A wide range of Android phones are vulnerable to attacks that fully compromise the devices at their deepest level: the baseband. Fixes have yet to be delivered, except to a subset of vulnerable Pixels. In the meantime, Google and Samsung advise, users should do something that's not possible for most vulnerable devices: turn off VoLTE. Both Google and Samsung declined to provide further, actionable guidance to at-risk customers. Worse, even if/when it's possible to turn off VoLTE, this advice completely neuters most phones of any kind of voice calling capability.

This incident once again underscores the security mess of the Android ecosystem. It also demonstrates the lack of cooperation Google and Samsung regularly exhibit in keeping their customers safe.

Super sad.

https://arstechnica.com/information-technology/2023/03/critical-vulnerabilities-allow-some-android-phones-to-be-hacked/

This incident involving the zero-click baseband vulnerability also underscores Google's continuing struggle to deliver timely updates to its Pixel customers. Delays like this one completely undermine the main selling point of Pixel devices. What's more, the Project Zero advisory said that "affected Pixel devices have already received a fix." In fact, users of Pixel 6 devices still haven't received a patch, more than 4 days later.

Can someone tell me why Apple can deliver updates for all its iOS customers at once but Google still rolls out Pixel updates piecemeal?

@dangoodin my bet: carrier ROMs are slowing things down

if you're running 100% stock Google-supplied Android, Google can handle the full update path. but if you bought your phone on contract there's a decent chance that your phone came with a carrier ROM with bundled apps and a SIM lock. the carrier has to pull from upstream and rebuild their ROMs for update delivery - Google can't just do that for them. and the carriers are not very good at doing any of this.

@gsuberland Why can't Google do whatever Apple does with iPhones on contract?

@dangoodin AIUI the whole system for iOS carrier ROM production is in-house at Apple, because they vertically integrate OS and hardware, so carrier mods can just be handled by Apple as a standard deployment process. Whereas with Android it's delegated to both the manufacturers and carriers, so for a given Android OS update it has to go to the manufacturers (to ship hardware-specific KMs and such) and then to the carriers before it can be deployed.

@dangoodin and the extent of iOS carrier mods is basically app installs, configuration defaults, and branding materials. whereas with Android the manufacturer is often maintaining an entirely custom source tree based on Android with tons of their own features and a lot more hardware support code, so by the time you get to the carrier ROMs there's a geometric growth in the number of ROM images that need patch backports & deployment builds.