Android Security

Old Qualcomm Vulnerability Exposes Android User Data (securityweek.com) 18

Reader wiredmikey writes: Researchers from FireEye have disclosed the details of a serious information disclosure vulnerability affecting a Qualcomm software package found in hundreds of Android device models (Editor's note: the link could have pop-up ads, here's an alternate source). The vulnerability is in the Qualcomm tethering controller (CVE-2016-2060) and could allow a malicious application to access user information. While the flaw could expose millions of Android devices, the vulnerability has limited impact on devices running Android 4.4 and later, which include significant security enhancements, and also does not affect Nexus devices. FireEye said its researchers informed Qualcomm about the vulnerability in January and the vendor developed a fix by early March and started reaching out to OEMs to let them know about the issue. Now it's up to the device manufacturers to push out the patch to customers. FireEye said: "The OEMs will now need to provide updates for their devices; however, many devices will likely never be patched."
This discussion has been archived. No new comments can be posted.

  • by TheGratefulNet ( 143330 ) on Thursday May 05, 2016 @10:01AM (#52052623)

    Now it's up to the device manufacturers to push out the patch to customers.

    you KNOW that, for the most part, never happens. androids are mostly abandoned after the first year of being on the market. vendors have no reason to care and they don't! they leave us all exposed to the continual android bugs and the ONLY recourse is to root and install a new os or just give in and re-re-re-buy your phone all over again, trading one bug for another.

    google is 100% at fault for not seeing this and not stopping it. it's a wild wild west in android land and I fucking hate how bad it is. 'just buy a nexus!'. fuck you! google abandons things too; I have a nexus one that I thought would get support but it had showstopper bugs that were there from day-1 and NEVER got fixed (screen calibration would stop every day; google never cared, etc etc).

    there are so many reasons to hate google, but how they mishandled the whole android and carrier/vendor thing was one of the worst things they've ever done. and the whole architecture of android prohibits piecemeal upgrades. I can't just apt-get update and upgrade. I can't install JUST an ip stack fix or JUST a kernel fix. I have to upgrade a whole monolithic image and that's just SO STUPID it's beyond belief. linux was not that way and you had to do WORK to fuck up linux that badly. they removed the ability to do user level patching and upgrades and to make things worse, most vendors try their best to STOP users from even TRYING to upgrade their own phones.

    people ask me why I don't do phone programming, since I write C code and stuff for a living. my hatred of the whole phone scene is why; it's a complete disgrace and I want no part of it. let the 20 somethings mess around with this and that phone; I have no time or patience to keep up with all that crap since it's such a moving target.

    I really do wish 'phones' were not like they were today, but the market is ruined and I see no way around it since the carriers and vendors are so used to calling all the shots. they'll never give control back to users. it won't happen and so phones will always suck and never be YOUR computer.

    • It's pretty bad, but Google is patching essential services when it updates 'Google Play Services' in a way that most carriers would have balked at just a year or two ago.

      The carriers suck, the forcing of signed bootloaders sucks, the update process sucks, the arrangement with MVNO's sucks, and all of it reduces overall security and functionality. Carrier profit is the primary factor that went into all of this. Yet this is exactly what is expected from such a heavily-regulated and regulatory-captured market, s

      • by Karlt1 ( 231423 )

        Yet this is exactly what is expected from such a heavily-regulated and regulatory-captured market, so let's not try to act all surprised and outraged.

        This is completely Google's fault for setting up Android this way. Apple doesn't have to wait on carriers to update the OS.

        But if you want a better comparison, I didn't have to receive Dell's blessing (the manufacturer) or the store I bought the Dell from to update my OS and get patches from Microsoft. I was able to install Windows 7 on my Core Duo Mac Mini (

    • by Rexdude ( 747457 )

      the whole architecture of android prohibits piecemeal upgrades. I can't just apt-get update and upgrade. I can't install JUST an ip stack fix or JUST a kernel fix. I have to upgrade a whole monolithic image and that's just SO STUPID it's beyond belief. linux was not that way and you had to do WORK to fuck up linux that badly.

      Nokia had their own full strength Linux OS for mobile - Maemo [wikipedia.org], which later was merged with Intel's similar venture and renamed Meego [wikipedia.org]. It was a regular Linux distro for ARM and had Nokia

  • Is it just me, or does it seem like barely a week goes by that there isn't yet ANOTHER vulnerability affecting Android?

    Seriously, why is that? What happened to the oft-touted Open Source advantage of "many eyes"?

    I am honestly NOT Trolling here; but it does seem that most, if not all, of these vulnerabilities should be long-since discovered (and hopefully eradicated), rather than the steady drip, drip, drip of "another longstanding vulnerability discovered" many months or even years after the fact.

    • It is just you. That statement is quite an exaggeration. Just as most of the "vulnerabilities" that are found are. Companies like FireEye and Zimperium exist for situations just like this. They have a team of people scouring available source code looking for any little flaw and then when they find something like this they send out press releases and hype it up as the next big doom and gloom phone destroyer so that people will buy their security app. But, when looking into the details you find that this

  • I did not see any mention in the article (I went to the ZDnet one) for how to identify if my devices are compromised and would greatly appreciate any assistance from the lazyweb in methodology for determination.
