Poor Android - ARM Backdoor

quote: Thanks to Allwinner, a Chinese ARM system-on-a-chip maker, which has recently been caught shipping a version of Linux Kernel with an incredibly simple and easy-to-use built-in root backdoor.
» thehackernews.com/2016/0 ··· g%29&m=1 |
|
trparkyAndroid... get back here MVM join:2000-05-24 Cleveland, OH kudos:4 |
What the hell do you want from the Chinese? They are a country that's not to be trusted. -- Tom Tom's Tech Blog |
|
| |
to Uncle Paul
article The backdoor code is believed to have been left by mistake by the authors after completing the debugging process. That has happened so many times over the years, no matter where in the world. Sometimes it is definitely malicious, other times it is just ignorance in the review of the final product code.

-- Journalism is printing what someone else does not want printed. Everything else is public relations. -George Orwell Knowledge and curiosity are not crimes and those who are curious should not be treated like criminals. »www.eff.org/https-everywhere
|
| |
Considering how long it takes for updates to reach end points, this should be interesting. |
|
siljalineI'm lovin' that double wide Premium Member join:2002-10-12 Montreal, QC kudos:18 |
to Uncle Paul
Sloppy at best - I've shared this socially. |
|
| |
to Uncle Paul
said by Uncle Paul: quote: Thanks to Allwinner, a Chinese ARM system-on-a-chip maker, which has recently been caught shipping a version of Linux Kernel with an incredibly simple and easy-to-use built-in root backdoor.
» thehackernews.com/2016/0 ··· g%29&m=1

Poor Android? More like 'Poor Cheap Chinese Crap Gear'. 2015 security reports are in. MAC and iOS had the most exploits. Some pretty huge ones in there, like the iOS contact/photo compromise exploit, etc. I know it's hard for Apple fanbois to grasp but it's been a rough few years with them.

» venturebeat.com/2015/12/ ··· d-flash/ (Software with the most vulnerabilities in 2015: Mac OS X, iOS, and Flash)
|
trparkyAndroid... get back here MVM join:2000-05-24 Cleveland, OH kudos:4 ·AT&T U-Verse
Yes, I have heard of the iOS contact/photo compromise exploit in iOS 9.3.1 but Apple fixed that bug really damn quick. They did something server-side to Siri and fixed the issue in record time. I know that some of the Apple exploits for iOS have been some real doozies and I understand that but let's face facts here, Apple does tend to patch them pretty quickly and not only that but it doesn't matter who your carrier is, what country you're in, what model phone you have, or if your phone is more than two years old, you will get that security patch the same day that everyone across the world gets it. Your device will always get the latest iOS version. You're not left wondering if your iPhone will get patched or not.

The same thing can be said about Windows. A security issue comes up, Microsoft patches it, releases a Windows Update KB article and associated patch, and your system gets it. It doesn't matter if your computer is made by Dell, HP, Lenovo, or your Frankenstein box that you built from pieces and parts that you bought at Microcenter, Fry's, NewEgg, or Amazon.com; your Windows system will get that security patch the same day that everyone across the world gets it. You're not left wondering if your Windows system will get patched or not.

Now let's look at Android. Google patches an exploit and now because your phone is a year or even older, you're sitting back wondering if your device will get patched or not. If you're extremely lucky you're going to be waiting months, maybe even a year until your OEM and carrier decide to grace your device with an update. If you're unlucky your device will never see that security patch. In most cases you're going to be waiting until hell freezes over.

As much as I love punching the Microsoft punching bag (who doesn't?), at least they get patches out quickly. Same goes for Apple and the iPhone. Not so with Android. Who do you think is doing security the right way? If you guessed Apple and Microsoft, you would be right.
-- Tom Tom's Tech Blog |
|
caffeinatorComing soon to a cup near you.. Premium Member join:2005-01-16 00000 kudos:4 ·CenturyLink
It's quite simple really. Android phones come out every year, with carrier and peer-pressure incentives to upgrade. Computers in general, not so much. Why spend Dev monies on upgrades or patches for "old" phones when they are focused on selling NEW gear? Add to that the endless variants of phones from many makers and many carriers globally, it's a ridiculous situation. Phones are basically disposable now. Even the high-end ones. Android IMO, just doesn't have the invested legacy support like Apple or to a lesser extent now, Microsoft, so you get what you get. If you want actual Android support, you buy a Nexus phone or root your own and have fun at your own risk. Hell, I'm happy my $50 used 2013 MotoX even got 5.1 updated at all...and it was pushed from Motorola. Irony, since they had been a Google-owned company for a bit there. Perhaps they still get some preference? --
My 9/11 Tribute..online since 9/14/01 Need an Avatar? Check out Wafen's Avatar Pages |
|
·Cox HSI
|
to Itguy2016
said by Itguy2016: said by Uncle Paul: quote: Thanks to Allwinner, a Chinese ARM system-on-a-chip maker, which has recently been caught shipping a version of Linux Kernel with an incredibly simple and easy-to-use built-in root backdoor.
» thehackernews.com/2016/0 ··· g%29&m=1

Poor Android? More like 'Poor Cheap Chinese Crap Gear'. 2015 security reports are in. MAC and iOS had the most exploits. Some pretty huge ones in there, like the iOS contact/photo compromise exploit, etc. I know it's hard for Apple fanbois to grasp but it's been a rough few years with them.

» venturebeat.com/2015/12/ ··· d-flash/ (Software with the most vulnerabilities in 2015: Mac OS X, iOS, and Flash)

Perhaps one of the biggest differences is the Apple exploits were bugs, while the Android ones were on purpose. Big difference there.
|
| |
Except who uses cheap Chinese ARM chips?
|
|
·Cox HSI
|
said by Itguy2016: Except who uses cheap Chinese ARM chips?
Considering there's at least a dozen of them listed on Amazon, with dozens of reviews I would say a lot of PEOPLE; a lot of Americans. The sub 100 dollar tablets sell very well... |
|
sivranVive Vivaldi Premium Member join:2003-09-15 Irving, TX kudos:2 |
to Itguy2016
said by Itguy2016:2015 security reports are in. MAC and iOS had the most exploits.
Your agenda is showing, and I don't even use Apple products. -- Opera reborn -- »vivaldi.com |
|
| |
to Uncle Paul
said by trparky: What the hell do you want from the Chinese? They are a country that's not to be trusted.

said by Itguy2016: Except who uses cheap Chinese ARM chips?

a) "American components, Russian components, all made in [insert here]!!"

b) considering how every consumer wants everything at the cheapest price, and every mfr is looking to cut costs as much as possible and maximize profits as much as possible, is this any surprise we're now in this boat?

And some food for thought about your initial comment trparky, "so the NSA and US Telecom industry is more worthy of trust?" Just playing Devil's Advocate here.

At this point, all I want to know is which SPECIFIC device(s) are affected -- the article didn't do so good a job of identifying that -- and what AS A USER Joe Blow off the street can do to fix / mitigate this.

My 00000010bits

Regards
|
azmike join:2012-07-19 Phoenix, AZ |
to trparky
said by trparky: ...snip... Now let's look at Android. ...snip...

Just gotta say your assessment of Android would be spot on if it was still 2012. In those four years Google really has done some great work on correcting the nightmare that was Android security. Sure there is more to do, but updates via play services is one good example. In any case it's not like the big 'G' threw their collective arms in the air, shrugged their shoulders and gave up. Today my list of companies "doing security right" is 1) Google, 2) Apple, 3) Microsoft.
|
trparkyAndroid... get back here MVM join:2000-05-24 Cleveland, OH kudos:4 ·AT&T U-Verse
|
Updates from Google Play Services are good, I'm not denying that but if you have a Samsung phone you're completely at the mercy of Samsung and your carrier to decide if your device is going to get an update. Same goes with the other OEMs. If there's something at the kernel level or a library vulnerability, Google can't patch it; it's up to the OEM that made your device to patch that. Case in point, Stagefright. And Samsung is absolutely the WORST when it comes to updates and there's no denying that. Hell, most of the OEMs don't give a damn but most of all Samsung is at the top of the "don't care" list. -- Tom Tom's Tech Blog
|
azmike join:2012-07-19 Phoenix, AZ |
azmike
Member
2016-May-16 8:58 am
Again you're living in the past.

"Samsung Electronics will implement a new Android security update process that fast tracks the security patches over the air when security vulnerabilities are uncovered. These security updates will take place regularly about once per month."

» news.samsung.com/global/ ··· bilities
|
trparkyAndroid... get back here MVM join:2000-05-24 Cleveland, OH kudos:4 ·AT&T U-Verse
|
I'll believe that shit when I see it. Until I see people posting that they are getting monthly security patches delivered via OTA updates here in the States, I won't believe it for one damn second. -- Tom Tom's Tech Blog |
|
| trparky |
said by Samsung: Samsung is currently in conversation with carriers around the world to implement the new approach. In collaboration with carriers and partners, more details about the specific models and timelines will be released soon.

Crap, they have to work with the carriers? Oh yeah, that'll be fun. The very same carriers in the States that couldn't be bothered to push out even the regular updates. How the hell do you expect them to push out necessary security patches? If the carriers are involved you can guarantee the whole thing will be a complete circus. -- Tom Tom's Tech Blog
|
| |
said by trparky: Crap, they have to work with the carriers? Oh yeah, that'll be fun. The very same carriers in the States that couldn't be bothered to push out even the regular updates. How the hell do you expect them to push out necessary security patches? If the carriers are involved you can guarantee the whole thing will be a complete circus.

^^^^ This

That is, and has always been, the problem for Android. Google has publicly discussed this and it is one of the items they would seek to change if they were to do it all over again.

Google releases updates (security or otherwise) for Android. Each hardware manufacturer in turn must integrate those updates into the code base for each of their devices. Then, each carrier must integrate those changes into their distributions (if applicable) and actually push those out to the respective devices on their respective networks.

Google -> HW Manufacturer -> Carrier -> End User Device.

Some hardware manufacturers are looking to take the carriers out of the loop, but in the end Google would prefer to eliminate even the hardware manufacturer at least for security updates.

As to the original topic, Allwinner is just one of a few (several?) producers of ARM chips. Mobile phones are not the only ARM-based devices. Tablets, home media, SBCs, network equipment (routers, switches), and more all use these, each sourced from various fabs. Each manufacturer's parts differ from the others, even slightly, requiring specific support by the given OS or device software. That support itself is not always "open" or provided in source form.
|
azmike join:2012-07-19 Phoenix, AZ |
azmike
Member
2016-May-16 11:43 am
said by Shady Bimmer: ... Google -> HW Manufacturer -> Carrier -> End User Device. ...
Thanks for the history lesson, probably at least one person on the planet that didn't already know this.  Geez - If visionaries like trparky and Shady Bimmer ran the world we'd still be riding horses, women couldn't vote and I couldn't buy Cuban cigars. Things change. Have fun. |
|
| |
Sigh. 
|
|
trparkyAndroid... get back here MVM join:2000-05-24 Cleveland, OH kudos:4 ·AT&T U-Verse
|
to azmike
said by azmike: If visionaries like trparky and Shady Bimmer ran the world

No, I'd make sure that everything is as streamlined as possible with as limited overhead as possible. Keep the processes simple so that things get done as fast as possible with the least amount of headaches. -- Tom Tom's Tech Blog
|
| |
Ignore the troll and perhaps he'll go away.

If one had actually read the standard marketing drivel referenced by the URL posted by the troll one would have noted:

quote: Samsung is currently in conversation with carriers around the world to implement the new approach
(Emphasis mine)

So again I refer back to my reference that in current methodologies updates progress Google -> HW Manufacturer -> Carrier -> End User Device. Also as I noted both Google and the device manufacturers are indeed interested in improving this (perhaps even eliminating the involvement of the carriers) but we're not there yet.

But none of this has anything to do with the topic of the OP. Allwinner parts are more commonly used in SBCs than in phones such as those from Samsung. Further, how many non-rooted Android devices actually provide access to /proc?

It is amazing how such issues get so overblown. Yes this is a concern, but the scope of that concern is a relatively small audience. Plus that audience is more likely able to address such an issue when it arises - again this is not something that impacts typical consumer devices.

Part of the problem with Allwinner is that they are somewhat less-than-transparent with respect to their solutions and offerings.
|
azmike join:2012-07-19 Phoenix, AZ |
azmike
Member
2016-May-17 11:54 am
Troll? Obviously you don't know the (internet) meaning of the word. I was simply trying to enlighten a couple people who seem to choose to remain ignorant regarding the current and future state of Android security updates. Admittedly my attempt at humor failed. In any case it's already begun:

» www.phonearena.com/news/ ··· _id81067

I'll watch this thread for any signs of intelligence, otherwise I'm off to more fruitful pursuits. Hope y'all have a good day.
|
trparkyAndroid... get back here MVM join:2000-05-24 Cleveland, OH kudos:4 ·AT&T U-Verse
|
Galaxy S7 phones. But what about S6 and S5 versions of the devices? Hell, what about the Note 5 and 4? There are still people using those devices either because they're happy with it or they can't afford a new one. Again, I come back to my original rant... Why is it that if the device is more than a year old it suddenly means jack shit to the OEM? -- Tom Tom's Tech Blog |
|
caffeinatorComing soon to a cup near you.. Premium Member join:2005-01-16 00000 kudos:4 ·CenturyLink
to Uncle Paul
FWIW, just got a security update on my Moto X XT1060. Updating to Software Version: 222.201.1.ghost_verizon.Verizon.en.US

It was an OTA pushed out by Motorola and/or Verizon, seems to be working fine. Not sure what security fixes it contains. Posts about it:

» forums.androidcentral.co ··· 6-a.html

--
My 9/11 Tribute..online since 9/14/01 Need an Avatar? Check out Wafen's Avatar Pages |
|
trparkyAndroid... get back here MVM join:2000-05-24 Cleveland, OH kudos:4 |
When was the last time it got updated? |
|
caffeinatorComing soon to a cup near you.. Premium Member join:2005-01-16 00000 kudos:4 ·CenturyLink
said by trparky: When was the last time it got updated?

March 9th of 2016, it was an update to 222.26.7 (Lollipop) from KitKat. It's a VZW branded MotoX, but it's on a PagePlus $30/mo. 4G-LTE plan. I'm just wondering what fixes are included, like this issue, but can't seem to find out much about the update. The phone runs a Krait 300 dual-core 1.7 GHz CPU with the Qualcomm MSM8960DT Snapdragon S4 Pro. So, ARM vulns may affect it, not sure.

Specs: » www.gsmarena.com/motorol ··· 5601.php
|
trparkyAndroid... get back here MVM join:2000-05-24 Cleveland, OH kudos:4 |
That's impressive. Good turn around for updates. |
|
| |
to trparky
As long as they work. Better than releasing updates that brick your device or cause even more issues. Apple seems to be pros at that lately.

» www.forbes.com/sites/gor ··· d8945db7
|