Kr00K and Ubuntu Touch



  • After reading this article, I was wondering what is or can be done to protect devices running UT from this vulnerability. As far as my knowledge goes, UT uses an Android kernel, which uses device-specific and mainly closed-source hardware drivers. The white paper says that the vulnerability can be mitigated through software or firmware updates, but older devices don't get firmware updates anymore.
    My question is whether UT users will stay vulnerable to Kr00K as long as there is no firmware update available or can it be solved through software and is it just a matter of capacity and priority?

    Basically the same question applies to Spectre, Meltdown and other bugs where the source is in the hardware.



  • It all depends if the original vendor would release a new firmware file. That's the question for older devices, but you can try to spot such an update, e.g. for Nexus 5. From our side there is not much that can be done except waiting for those updates. If they are available they can normally be either loaded by our port (from vendor tree) or they need flashing of a vendor partition.



  • Radio updates for Android devices tend to be included in the OEM images. Given many of the devices supported by UT no longer receive OEM updates, and are end of life products, it's extremely unlikely for any firmware updates to get released for said devices. Broadcom has already not released new firmware for Nexus 4/5 Bluetooth/WiFi chips for previous vulnerabilities.

    Unless you can get open source firmware written for the chips, it's unlikely to see any updates from manufacturers to fix such vulnerabilities in older chips.



  • I also had such an article in my newspapers regarding this WLAN security problem. They wrote that all Nexus phones are hardly affected.

    So I think a lot of Nexus-updates should be developed now - in a short time - but if a 2014-phone will be among them? Maybe we all should write a message to LG 😉



  • Do we have any lawyer here? I mean, if these N5 phones can be hardly attacked because of errors in the driver development - and 1: the producer does not want to develop an update - and 2: a large amount of users still use these devices

    -> isn't that a juristic reason that producers could be pushed to publish the code ?

    Here are a lot of articles in German:

    https://www.heise.de/security/meldung/WLAN-Luecke-Kr00k-Sicherheitsforschern-zufolge-1-Milliarde-Geraete-gefaehrdet-4669083.html

    https://www.sueddeutsche.de/digital/kr00k-wlan-wifi-sicherheitsluecke-1.4823507

    https://www.netzwelt.de/news/176275-kr00k-neue-wlan-sicherheitsluecke-gefaehrdet-milliarden-geraete.html



  • @Mic_ Nexus 5 is not the only device affected. Nexus 4 is almost certainly affected too. Probably also the OnePlus phones, etc…

    Many of these are also already affected by other vulnerabilities that will remain unfixed, like Broadpwn. Remember also, they are stuck on old kernels which are no longer supported either, and there's not really anyone available to work on backporting fixes and maintaining old kernels.



  • Yes I understand - I am just thinking about legislative rules - if something like that is not already in place. This would be easily created.

    I mean if a company does not want to make further support - ok, no problem - but then they have to publish the code so that people could develop it for themselves. Until nobody reclaims the need nothing would probably happen. But if that would not help because old kernels... I understood that not published drivers is a big problem in the development of UT!?



  • @Mic_ said in Kr00K and Ubuntu Touch:

    This would be easily created.

    You've obviously not been paying attention to politics lately. 🙂

    IMO, all source code should be open, always. Regardless of manufacturer support of hardware. So I would certainly support such regulation, and probably the types of representatives who would state support for it in their election campaigns. But realistically, this is not going to happen anytime soon, and is nowhere near easy to get into law.



  • Legislative action sounds like a long-term goal.

    But for the immediate need to fix the problem, I wonder if WireGuard or another VPN would do the trick. From what I read, secured traffic (HTTPS) cannot be read, just insecure. A VPN could fix that.



  • @dobey Sometimes the right people are only at the wrong places.

    Look what is being discussed - while we discuss that here.

    https://www.deutschlandfunk.de/klimaschutz-schulze-will-fuer-umweltschutz-laengeres-leben.1939.de.html?drn:news_id=1106702



  • @dobey said in Kr00K and Ubuntu Touch:

    Regardless of manufacturer support of hardware.

    It sounds as a nice compromise - source code has to be published when manufacturer will not support hardware anymore.



  • @Mic_ unfortunately this is not a reason for being able to force someone to disclose source code. We live in a legal world that gives the IP and copyright owner very strong assertions about what he can do with his product. So to force someone to do this is like "you are no longer selling your spicy noodle bowls, you need to disclose the recipe so that others can cook it as well". - Well what if I am planning to reuse part of this in my next recipe and therefore would be harmed by others knowing about my previous recipe?

    Software comes in modules and parts, and just because you do not support hardware A means you wouldn't use it in hardware B again. Reusability is key and happens every day, and you cannot force someone to reinvent the wheel to get his copyright useful again.



  • @Flohack Understand! Thx!



  • Here the German environmental minister wants to introduce "a right to repair" for customers owning any smartphone. Of course she means at first the hardware - but what helps hardware without actual software.

    I guess we will come out with round about 10 years smartphone guaranty. Maybe Android has to be staying up-to-date for this time - or something else....

    https://bizz-energy.com/wie_schulze_digitalisierung_gruen_machen_will?xing_share=news



  • @Mic_ I suppose this will only apply to devices released after the specified date. And also only in Germany (or perhaps also EU if it gets pushed up to that level).

    But longer warranty or support periods don't mean that stuff will get released as open source at the end (or that even if it does, that the license will let you do anything with the source).

