back to article It's 2019 – and you can completely pwn millions of Qualcomm-powered Androids over the air

It is possible to thoroughly hijack a nearby vulnerable Qualcomm-based Android phone, tablet, or similar gadget, via Wi-Fi, we learned on Monday. This likely affects millions of Android devices. Specifically, the following two security holes, dubbed Qualpwn and found by Tencent's Blade Team, can be leveraged one after the …

  1. robidy

    Can Google do something...think of the users!

    Seriously, could Google mandate updates be sent out by handset manufacturers (maybe refuse them access to newer versions if they don't)...how many Android's will go unpatched because hardware manufacturers can't...be bothered.

    Oh and the same applies to Apple too (stopping patching perfectly good working phones is unfair)...not that it's Google fault.

    Can't they think of the planet...whales or even future children as an incentive to reduce electrical waste.

    1. Hans 1 Silver badge
      Windows

      Re: Can Google do something...think of the users!

      Oh and the same applies to Apple too (stopping patching perfectly good working phones is unfair)

      Have they stopped the calculatePi function, yet, then ?

    2. S4qFBxkFFg

      Re: Can Google do something...think of the users!

      "Seriously, could Google mandate updates be sent out by handset manufacturers (maybe refuse them access to newer versions if they don't)...how many Android's will go unpatched because hardware manufacturers can't...be bothered."

      Not 100% sure of this, but Play Services is probably technically capable of arbitrarily modifying what's on the phone - the questions are whether Google wants to annoy the manufacturers and carriers that much, and whether they would be able to do it without falling over some weirdness the manufacturer left in the hardware (resulting in a brick, of whatever hardness).

    3. Anonymous Coward
      Anonymous Coward

      Re: Can Google do something...think of the users!

      It's not Google's fault. It's the carriers / manufacturers.

      The carriers are worse than the manufacturers.

      What needs to happen is standardisation of mobile equipment and isolation of vendor specific crapware into standalone optional applications.

      Or at least ban carriers from interfering with firmware.

      I haven't had a carrier supplied phone for decades now and it's been bliss...but then, I'm not at the low end of the market nor do I buy kit second hand. I refresh every 3 or so years because of wear and tear.

      1. dajames Silver badge

        Re: Can Google do something...think of the users!

        Or at least ban carriers from interfering with firmware.

        Yes, this.

        We wouldn't miss it at all if the bug-ridden pile of unlovable bloatware with which most carriers insist on "branding" the devices they sell went away for ever. Really we wouldn't. Not a bit.

        1. Anonymous Coward
          Anonymous Coward

          Re: Can Google do something...think of the users!

          There should be a PSA video to warn of the dangers of manufacturers man in the middling your phone firmware.

          You wouldn't watch porn with your mum sat next to you.

          You wouldn't get your balls out and scratch them in a lift.

          You wouldn't bleed 4 pints of blood and wait 4 years to dial 111.

          YOU WOULDN'T BUY A PHONE RUNNING A VERSION OF SOFTWARE BUILT BY A FUCKWIT JOBSWORTH IN SLOUGH.

          Be phone safe, always get your Android direct and clean.

          1. eldakka Silver badge
            Coat

            Re: Can Google do something...think of the users!

            You wouldn't get your balls out and scratch them in a lift.

            But what if they are really itchy?

            1. Francis Boyle Silver badge

              Re: Can Google do something...think of the users!

              Just stick your hand into your pants. No one could possibly misinterpret that.

            2. Anonymous Coward
              Anonymous Coward

              Re: Can Google do something...think of the users!

              Ask first.

              I find asking for permission to scratch my balls in public works every time.

              People even leave my immediate area to give me privacy...I think.

    4. Tigra 07 Silver badge

      Re: Can Google do something...think of the users!

      "Can't they think of the planet...whales or even future children as an incentive to reduce electrical waste."

      Saving the environment is not profitable to shareholders.

      1. Hans 1 Silver badge

        Re: Can Google do something...think of the users!

        Saving the environment is not profitable to shareholders.

        Of course it is, just not in the short term ... at least, when our habitat collapses, we'll all be equally helpless

    5. J. R. Hartley Silver badge

      Re: Can Google do something...think of the users!

      What a time to be alive.

    6. DougS Silver badge

      What's wrong with Apple's patching?

      stopping patching perfectly good working phones is unfair

      So how long should they keep supporting them, forever? The iPhone 5S first sold in September 2013, six years ago, is still supported by the latest iOS though it will not get iOS 13.

      Not only that, but recently they produced patches for iOS 10 & 11, patching all the way the back to the iPhone 4 released in September 2010, to fix the "GPS rollover" issue that hits all devices using GPS every 19 years.

      If they were trying to "obsolete" older devices as some like to claim they would have left that unfixed and allowed the GPS to stop working on those older phones.

      1. eldakka Silver badge

        Re: What's wrong with Apple's patching?

        So how long should they keep supporting them, forever? The iPhone 5S first sold in September 2013, six years ago, is still supported by the latest iOS though it will not get iOS 13.
        Decade-old cars still get recalls for manufacture-covered repairs to manufacturing defects and/or outright design defects (i.e. it was manufactured to spec, but the spec was rubbish).

        And make no mistake, a bug, such as these classic buffer overflow and not validating input bugs, are defects in the device. So yes, they should still be issuing security patches that fix device defects for quite a while.

        I have no issue with ceasing feature updates/rollouts - unless those are necessary to conform to the advertised capabilities of the device (i.e. they shipped an unfinished device with advertised features missing) after a year. I don't expect new features to be added to a device at all once it has been purchased and meets the advertised feature set.

        1. Lord Elpuss Silver badge

          Re: What's wrong with Apple's patching?

          So far, Apple has stopped supporting 32-bit devices up to iPhone 5. All 64-bit devices from iPhone 5s (launched almost exactly 6 years ago) onward are still supported. The move from 32 to 64 bit architecture is a valid reason to stop support; aside from the cost effectiveness, it’s perfectly possible that some bugs are far more difficult to patch/require a completely different patching solution in 32bit.

          ”And make no mistake, a bug, such as these classic buffer overflow and not validating input bugs, are defects in the device. So yes, they should still be issuing security patches that fix device defects for quite a while.“

          Six years IS a while. Even the EU, one of the world’s strictest champions of consumer rights, indicates ~5years as a reasonable lifespan for expensive consumer electronics.

          Of course the upcoming iOS 13 stops support for much newer devices such as the iPhone 6 and iPad Air; in my view this is harder to justify.

          1. DougS Silver badge

            Re: What's wrong with Apple's patching?

            All the devices not being supported with iOS 13 have 1 GB of RAM. Not sure why a cutoff based on RAM is any harder to justify than a cutoff based on 32 vs 64 bit.

            Apple has issued patches for "unsupported" versions of iOS previously, not only the recent "GPS overflow" patch for iOS 10 & 11, but produced a patch for the "goto fail" bug for iOS 6 after its support had officially expired. If there was ever an iOS bug being actively exploited in the wild, I'm sure Apple would issue a patch for older versions of iOS to close it. But they aren't going to issue patches for every bug that's found forever.

            If I recall, I believe Microsoft adopted a similar stance with Windows XP, there were a couple bugs that had exploits circulated where they released patches after its "end of support" date had passed for all XP installs, not just those getting the high priced extended support. Hopefully they will do the same for Windows 7.

  2. Steve Davies 3 Silver badge

    No word on the possible impact on Apple?

    As they also use QC and Broadcomm components in their iDevices.

    Perhaps those are suffuciently different as not to be affected by this.

    I hope that Google get their act together and make EVERYONE using the Android brand provide security updates for at least 3 years. At the moment it is pot-luck and in that game, the odds are against you getting more than 1 year of updates.

    Android devices are indeed a lot cheaper than those from Apple but not updating them is IMHO a cheapskate move.

    1. Dave 126 Silver badge

      Re: No word on the possible impact on Apple?

      See Project Treble, which Google mandated be on all phones that shipped with Android Pie. It is a more modular Android, making updates much easier for OEMs to roll out, potentially removing the need for OEMs to do much at all.

      Google did learn from the historical issues with Android that led to a reliance on OEMs. Chromebooks, for example, can be updated on the fly by Google without any ODM input.

    2. Anonymous Coward
      Anonymous Coward

      Re: No word on the possible impact on Apple?

      Apple have not used QC chips for a few years so more recent devices should be safe enough from this vuln, plus we don't know how the BSD driver differs from the Linux one. It'd be nice if Apple came out and said something about it but as the articles are all around Android and not Apple it is a fair bet that they are not vulnerable.

    3. Cavehomme_ Bronze badge

      Re: No word on the possible impact on Apple?

      Apple have no major issues in pushing out patches, unlike Google, so even if they are affected it should be quickly mitigated, perhaps already considering that it's fixed by QC.

    4. DougS Silver badge

      Re: No word on the possible impact on Apple?

      Apple uses Broadcom for its wifi, not Qualcomm, so it isn't vulnerable to this particular issue.

  3. Barrie Shepherd

    "Thus, it is possible for a miscreant to join a nearby wireless network, seek out a vulnerable.................."

    All this talk of miscreants - the cynic in me thinks more likely five eyes would be making more use of this than some low life thinking they can run some scam.

    I wonder if Qualcomm let the NSA / FBI / CIA know of this 'vulnerability' some years ago.

    1. Julz Bronze badge

      I like the way your thinking there.

    2. DougS Silver badge

      If the NSA has some 'plants' on Qualcomm's staff, surely they are capable of coming up with something a lot more clever and difficult to find than a buffer overflow.

      Never attribute to malice what can easily be explained by incompetence. Why be suspicious of just THIS bug, and not the hundreds of other stupid buffer overflows that get CVE advisories across the whole spectrum from smartphones to Windows Server?

    3. Lord Elpuss Silver badge

      ”All this talk of miscreants - the cynic in me thinks more likely five eyes would be making more use of this than some low life thinking they can run some scam.“

      Five Eyes fits the definition of miscreant in my book.

  4. _LC_ Bronze badge
    Holmes

    Keep in mind

    Keep in mind that they are still hammering on Huawei. All the while, Cisco and Qualcomm keep their "open door" policy.

  5. vtcodger Silver badge

    The bad news

    Now for the bad news. When exactly these fixes will filter down to actual Android users is not clear

    What's unclear? Many, maybe most, of the vulnerable devices won't be fixed -- ever.

    Let me add that if the number of major flaws potentially affecting security is -- at it appears to be -- very large (I'm thinking maybe 10**8 or so potential CVEs ... and growing daily), patching our way to security is simply unworkable. It won't/can't happen.

    Likewise, expecting manufacturers to always deliver secure code and hardware is expecting the impossible. Probably they could do better, but it's far from clear they can do well enough -- even if they actually try -- to make much difference.

    What's the answer?

    My personal (inadequate) answer is to not own a smart phone, not use on-line banking, avoid PayPal and other digital dens of thieves as much as possible, and to back up my PC every other day. But I'm still exposed to security blunders by merchants, conventional banks, credit card companies, utilities, etc,etc,etc that have a real need for data about me.

    Collectively, I think the answer might be something along the line of rethinking this "everything should be connected" idea. Maybe much less should be connected and what is connected ought to be subject to some rules based on a serious concern for security and user safety. I'm not sure that's enough, but it might be a start.

    1. Tom Paine Silver badge
      Boffin

      Re: The bad news

      10**8 or so potential CVEs ... and growing daily

      Last time I looked there were still fewer than 20,000 CVEs allocated per year. At that rate it would take 100,000,000 / 20,000 == 5000 years to accumulate 100m CVEs.

      HAND.

      1. vtcodger Silver badge

        Re: The bad news

        "5000 years to accumulate 100m CVEs."

        Yep. I'm suggesting that You, and everybody else are vastly underestimating the number of potential security issues in modern hardware and software. Not every bug can be exploited of course. But a lot -- maybe 2% or 3% of the total coding and design flaws -- can. And "flaws" includes things that don't look like problems at all until someone figures out how to use them as attack vectors. Heck, the patch mechanism itself can be (and has been) used as an attack vector -- and probably will be again.

        And keep in mind that if, as in this Android case, a security bug is present in dozens or hundreds of discrete products, it has to be patched and tested by dozens or hundreds different entities, then installed by thousands or tens or hundreds of thousands of entities. How likely is that to actually happen?

        What I'm suggesting is that information security in a highly connected world is very likely Y2K on steroids and nowhere near as easy to fix.

        Think about it for a while. Unlike climate change, specious immigration crises, flesh eating bacteria and other media favorites. Information security just seems to get more frightening the more one thinks about it. For example, point your favorite search engine at the term "data breaches". It's clear that everyone has their own numbers and some of the apparent increases in data breaches are surely due to better reporting. But it certainly seems that the rates of data compromise are increasing substantially over time. And that's just one aspect -- probably not even the most critical aspect -- of information security.

    2. pig

      Re: The bad news

      "What's unclear? Many, maybe most, of the vulnerable devices won't be fixed -- ever."

      Yeah, but it is also clear most handsets wont also be pwned, and most users wont care or know either way.

      I know us lot like to think that everyone should be super security savvy and fully alert about their data, but most people just don't care - unless it has an explicit and noticeable effect upon them.

      Certainly, I don't think your solution is the right one. Shutting yourself off from the world is not the answer, and neither is overplaying the threat.

      Are the risks of someone getting some/all of your data proportional to your actions?

      I don't think so personally. But hey, each to their own.

      1. vtcodger Silver badge

        Re: The bad news

        "I don't think so personally. But hey, each to their own."

        Let's hope you're right. But, let me suggest that you think about the issue from time to time. And remember that the issues include not only information security, but securing infrastructure, ballot security (why would any sane person connect a voting machine to the internet?) and a host of other things.

        I don't think Plan A is working or is likely to work. I'm not wild about my Plan B, but it's possibly doable. What's YOUR Plan B?

        1. amanfromMars 1 Silver badge

          Really Bad Sad Rad Mad Fad News

          ballot security (why would any sane person connect a voting machine to the internet?) .... vtcodger

          No sane person does, vtcodger, therefore ....?

      2. Anonymous Coward
        Anonymous Coward

        Re: The bad news

        A compromised phone means your identity can be stolen. Probably without your knowledge - until the fines / debt collectors / cops arrive at your door.

        Most people assume it can never happen to them. They are wrong.

    3. DougS Silver badge

      The worse news

      Is that since the driver is open source, it is easy for miscreants to compare what has changed and immediately develop an exploit. This seems tailor made for attacking people in airports, cafes and other places with public wifi. Since it is driver level it would allow capturing wifi traffic before it is encrypted, so to prevent snooping the traffic would need to already be encrypted (i.e. SSL, VPN etc.)

      It seems to be limited to wifi/cellular p0wning, so is really more of a targeted attack thing as a general "p0wn whoever is out there" but if it were paired with another exploit that leveraged that control to give it full control over the phone then it becomes a general untargeted exploit.

      1. whitepines Silver badge

        Re: The worse news

        Your average criminal couldn't care less about having source or not. Tools to analyze binaries to see what changed have been available for a very long time, they're just illegal to use on proprietary software. Not like that'll stop the criminals though.

        All your implied suggestion would do is make it so that *only* the criminals know about the bug, and no one else can patch their systems. Great idea, that!

        1. DougS Silver badge

          Re: The worse news

          I wasn't suggesting closed source, I was saying that with open source the universe of people who can construct an exploit is MUCH larger, and open to the more "casual" criminal.

          The problem in this case is that people are getting the source before patches are even released (not even to Pixel yet I don't think?) so they can construct exploits before even those who get their patches quickly have a shot at fixing it.

  6. MacroRodent Silver badge

    Same old

    The theme in all of these seems to be the same: insufficient validation of data coming from an untrusted source (network, or in the case of kernel, from a user-mode process).

    In most cases it would to be possible to automatically generate validation code, given a specification of what data is acceptable. This is really nothing new. It just would require more discipline and attention to correctness than what is the current industry practice.

    1. Dave 126 Silver badge

      Re: Same old

      Formally Verified Code has been around as a concept since the 1970s, but it is only recently that people are looking at using it.

      It is very hard to do, apparently, but the cost of not doing so ( in this world of internet banking, computer controlled cars and drones etc) is making people look at it again. Tools are being developed to make it easier, bit it remains difficult.

      https://www.quantamagazine.org/formal-verification-creates-hacker-proof-code-20160920/

      1. vtcodger Silver badge

        Re: Same old

        "It (formally verified code) is very hard to do."

        It is indeed VERY hard to do. On the positive side, even a failed attempt is likely to be a lot higher quality than typical code. The downsides: It's expensive and quite possibly impractical to do except perhaps for some mission critical components. And it likely won't get you to market very quickly. The management isn't going to like that.

        Then there's the issue of how you know the "rigorous" specification is bug free. If it is, why not write a compiler and compile the specification?

        Nonetheless, it's possibly the best idea currently available for potentially producing "error-free" code. So long as we all understand the "error-free" doesn't always and inevitably mean that it will do what you need it to do.

        BTW Formal Specification was what Edsger Dijkstra was working on when he wrote his "GOTO considered harmful" letter. I think his point -- which I think hardly anyone really understood at the time -- was that practices like jumping in and out of code sequences based on flags was not only likely to add bugs, but was going to make an already extremely difficult verification process much harder.

        https://xkcd.com/292/

      2. NetBlackOps

        Re: Same old

        I've only been doing formal verification since 1985 and, yes, it's difficult. On the other hand, when it comes time to commit the code, it pays off in spades as well as in testing. The latter is still done to guard against compiler,, OS and hardware defects.

  7. Anonymous Coward
    Anonymous Coward

    What can a user do ? Use multiple devices ?

    Used to be the case that for reliability, safety and security, critical systems were triplicated across hardware and software. The underlying premise being that no single flaw would exist in all 3 instances.

    Maybe a really paranoid smartphone user should have a selection of handsets for the same reason ?

    Not convenient, of course. But we know that we trade convenience for security, don't we ?

    1. tiggity Silver badge

      Re: What can a user do ? Use multiple devices ?

      Lots of people have multiple devices e.g. "work" phone and "personal" phone (typically with different SIMs)

      Employer has number of your "work" phone which you have turned on when not in the office or when on call. i.e. you control when that number is available based on work needs (similarly if self employed, customers have this phone number)

      Your "personal" phone number NOT given to employer, but is used by friends and family to contact you.

      1. Tom Paine Silver badge
        Stop

        Re: What can a user do ? Use multiple devices ?

        Er, nope.

        BYOD is taking over as the default for organisations who realise they don't need to procure, issue, track, maintain and recover very expensive smartphones to their staff when the staff mostly already have very expensive smartphones in their pockets.

        1. Dave 126 Silver badge

          Re: What can a user do ? Use multiple devices ?

          And phone vendors such as Samsung and Apple are supporting BYOD devices, with features around partitioning data, giving company admins ability remote wipe those work related partitions, etc.

      2. Dave 126 Silver badge

        Re: What can a user do ? Use multiple devices ?

        The triplication system requires a polling system - i.e if Phone C returns a different answer to the other two, you can hazard a guess that C is wrong and A and B are okay.

        If you simply have three different phones, say iOS running on Apple and Intel hardware, Android running on Qualcomm, and BBOS running on Broadcom, then you run the risk of giving an attacker more attack vectors if each phone has access to your email or banking services.

        Of course you could have multiple phones, each one only turned on for a specific use. It wouldn't be impractical to have your main bank account tied to one phone, which you keep at home in a safe. Your out and about phone would have access to your secondary back account, which would only contain enough funds for each day - limiting how much a miscreant could take.

        1. Loyal Commenter Silver badge

          Re: What can a user do ? Use multiple devices ?

          The triplication system requires a polling system - i.e if Phone C returns a different answer to the other two, you can hazard a guess that C is wrong and A and B are okay.

          See also: Minority Report (the short-story, not the awful film).

          Yup, Philip K Dick beat you to it by about 60 years...

    2. vtcodger Silver badge

      Re: What can a user do ? Use multiple devices ?

      Maybe a really paranoid smartphone user should have a selection of handsets for the same reason ?

      Epoxy should handle the problem of too many physical units. But the user may need bigger pockets to hold the resulting "device". ... or a good sized purse.

      And the chargers ... My God -- the cords ... All those cords ...

    3. Claptrap314 Silver badge

      Re: What can a user do ? Use multiple devices ?

      People look at me funny when I tell them I don't have a "smart" phone.

      1. Anonymous Coward
        Anonymous Coward

        Re: What can a user do ? Use multiple devices ?

        I suspect they'd probably look at you funny even if you didn't have a phone.

        ;)

      2. NetBlackOps

        Re: What can a user do ? Use multiple devices ?

        Same here. Told the bank teller, " no, I don't have a personal surveillance device. " Got a confused look on her face.

    4. DougS Silver badge

      Samsung "sorta" provides this

      They sell some phones with their own Exynos SoC, not Qualcomm's, so it wouldn't be vulnerable to this. The problem is that those phones don't support US cellular very well, but it may be an option for some in Europe - you'd have to check the specs to see what LTE etc. bands it supports.

      Of course, that doesn't guarantee that a similar or worse vulnerability isn't found in Exynos tomorrow, but at least the odds of a quick fix for it are higher.

      1. Anonymous Coward
        Anonymous Coward

        Re: Samsung "sorta" provides this

        Samsung in my experience are not interested in patches for anything they have already had the money for.

        I bought loads of their products before I became aware that they are another android walk away company, surpising me after what they charged.

        As to google's responsibility, I personally would say that whilst they continue to make money from hardware using android then yes they should be maintaining the OS and firmware too.

  8. phuzz Silver badge

    LineageOS

    I can't see anything public about the Lineage OS team patching this, but if you're on a supported device, they should be on this pretty quickly.

    Possibly it's already quietly been patched, but I don't feel like trawling through changelogs for months to find out.

    1. Anonymous Coward
      Anonymous Coward

      Re: LineageOS

      That's only relevant if Lineage for your particular device is updated.

      For many, it won't be.

      1. phuzz Silver badge

        Re: LineageOS

        If you want an Android phone that's updated on the regular, your choices are between spending shed-loads on a Google phone, and getting a new one every two years after the hold one is dropped, or picking a phone that gets regular Lineage updates. AFAIK no manufacturer can be trusted to keep up updates for more than a year or so.

  9. osmarks

    I'm fairly sure that that list includes my phone's SoC. But given that it's somewhat old I'll probably never actually get an update patching this. How wonderful.

  10. amanfromMars 1 Silver badge

    Breaking News ...... Almighty Forces Work, Rest and Play

    Black Hat It is possible to thoroughly hijack a nearby vulnerable Qualcomm-based Android phone, tablet, or similar gadget, via Wi-Fi, we learned on Monday. This likely affects millions of Android devices.

    It is possible to thoroughly hijack all vulnerable Qualcomm-based Android phone, tablet, or similar gadget users, via Wi-Fi. Being nearby is convenient for further practical experimentation with existentialism. With Lives Led and Revealed by SMARTR IntelAIgent Machines Feeding and Seeding Immaculate Source ..... for Core Ore Mining and EMPowering Enrichment Processing.

    Or do you think that is a government or stealthy collective program for Future Operations? They sure kept that quiet. Do you think they realised the impact such information and intelligence does have in minds not yet able to be commanded and controlled?

    cc Black Hat

  11. A random security guy

    Secure code enforcement issues

    Remember: if we don't fix these issues the government will step in. In this case I think this may not be a bad thing.

    What I have seen while working with large organizations, especially SoC vendors:

    1. Code is considered a money pit.

    2. Getting the code out in time is more important than quality.

    3. Huge sections of code are zealously guarded. Try getting access to BRC WiFi code for their WiFi chips.

    4. A flawed view of Performance trumps integer overflow/underflow, null pointer checks, buffer size checks, return value checks. A good CPU can perform these checks with no measurable impact on performance but ...

    5. Static code analysis is generally turned off, especially for kernel and driver level code because software engineers get too many warnings (go figure). In one cellular modem company they turned off Klockwork static code analysis as it was giving too many warnings. In another they would not use it as people were UPSET that their code was being flagged. So it was turned off.

    What Google can do is easier said than done:

    1. Require all drivers go to through third-party code inspection (Samsung and others may not trust Google).

    2. Require all driver vendors to submit static code analysis and other code inspection summaries

    3. Provide a timeline for delivering fixes to Google.

    4. Go public with the issues if the code is not fixed according to schedule.

    5. The cell-phone manufacturers deliver a plan to deliver the fixes on time

    6. Stick to the plan.

    Then do the same for other critical code.

    Problems? Asking Samsung, Qualcomm, and others to do anything is difficult (as in the Japanese way of saying something is difficult). Samsung, after all is the biggest company in S. Korea.

    1. Anonymous Coward
      Anonymous Coward

      Re: Secure code enforcement issues

      The gubmint won't be fixing anything.

      They may fine some companies in an attempt to be seen to be doing "something" but every year the number of compromised devices will increase.

  12. JLV Silver badge
    Black Helicopters

    On their own phones, how does Google’s 3 yr from first sale updates countdown play into this?

    Do they provide security patches past that?

  13. Anonymous Coward
    Anonymous Coward

    Ouch.

    I have to admit, the first thing I thought was "smells like one of those state actor mandated backdoors".

  14. Anonymous Coward
    Anonymous Coward

    My phone says it is all updated - with Dec 2018 security patch

  15. DrBed
    Thumb Up

    Android One is *the* solution.

    I've got Android One (aka stock version) at my Xiaomi Mi A2 Lite (same hw as Redmi 6 Pro, but not MIUI); it came with Oreo (Android 8.1), now it is upgraded to Pie (Android 9) for some time. Patches and upgrades are coming regularly, almost monthly. Last one is security patch of July 1st. Awaiting this new one, I suppose it will be in a week or two.

    https://en.wikipedia.org/wiki/Android_One

  16. Anonymous Coward
    Anonymous Coward

    Android Pie

    On a Samsung Exynos 8895 powered S8. (SM-G950F)

    Don't think there's any Snapdragon in there. Even so - I noticed manufacturers (especially on Pie) are rolling out regular security patches. Mine seem to be monthly at present - and that's over Tesco network in the UK.

    Hopefully these 2 CVE's will be patched soon and pushed out.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019