Most active commenters

    ←back to thread

    Remotely Compromising Android and iOS via a bug in Broadcom's WI-FI Chipsets

    (blog.exodusintel.com)
    387 points pedro84 | 15 comments | 26 Jul 17 19:51 UTC | HN request time: 0.32s | source | bottom
    Show context
    shock ◴[26 Jul 17 20:14 UTC] No.14859838[source]
    This is kind of scary :(. How does one ensure that they aren't vulnerable to this bug?
    replies(7): >>14859911 #>>14859922 #>>14859950 #>>14860039 #>>14860460 #>>14860969 #>>14861222 #
    1. ben1040 ◴[26 Jul 17 20:33 UTC] No.14860039[source]
    If your Android OEM has pushed the July 2017 security update to your device, you're patched.

    https://source.android.com/security/bulletin/2017-07-01#broa...

    replies(1): >>14860094 #
    2. yodon ◴[26 Jul 17 20:38 UTC] No.14860094[source]
    Out of curiosity, what fraction of Android OEMs push these security updates promptly (or equivalently what fraction of Android phones receive these kind of updates regularly)?
    replies(2): >>14860468 #>>14860479 #
    3. ben1040 ◴[26 Jul 17 21:18 UTC] No.14860468[source]
    This page has a table of OEMs/devices that, as of the end of May, were fewer than 60 days behind on patches.

    https://android-developers.googleblog.com/2017/06/2017-andro...

    To me, the takeaway from this is that unless you are using a "flagship" device, or one sold directly by Google, you're probably not getting updates in a timely manner.

    replies(3): >>14860737 #>>14861434 #>>14861849 #
    4. mjevans ◴[26 Jul 17 21:20 UTC] No.14860479[source]
    The supported Pixel and Nexus phone lines get things quickly.

    There isn't any third party customization to re-validate.

    5. thrownblown ◴[26 Jul 17 21:57 UTC] No.14860737{3}[source]
    Manufacturer: Device(S)

    BlackBerry: PRIV

    Fujitsu: F-01J

    General Mobile: GM5 Plus d, GM5 Plus, General Mobile 4G Dual,

    General Mobile 4G

    Gionee A1

    Google: Pixel XL, Pixel, Nexus 6P, Nexus 6, Nexus 5X, Nexus 9

    LGE: LG G6, V20, Stylo 2 V, GPAD 7.0 LTE

    Motorola: Moto Z, Moto Z Droid

    Oppo: CPH1613, CPH1605

    Samsung: Galaxy S8+, Galaxy S8, Galaxy S7, Galaxy S7 Edge, Galaxy S7 Active, Galaxy S6 Active, Galaxy S5 Dual SIM, Galaxy C9 Pro, Galaxy C7, Galaxy J7, Galaxy On7 Pro, Galaxy J2, Galaxy A8, Galaxy Tab S2 9.7

    Sharp: Android One S1, 507SH

    Sony: Xperia XA1, Xperia X

    Vivo: Vivo 1609, Vivo 1601, Vivo Y55

    replies(1): >>14861922 #
    6. JepZ ◴[26 Jul 17 23:49 UTC] No.14861434{3}[source]
    And yet another time we learn why it is better to use Lineage OS. Five year old Samsung S3:

      Android: Version 7.1.2
  Security Patch Level: 5th July 2017
    replies(5): >>14861794 #>>14861921 #>>14862149 #>>14862780 #>>14867992 #
    7. ◴[27 Jul 17 01:02 UTC] No.14861794{4}[source]
    8. zerocrates ◴[27 Jul 17 01:11 UTC] No.14861849{3}[source]
    My TV came with no on-screen menus but a tablet you use to interact with most features and settings: it's on the June... 2016 patch set. It was over half of year out of date before I took it out of the box.
    9. contingencies ◴[27 Jul 17 01:25 UTC] No.14861921{4}[source]
    My phone screen was eaten alive by fungi last week, so I had a look at the field to pick a new device. Discovered Lineage OS, super keen. Unfortunately, its device support is crap.
    10. feikname ◴[27 Jul 17 01:25 UTC] No.14861922{4}[source]
    Just a disclaimer, this isn't the complete list of devices that received the July 2017 update. I, for one, received it for my Moto G4 Play in Brazil.

    This list shows the models with a MAJORITY OF DEPLOYED DEVICES running a security update from the last two months.

    replies(2): >>14862024 #>>14862025 #
    11. thrownblown ◴[27 Jul 17 01:50 UTC] No.14862024{5}[source]
    Yeah I just cut and pasted from the link above
    12. nosajm ◴[27 Jul 17 02:13 UTC] No.14862149{4}[source]
    My five-year-old Samsung S3 for Verizon stopped receiving updates less than 2 years after its release. The bootloader is locked tight, so I am unable to install any custom ROMs such as Lineage OS.
    13. ams6110 ◴[27 Jul 17 04:46 UTC] No.14862780{4}[source]
    Guess I'll have to look at upgrading my diehard old Moto G. It's still on Android 5.1.1.

    Meanwhile I guess disabling WiFi is a mitigation?

    replies(1): >>14887714 #
    14. ihattendorf ◴[27 Jul 17 18:20 UTC] No.14867992{4}[source]
    Note that not all vulnerabilities are/can be patched by LineageOS, regardless of what the security patch level claims. Your device maintainer needs to actively merge patches into the kernel/device (see [0], note that this list relies on maintainers to update it). In addition, binary blob firmware needs to be patched by the manufacturer (e.g. Broadcom wi-fi exploits), which won't happen for devices that are out of support.

    [0] https://cve.lineageos.org/kernels

    15. kbenson ◴[30 Jul 17 20:44 UTC] No.14887714{5}[source]
    > Meanwhile I guess disabling WiFi is a mitigation?

    That's a good question. If it's disabled in firmware and not actually powered down, it might still be susceptible.