Hi, On 03/05/17 23:52, Alex Fraser wrote:
About a month ago, we learned that there was a vulnerability in the WiFi firmware on many phones [1]. I didn't know until then that the WiFi device has its own system-on-a-chip (SoC) that runs its own code, and has access to system RAM. The vulnerability apparently allows an attacker to execute arbitrary code in the SoC, and from there take over the entire device [2][3].
IIUC, [1] is a problem even with WiFi "turned off".
Apple, to their credit, patched a range of obsolete devices in addition to current ones [4]. Google seems to only be patching current devices, and it seems unlikely that other Android manufacturers will push out an update to old devices either. The response from the Android community seems to be to bury their heads in the sand [5]. When I asked in #lineageos about it, I got the impression that they couldn't include the patched firmware for my device (although things may have changed).
Yes, Apple patch and do it reasonably well on the whole; but they often patch and then need to re-patch to fix the patch. They also don't admit problems unless they have no choice and they can still take too long to patch things. Samsung, uggh, we've got lots of perfectly good gear that sold in the 100s of millions of devices each. Samsung won't patch a device that is still otherwise perfectly good if it is "too old", they want you to buy a new phone. Google will patch much more quickly, but they too have sunsets on the life of equipment that doesn't reflect the true possible real life; hence the perfectly good Nexus 5 and very soon Nexus 6 and 9 won't get further updates. I would like for any device that is manufactured in huge quantity, like all these flagship devices, to get updates for 6 years, unless the number of currently active users drops down too low (perhaps down to million users); anything longer than 6 years would probably be too long (I'll admit that), but anything shorter, well, again, they sell 100s of millions of these devices, so giving support for up to 10 years shouldn't cost them much and it would make the devices worth much more before ending up in landfill, as well as getting more life out of them. Most people don't need to replace phones sooner than 3 or 4 years, some will for all sorts of reasons, but most will just because they can and they are getting the devices as part of salary sacrifice or some kind of tax deduction or just because they don't care if they pay through the nose for a phone by paying too much on a "plan" or even if they think, "who cares, work is paying for it" -- perhaps they could get a small pay rise instead of a brand new shiny phone (too often). There are other good reasons to replace mobiles, most significantly because newer ones are more efficient and they can handle the newer in use radios when the older devices end up not working due to the radios they had used being upgraded to 4G or later (heck even GSM to 3G). Not that many devices will be using 3G, not the newer ones anyway, except as a fallback like GSM was a fallback for 3G.
I find this all incredibly frustrating. I have an otherwise perfectly good Nexus 5, which now has to have WiFi permanently disabled. Effectively I need a new phone. A pox on proprietary firmware and impractical update mechanisms!
I absolutely agree, 100%
A user on Slashdot said to "vote with your wallet". But there doesn't seem to be a good option: iPhone, which isn't remotely open but at least seems to get patched, or Android, which claims to be open but is closed where it really counts. Is there a practical third option that I'm missing?
Yes, there are not good options if you want to keep a good device in service longer than the manufacturers would like you too.
Sorry for the rant. Is anyone else as frustrated by this as I am?
Absolutely. Oh and given the Intel chipset mess from the last 10 years (approx), it's a real problem. I don't want to use computer equipment that has otherwise long past it's useful lifetime. What is it, a 12 year old (approx), X200 to use libreboot? I'm wondering how well Librem is going to do out of this latest outing of Intel.
Alex
[1] https://googleprojectzero.blogspot.com.au/2017/04/over-air-exploiting-broadc...
..
[5] https://android.stackexchange.com/questions/172993/ota-wifi-vulnerability-wh...
I think that given the problem, the only real solution is to junk the phone or at the very least, not trust it more than necessary; of course, for many people the vulnerability won't matter to them at all. But that shouldn't mean that those that care (and are perhaps a little too paranoid, or perhaps justifiably paranoid), should have to suck it up and be vulnerable just because the greedy manufactures couldn't give a hoot, especially when the devices get a little "old" ... even ones in full service that are newer usually fail to get updates in a timely manner. I needed that rant too. Kind Regards AndrewN