Snapdragon chip flaws put >1 billion Android phones at risk of data theft:
Snapdragon is what’s known as a system on a chip that provides a host of components, such as a CPU and a graphics processor. One of the functions, known as digital signal processing, or DSP, tackles a variety of tasks, including charging abilities and video, audio, augmented reality, and other multimedia functions. Phone makers can also use DSPs to run dedicated apps that enable custom features.
“While DSP chips provide a relatively economical solution that allows mobile phones to provide end users with more functionality and enable innovative features—they do come with a cost,” researchers from security firm Check Point wrote in a brief report of the vulnerabilities they discovered.
[...] Qualcomm has released a fix for the flaws, but so far it hasn’t been incorporated into the Android OS or any Android device that uses Snapdragon, Check Point said. When I asked when Google might add the Qualcomm patches, a company spokesman said to check with Qualcomm. The chipmaker didn’t respond to an email asking.
Check Point is withholding technical details about the vulnerabilities and how they can be exploited until fixes make their way into end-user devices. Check Point has dubbed the vulnerabilities Achilles. The more than 400 distinct bugs are tracked as CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209.
(Score: 1, Informative) by Anonymous Coward on Monday August 10, @07:17AM (2 children)
"Just buy a new phone" kind of flaws.
What is still unknown is what exactly the impact will be. It might be something that most people can live with, like the Intel bugs, or it might be something that really hurts. No way to know until they release details.
(Score: 3, Funny) by Subsentient on Monday August 10, @07:21AM (2 children)
*laughs in PinePhone's Allwinner A64*
(Score: 3, Funny) by Anonymous Coward on Monday August 10, @09:31AM
Can we hear you now? Or is calling not implemented?
(Score: 0) by Anonymous Coward on Monday August 10, @11:58AM
Allwinner is next [soylentnews.org] - it's fabless [wikipedia.org].
(Score: 2) by Runaway1956 on Monday August 10, @07:51AM (12 children)
Apple updates their phones, a couple times, anyway. Android? A buttload or two of those are specced by the telcos, then sold cheap to rope you into a service contract. And, never updated. This could get interesting. A billion consumers demanding an update/upgrade of their phones? I don't think the telcos could ignore that indefinitely. They may have to actually earn some small portion of their rent money.
(Score: 2) by Blymie on Monday August 10, @09:46AM (6 children)
Not sure where you live, but in Modern Times, most new Android phones are patched monthly. This is true of all Oneplus, Google, Samsung, Blackberry phones, as ones I have direct experience with. Why are you spreading disinformation?
(Score: 3, Insightful) by petecox on Monday August 10, @10:14AM (4 children)
But only for 2-3 years? My 2017 model hasn't received an update since Feb 2019.
If by "Modern Times" you mean let's cross our fingers and hope OEMs really actually mean it this time with Project Mainline. Otherwise, it's back to installing a custom ROM such as LineageOS.
Despite its underwhelming specs, I'm sorely tempted by the 3GB Pinephone, which can be built with lifetime updates from kernel.org sources.
(Score: 2) by RS3 on Monday August 10, @12:30PM (3 children)
Agreed, same here. I have several Android phones, the newest with Android 7, and no updates have been available to any of them in the past 2-3 years. Haven't tried LineageOS yet. The PinePhone is looking better and better.
IMHO, manufacturers (including Microsoft) should be forced to provide updates, and my thoughts are based on the fact that the product was flawed from the start.
(Score: 2) by etherscythe on Monday August 10, @04:29PM (2 children)
...or buy back the device at the original sale price. Hit them where it hurts, and they'll find a better solution.
(Score: 2) by RS3 on Monday August 10, @05:01PM
One can only dream of such a world...
Realistically I understand the economic implications of such laws/rules. Pretty much everything software / firmware is done under the "release something now, update someday later" and radically changing that would cause economic disaster. It would have to be phased in.
I personally advocate for 10-20 year warranties on things for inherent defects / flaws (that were there from the beginning but not known until 10-20 years later). Do people really expect you to buy a new phone or computer every year or two? I'm just getting the thing set up how I like it by then.
The success and stability of Linux proves Linus' system of development / release works well.
(Score: 0) by Anonymous Coward on Monday August 10, @11:46PM
... adjusted for inflation.
(Score: 2) by epitaxial on Tuesday August 11, @02:32PM
My iPhone 6 Plus is close to 6 years old now and is still getting updates for iOS 12. Say what you want about Apple but Android updates are a joke.
(Score: 2) by looorg on Monday August 10, @01:10PM
They tend to only support the phones for a somewhat short time, a few years at best, then your phone is usually out of spec and no longer supported. There are a lot of those phones out there; even if they wanted to update them, the phones might not be able to be updated (lack of memory, storage etc). So just 'cause they push a new update, large segments of the market might, or won't, apply them. So it really does come down to how serious this flaw is: do you need physical access to the phone, or is it enough to just be around them or to send them some properly formatted message of some kind?
(Score: 0) by Anonymous Coward on Monday August 10, @08:51PM (1 child)
Ha, ha! Runaway thinks you can OTA update hardware! What a Maroon! Or, he's babbling off-topic, again.
(Score: 0) by Anonymous Coward on Monday August 10, @09:21PM
It worked for you. They fried your brain out with microwaves from miles away, and replaced them with an oversize vacuum tube.
(Score: 2) by knarf on Monday August 10, @10:00PM (1 child)
Oh please stop with this silly Apple-fawning... With Android things work more like they work in PC (that is personal computer, not politically correct) land: get a device which is supported by one of the AOSP-derived distributions and you'll be able to keep it updated for at least as long as Apple updates its devices. Since the proof is in the pudding I'll raise you my Samsung SIII which runs Android 9 (i.e. LineageOS 16.0) more or less because I have not felt the need to update it to Android 10 yet. This device is from 2012, it has an OLED screen, runs for 2 days on the original battery and is - apart from the microSD card which I swapped to get more 'off-line netcast' space - original. Elsewhere I still use several Motorola Defys from 2011, some of them running bare Linux with MPD as remote-controlled media players, another one as a wifi-enabled trailer camera (it creates its own car+trailer-area wifi network to which you connect your phone while driving). Oh, let's not forget the Galaxy Tab 3 which runs LineageOS; it might be from 2013 but it still works fine, the battery holds for ~6 hours of screen time, Intel (!) processor notwithstanding.
If you get some fly-by-night Android device without developer support (which is separate from vendor support) you'll be stuck unless you do your own port (which is often possible due to many of those cheaper devices being based on some reference design for which a port already exists) so the solution is to be selective when choosing a device. In this the situation resembles that of the earlier days of Linux, some devices work fine, others are only partly supported while still others are basically unsupported. Choose well and you'll be using the device for a long time with software *you* choose, running services *you* want, connecting to networks *you* allow it to. Not Google. Not Apple. You.
Well, mostly you, there is that closed source proprietary radio firmware blob which could give TLAs a backdoor into your world. This also goes for vendor-supported devices (Android, iOS, no difference here) so for those who *really* mean it the solution is to get something like a Pinephone or a Librem which have hardware switches to disable the radios.
(Score: 2) by etherscythe on Tuesday August 11, @04:57PM
OK. But can it run my banking app? Sure, I can buy a random Chinese-made IoT thing with a screen and run it for a while, but does it do the real things I want an Android for in the first place?
Otherwise I'll just put Sailfish back on my Sony XA2. (I'm actually about to do this when I get my next phone)
(Score: 2) by etherscythe on Monday August 10, @04:55PM (3 children)
...can I softroot my phone yet? I've got some apps I've been waiting to nuke, and factory image won't let me.
I'm looking at you, Facebook.
(Score: 0) by Anonymous Coward on Monday August 10, @05:26PM (2 children)
Five years or more of updates. And no fucking Facebook.
(Score: 0) by Anonymous Coward on Monday August 10, @06:44PM
only idiots buy an iSlave brand SlaveTracker.
(Score: 2) by etherscythe on Monday August 10, @10:46PM
You know what else has no Facebook? My brand new Nokia 2.3 I got exclusively for work. Great update guarantee, relatively speaking: 2 years of build updates, 3 years of security updates, and that'll keep me ahead of the OS version policy for a good while. But if I want anything else on the market for my personal device, it seems, I'm SOL.
You're missing the point by suggesting a walled garden device. I really rather own what I paid for - not lease it for a one-time fee. You're just trading one big brother for another.
(Score: 1, Informative) by Anonymous Coward on Monday August 10, @05:37PM (1 child)
I love my dumb ass Tracfone.
(Score: 0) by Anonymous Coward on Tuesday August 11, @03:21AM
It is probably a qcom chip in there.
(Score: 2) by Username on Tuesday August 11, @12:00AM
I just swipe on my phone to "unlock" it. I have all my personal information on it as well. All my email, voip, messenger, ftp, vnc, vpn accounts too.
Nothing bad has happened in the last nine years of doing this, since my security comes from myself and the people I choose to associate with.
(Score: 2) by progo on Tuesday August 11, @03:39PM
That's a load of bullshit. They're talking about a second CPU running code for the phone company that doesn't work for you or care about your sovereignty over your own property.
Can we use this news of "flaws" to override things like "no you cannot set up a 4G→Wifi bridge because the phone company doesn't want you to"?