over the air. Scotty Bauer, a Linux kernel developer, described in detail on Monday how he found a bunch of exploitable programming blunders in the qcacld Wi-Fi driver that supports Qualcomm Atheros chipsets. …
please can I have a patch for my phone? Tnx.
Dear Reg readers... is there ANY brand of <200quid phones that actually provides long term (> 2year) patch support?
Or, put another way, what are the chances of me ending up with a non-bricked, fully-functional phone if I try installing lineageOS on it?
"Dear Reg readers... is there ANY brand of <200quid phones that actually provides long term (> 2year) patch support?"
Any phone officially supported by lineageOS will likely have longer term patch support. In terms of <200quid phone, there are a number of brands that have phones at that price like asus, sony, LG, xiaomi, etc. It'll be better to search it yourself. If you can't decide, start searching from their second to first recent released phone.
"Or, put another way, what are the chances of me ending up with a non-bricked, fully-functional phone if I try installing lineageOS on it?"
If you picked a phone from the lineageOS official support list, then you'll have the highest chance of getting a non-bricked near fully-functional lineageOS rom. Otherwise, if you find your phone under xda-developers with threads of users tested the rom, then you'll have the second highest chance of getting a non-bricked near fully-functional lineageOS / custom rom. If you search around and only found one thread, a video or a website with a lineageOS / custom rom link, unless it gave you clear instruction, it'll have the lowest chance of not bricking your phone OS (if you didn't physically break the phone, you can reflash and try another rom).
*near fully-functional because some developers will tell you some roms have known-issues.
Since it sounds like you haven't flashed a lineageOS before, here are a few key tips if you are interested in flashing lineageOS / custom rom.
- Unlock bootloader - Most OEM locks your phone so your phone can only install their rom. Unlocking it is required to install lineageOS and other custom rom. Different phone has different ways to unlock them. Search them first.
- Phone driver - some phones require specific driver to be recognized by a PC before installing/ booting a custom recovery. Some phones may need it. Search them next.
- Custom recovery - this is a different recovery from the OEM recovery, and it let's you wipe your phone and flash your firmware, lineageOS rom, root manager, and gapps. One known custom recovery is twrp recovery. Search for the device specific custom recovery should it be required.
- rooting - this is to get admin right of phone. LineageOS should now come with it, but you'll need a "root manager" like Magisk to manager your apps for root. Most root manager needs to be flash in custom recovery and some need the apk installed afterward for it to work.
- gapps - this is a google apps bundle. The bundle is device cpu specific and will not flash if you downloaded the wrong one. The bare minimum is gapps pico. This is optional for lineageOS but you might need it if you use google apps and apps that dependent on google api.
- backups - if you haven't backed up before flashing lineageOS, well... do it now. Google backup only goes so far in terms of phone backup, so do test the backups before wiping the phone.
tl;dr research lineageOS rom ahead to ensure no phone brick.
But if I want to buy a new/recent phone, how will I know whether lineageOS will eventually support it? There are (eg) lots of Moto phones suppported atm, but if I decide to buy a G5 it looks as if I'll just have to buy and hope! AFAICS each different generation seems to have a randomly chosen chipset/cpu, so it's not even like I can say "ah, the G5 seems to have a similar chipset to the G4, so it's a good bet I'll be ok"
No, you have to spend money to get support. Software support is expensive (but you could argue they are getting the OS for free and should have diverted savings to software support)
Premium Sony (not the mid range)
These all get monthly or bi montly patches.
Does anyone know if there's ever been an attempt to force long term support through consumer rights? Could security bugs be classed as a defective product, giving (in theory) six years to claim. I don't know if there's any actual legal grounds for it, but it would be interesting to pursue, and would have the added benefit of making electronics firms take security seriously.
@Dr Mantis Toboggan, price has nothing to do with it. Even the Samsung Galaxy devices we have, which are premium devices, lag seriously behind.
None of the devices we have, have received Oreo yet and the "best" devices have a patch level from Nougat August 2017... That's 3 months of patches out of date, including no KRACK patch.
"is there ANY brand of <200quid phones that actually provides long term (> 2year) patch support?"
Well depending on how you want to interpret "ANY" there is, well was. I bought my Microsoft 640XL for £122 at the end of June 2015. It got its last feature update in April 2017. It will continue to get monthly support patches till 11th June 2019. So monthly patches for a couple of weeks under 4 years.
Microsoft managed to cock up a lot of things with their phone offering but they got the patching side right.
Amazon will sell you a used Samsung S5 in good nick for considerably less than 200 quid. (Other tat-vendors are available...) The S5 is one of the most widely used phones with Lineage (https://www.lineageoslog.com/statistics) so it won't just be you if something goes wrong. You don't have to root the phone (https://wiki.lineageos.org/devices/klte/install). If you are particularly doubtful of the procedure, you could try it on an even older phone. The S4 Mini is about a third of the price and also works OK.
I'm citing these two Samsungs because I've actually done it with them. (I haven't looked back.) It shouldn't be taken as an endorsement of Samsung. (I put Lineage on because Samsung's support was so crap.) A glance at the stats will show that other brands also have thousands of users out there and your current handset may even be among them.
Edit: If you do switch, give some thought to how you will transfer things like address books and saved media/messages/etc. Mostly these aren't terribly difficult as long as you plan ahead but are obviously nigh-on impossible after you've nuked the old contents of your storage. :)
If only someone had the foresight to engineer a system where signed driver and system patches could be applied to existing devices, without needing to affect any OEM specific bits.
I mean you'd think by this stage some sort of proper update system might have been added, it's not like they haven't existed for years.
Though I guess if forced obsolescence is your goal this isn't exactly a priority.
We need a FSF phone OS that works on all phones => problem solved. Ideally, the system would have some sort of hardware detector to activate drivers ... I mean GNU/Linux does it quite nicely, we need that for phone OS' and I do not care if it is android based, it HAS TO BE FSF so we can apply patches as we see fit ... just like GNU/Linux.
EDIT: so miffed I originally wrote FFS iso FSF ...
A security flaw in Apple's Safari web browser that was patched nine years ago was exploited in the wild again some months ago – a perfect example of a "zombie" vulnerability.
That's a bug that's been patched, but for whatever reason can be abused all over again on up-to-date systems and devices – or a bug closely related to a patched one.
In a write-up this month, Maddie Stone, a top researcher on Google's Project Zero team, shared details of a Safari vulnerability that folks realized in January this year was being exploited in the wild. This remote-code-execution flaw could be abused by a specially crafted website, for example, to run spyware on someone's device when viewed in their browser.
Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances.
The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.
This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come.
A critical flaw in the LTE firmware of the fourth-largest smartphone chip biz in the world could be exploited over the air to block people's communications and deny services.
The vulnerability in the baseband – or radio modem – of UNISOC's chipset was found by folks at Check Point Research who were looking for ways the silicon could be used to remotely attack devices. It turns out the flaw doesn't just apply to lower-end smartphones but some smart TVs, too.
Check Point found attackers could transmit a specially designed radio packet to a nearby device to crash the firmware, ending that equipment's cellular connectivity, at least, presumably until it's rebooted. This would be achieved by broadcasting non-access stratum (NAS) messages over the air that when picked up and processed by UNISOC's firmware would end in a heap memory overwrite.
Google is to pay $90 million to settle a class-action lawsuit with US developers over alleged anti-competitive behavior regarding the Google Play Store.
Eligible for a share in the $90 million fund are US developers who earned two million dollars or less in annual revenue through Google Play between 2016 and 2021. "A vast majority of US developers who earned revenue through Google Play will be eligible to receive money from this fund," said Google.
Law firm Hagens Berman announced the settlement this morning, having been one of the first to file a class case. The legal firm was one of four that secured a $100 million settlement from Apple in 2021 for US iOS developers.
UK automobile service and parts seller Halfords has shared the details of its customers a little too freely, according to the findings of a security researcher.
Like many, cyber security consultant Chris Hatton used Halfords to keep his car in tip-top condition, from tires through to the annual safety checks required for many UK cars.
In January, Hatton replaced a tire on his car using a service from Halfords. It's a simple enough process – pick a tire online, select a date, then wait. A helpful confirmation email arrived with a link for order tracking. A curious soul, Hatton looked at what was happening behind the scenes when clicking the link and "noticed some API calls that seemed ripe for an IDOR" [Insecure Direct Object Reference].
Microsoft is flagging up a security hole in its Service Fabric technology when using containerized Linux workloads, and urged customers to upgrade their clusters to the most recent release.
The flaw is tracked as CVE-2022-30137, an elevation-of-privilege vulnerability in Microsoft's Service Fabric. An attacker would need read/write access to the cluster as well as the ability to execute code within a Linux container granted access to the Service Fabric runtime in order to wreak havoc.
Through a compromised container, for instance, a miscreant could gain control of the resource's host Service Fabric node and potentially the entire cluster.
A GitHub bug could have been exploited earlier this year by connected third-party apps to hijack victims' source-code repositories.
For almost a week in late February and early March, rogue applications could have generated scoped installation tokens with elevated permissions, allowing them to gain otherwise unauthorized write or administrative access to developers' repos. For example, if an app was granted read-only access to an organization or individual's code repo, the app could effortlessly escalate that to read-write access.
This security blunder has since been addressed and before any miscreants abused the flaw to, for instance, alter code and steal secrets and credentials, according to Microsoft's GitHub, which assured The Register it's "committed to investigating reported security issues."
Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers.
Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries.
The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.
If you thought you were over the hump with Patch Tuesday then perhaps think again: Cisco has just released fixes for a bunch of flaws, two of which are not great.
First on the priority list should be a critical vulnerability in its enterprise security appliances, and the second concerns another critical bug in some of its outdated small business routers that it's not going to fix. In other words, junk your kit or somehow mitigate the risk.
Both of these received a CVSS score of 9.8 out of 10 in severity. The IT giant urged customers to patch affected security appliances ASAP if possible, and upgrade to newer hardware if you're still using an end-of-life, buggy router. We note that miscreants aren't actively exploiting either of these vulnerabilities — yet.
QNAP is warning users about another wave of DeadBolt ransomware attacks against its network-attached storage (NAS) devices – and urged customers to update their devices' QTS or QuTS hero operating systems to the latest versions.
The latest outbreak – detailed in a Friday advisory – is at least the fourth campaign by the DeadBolt gang against the vendor's users this year. According to QNAP officials, this particular run is encrypting files on NAS devices running outdated versions of Linux-based QTS 4.x, which presumably have some sort of exploitable weakness.
The previous attacks occurred in January, March, and May.
Biting the hand that feeds IT © 1998–2022