[HN Gopher] Google says hackers could silently own your phone un...
___________________________________________________________________
Google says hackers could silently own your phone until Samsung
fixes its modems
Author : dutchbrit
Score : 149 points
Date : 2023-03-17 12:27 UTC (10 hours ago)
(HTM) web link (www.theverge.com)
(TXT) w3m dump (www.theverge.com)
| jeffbee wrote:
| As an industry, if we can consider software broadly as one
| industry, it is disappointing that we simply do not have a
| quality and correctness and safety culture. It has been true for
| decades and still appears to be true that the more hidden a
| program is from the user, the more slapdash its implementation
| will be. Device firmware is universally garbage. It's just like
| that TPM 2.0 reference implementation thing that was on HN
| earlier this week. It's just written by clowns in clown language
| and when they find the flaws instead of fixing the process that
| led to the flaws they just put in one more line of ClownLang to
| hack around it. Something from outside the industry needs to come
| in with some reform mandates.
| _trampeltier wrote:
| Just pure and real pain will bring changes. So the only way is
| more ransomware.
| baal80spam wrote:
| Well...
|
| Microsoft ditched its QA unit a while ago.
|
| My employer posts multiple (10+) marketing and sales job
| openings currently on Linkedin but there is no money for an
| additional "QA resource".
|
| The list goes on, and this is one of the effects.
| wkat4242 wrote:
| Yes. Over-reliance on automated tests and telemetry (aka
| testing on the users) is a problem in the industry and
| Microsoft is big into these.
|
| Unit tests are great but mainly look for things you expect
| and focus on the low-hanging fruit. Not complex interactions
| between components.
|
| Their QA teams used to test on all kinds of hardware but most
| of it was replaced by automated VM stuff.
| jeffbee wrote:
| The firmware industry has a variety of problems and "over-
| reliance on automated tests" is decidedly not among them.
| neuromason1 wrote:
| Samsung always has a grand vulnerability each year. Like
| clockwork!
|
| In 2015, a vulnerability in Samsung's SwiftKey keyboard was
| discovered that allowed attackers to remotely execute code on the
| device.
|
| In 2016, researchers discovered a flaw in Samsung's Knox security
| software that could allow an attacker to escalate privileges and
| gain root access to the device.
|
| In 2017, a vulnerability was discovered that allowed attackers to
| take control of Samsung's SmartCam cameras.
|
| In 2018, researchers found a flaw in Samsung's Secure Boot
| feature that allowed attackers to install malicious firmware on
| the device.
|
| In 2019, researchers discovered a vulnerability in Samsung's
| Galaxy S10 fingerprint scanner that allowed anyone to unlock the
| phone with a 3D printed fingerprint.
| webdoodle wrote:
| It's almost like it's planned obsolescence...
| [deleted]
| fencepost wrote:
| I believe the Samsung keyboard was linked with Swype, and I
| believe it predated SwiftKey (or at least predated swipe-based
| input in SwiftKey).
| narrator wrote:
| The 3d-printed fingerprint one is not scary since it requires
| physical access, a 3-d printer and your fingerprint.
| ChuckNorris89 wrote:
| Sure, but which consumer products don't have security
| vulnerabilities discovered? That's like pointing at water and
| blaming it for being wet.
|
| Vulns are part and parcel of products running any kind of SW.
| As long as the manufacturer acknowledges it and pushes a prompt
| fix we should be good.
| imchillyb wrote:
| No.
|
| Critical system vulnerabilities are few and far between for
| most companies.
|
| Samsung has much greater than average occurrences of critical
| root level vulnerabilities.
| Spark_Ed wrote:
| I've stopped buying anything Samsung because their quality
| control has become non-existent.
|
| My S22 ultra has a major bug that causes the screen to no
| longer update until I screenshot my way to the restart
| button. (Their response is trade in for an S23, but at my
| expense).
|
| I've never had a TV fail before, much less within two
| years. When I first put it together, it seemed like it was
| designed to fail. When they do, repair means either be
| charged $300 for a $10 fiber optic cable or $400 for a new
| output box.
|
| Any appliance repair person worth their salt would tell you
| to never buy Samsung appliances. They're the most prone to
| failure, most expensive to repair. They try to appeal to
| consumers by appearing like a luxury brand, while having
| bottom of the barrel engineering inside.
|
| I am avoiding anything Samsung until their track record
| turns around completely.
| lwhi wrote:
| I've had absolutely no problem with my Samsung since the
| S8 (followed by S10 plus, S22 plus)
| lwhi wrote:
| Yeah right .. I still remember when you could gain access
| to a MBPs root account using a blank password.
| zamalek wrote:
| Even if it was common, _90 days_ without so much as a
| squeak? That is certainly incompetent _cough_ uncommon.
| ChuckNorris89 wrote:
| _> Samsung has much greater than average occurrences of
| critical root level vulnerabilities._
|
| I get it you dislike Samsung but citation needed for such
| claims other than "trust me bro".
|
| Also, since Samsung is possibly the world's biggest, or at
| least one of the biggest makers and sellers of electronics,
| serving a wide variety of markets and price points, it's
| inevitable that their name pops up more often than other
| brands.
|
| The target on your back from hackers and security
| researchers is proportional to your size as a company.
| Everyone would like to gloat they hacked a Samsung device.
| Nobody cares you hacked a TCL device.
|
| So a better metric would be severe vulnerabilities per
| number of devices sold.
| palata wrote:
| IMO the metric should also consider how long it took them
| to patch it. Everyone has zero days, that's life. But
| there is no excuse for not patching a critical
| vulnerability.
| SketchySeaBeast wrote:
| Possibly, but Samsung is the 2nd most popular phone
| manufacturer on the planet. It stands to reason that with
| the level of visibility they'd have a lot of eyes on them
| to find these things. That list provided at the top is also
| a bunch of different devices and entirely different types
| of electronics, which again is an argument that the bigger
| the market the more likely that something will be found.
| kube-system wrote:
| The reason that most software does not have known
| vulnerabilities is not because it is secure, but because
| nobody has looked.
| bell-cot wrote:
| Sadly, it sounds like Samsung has little interest in "fix",
| and no interest whatever in "prompt".
| prox wrote:
| But why are they so reluctant? What's the issue here? They
| aren't a poor backwater company afaik.
| lockhouse wrote:
| They want you to buy the Samsung Galaxy S24 when it comes
| out.
| lallysingh wrote:
| Apparently that clock stopped for a few years.
| RealStickman_ wrote:
| They took a Corona break
| ChuckNorris89 wrote:
| Which would be ironic as the pandemic WFH years saw a huge
| spike in cybercrime and security related incidents on all
| fronts.
| thinkingemote wrote:
| Why is this? I'd be interested to read the reasons why.
|
| At the top of my head it's WFH opening up attack surfaces
| but it could be that hackers with more free time hacked
| more. Sociological reasons are more interesting for me.
| wongarsu wrote:
| Multiple industries laid off large parts of their
| workforce. US unemployment tripled, and more tourist
| heavy countries fared even worse. One of the biggest
| drivers of crime is "it was the best option available at
| the time", and most cybercrime isn't highly skilled and
| fairly accessible.
|
| To make matters worse, "regular" crime struggled at the
| same time. It's harder to break into people's homes if
| they are at home all day, and you can't mug them in a
| dark alley either, neither can you pickpocket tourists.
| shzhdbi09gv8ioi wrote:
| Because more users online for more hours, more stuff
| happened online due to lockdown etc etc etc.
| giancarlostoro wrote:
| My guess is with lockdowns you had a lot of people bored
| at home stuck with nothing but digital screens for
| entertainment. People with remote jobs or no jobs could
| be scanning sites for exploits in the background whilst
| doing other things since they have literally nothing
| better to do to keep them occupied, not like they can go
| outside very often.
|
| This is a guess though, but now think of the millions
| upon millions of people bored at home who might think "I
| wonder if..."
| cronix wrote:
| In some forums I lurk in there was some hubbub about
| massive holes in security that were opened up via people
| who are used to working in an environment with IT support
| (somewhat secure, depending), etc, to people trying to
| figure everything out at home on their own and using new
| tools (both software and hardware) to do it. Don't know
| how accurate it is but it makes some logical sense to me.
| yaomtc wrote:
| Huh? SwiftKey was never owned by Samsung. I don't think they
| even had Samsung-specific builds
| mburns wrote:
| context: https://techcrunch.com/2015/06/17/no-its-samsung-
| not-swiftke...
| asciii wrote:
| > Although Samsung told NowSecure in March that it had sent
| wireless carriers a fix which could be transmitted to the
| phones, and not to go public on it for three months,
| Samsung did nothing about it.
|
| As if written today, even though it's 8 years ago lol!
| DeathArrow wrote:
| [flagged]
| ecmascript wrote:
| How do I know if my model has this chipset? I have the S22 Ultra
| but I cannot find what chipset it's using from the settings.
|
| Ordered it from their website and I am located in Sweden.
| vanilla_nut wrote:
| Exynos chipsets contain the Samsung-designed modems with
| problems. Qualcomm's Snapdragon chipsets use integrated
| Qualcomm-designed modems (usually) that should be safe (from
| this vulnerability).
|
| If you still have the box or possibly a receipt, Exynos S22Us
| have the model number SM-S908B or SM-S908B/DS. Every other
| model is Snapdragon.
|
| If you just have the phone itself, try the Geekbench or CPU-Z
| apps. They're benchmarking apps for the most part, but they
| also contain pretty detailed hardware reports.
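As an added example (not code from the thread, from Samsung or from Google), the check vanilla_nut describes can be scripted against the output of `adb shell getprop` instead of installing a benchmarking app. The model-number rule is the one stated in the comment above (SM-S908B and SM-S908B/DS are Exynos, every other S22 Ultra model code is Snapdragon). The fallback on `ro.board.platform`, with "exynos" and "taro" as the strings to look for, is my assumption and is labelled as such; the two getprop dumps are constructed samples, not captures from real devices.

```shell
#!/bin/sh
# Added example: classify a Galaxy S22 Ultra build as Exynos or Snapdragon
# from the properties that `adb shell getprop` prints.
# Not from the thread, Samsung or Google; see assumptions in the comments.

# Decide from ro.product.model first (rule stated in the thread), then fall
# back to ro.board.platform. ASSUMPTION: Exynos builds carry a platform
# string containing "exynos" and Snapdragon 8 Gen 1 builds carry "taro".
# Anything else is reported as "unknown" rather than guessed.
classify_soc() {
  # $1 = ro.product.model, $2 = ro.board.platform (may be empty)
  case "$1" in
    SM-S908B|SM-S908B/DS) echo exynos;     return 0 ;;
    SM-S908*)             echo snapdragon; return 0 ;;
  esac
  case "$2" in
    *exynos*) echo exynos ;;
    *taro*)   echo snapdragon ;;
    *)        echo unknown ;;
  esac
}

# Read one property from getprop-style output on stdin.
# Lines look like:  [ro.product.model]: [SM-S908B]
prop() {
  grep -F "[$1]: " | sed 's/^.*: \[//; s/]$//' | head -n 1
}

# $1 = file containing `adb shell getprop` output
classify_getprop() {
  model=$(prop ro.product.model < "$1")
  platform=$(prop ro.board.platform < "$1")
  classify_soc "$model" "$platform"
}

# Constructed sample dumps (not captured from real phones); the platform
# values are the assumed strings described above.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/exynos.txt" <<'EOF'
[ro.product.model]: [SM-S908B]
[ro.board.platform]: [exynos2200]
EOF
cat > "$SAMPLE_DIR/snapdragon.txt" <<'EOF'
[ro.product.model]: [SM-S908U]
[ro.board.platform]: [taro]
EOF

for f in exynos snapdragon; do
  printf '%s.txt -> %s\n' "$f" "$(classify_getprop "$SAMPLE_DIR/$f.txt")"
done
```

With USB debugging enabled, `adb shell getprop > props.txt` and then `classify_getprop props.txt` gives the answer without a third-party app. A result of `unknown` means the model code is outside the S22 Ultra family and the platform string matched neither assumption; treat that as "check further", not as "not affected".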
| fathyb wrote:
| It has been a while since I used Android, but I believe you
| can view the model number in the About section in the
| Settings app?
| Idiot_in_Vain wrote:
| You do have this chipset.
|
| To confirm you can install AIDA64 from the Play Store.
| rofo1 wrote:
| CPU-Z, the Android app, can tell you this (along with a bunch
| of other information that you might find useful)
| [deleted]
| izacus wrote:
| This is a duplicate of
| https://news.ycombinator.com/item?id=35190811 with a clickbait
| title.
| jeroenhd wrote:
| Previously discussed here:
| https://news.ycombinator.com/item?id=35190811
| micromacrofoot wrote:
| Samsung is remarkably good at making Android worse.
| gaudat wrote:
| Does that mean we can get free (as in freedom) rooting that does
| not trigger Knox? I will take that any day.
| pxoe wrote:
| [dead]
| myself248 wrote:
| How many carriers require VoLTE for voice now? I keep getting
| nastygrams from my carrier telling me to upgrade my old non-
| VoLTE-capable phone or I'll lose voice 'any day now', with a
| drop-dead date that's moved several times.
| kube-system wrote:
| Are you outside of the US?
|
| T-Mobile, AT&T, and Verizon have all shut down 3G networks as of
| 2022.
| sangnoir wrote:
| LTE is 4G, as is VoLTE. US carriers haven't shutdown 4G
| networks AFAIK.
| kube-system wrote:
| I understand, the person above says they have a non-VoLTE
| phone, which will make voice calls on 2G or 3G.
| dhosek wrote:
| This kind of feels like I stopped building my own computers and
| moved to the Apple ecosystem with prebuilt systems. It was always
| easy for everyone to point their fingers somewhere else when
| something didn't work. It's a problem with the hardware, no the
| OS, no the software, no those two peripherals conflict...
|
| There are still issues that crop up from time to time now that
| I'm on a Mac, but there's also _one_ place to turn to when
| there's a problem and they generally do a pretty good job of
| resolving things (although the last big issue I had--which
| ultimately ended with my laptop going through a Ship of Theseus
| complete replacement took a while but that was also in November-
| December of 2020 when everything was pretty messed up & the
| service person was able to give me my choice of anything from the
| Apple store under $200 as compensation).
| londons_explore wrote:
| And all that was available under $200 was a branded mousemat...
| jacooper wrote:
| They will fix this, it's already fixed in the Pixel 7 Pro, and
| it should be fixed on any phone with March 2023 patch level.
| hot_gril wrote:
| This is how I feel at work too. Someone's system is
| misbehaving, and I report a bug. They say it's some
| dependency's issue and direct me to ask someone there. No,
| that's your responsibility, not mine. I don't know the
| intricacies of _your_ s2s interaction.
| gchokov wrote:
| Why are people still buying these phones? - They fake your
| pictures - i.e. replacing the real moon with a fake one; - Full
| of vulnerabilities in the wild.. all the time; - Shady
| connections with Asia
|
| the list goes on and on.
| [deleted]
| hummus_bae wrote:
| [dead]
| lwhi wrote:
| I have zero problems with my phone.
| lyu07282 wrote:
| > Shady connections with Asia
|
| Wtf??
| Smar wrote:
| Well, Samsung _is_ korean.
| sangnoir wrote:
| The _humanity!_
| aydyn wrote:
| There are phones that fake the moon, but saying Samsung does
| that is a lie.
| theshrike79 wrote:
| It just fakes it with AI :D
| sangnoir wrote:
| Is there a top-tier phone model on the market that doesn't
| enhance photos in some way using AI? Not too long ago,
| there was an HN discussion on AI artifacts on iPhone photos
| that are readily apparent when viewed from a large/hi-res
| display, despite looking "better" than non-enhanced
| pictures on the phone display.
| another_story wrote:
| I'd wager all your electronics contain a majority of parts from
| Asia.
___________________________________________________________________
(page generated 2023-03-17 23:02 UTC)