
(Ars Technica) Samsung on the topic of losing their Android cryptographic signing key since 2016: "We have issued security patches since 2016 upon being made aware of the issue, and there have been no known security incidents regarding this potential vulnerability" (arstechnica.com)
    More: Fail, Google, Android, Google Voice, Facebook, Nexus One, developer's cryptographic signing key, Google Chrome OS, Florida Keys  

564 clicks; posted to STEM on 05 Dec 2022 at 11:55 PM (7 weeks ago)



17 Comments
 
2022-12-05 9:06:25 PM  
Wow, this means my cat pics might not be safe if I hadn't backed them up already.  Close call there.
 
2022-12-06 12:40:11 AM  
'We realized we've left the bank vault door open, and people have been taking money out of it for 6 years, but we've decided that no action is really necessary'.
 
2022-12-06 2:16:00 AM  
Back to the topic of leaving your primary device and wallet at home before doing illegal things, right?
 
2022-12-06 4:17:57 AM  
The real sign that Samsung isn't the one that released the security update for your phone... Is that Samsung doesn't release updates and security patches pretty much at all. If your Samsung phone is more than a few months old, it's not Samsung releasing an update.
 
2022-12-06 4:40:40 AM  

Quantumbunny: The real sign that Samsung isn't the one that released the security update for your phone... Is that Samsung doesn't release updates and security patches pretty much at all. If your Samsung phone is more than a few months old, it's not Samsung releasing an update.


Samsung is probably the best OEM for getting Android updates in a timely fashion. I have gotten a security update about every six weeks over the life of my phone and my phone also got Android 13 a few weeks ago. Pixel owners can get in a beta program, but Samsung is very good about getting updates out in full release.

I'm not defending anyone for losing a crypto key though. That's just someone being a moron.
 
2022-12-06 5:13:29 AM  
I would love it if this was put to good use. I have a stack of abandoned Android devices that would run an alternate operating system very nicely if it were possible to load it. This isn't the key to the bootloader but it still has some potential for slightly modernizing landfill hardware.
 
2022-12-06 7:07:42 AM  

jakedata: I would love it if this was put to good use. I have a stack of abandoned Android devices that would run an alternate operating system very nicely if it were possible to load it. This isn't the key to the bootloader but it still has some potential for slightly modernizing landfill hardware.


Samsung devices can be unlocked freely. I have a Galaxy S4 with LineageOS 18 on it.
 
2022-12-06 7:17:28 AM  
likefunbutnot:

Samsung devices can be unlocked freely. I have a Galaxy S4 with LineageOS 18 on it.

Ya, my Galaxy Tab A will work with that, but I have a stack of abandonware Dell Venue tablets that have an Intel Atom CPU rather than an ARM chip. Not much to be done with them without a full unlock.
 
2022-12-06 8:26:22 AM  
So the update I downloaded from fone-update.xyz isn't legit?
 
2022-12-06 8:35:52 AM  

jakedata: Dell Venue tablets that have an Intel Atom CPU rather than an ARM chip. Not much to be done with them without a full unlock.


I have a couple of Windows-based Venues as well, and a Surface RT. The RT is actually a pretty solid MS Office terminal even now but the Venues have low resolution 8" screens and don't have the storage to even accept the upgrade to Windows 8.1 without a LOT of fiddling. It's pretty hard to think of a use for them.

Android tablets other than Samsung's can be extremely frustrating. My nVidia Shield tablet actually got 3 OS updates (and actually my OG Shield STB from 2015 is running Android 11 right now), but in general, they get zero upgraded OSes and may not get security patches either. That's probably not a big deal for the $75 POS tablet that a kid plays games on but moderate or high end devices from Huawei, Lenovo or Asus really shouldn't have that problem. Amazon upgrades theirs but Kindles are trash hardware other than the HDX model they only made for 18 months in the mid-2010s; I think the most recent Fire HDs only JUST surpassed that old guy.

ChromeOS is actually a lot better; every device gets seven years of updates and can at least be switched to Linux.
 
2022-12-06 8:42:25 AM  

Quantumbunny: The real sign that Samsung isn't the one that released the security update for your phone... Is that Samsung doesn't release updates and security patches pretty much at all. If your Samsung phone is more than a few months old, it's not Samsung releasing an update.


So I found an Xperia Z5 or something in the trash the other day (not a Samsung, obviously, but an Android phone). It was introduced in Oct 2015, just before my iPhone 7 (Sep 2016). The Xperia last had an update in 2017 (no more are available). My iPhone only just went EOL with iOS 16 (Oct 2022). That's an additional 4 years of support (6 years total) that the iPhone had vs. an average Android device (about 2 years total) from about the same era.

I don't really care for the iPhone but I'll take double the supported lifetime over a typical Android any day. Especially if manufacturers decide to just allow glaring security holes to exist through their negligence.

And no, even LineageOS quit working on the X5 Compact with 14.1, based on Android 7.1.
 
2022-12-06 10:05:10 AM  

sensitive yet dangerous: I don't really care for the iPhone but I'll take double the supported lifetime over a typical Android any day. Especially if manufacturers decide to just allow glaring security holes to exist through their negligence.


Any iOS device from IIRC the iPhone 5 to 10 has a boot time unlock vulnerability that bypasses all security and allows it to be reset and resold. There is no fix for this. Whoops.

Google says five rounds of OS updates for new Pixel Devices. Samsung says two OS updates for sure. Both continue to issue security updates over the life of the last supported OS version, which PROBABLY means even Samsung phones get four-ish years of life in full security from date of release, although most people aren't buying new devices the day they're released, but even then, four years is a long time to keep the same phone. Chances are that you've already pawned off your 3+ year old phone on somebody else so you can upgrade, or you're the lucky recipient of someone else's 3+ year old phone. I'm going to go ahead and say that the people getting old devices who continue to use them probably aren't all that bothered by what software those devices can and can't use.

Also, here are some instructions for getting AOSP 12 on an Xperia X5, a release of Android that is up to date as of 2022. Sony isn't great about updates, but its devices are also pretty rare in North America anyway.
 
2022-12-06 11:59:24 AM  
Actually, I have to correct myself: Samsung S and Z series phones now get four rounds of OS updates. A5x phones get three years.

I hate to sound like a Samsung fanboy. I'm definitely not; I chose LG devices for as long as I could simply because those could be repaired and had the full range of ports and hardware features I wanted. LG was never as friendly as Samsung to modding or software changes. Even now, I plan to use my almost three year old Galaxy S20 in preference to anything that doesn't have an SD card slot for at least the next couple years.
 
2022-12-06 2:39:37 PM  

likefunbutnot: sensitive yet dangerous: I don't really care for the iPhone but I'll take double the supported lifetime over a typical Android any day. Especially if manufacturers decide to just allow glaring security holes to exist through their negligence.

Any iOS device from IIRC the iPhone 5 to 10 has a boot time unlock vulnerability that bypasses all security and allows it to be reset and resold. There is no fix for this. Whoops.


What are you going on about? What device doesn't allow for factory reset when you have physical access?

The key point here is that your data isn't accessed in the process, it's wiped. Which is not the case with Android. This allows for users to install apps they think are safe, that are malware and give remote access to all your data. Samsung, LG, et al. would have to revoke their current keys and issue new ones to fix this. Which is going to be a nightmare for the users, which is why they haven't done it.
 
2022-12-06 4:35:57 PM  

Intone: What are you going on about? What device doesn't allow for factory reset when you have physical access?


Look up checkm8. The important thing is that the vulnerability allows crackers to bypass all the security and encryption on the device. As I understand it, newer Apple devices have to be unlocked before they can be reset through special Apple magic, but up to the relatively recent iPhone 10, this is not the case. In those cases, the vulnerability is at least as severe and makes root-level access for whatever purpose trivial to obtain.

Intone: Samsung, LG, et al. would have to revoke their current keys and issue new ones to fix this.


I know what private keys are. I am also aware that every computer system has at least some vulnerabilities that haven't been fixed for one reason or other, just like the extremely severe checkm8 thing on iOS. "Glaring negligence" is a common trait to every company that makes consumer OSes.
 
2022-12-06 7:04:02 PM  

likefunbutnot: Look up checkm8. The important thing is that the vulnerability allows crackers to bypass all the security and encryption on the device.


LOL, no. Checkm8 does not bypass security or encryption, but does offer a way to jailbreak the device so you can sideload apps.

Checkm8 requires physical access to the phone. It can't be remotely executed, even if combined with other exploits.

The exploit allows only tethered jailbreaks, meaning it lacks persistence. The exploit must be run each time an iDevice boots.

Checkm8 doesn't bypass the protections offered by the Secure Enclave and Touch ID.
 
2022-12-06 11:30:09 PM  

Intone: What are you going on about? What device doesn't allow for factory reset when you have physical access?


Apple, as an anti-theft measure.
https://support.apple.com/en-us/HT201365
 
Displayed 17 of 17 comments
