It's 2019 – and you can completely pwn millions of Qualcomm-powered Androids over the air

Re: Can Google do something...think of the users!

"Seriously, could Google mandate updates be sent out by handset manufacturers (maybe refuse them access to newer versions if they don't)...how many Android's will go unpatched because hardware manufacturers can't...be bothered."

Not 100% sure of this, but Play Services is probably technically capable of arbitrarily modifying what's on the phone - the questions are whether Google wants to annoy the manufacturers and carriers that much, and whether they would be able to do it without falling over some weirdness the manufacturer left in the hardware (resulting in a brick, of whatever hardness).

Re: Can Google do something...think of the users!

It's not Google's fault. It's the carriers / manufacturers.

The carriers are worse than the manufacturers.

What needs to happen is standardisation of mobile equipment and isolation of vendor specific crapware into standalone optional applications.

Or at least ban carriers from interfering with firmware.

I haven't had a carrier supplied phone for decades now and it's been bliss...but then, I'm not at the low end of the market nor do I buy kit second hand. I refresh every 3 or so years because of wear and tear.

Re: Can Google do something...think of the users!

"Can't they think of the planet...whales or even future children as an incentive to reduce electrical waste."

Saving the environment is not profitable to shareholders.

Re: Can Google do something...think of the users!

What a time to be alive.

What's wrong with Apple's patching?

stopping patching perfectly good working phones is unfair

So how long should they keep supporting them, forever? The iPhone 5S first sold in September 2013, six years ago, is still supported by the latest iOS though it will not get iOS 13.

Not only that, but recently they produced patches for iOS 10 & 11, patching all the way the back to the iPhone 4 released in September 2010, to fix the "GPS rollover" issue that hits all devices using GPS every 19 years.

If they were trying to "obsolete" older devices as some like to claim they would have left that unfixed and allowed the GPS to stop working on those older phones.

Re: No word on the possible impact on Apple?

See Project Treble, which Google mandated be on all phones that shipped with Android Pie. It is a more modular Android, making updates much easier for OEMs to roll out, potentially removing the need for OEMs to do much at all.

Google did learn from the historical issues with Android that led to a reliance on OEMs. Chromebooks, for example, can be updated on the fly by Google without any ODM input.

Re: No word on the possible impact on Apple?

Apple have not used QC chips for a few years so more recent devices should be safe enough from this vuln, plus we don't know how the BSD driver differs from the Linux one. It'd be nice if Apple came out and said something about it but as the articles are all around Android and not Apple it is a fair bet that they are not vulnerable.

Re: No word on the possible impact on Apple?

Apple have no major issues in pushing out patches, unlike Google, so even if they are affected it should be quickly mitigated, perhaps already considering that it's fixed by QC.

Re: No word on the possible impact on Apple?

Apple uses Broadcom for its wifi, not Qualcomm, so it isn't vulnerable to this particular issue.

I like the way your thinking there.

If the NSA has some 'plants' on Qualcomm's staff, surely they are capable of coming up with something a lot more clever and difficult to find than a buffer overflow.

Never attribute to malice what can easily be explained by incompetence. Why be suspicious of just THIS bug, and not the hundreds of other stupid buffer overflows that get CVE advisories across the whole spectrum from smartphones to Windows Server?

”All this talk of miscreants - the cynic in me thinks more likely five eyes would be making more use of this than some low life thinking they can run some scam.“

Five Eyes fits the definition of miscreant in my book.

Re: The bad news

"What's unclear? Many, maybe most, of the vulnerable devices won't be fixed -- ever."

Yeah, but it is also clear most handsets wont also be pwned, and most users wont care or know either way.

I know us lot like to think that everyone should be super security savvy and fully alert about their data, but most people just don't care - unless it has an explicit and noticeable effect upon them.

Certainly, I don't think your solution is the right one. Shutting yourself off from the world is not the answer, and neither is overplaying the threat.

Are the risks of someone getting some/all of your data proportional to your actions?

I don't think so personally. But hey, each to their own.

The worse news

Is that since the driver is open source, it is easy for miscreants to compare what has changed and immediately develop an exploit. This seems tailor made for attacking people in airports, cafes and other places with public wifi. Since it is driver level it would allow capturing wifi traffic before it is encrypted, so to prevent snooping the traffic would need to already be encrypted (i.e. SSL, VPN etc.)

It seems to be limited to wifi/cellular p0wning, so is really more of a targeted attack thing as a general "p0wn whoever is out there" but if it were paired with another exploit that leveraged that control to give it full control over the phone then it becomes a general untargeted exploit.

Re: Same old

Formally Verified Code has been around as a concept since the 1970s, but it is only recently that people are looking at using it.

It is very hard to do, apparently, but the cost of not doing so ( in this world of internet banking, computer controlled cars and drones etc) is making people look at it again. Tools are being developed to make it easier, bit it remains difficult.

https://www.quantamagazine.org/formal-verification-creates-hacker-proof-code-20160920/

Re: What can a user do ? Use multiple devices ?

Lots of people have multiple devices e.g. "work" phone and "personal" phone (typically with different SIMs)

Employer has number of your "work" phone which you have turned on when not in the office or when on call. i.e. you control when that number is available based on work needs (similarly if self employed, customers have this phone number)

Your "personal" phone number NOT given to employer, but is used by friends and family to contact you.

Re: What can a user do ? Use multiple devices ?

Maybe a really paranoid smartphone user should have a selection of handsets for the same reason ?

Epoxy should handle the problem of too many physical units. But the user may need bigger pockets to hold the resulting "device". ... or a good sized purse.

And the chargers ... My God -- the cords ... All those cords ...

Re: What can a user do ? Use multiple devices ?

People look at me funny when I tell them I don't have a "smart" phone.

Samsung "sorta" provides this

They sell some phones with their own Exynos SoC, not Qualcomm's, so it wouldn't be vulnerable to this. The problem is that those phones don't support US cellular very well, but it may be an option for some in Europe - you'd have to check the specs to see what LTE etc. bands it supports.

Of course, that doesn't guarantee that a similar or worse vulnerability isn't found in Exynos tomorrow, but at least the odds of a quick fix for it are higher.

Re: LineageOS

That's only relevant if Lineage for your particular device is updated.

For many, it won't be.

Re: Secure code enforcement issues

The gubmint won't be fixing anything.

They may fine some companies in an attempt to be seen to be doing "something" but every year the number of compromised devices will increase.