What happens when holes perfect for spyware are found in the engine room of millions of Qualcomm-based phones? Let's find out

In July, the makers of millions of smartphones powered by Qualcomm's Snapdragon system-on-chips received mitigation recommendations to address a bevy of security flaws in their products, all introduced by Qualcomm's technology. Those software-level vulnerabilities, which apparently affect potentially more than 40 per cent of …

  1. Anonymous Coward
    Big Brother

    A correction

    "What happens" should read "What has happened."

    We may never know how many backdoors the NSA and friends have already installed.

    1. logicalextreme

      Re: A correction

      Well, they're an organisation like any other; they probably wouldn't be able to tell you the number themselves.

      1. sev.monster Silver badge
        Paris Hilton

        Re: A correction

        A disorganization?

  2. Just A Quick Comment
    FAIL

    Why do us customers bother?

    More bloody security issues - don't people have procedures in place to catch this sort of thing?

    Plus, considering the piecemeal Android updates (often, none at all) these vulnerabilities will last the life of the product. It's like footballers in an Aberdeen bar all over again...!

    1. Snake Silver badge

      Re: Why do us customers bother?

      Remember a while ago (last month...) when, after Intel posted yet more security updates, it was claimed that ARM "is more secure and never have these problems"...

      Yeah -_-

      There will ALWAYS be insecurity. Why? The inherent complexities of the designs plus human frailty. We simply can't foresee every mode of operation on the complex computational devices that we can currently design; our automated tools to ferret out bugs are only as good as the very people who make them, whose common mindset is shared with the designers of the very products tested.

      1. Stuart Castle Silver badge

        Re: Why do us customers bother?

        Re :"Remember a while ago (last month...) when, after Intel posted yet more security updates, it was claimed that ARM "is more secure and never have these problems"..."

        While I don't doubt at all the ARM processors have vulnerabilities, this story is about vulns in Qualcomm tech. No evidence they are in the core ARM designs.

        That said, I have learned over the years to assume ANY computing device is hackable, but by patching known vulns, and using decent security elsewhere (including security software and securing things like passwords), you can reduce the chances your device(s) will be hacked massively.

        On a final note, regarding security, my old Software Engineering Management lecturer liked to use the following phrase to describe the issue: "Features, Ease of Use, Security: Pick two".

      2. John Brown (no body) Silver badge

        Re: Why do us customers bother?

        "Remember a while ago (last month...) when, after Intel posted yet more security updates, it was claimed that ARM "is more secure and never have these problems"..."

        When did ARM become responsible for Qualcomm Snapdragon chippery?

        1. doublelayer Silver badge

          Re: Why do us customers bother?

          It didn't, but nor is the AMD64 architecture responsible for Intel's many failings. It's not the architecture, but the design. I believe the original post here is responding to comments of the type praising the benefits of ARM when Intel security vulnerabilities are discovered. Those comments, while technically correct in the sense that ARM is not the same as Intel, are making two large mistakes. First, they make an apples-to-oranges comparison between Intel's design and ARM's architecture. Second, they ignore the possibility that an ARM manufacturer might do a similar thing. I interpreted the original post as pointing out these errors and cautioning the writers of such comments that nothing is foolproof.

      3. Duncan Macdonald

        Re: Why do us customers bother?

        ARM CPUs seem to be more secure than Intel (admittedly not a difficult target). The DSP is an additional device in the SoC - and even there the problem does not seem to be in the hardware but in the poorly coded Qualcomm driver. Even a perfectly secure bit of hardware can be compromised by a faulty driver.

        One thing that all too few companies realise is that it takes a different skill set to write low level software (OS and drivers) than to write application level code. Bugs in applications are far more easily patched and normally only affect the user of the application whereas OS and driver bugs affect every user of the device and are more difficult to patch. Because competent low level programmers are scarce and cost more than an Indian sweatshop programmer many companies do not use them resulting in problems like this.

        (For a good example of the difference between good OS code and typical applications - look at the RSX-11 source code (available on the web) and the source of an application like GIMP.)

      4. SuperGeek

        Re: Why do us customers bother?

        Exactly. The more complex the system, the more points of failure that are introduced :(

    2. chuckufarley Silver badge

      Re: Why do us customers bother?

      Perhaps it is because we, as a collective species, have all the intellectual prowess of a box of rocks. Most people are actually smart and some are even brilliant. However as a group we have...issues.

      1. Mark192

        Re: Why do us customers bother?

        Chuckufarley said:

        "Most people are actually smart"

        This is not true :-/

        1. Anonymous Coward
          Anonymous Coward

          Re: Why do us customers bother?

          But it does make us feel better to think so.

          And I think it's one of the basic tenets of humanism.

        2. chuckufarley Silver badge

          Re: Why do us customers bother?

          RE: "This is not true :-/"

          https://xkcd.com/610/

        3. Anonymous Coward
          Anonymous Coward

          This is not true :-/

          You beat me to it, by 2 days, lol

      2. Anonymous Coward
        Boffin

        Re: Why do us customers bother?

        In the immortal words of George Carlin:

        “Think of how stupid the average person is, and realize half of them are stupider than that.”

        1. J. Cook Silver badge
          Black Helicopters

          Re: Why do us customers bother?

          And Agent Kay's comment in Men in Black:

          "A person is smart. People are dumb, panicky dangerous animals and you know it."

    3. John Brown (no body) Silver badge

      Re: Why do us customers bother?

      "these vulnerabilities will last the life of the product."

      So, that would be an inherent manufacturing defect which the manufacturer or retailer is directly responsible for under the terms of the guarantee, yes? After all, if software/firmware is designed and "built" by engineers, then it's an "engineering" issue.

  3. Anonymous Coward
    Anonymous Coward

    "We have no evidence it is currently being exploited."

    Because obviously the first thing anyone exploiting it does, is send a registered letter to Qualcomm's headquarters informing them that they're using their dodgy DSP to install rootkits.

    1. chuckufarley Silver badge

      Because obviously...

      ...I needed the Internet to tell me how I was doing it wrong. Again. OK, so no more legal expenses to get notarized documents. That must be how the Ransomware Gangs cut costs so effectively.

    2. Anonymous Coward
      Anonymous Coward

      They have no evidence because they aren't looking for it. 4d thinking that.

  4. chuckufarley Silver badge

    We don't need...

    ...No stinking patches!

    We need long term support for the affected devices before someone will even be bothered to think about writing the stinking patches!

    1. DS999 Silver badge

      Re: We don't need...

      You'd be better off with no patches. If these guys are the only ones who have found these holes, or at least the only non state level actor who has, producing patches will only make it easy for bad guys the world over to find the holes by looking at what was fixed.

      Since most vulnerable phones will never see patches because the OEM stopped caring as soon as they replaced it with a newer model, that's a big problem since these are apparently worse than a root hole - the DSP exploits give you control over the whole device, including the baseband. This is the sort of hole that lets you turn it into a spy device that silently listens and relays a conversation, with no visible indication.

      1. Anonymous Coward
        Stop

        Re: We don't need...

        You'd be better off with no patches. If these guys are the only ones who have found these holes, or at least the only non state level actor who has, producing patches will only make it easy for bad guys the world over to find the holes by looking at what was fixed.

        This is security through obscurity. You don't know who else have found the bugs. Or will do, now they know where to look for them.

        You are also writing off "state actors" as if they are somehow harmless or inevitable. These can certainly get access to some people's phones with some effort, but they don't actually have infinite resources or a magic wand, so there is a massive benefit in making it as hard as possible for them.

        1. DS999 Silver badge

          Re: We don't need...

          State actors aren't harmless but they are inevitable. There's no way to fix enough bugs that they can't find any.

          1. vtcodger Silver badge

            Re: We don't need...

            State actors aren't harmless but they are inevitable. There's no way to fix enough bugs that they can't find any.

            Aside from which, state actors doubtless have considerable access to the world wide digital infrastructure, and I suspect its hardware and software are probably just as bug-ridden as the endpoint software and hardware we are familiar with. Bottom line. Today, and for the foreseeable future, you can be connected or you can be secure -- pick (at most) one.

          2. Anonymous Coward
            Happy

            Re: We don't need...

            State actors aren't harmless but they are inevitable. There's no way to fix enough bugs that they can't find any.

            I am not sure that is true - there is a finite number of exploitable bugs and the attack surface can be minimized by limiting the number of apps installed. Not all security bugs are exploitable. I doubt each agency has a hundred billion waiting unused exploits waiting to be used, because if that was so there wouldn't be a market in these sort of exploits.

            And each exploit costs them time and money and - because bugs get fixed - has a finite life. If you stop patching bugs then their hacks would never stop working and they never have to look for new ones.

            1. DS999 Silver badge

              Re: We don't need...

              If you stop patching bugs then their hacks would never stop working and they never have to look for new ones

              That's already the situation for Android for all intents and purposes, since they can get into any phone more than a year or two old that is no longer receiving patches.

              My comment about being "better off not patching" was sort of tongue in cheek, but it will be very bad for owners of older/cheaper devices that won't ever see the patches when they come out because of the severity of this class of exploits. Full control of the device, with no user interaction required - they just have to happen to visit a web site with a malicious video. Which can be almost ANY web site, since it could be encoded into a video ad.

            2. stiine Silver badge

              Re: We don't need...

              Oh, you naive child, Smooth Newt.

              1. Anonymous Coward
                Happy

                Re: We don't need...

                Oh, you naive child, Smooth Newt.

                The difficult problem is not that it would be possible to eliminate all exploitable security weaknesses in some large piece of code, which is clearly just a matter of resources and priorities, but to know when the job is done - i.e. that they have actually been eliminated to the exclusion of the NSA and its competitors.

                Perhaps quantum cryptography will eventually provide a solution of sorts, in a scenario where ex-filtrating data will inevitably modify it in a detectable manner.

  5. heyrick Silver badge

    and make appropriate mitigations available to OEMs

    And exactly how much of that is going to end up on actual people's actual devices?

    1. bombastic bob Silver badge
      Meh

      Re: and make appropriate mitigations available to OEMs

      "And exactly how much of that is going to end up on actual people's actual devices?"

      it would depend on a LOT of "if"s, I think.

      a) IF your phone maker is good at servicing and updating EXISTING customers with otherwise "legacy" devices,

      b) IF your phone service provider provided the phone as well, and put their OWN stuff on it [and preclude the manufacturer updates from accidentally messing with it], THEY also have software updates available for "legacy" devices.

      c) IF the phone's effective 'end of life' has not been reached [regardless of whether or not it still works]

      and so on. 'IF'fy for sure.

      I have this older (cheap) slab I use for 'droid development and portable e-mail access, things like that. I don't think it has a snapdragon processor on it, though. But I haven't seen any updates for that one for YEARS. Still works for what I want.

      1. Anonymous Coward
        Anonymous Coward

        Re: and make appropriate mitigations available to OEMs

        Giff-Gaff started having ads pushing the benefits of second-hand mobes just when Which(?) brought out a report that millions of old phones are vulnerable to unpatched security holes...

        Music Magpie must have had wind of this report and recently started pushing their recycled phones!

  6. _LC_
    Holmes

    When looking for a new SmartPhone ...

    When looking for a new SmartPhone or Tablet, the first thing I do is tick everything BUT Snapdragon under CHIPSET:

    https://www.gsmarena.com/search.php3?

    Qualcomm has long been known for being a nightmare of bugs/backdoors that always lead to full root exploit. Anybody controlling the network (you can buy a “network simulator” for < $200 these days) can drop in via the “bugs” in their driver BLOBs.

    As Exynos is dead (with Samsung switching over to Qualcomm), this only leaves Helio (MediaTek) and Kirin (Huawei). Oddly, you also get a better product for your money this way. ;-)

    1. katrinab Silver badge
      Gimp

      Re: When looking for a new SmartPhone ...

      And Apple's A-Series of chips ...

      1. Charlie Clark Silver badge
        Stop

        Re: When looking for a new SmartPhone ...

        Why do you assume that Apple can program DSPs better than Qualcomm? Just because it keeps the silicon pretty well locked down by the OS, doesn't mean the microcode isn't buggy. Or have IOS exploits all dried up?

        1. Anonymous Coward
          Anonymous Coward

          Re: When looking for a new SmartPhone ...

          No one is assuming anything. They’re just pointing out another option.

          1. _LC_

            Re: When looking for a new SmartPhone ...

            Not really, as they are not running Android. This would be another infrastructure. Where on Android you get most stuff free, you will find that Apple makes you pay. Where on Android the restrictions are annoying and often enough counterproductive - with Apple you get the whole corset, thumb screws included.

            Also, Apple's “security” is more of a religious thing. Check out the last BlackHat conventions. They mostly had a laugh at Apple.

            Advertisement != truth

            Apple computers and phones have never been secure by any means, despite all the efforts to make them appear(!) that way. ;-)

    2. big_D Silver badge

      Re: When looking for a new SmartPhone ...

      And Kirin supplies will dry up next month as the US sanctions hit its supply chain.

      I'm glad I have an Exynos powered smartphone, and my previous 2 were Kirin powered.

      Not sure what I'll be using going forward.

      1. _LC_
        Thumb Up

        Re: When looking for a new SmartPhone ...

        I wouldn't worry too much. Huawei is already selling SmartPhones with MediaTek chipsets. The percentage of those has been rapidly increasing.

        On the downside, the processors are slightly less performant. This is hardly an issue to most people, though, considering that they are more than fast enough for everyday work.

        On the upside, Huawei's MediaTek phones offer more for the money. Whereas Huawei has been restricting 4k video to its high-end line and cutting away the SD-slots, MediaTek offers it all. ;-)

        Their new Chip is called "Dimensity 1000+" and it doesn't have to hide:

        https://www.notebookcheck.net/Snapdragon-865-vs-Dimensity-1000-Qualcomm-s-chip-heads-AnTuTu-s-Android-SoC-performance-chart-but-MediaTek-shows-it-can-compete-with-the-best.484475.0.html

        "Snapdragon 865 vs Dimensity 1000+: Qualcomm's chip heads AnTuTu's Android SoC performance chart but MediaTek shows it can compete with the best"

        ---

        https://www.notebookcheck.net/MediaTek-s-latest-Dimensity-1000-chip-nets-a-score-of-530-000-on-AnTuTu.465344.0.html

        "MediaTek's latest Dimensity 1000+ chip nets a score of 530,000 on AnTuTu"

        ---

        … and it's packed with everything you can think of – which is very typical for MediaTek:

        https://www.mediatek.com/products/smartphones/dimensity-1000-series

        .

        That said, I'm confident that chip-production will be picked up by a (homeland) Chinese company, eventually. They are making huge steps ahead and, as seen with Huawei, they may surpass their counterparts in little time...

  7. Anonymous Coward
    Anonymous Coward

    urged mobile device users to apply software updates when available

    well, for many me it's not when and not if, and not at all, as I happen to use "obsolete" 3yr old phone. But that's all right, because I don't use trusted sources such as google play to install every must-have app that spies on me. But then, if you're in dire need and MUST have those apps, well, I suppose you have to buy a new handset. Every two years or so. Life's so hard in 21st century.

    1. SGJ

      Re: urged mobile device users to apply software updates when available

      I'm still using a six year old iPhone 5s and it last received a security update, ios 12.4.8, in the last week. Something to bear in mind if, like me, you don't want to replace your phone every 12 to 18 months...

    2. RichardEM

      Re: urged mobile device users to apply software updates when available

      The problem with just applying updates is that many of them can be as bad as the non updated OS. What we need is some sort of third party clearing house to evaluate and certify the updates. Also ALL phone manufacturers should be required to maintain security updates for at least 5 years and they should be fined the original retail value of the phone or replace for free that unsecure phone with the current, for retail sale not an older model, phone at no charge.

      I doubt that either of these proposals will happen because it will cost the manufacturers too much money.

      I realize that completely perfect devices of the complexity of smartphones is impossible but we need to give the manufacturers and the mobile services incentives to get it as close as possible.

      1. Strahd Ivarius Silver badge
        Trollface

        Re: urged mobile device users to apply software updates when available

        All updates are already certified by a 3-letters agency to ensure that they don't break the mandatory backdoors...

  8. RM Myers
    FAIL

    Technical details ... to give ... time to implement ... fixes, which will take time.

    which will take infinite time for older* phones. FTFY

    * where older could be as little as 1 year..

  9. TheInstigator

    Those pesky Chinese/Iranian/Russians!

    Once again we see the dastardly work of all those foreigners at play here - we need to immediately introduce enforced repatriations of all people who are not ethnically from the country in which they reside - or to put them into camps where they can be monitored to ensure they are good citizens.

    The above policy should only apply to 5/13 eye countries of course - all people who are from 5/13 eye countries living in countries where they are not ethnically from are - of course - completely reliable and trustworthy.

  10. Anonymous Coward
    Anonymous Coward

    New Fash.

    Operating upgrades have started coming down. Knowing android response to a critical situation (mañana) I'd love to hear the conversation between Def Con and Android/Qualcomm it may be something like this:-

    We will withhold this information for 72 hours after which you can take a match to your empire and watch it burn.

    LoL.

  11. DenTheMan

    The cleaner did it.

    Well, he was a China man.

    CHHHHIIIIINNNNAAAAAAMMMMMAAAANN (No prize for guessing who I am imitating)

    1. Anonymous Coward
      Anonymous Coward

      Re: The cleaner did it.

      I sincerely have the suspicion that one bag of meat has 3 accounts on this forum which downvotes posts like these.

  12. ecofeco Silver badge

    Ouch!

    FFS.

  13. NonSSL-Login

    If only...

    Would love to get a Huawei P40 pro which doesn't use the American Qualcomm chip but Trump has buggered up how useful it would be due to his attacks on Huawei over security depriving their phones of the play store.

    Maybe it's a ploy to make us all buy Qualcomm backdoored...erm....vulnerable chipset phones that the NSA and co can have full control of, because this whole political thing is nothing about security.

    1. _LC_

      Re: If only...

      You can install the Playstore. There are instructions on how to do that out there. Huawei is not allowed to ship them with the Playstore installed. That's all.

  14. eldakka
    Paris Hilton

    Collectively, Check Point is calling its Qualcomm probe Achilles, 'cause that's a bit more memorable than a fistful of CVEs.

    That means it's time to send Paris in, the slayer of Achilles!

    1. Korev Silver badge
      Coat

      >That means it's time to send Paris in, the slayer of Achilles!

      I was hoping she'd heal it...

  15. big_D Silver badge
    Coat

    Makes me glad...

    my last 3 smartphones didn't/don't have Qualcomm processors...
