A wide range of Android phones are vulnerable to attacks that fully compromise the devices at their deepest level: the baseband. Fixes have yet to be delivered, except to a subset of vulnerable Pixels. In the meantime, Google and Samsung advise, users should do something that's not possible for most vulnerable devices: turn off VoLTE. Both Google and Samsung declined to provide further, actionable guidance to at-risk customers. Worse, even if/when it's possible to turn off VoLTE, this advice completely neuters most phones of any kind of voice calling capability.

This incident once again underscores the security mess of the Android ecosystem. It also demonstrates the lack of cooperation Google and Samsung regularly exhibit in keeping their customers safe.

Super sad.

https://arstechnica.com/information-technology/2023/03/critical-vulnerabilities-allow-some-android-phones-to-be-hacked/

Google tells users of some Android phones: Nuke voice calling to avoid infection

If your device runs Exynos chips, be very, very concerned.

Ars Technica

This incident involving the zero-click baseband vulnerability also underscores Google's continuing struggle to deliver timely updates to its Pixel customers. Delays like this one completely undermine the main selling point of Pixel devices. What's more, the Project Zero advisory said that "affected Pixel devices have already received a fix." In fact, users of Pixel 6 devices still haven't received a patch, more than 4 days later.

Can someone tell me why Apple can deliver updates for all its iOS customers at once but Google still rolls out Pixel updates piecemeal?

@dangoodin my bet: carrier ROMs are slowing things down

if you're running 100% stock Google-supplied Android, Google can handle the full update path. but if you bought your phone on contract there's a decent chance that your phone came with a carrier ROM with bundled apps and a SIM lock. the carrier has to pull from upstream and rebuild their ROMs for update delivery - Google can't just do that for them. and the carriers are not very good at doing any of this.

@gsuberland @dangoodin I wish people wouldn't call this stuff a ROM. If it was an actual ROM then it would explain why upgrades were challenging, but it's not, so calling it a ROM just obscures what's going on.

@DrHyde @gsuberland Can you say more? If ROM is the wrong word, what's the right word? Also, can you spell out what makes this word different from a ROM?

Genuine questions intended to educate me on a topic I don't know enough about.

@dangoodin @gsuberland It's just software installed by the manufacturer. A ROM is a Read Only Memory.

@DrHyde @dangoodin that's the root, for sure, but over the years the term has also become used to refer to any image that is read-only (either by intent or by some technical measure). hence why a signed OS image is referred to as a ROM.

@DrHyde @dangoodin if we were pedantically prescriptive about the term, we wouldn't use "ROM" for almost anything any more, since almost nothing uses OTP fuse style programming these days and the few devices that do are for things like config straps rather than data.

and if you're going to argue about this use of ROM, you definitely need to start sending letters to IC manufacturers, because EEPROM is not read only. or just accept that terms have a rich history 🤷