I have never had an iOS device in my life, but these three paragraphs provide probably the most convincing reason to finally make the switch:
> A billion or more Android devices are vulnerable to hacks that can turn them into spying tools by exploiting more than 400 vulnerabilities in Qualcomm’s Snapdragon chip, researchers reported this week.
> The vulnerabilities can be exploited when a target downloads a video or other content that’s rendered by the chip. Targets can also be attacked by installing malicious apps that require no permissions at all.
> From there, attackers can monitor locations and listen to nearby audio in real time and exfiltrate photos and videos. Exploits also make it possible to render the phone completely unresponsive. Infections can be hidden from the operating system in a way that makes disinfecting difficult.
I like Apple's devices, but aren't they just as vulnerable to CPU bugs?
There's plenty of good reasons to use an iOS device (and some good reasons to avoid one), but I wouldn't think that CPU bug would be a particularly strong reason on either side.
and literally any 10 year old android phone can run not just the latest security patches but even the latest android. you are taking the iphone limitation of 'os must be from hardware manufacturer' and for some reason applying it to android phones.
my 10 year old motorola nexus is running android 10 - which is the current version. you install the new os on android by downloading an app, which installs the new os on reboot. it takes 15 minutes, and gramma can do it.
next you'll tell me mac laptops are better because you can't put windows 10 on your old hp laptop, because hp's system image for it only goes to windows 7.
Sure, installing the updates may be simple, but getting the OS installed in the first place is not quite as simple.
Also, many Android devices don’t even have unlockable bootloaders. This makes your first statement patently false. There is no way for me to install any updates to my abandoned Acer tablet as the bootloader is locked and the device is abandoned.
It may be true to say “many Android devices can be updated through community projects” but you’re glossing over a lot of complexity.
I rarely root devices but I have yet to own an Android device that couldn't (eventually) be rooted using a community tool. This is anecdotal, there must be exceptions, but in my experience "locked bootloader" just means it might be a while before someone finds an exploit.
This is pretty important when we're talking about a billion devices. The amount of people who do this is irrelevant and thus 99% or more of these users will be vulnerable until their phone stops working or the Facebook app no longer supports such an old version, forcing them to get a new one [assuming new Snapdragon chips fix the issue].
this is like saying to only buy mac laptops, because an os is hard to install on your laptop. I guess that's why the corporate world and other people don't run a bunch of linux. because it's a "community project." redhat and ubuntu are community projects. gotcha. they are. just like lineageos. supported by hundreds of paid developers and many huge companies.
installing an os on your phone is not simple. but it is harder than installing it on your laptop. and because installing it on a laptop is hard, people don't buy copies of windows and never have.
i am not glossing over complexity. but this is not complexity. anything apparently is complexity to you if it's not "buy small computer, and literally do nothing." yes, doing something is "complexity." opening a door requires keys. too complex.
us somewhat technical people, like this entire site and literally a third of the population, can follow xda directions. my gramma can watch a 15 minute youtube video and just click exactly what it says. the complexity is not complex.
as far as unlockable bootloaders, there are some. i can count on one hand, out of the hundreds of phones I can buy. if by many you mean 2%, sure. i guess that 2% means don't use 98% of phones. strange how apple is unlockable on 100% of their phones, yet that 2% is "worse."
When you play pretend with fake information, the only thing you are doing with the narrative is making yourself look like you're spreading narrative. this works for fox news watchers like yourself. not on a forum with a bunch of downvoting nerds.
If I asked 90% of folks on the street to “just format your hard drive and install a Linux ISO” I’m going to get blank stares or a million questions.
In addition, it’s not about community projects being inferior. I’m a big believer in FOSS, strive to run nothing but FOSS, and am an avid contributor and publisher of FOSS. It’s about support. And, for the record, Ubuntu and Redhat are corporate projects though they depend on and include many community projects and offer their products for free. Lineage is a community project.
Corporations do heavily use open source, but they also pay vendors for support. The average user also expects support from their vendor. Either their mobile provider or phone manufacturer. If they unlock and install LineageOS, they get none.
Your assumptions are way off base. First about the public’s likelihood to do what you’re recommending and second about me.
For the record, I’m one of the original members of TeamWin, helped write TWRP, have contributed to CyanogenMod. I’m not some uninformed schmuck. I definitely know how to flash a ROM.
if you asked your 90% what iOS was they couldn't answer you either, despite having an iphone in their pocket, so i don't see your point. and those people won't have a 4yo phone in the pocket either - it'll be refreshed every couple of years, and still under automated ota updates.
so again you're moving the goalpost. the claim of the op was old phones from apple are superior because they get vendor security patches, and android does not. which is factually false.
But most phones in the United States sold within the last decade had the bootloaders locked so you can’t install another rom even if you knew how to do it.
Is it USA thing or something more common? Seems like technical people around me change firmware with no problem. I only heard that some phones have limits, after which you can't reflash a firmware.
> When the bootloader is unlocked, the device loses certain DRM security keys. That means you can't purchase content from Sony's storefronts and a few licensed features won't work, but it apparently also means basic features of the phone are negatively affected. A Sony rep has confirmed that some advanced camera algorithms on the new generation of devices like the Z3 and Z3 Compact are protected by DRM. If you unlock the phone, those features stop working. Apparently that causes photos in low-light to be noisier and poorly balanced.
> This isn't the first time Sony's bootloader unlock has come with some major drawbacks—unlocking past devices could actually break camera functionality (this was technically a bug). There have always been a few proprietary features that stop working, but the difference in image quality this time is allegedly noticeable.
> Update: Sony has updated the text of the bootloader unlock warning on its website to be clear about the camera impact. It reads, "...the removal of DRM security keys may affect advanced camera functionality. For example, noise reduction algorithms might be removed, and performance when taking photos in low-light conditions might be affected."
go to lineageos, click on your phone. this'll get all your old phones the same type of android.
it's not what i do - i used a fairly weird build.
the generic steps for one way of doing it: download a recovery program, install it on the phone. pick the android rom you want from the recovery program. click install. it'll reboot your phone and install it. this is the way a gramma can do it.
i prefer hooking it up to my laptop with a usb cable and just typing the commands in the android shell. that is the way gramma cannot do it.
What a selfish way of looking at things. The site guidelines [1] exist for a reason, one of those reasons being that most HN users don't open the comments of an article about a few severe Qualcomm CVEs to read comments randomly laced with "orange man bad".
but they do open them, and see a comparison between trump voter delusions and apple fanboy delusions. making that comparison is not discussing politics. now if you want to pretend trumpers are smart people not made fun of on every corner of popular culture, my comparison would be invalid. this would however mean you yourself are delusional, making the comparison valid.
what we don't want to see is endless discussions about the discussion itself. because it's off-topic spam. if you want to discuss how we discuss things, open a separate post about it, and don't do it in a thread about phone cpus.
Google bricked my Android phone many years ago by deactivating the auth server used for logging into the phone with your Google account. The phone didn’t support Cyanogen so I literally just had to stop using it purely due to Google deciding it was time to kill it.
So don’t give me this nonsense that Android phones live forever.
hmm. google didn't brick mine. i don't have a google account, or any google services on my phone. that's like saying microsoft bricked your windows laptop, so don't buy laptops with linux or bsd.
cyanogen? there are a hundred other builds. google your phone model and custom rom.
they don't live forever but they do live over 10 years on the latest android. which beats apple and their security patches any day.
Google hasn’t bricked your phone (yet) and they bricked mine so you expect me to be excited? You said any old Android phone could run the newest stuff but it’s a lie. I can still use my original iPhone other than it being slow but I literally cannot use my HTC phone that Google deactivated the auth server for. There is no “update to the newest Android” because the hardware is “too old” for modern Android and they cut the phone off from upgrades. Which is fine, except they also cut off the DNS for the “login to Android” feature so it’s bricked. It would have been a great travel phone still as it had been for many years, but Google got greedy.
There was no cyanogen or other alternative supported. It’s not a matter of googling more. They didn’t support the phone model.
so pick a rom that's common and well supported and popular for your phone model. i'm guessing your experience includes zero reading about what rom is best for what phone, before you put it on. kinda like buying a 2 star rated tv on amazon.
oh look, i googled 'best custom rom for nexus 6' and every result has good roms.
In my personal experience, the sole reason for those updates is to cripple your hardware and battery life in order for you to upgrade to newer hardware.
In my experience, my iPhone 6 is perfectly usable, as is an old SE and 6S Plus. Batteries degrade, and after being replaced they work fine. And they’re still getting updates this year.
>Batteries degrade, and after being replaced they work fine.
If the batteries were user replaceable, it would have been a perfect story.
Sending the device back to the manufacturer (authorised service center) can be an inconvenience (data formatting, TOTP apps, etc.) at best and a security breach (malware install, device imaging, etc.) at worst.
Also, if indeed a user decides to replace the battery on their own, an iPhone is the least repairable phone out there and getting worse with every iteration.
I can second this. I’m hanging on to my SE for the form factor and it’s still going strong. My wife’s SE is nearing a battery replacement after what feels like half a decade of usage. I dread the day the SE will no longer be supported.
Guess you didn't read the articles explaining that reduced performance on phones with heavily amortised batteries is to be expected. And didn't read the testimonials of people who paid for a new battery and got their device working fast again.
The vast majority of security vulnerabilities and bugs that end users experience are fixed within the first few years of the device's shelf life. Security vulnerabilities tend to go unnoticed by most end users, and therefore don't really play a role in forcing users to upgrade.
Wouldn't it be nice though if users could choose to patch security vulnerabilities without installing updates that deliberately slow down the phone?
Do you have a citation supporting the claim that old bugs don’t affect users? That’s certainly not true in the Windows world.
Similarly, “updates that deliberately slow down the phone” sounds like a conspiracy theory. The closest we’ve come to that being real would have required a caveat “… when your battery has degraded to the point that the phone would otherwise crash”, which is an important distinction.
It's pretty hard to fine a company that has one of the world's largest legal departments €25m based on a conspiracy theory. And no, that caveat isn't even close to the truth. Apple states that they do it "once the battery begins to degrade", which is so ambiguous that it could even apply to brand new batteries, because all batteries begin to degrade upon their first usage. In my case, I had a 9 month old iPhone 6 that drastically slowed down due to the update. When the Apple store told me that it only slowed down phones with aging batteries, I asked them to replace the battery in my phone, which was still under warranty. They "tested" it and told me my battery life was perfectly fine. Fuck that... I have not and will not ever buy an Apple product ever again.
Funny you say that, 'cause Apple has had to pay a $53m fine precisely because those oh-so-friendly Apple store employees won't even go a normal mile in honoring their warranty, let alone an extra mile. https://arstechnica.com/gadgets/2013/04/apple-poised-to-pay-...
I like Android One devices and the complete freedom of choice they provide me, but the likelihood and the severity of CPU vulnerabilities seem to be much higher with Snapdragon chips.
Also, the security patches arrive much slower to Android than to iOS devices.
And I am especially concerned about ARM's TrustZone, which seems to be inferior to Apple's Secure Enclave.
Those are software bugs though, except the WLAN one. But Apple has had the same kind of WLAN firmware vulns.
The software vulns demonstrate serious failures of the Qualcomm product package of course, and this is only relevant from the POV of how the fixes can be deployed.
I'm sure there are, remember the Bezos hack? Wasn't it a video from Snapchat on an iPhone or something? But mostly the ones coming from Apple seem to be physical access only. You can assume, as with any personal computing device, once it's in someone else's hands, your data is as good as theirs.
Some make it more difficult than others. But 400 remote access vulnerabilities is a completely different ball game.
I’m not sure what your point was: that’s the same article Ars linked, with the same message and no additional information because, as the Ars writer noted, they’re withholding details until the vendors fix it.
No. He's saying that without the technical details, Ars is overblowing this issue. Maybe exploitation requires radio gear of $5k and being present next to the victim while their BLE is turned on. Without the details, you can't say if this is a big issue or just another overhyped Check Point research paper, as this company has a history of doing.
That doesn’t make any sense: he said to trust the researchers, but Check Point is saying nothing different. If the theory was the different one you’re offering, the advice would be not to trust the researchers.
The technical details are withheld for the time being until (presumably) systems are patched. The Ars article includes the CVEs, which is all the technical detail that's currently available.
There are currently so many vulnerabilities in Apple devices that their market value is rather low. Android exploits are currently worth more because they are harder to come by.
I've just read the Ars article and comments, but it's a bug in the DSP library called Hexagon that somehow allows you to screw with the libraries being used. Apple uses Hexagon too.
I continually see these comments that security in Android is crap or Apple is so much better. Right now I find it hard to pick the difference between the two. There is almost none in terms of blow me away "how the fuck can we stop continually doing this to ourselves" type exploits - like the drive by total takeover of iOS China was using to target Uighurs. That is as bad as it gets, and both Android and Apple have had their share.
There is a superficial difference in how tightly they curate their app stores. Obviously, iTunes is better policed, but hyper vigilant police always inject their own opinions into what is allowed and isn't. Some people are happy to forgo a little functionality for peace of mind. But since both iOS and Android provide a guaranteed-to-work (if there are no bloody bugs this week) [Uninstall] button, and both have been known to delete apps they've taken a disliking to without asking or informing you, security wise the outcome is pretty similar regardless of the app store policy.
Ah, so it's actually pretty simple to avoid this vulnerability: all I need to do is upgrade to an Android phone based on one of the several competitive Snapdragon alternatives that are bound to be widely available given the staggering size of the market.
The new Samsung Galaxy Note 20 Ultra ships with Exynos in the UK and EU but performance drops against the same phone running Snapdragon (shipped in the US).
So whilst the security might be better, we (tech geeks in EU/UK) don't want to pay the same price for a less performant phone sadly :/
I'm wondering why do people need the "performant phone". All the Android phones that I've had or seen in the last few years run the OS and apps with no issues. The amount of RAM might limit the multi-tasking, but otherwise I can't imagine a real-life use-case where I may want a "performant phone".
Can you maybe shed some light on this for me, please?
It starts to matter a lot with things like AR, video games etc. I work on an AR mobile product and the performance advantage for iOS is substantial. Outside of flagships, the performance of AR on android is pretty bad, while as far back as iPhone 8 you’re maintaining 60fps no problems. I haven’t tested older than that but I tend to believe the oft-quoted 5 year performance lead on the A series chips.
It has nothing to do with performance in all honesty for my own use case.
It has to do with being short-handed when comparing the "same" product in the US to the one I would receive here in the UK. I rarely update my phone so if I spend £1,000+ on a flagship, I expect a flagship especially when it's available elsewhere.
As far as I can tell, in the US market they're almost entirely confined to low-end models and non-phone devices (tablets/Chromebooks/smart TVs). Importing, as a practical matter, seems to mean no support/warranty, and it looks like most models intended for other regions don't have full support for the bands used by US networks.
MTK is open by default (no bootloader lock, easy unbrickable recovery), or at least that's what it was a few years ago when I bought one. Great for the modding scene, but probably not liked by the authoritarian-paranoid.
True, but the larger point is that the monoculture arguably makes the impact of any given vulnerability worse. Similar to how any given CDN/cloud provider probably has much better uptime than old-school web hosts, but now roughly half the Internet can be broken by one provider having an outage.
I'm pretty sure 'dang's referring to snark, which you called out in the comment he's responding to ("but being snarky is against the hn guidelines"), not sarcasm there. Though, I do think you're right that the community often reacts negatively to sarcasm. It usually doesn't add much substance to the conversation.
not clear from the writeup how many devices are affected. They fuzz-tested 'a DSP chip' (sounds like just one) and then say that Qualcomm products are used in 40% of devices.
press release focuses on exfiltrating media + GPS, not clear if this is a rootkit that can access the keyboard or take over your email.
'more than 400 vulnerable pieces of code were found' not clear to me -- maybe I don't know how fuzzing DSPs work? Do they have access to the source code because the image decoder is open source?
The qemu linux userspace implementation for hexagon is recently available and open source, yes. Not sure whether it would've been any harder to do fuzzing with the closed-source simulator that's been available for a long time. But the fuzzer doesn't need the libraries' source, it just makes it easier for the fuzzer if it has access to the source. And the availability of emulator or simulator code is probably independent of this too.
The 400 distinct bugs are the uniquely faulting instructions or paths uncovered by the fuzzer.
Honestly this "report" is similarly devoid of any substantive content despite being the original source. At some point they discuss the dictionary meaning of DSP.
Your best bet for any details is apparently this DEF CON presentation:
Thanks for the link, but the Ars report provides some additional context that I think is informative and useful, and is written in a more readable style than the Checkpoint press release.
If they isolate the memory that each part of the SoC can process, that means large amounts of data (for high definition video) have to be copied from one processor to another, so there's direct access. Then if the DSP's firmware has buffer overrun bugs, craft a suitable video and read/write whatever memory area you want to. (Not sure that this is what the bug is, but it's my guess).
Yes - that’s what iOS devices and modern computers do. The risks of allowing unrestricted DMA started to get publicized in the mid-2000s when FireWire was used to attack locked Macs. IOMMUs are pretty common now but the OS still has to enable them.
IOMMUs aren't the only way to get secure DMA, it's more common for small devices to have a double-ended device where the other end (OS vs. DSP in this case) needs to set up its own pointers itself. Doing it via page mapping is very heavyweight and used for performance reasons when you need both safety AND fast random access to large regions.
Yes - my main reaction was just that it was something of a surprise to see Qualcomm not using any of the common countermeasures for a class of attack which is not new and for which they’ve had problems in the past.
They likely do sandbox it to some extent. It's routine for these devices to have their own SRAM decoupled from main memory, and to have a hardware-managed window to get to OS-visible RAM. Often there's a DMA controller that does that instead, etc...
But all sandboxes can have holes. The phrasing in the article actually makes it sound more like this is a software bug in the firmware and not a hardware thing per se.
GPUs likewise have a somewhat cooked visibility to DRAM and some amount of mapping and hardware DMA intermediate interfaces. But sure, a similar GPU flaw could do the same thing.
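As an added illustration (not code from this thread, from Qualcomm, or from any real DSP firmware), here is a small C model of the "hardware-managed window" idea in the comments above: the OS grants the DSP one bounded region of OS-visible RAM, and every DMA descriptor the DSP submits is checked against that window before it can touch main memory. The window and the descriptors are constructed values; the check is written without computing `addr + len` so that a wrapped sum cannot slip past it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a single DMA window the OS has granted to the DSP.
 * In the comments' terms, this is the hardware-managed "window" onto
 * OS-visible RAM rather than full IOMMU page mapping. */
typedef struct {
    uint64_t base;     /* first bus address the DSP may touch */
    uint64_t len;      /* window size in bytes */
    bool     writable; /* may the DSP write into the window? */
} dma_window_t;

/* A DMA descriptor as the DSP side would submit it. */
typedef struct {
    uint64_t addr;  /* requested bus address */
    uint64_t len;   /* transfer length in bytes */
    bool     write; /* true = DSP writes into OS memory */
} dma_desc_t;

/* Returns true only if the whole transfer [addr, addr + len) lies inside
 * the window and the direction is permitted. All comparisons are done on
 * offsets and remaining room, never on addr + len, so an overlong length
 * that would wrap around 2^64 is rejected like any other overrun. */
bool dma_desc_allowed(const dma_window_t *w, const dma_desc_t *d) {
    if (d->len == 0) return false;          /* empty transfer: reject, nothing to do */
    if (d->addr < w->base) return false;    /* starts before the window */
    uint64_t off = d->addr - w->base;
    if (off >= w->len) return false;        /* starts at or past the window end */
    if (d->len > w->len - off) return false;/* runs past the window end */
    if (d->write && !w->writable) return false; /* read-only window */
    return true;
}

/* Window: a constructed 1 MiB read-only region, e.g. a video frame the
 * DSP is allowed to decode. The descriptors below are the cases a
 * reviewer would want the check to handle. */
static const dma_window_t frame_window = { 0x80000000ULL, 0x100000ULL, false };

static const dma_desc_t sample_descs[] = {
    { 0x80000000ULL, 4096,                   false }, /* first page: allowed */
    { 0x800FF000ULL, 4096,                   false }, /* last page, exact fit: allowed */
    { 0x800FF000ULL, 4097,                   false }, /* one byte past the end: rejected */
    { 0x7FFFFFFFULL, 1,                      false }, /* one byte before the start: rejected */
    { 0x80000000ULL, 0xFFFFFFFFFFFFFFFFULL,  false }, /* addr+len would wrap: rejected */
    { 0x80000000ULL, 16,                     true  }, /* write into read-only window: rejected */
    { 0xFFFFFFFFFFFFFFF0ULL, 32,             false }, /* far outside the window: rejected */
};

/* Count how many of the constructed descriptors the window check accepts. */
int count_allowed(void) {
    int n = sizeof sample_descs / sizeof sample_descs[0];
    int allowed = 0;
    for (int i = 0; i < n; i++) {
        bool ok = dma_desc_allowed(&frame_window, &sample_descs[i]);
        printf("desc %d addr=0x%016llx len=%llu write=%d -> %s\n", i,
               (unsigned long long)sample_descs[i].addr,
               (unsigned long long)sample_descs[i].len,
               sample_descs[i].write, ok ? "allowed" : "rejected");
        if (ok) allowed++;
    }
    return allowed;
}

int main(void) {
    printf("%d of %d descriptors allowed\n", count_allowed(),
           (int)(sizeof sample_descs / sizeof sample_descs[0]));
    return 0;
}
```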
If it's in the DSP it may not need to be an app that runs the exploit. Sounds like any malicious audio or video file could do it. Could be something delivered via a streaming site, email, audio embedded in a webpage, etc. This sounds like it could be a very big deal.
It's great that Qualcomm has a fix, but most of the susceptible devices will likely never get it in an update from their manufacturers. And I wonder if there will be a performance or battery life hit like the awful performance hit in the Intel chips. That one cost me a 30% hit on my servers and resulted in 6 figures of unplanned spending to replace that lost capacity.
The fix could also be nothing more than just disable the DSP, a specific functionality or in some other means limit it considerably (for example disabling or heavily restricting its DMA).
So a fix might not be a fix for all. If this bug is in some obscure codec or some extreme edge case that no one uses, the fix might be painless, and Google might even find a way to soft patch it via GPS. But if it’s not, then you might have devices either losing key functionality or staying vulnerable to a pretty severe exploit.
Another question of exploitation is how much hand crafting is required for the payload, and whether the payload survives common encoders, as most social media platforms re-encode or transcode media that is uploaded or shared through their platform. Even WhatsApp and other messaging apps do it by default (though those do it to save bandwidth).
If the exploit payload survives common encoders which are used by social media platforms it would be quite a disaster once people understand how it works and can be exploited.
The patch itself also might be bypassable. Apple, for example, fixed an exploit using SEPROM, and shortly after that the exploit was working again by bypassing the SEPROM boot.
> If it's in the DSP it may not need to be an app that runs the exploit. Sounds like any malicious audio or video file could do it. Could be something delivered via a streaming site, email, audio embedded in a webpage, etc. This sounds like it could be a very big deal.
Seems unlikely to me. DSP data vs DSP code - I think it's in the latter that you'll find vulnerabilities.
It’s not about pay. People that don’t sleep make mistakes - no matter what you pay them. Rest is an essential part of performance. Some people may need more and others less, but there’s no one that doesn’t.
No need to take it so literally. I read "No one sleeps until this is fixed" as "This is the top priority, push everything else aside. Do not screw around, stay late if you can. Everyone who can work on this needs to fix it."
I doubt 2020 Google employees have the same level of drive that the NASA employees of the Apollo 13 era had. I doubt NASA employees said "I give them what they give me, 40 hours." Employees nowadays show up to collect a pay check just long enough so the job looks good on their resumé for the next job.
Half amused, I wonder if the odd recommendations we get on YouTube from time to time are actually steganographs meant to distribute surveillance malware that leverages this technique.
That's simply not true. AOSP is open source and you can run an Android phone without Google services.
You are generalizing the problem of some phone manufacturers which deliver phones with software which spies on you, but the OS isn't a surveillance platform - instead it's more open than iOS - you can't look at the source code of iOS as simply as you can look at the Android source code.