    Kr00K and Ubuntu Touch

    • W
      WillemHexspoor last edited by

      After reading this article, I was wondering what is or can be done to protect devices running UT from this vulnerability. As far as my knowledge goes, UT uses an Android kernel, which uses device-specific and mainly closed-source hardware drivers. The white paper says that the vulnerability can be mitigated through software or firmware updates, but older devices don't get firmware updates anymore.
      My question is whether UT users will stay vulnerable to Kr00K as long as there is no firmware update available or can it be solved through software and is it just a matter of capacity and priority?

      Basically the same question applies to Spectre, Meltdown and other bugs where the source is in the hardware.

      • Flohack
        Flohack last edited by

        It all depends if the original vendor would release a new firmware file. That's the question for older devices, but you can try to spot such an update, e.g. for Nexus 5. From our side there is not much that can be done except waiting for those updates. If they are available they can normally be either loaded by our port (from vendor tree) or they need flashing of a vendor partition.

        My languages: 🇦🇹 🇩🇪 🇬🇧 🇺🇸

        • dobey
          dobey last edited by

          Radio updates for Android devices tend to be included in the OEM images. Given many of the devices supported by UT no longer receive OEM updates, and are end of life products, it's extremely unlikely for any firmware updates to get released for said devices. Broadcom has already not released new firmware for Nexus 4/5 Bluetooth/WiFi chips for previous vulnerabilities.

          Unless you can get open source firmware written for the chips, it's unlikely to see any updates from manufacturers to fix such vulnerabilities, in older chips.

          • Mic_
            Mic_ last edited by Mic_

            I also had such an article in my newspapers regarding this WLAN security problem. They wrote that all Nexus phones are hardly affected.

            So I think a lot of Nexus-updates should be developed now - in a short time - but if a 2014-phone will be among them? Maybe we all should write a message to LG 😉

            • Mic_
              Mic_ last edited by Mic_

              Do we have any lawyer here? I mean, if these N5 phones can be hardly attacked because of errors in the drivers-development - and 1: the producer does not want to develop an update - and 2: a large amount of users still use these devices

              -> isn't that a juristic reason that producers could be pushed to publish the code?

              Here are a lot of articles in German:

              https://www.heise.de/security/meldung/WLAN-Luecke-Kr00k-Sicherheitsforschern-zufolge-1-Milliarde-Geraete-gefaehrdet-4669083.html

              https://www.sueddeutsche.de/digital/kr00k-wlan-wifi-sicherheitsluecke-1.4823507

              https://www.netzwelt.de/news/176275-kr00k-neue-wlan-sicherheitsluecke-gefaehrdet-milliarden-geraete.html

              • dobey
                dobey @Mic_ last edited by

                @Mic_ Nexus 5 is not the only device affected. Nexus 4 is almost certainly affected too. Probably also the OnePlus phones, etc…

                Many of these are also already affected by other vulnerabilities that will remain unfixed, like Broadpwn. Remember also, they are stuck on old kernels which are no longer supported either, and there's not really anyone available to work on backporting fixes and maintaining old kernels.

                • Mic_
                  Mic_ last edited by

                  Yes I understand - I am just thinking about legislative rules - if something like that is not already in place. This would be easily created.

                  I mean if a company does not want to make further support - ok, no problem - but then they have to publish the code so that people could develop it for themselves. Until nobody reclaims the need nothing would probably happen. But if that would not help because old kernels... I understood that not published drivers is a big problem in the development of UT!?

                  • dobey
                    dobey @Mic_ last edited by

                    @Mic_ said in Kr00K and Ubuntu Touch:

                    This would be easily created.

                    You've obviously not been paying attention to politics lately. 🙂

                    IMO, all source code should be open, always. Regardless of manufacturer support of hardware. So I would certainly support such regulation, and probably the types of representatives who would state support for it in their election campaigns. But realistically, this is not going to happen anytime soon, and is nowhere near easy to get into law.

                    • R
                      rocket2nfinity last edited by

                      Legislative action sounds like a long-term goal.

                      But for the immediate need to fix the problem, I wonder if WireGuard or another VPN would do the trick. From what I read, secured traffic (https) cannot be read, just insecure. A VPN could fix that.

                      • Mic_
                        Mic_ @dobey last edited by Mic_

                        @dobey Sometimes the right people are only at the wrong places.

                        Look what is being discussed - while we discuss that here.

                        https://www.deutschlandfunk.de/klimaschutz-schulze-will-fuer-umweltschutz-laengeres-leben.1939.de.html?drn:news_id=1106702

                        • Mic_
                          Mic_ @dobey last edited by Mic_

                          @dobey said in Kr00K and Ubuntu Touch:

                          Regardless of manufacturer support of hardware.

                          It sounds as a nice compromise - source code has to be published when manufacturer will not support hardware anymore.

                          • Flohack
                            Flohack @Mic_ last edited by

                            @Mic_ unfortunately this is not a reason for being able to force someone to disclose source code. We live in a legal world that gives the IP and copyright owner very strong assertions about what he can do with his product. So to force someone to do this is like "you are no longer selling your spicy noodle bowls, you need to disclose the recipe so that others can cook it as well". - Well what if I am planning to reuse part of this in my next recipe and therefore would be harmed by others knowing about my previous recipe?

                            Software comes in modules and parts, and just because you do not support hardware A means you wouldn't use it in hardware B again. Reusability is key and happens every day, and you cannot force someone to reinvent the wheel to get his copyright useful again.

                            My languages: 🇦🇹 🇩🇪 🇬🇧 🇺🇸

                            • Mic_
                              Mic_ @Flohack last edited by

                              @Flohack Understand! Thx!

                              • Mic_
                                Mic_ last edited by Mic_

                                Here the German environmental minister wants to introduce "a right to repair" for customers owning any smartphone. Of course she means at first the hardware - but what helps hardware without actual software.

                                I guess we will come out with round about 10 years smartphone guaranty. Maybe Android has to be staying up-to-date for this time - or something else....

                                https://bizz-energy.com/wie_schulze_digitalisierung_gruen_machen_will?xing_share=news

                                • dobey
                                  dobey @Mic_ last edited by

                                  @Mic_ I suppose this will only apply to devices released after the specified date. And also only in Germany (or perhaps also EU if it gets pushed up to that level).

                                  But longer warranty or support periods don't mean that stuff will get released as open source at the end (or that even if it does, that the license will let you do anything with the source).
