Millions of Android Devices Are Vulnerable Right Out of the Box (wired.com) 67
Security meltdowns on your smartphone are often self-inflicted: You clicked the wrong link, or installed the wrong app. But for millions of Android devices, the vulnerabilities have been baked in ahead of time, deep in the firmware, just waiting to be exploited. Who put them there? Some combination of the manufacturer that made it, and the carrier that sold it to you. From a report: That's the key finding of new analysis from mobile security firm Kryptowire, which details troubling bugs preloaded into 10 devices sold across the major US carriers. Kryptowire CEO Angelos Stavrou and director of research Ryan Johnson will present their research, funded by the Department of Homeland Security, at the Black Hat security conference Friday. The potential outcomes of the vulnerabilities range in severity, from being able to lock someone out of their device to gaining surreptitious access to its microphone and other functions. They all share one common trait, though: They didn't have to be there. [...] "The problem is not going to go away, because a lot of the people in the supply chain want to be able to add their own applications, customize, add their own code. That increases the attack surface, and increases the probability of software error," Stavrou says. "They're exposing the end user to exploits that the end user is not able to respond to." Security researchers found 38 different vulnerabilities that can allow for spying and factory resets loaded onto 25 Android phones. That includes devices from Asus, ZTE, LG and the Essential Phone, which are distributed by carriers like Verizon or AT&T.
samsung and others can post roms so not carrier (Score:2)
samsung and others can post roms so you do not need to wait for the carrier rom to be updated.
Re: (Score:2)
samsung and others can post roms so you do not need to wait for the carrier rom to be updated.
They can, but the deals they make with carriers include locking the bootloader so you can't install those roms. That's why you have to buy unlocked phones. Some carriers will eventually unlock devices for you, for example after spending some particular amount on airtime for non-contract phones, or after some number of months for contract phones. But it's better to have no lock from the beginning, obviously.
Not surprising (Score:4)
Re: Not surprising (Score:5, Insightful)
Not only is it crapware it is uninstallable crapware. Let me uninstall samsung mail , calendar I don't use it anyway.
Fine lock me into TouchWiz z but let me uninstall apps I don't actually use.
Bewteen Samsung and att I have 30 unstallable apps
Apps, not settings, or keyboards that I replaced just apps
Re: (Score:2)
Re: Not surprising (Score:4, Insightful)
So name the half decent device that isn't loaded with crapware they should have bought instead?
Too often voting with your wallet is like voting in the old Soviet Union, you can choose any member of the Communist party you want.
Re: (Score:3)
So name the half decent device that isn't loaded with crapware they should have bought instead?
Too often voting with your wallet is like voting in the old Soviet Union, you can choose any member of the Communist party you want.
Easy.
iPhone.
And unlike Android, which only lets you HIDE certain Apps (which you can also do with iOS), you can actually DELETE (as in G-O-N-E GONE!) nearly All preloaded Apps (which will also NOT be any "Carrier" Apps; since Apple doesn't allow that horeshit!) :
https://9to5mac.com/2017/07/17... [9to5mac.com]
Re: Not surprising (Score:1)
Wake me up when you can delete iOS and install Android on it.
Re: (Score:2)
Wake me up when you can delete iOS and install Android on it.
Hardly an "App", now is it?
Re: (Score:2)
Of course, but iOS is locked-down. If you value freedom you have to switch.
Re: (Score:2)
Of course, but iOS is locked-down. If you value freedom you have to switch.
I value my freedom. It is YOU that wants to LIMIT my freedom to CHOOSE.
Re: (Score:2)
I don't. You are indeed free to chose between a locked-down OS and one giving you more freedom.
Some people don't really want freedom and are perfectly happy in jail as long as their cell is comfortable enough. They call it the "walled garden".
Re: (Score:2)
I don't. You are indeed free to chose between a locked-down OS and one giving you more freedom.
Some people don't really want freedom and are perfectly happy in jail as long as their cell is comfortable enough. They call it the "walled garden".
But unlike Jail, which almost NOBODY calls "home", people who have chosen iOS by and large do not refer to iOS as "Walled". This is NOT some cyber-variant of "Stockholm Syndrome" by the way; because, unlike the now-famous Stockholm Hostages, NOBODY is PREVENTING iOS Users from "leaving"; so by definition, there can be no Hostage-Kidnapper relationship under which to form Stockholm Syndrome.
Re: (Score:2)
That's a characteristic of walled gardens. People living in them rarely refer to them as such. Many are not even aware there is a world outside the wall. There is a reason it's a wall and not a fence.
Some others also think they can leave the garden if they want. Yeah sure. You can leave the garden, and lose all your purchased apps, accessories, iMessage, AppleTV, Apple Watch, Apple Music and other iStuff that will either stop working or lose half of their functionality without your iPhone. So no, you are no
Re: (Score:2)
Re: (Score:2)
Honestly I prefer crapware applications than crapware OS. You may not like Samsung's SMS application but at least you can install another one and use it by default. Also there are very good Android phones without crapware (Pixels and few others).
Re: (Score:2)
But I'm already voting against the walled garden with my wallet.
Re: (Score:2)
But I'm already voting against the walled garden with my wallet.
...and voting for no user privacy and constant malware.
Good choice!
Re: (Score:2)
So name the half decent device that isn't loaded with crapware they should have bought instead?
Too often voting with your wallet is like voting in the old Soviet Union, you can choose any member of the Communist party you want.
Google phone from Google FI
Re: (Score:2)
Any unlocked Moto phone. So far, anyway. Everything is removable, and you can unlock the bootloader, root, and blow away the OS install if that changes. So far, anyway :D
Re: (Score:1)
Thanks for playing... I suppose the upside is you mentioned a phone.
Re: (Score:1)
"Pro" reviewers these days are more concerned with the size of bezels above anything else.
Blah blah blah Security Fatigue (Score:2, Insightful)
Yes, let's just keep piling on these alarmist, security-as-a-religion articles. It will only hasten the coming of the post-security world.
Re: (Score:2)
Fuck off and die asshole. We do not worship the ground that Apple walks on. Hell, we don't worship the ground of any manufacturer. Again, fuck off and die fan boi(as in fagot).
Sounds like jealousy to me, eh?
Re: (Score:2)
Complaining about security updates for known vulnerabilities that aren't being installed or made available on many android phones is not the same as an alarmist security as a religion rant. It' not just security updates that you're missing out on it's also feature updates and there is no reason that you should need to purchase a new phone to get all the updates.
If the patch for a vulnerability is out and you didn't install it then don't expect any sympathy when you get exploited...
Re: (Score:2)
As an advanced Slashdot reader, I barely even read the fscking summary. I was just still annoyed from the earlier article about panic hacks.
That's what they get (Score:1)
Re: (Score:1)
The Morris Worm says hi.
Re: (Score:1)
Re: (Score:1)
Panick! Panick! It's Hack0rz! Panick! panick! (Score:1)
Well, no, just shoddy software and stupid excuses.
Like always.
Every Device Is (Score:2)
In the modern world there is effectively no chance that any device shipped will not ship with a vulnerability. This isn't a statement on software or hardware development merely that given the time it takes to ship goods and that we perpetually find issues across the entire stack of software and hardware having a device land in your hands without a day-0 patch (or perhaps the device will never be patched despite this) is never happen.
It wouldn't surprise me if carrier crapware is particularly poorly written
Millions of Devices Are Vulnerable Right Box (Score:1)
There fixed the headline for you.
Foreign governments? (Score:3)
If NSA "customizes" routers meant for foreign customers [theguardian.com], why wouldn't Chinese government seek to do something similar? Unlike NSA, they can flat-out order their own companies to do that, while doing something more subtle with the Korean and Taiwanese manufacturers...
And in the world of spying, if someone can, you can bet that they do...
Carrier branded phones are a big part of this (Score:2)
Gosh, the carrier-branded phones are the bane of today's computing. They come pre-loaded with dozens of non-deletable apps on top of what's installed by OEM. Their update cycle is ridiculously slow because the ROM updates must go through the carrier's customizing and testing. Normally, they're bootloader locked. As result, most of those are behind the unlocked OEM phones in security patch levels. Just say no.
Re: (Score:1)
Just buy a non-carrier branded Android.
US carrier branded devices (Score:1)
is the main problem that I see here. This seems a US specific problem, heavy carrier branding and consumers unwilling to buy carrier free devices. In the EU, where most devices don't have any branding, these problems are much less abundent. And on the 2nd hand carrier branded Sony Android device I bought to replace a defective one I could easily flash a neutral firmware.
Of course, after that I rooted it to remove some of the Sony crapware.
This is why we need competing app stores! (Score:2)
See! Manufacturers and carriers can totally be trusted to bake in their own app stores and browsers!
Re: (Score:2)
Apparently you don't know what cookies are or how to remove them. Thanks for playing!
No updates (Score:2)