Dan GoodinMar 20, 2023

A wide range of Android phones are vulnerable to attacks that fully compromise the devices at their deepest level: the baseband. Fixes have yet to be delivered, except to a subset of vulnerable Pixels. In the meantime, Google and Samsung advise, users should do something that's not possible for most vulnerable devices: turn off VoLTE. Both Google and Samsung declined to provide further, actionable guidance to at-risk customers. Worse, even if/when it's possible to turn off VoLTE, this advice completely neuters most phones of any kind of voice calling capability.

This incident once again underscores the security mess of the Android ecosystem. It also demonstrates the lack of cooperation Google and Samsung regularly exhibit in keeping their customers safe.

Super sad.

https://arstechnica.com/information-technology/2023/03/critical-vulnerabilities-allow-some-android-phones-to-be-hacked/

Google tells users of some Android phones: Nuke voice calling to avoid infection

If your device runs Exynos chips, be very, very concerned.

Ars Technica
Show threadDan GoodinMar 20, 2023

This incident involving the zero-click baseband vulnerability also underscores Google's continuing struggle to deliver timely updates to its Pixel customers. Delays like this one completely undermine the main selling of Pixel devices. What's more, the Project Zero advisory said that "affected Pixel devices have already received a fix." In fact, users of Pixel 6 devices still haven't received a patch, more than 4 days later.

Can someone tell me why Apple can deliver updates for all its iOS customers at once but Google still rolls out Pixel updates piecemeal?

Show threadGraham Sutherland / PolynomialMar 20, 2023

@dangoodin my bet: carrier ROMs are slowing things down

if you're running 100% stock Google-supplied Android, Google can handle the full update path. but if you bought your phone on contract there's a decent chance that your phone came with a carrier ROM with bundled apps and a SIM lock. the carrier has to pull from upstream and rebuild their ROMs for update delivery - Google can't just do that for them. and the carriers are not very good at doing any of this.

Show threadDan GoodinMar 20, 2023
@gsuberland Why can't Google do whatever Apple does with iPhones on contract?
Show threadKevin RiggleMar 20, 2023
@dangoodin @gsuberland Frustratingly Samsung is supposed to be best at this (or at least they troubled to get theirs certified for US government use) and they still suck. It’s to a point where I recommend against the entire platform for security sensitive persons, and have for years
Show threadKevin Riggle
@dangoodin @gsuberland Google moving more hardware first party was supposed to help with this but clearly we’re not there yet
Mar 20, 2023 at 5:23pmWeb