[HN Gopher] An Android 8.0-9.0 Bluetooth Zero-Click RCE
       ___________________________________________________________________
        
       An Android 8.0-9.0 Bluetooth Zero-Click RCE
        
       Author : faebi
       Score  : 67 points
       Date   : 2020-04-24 19:16 UTC (3 hours ago)
        
 (HTM) web link (insinuator.net)
 (TXT) w3m dump (insinuator.net)
        
       | xkapastel wrote:
       | So uh, as someone stuck on Android 8 forever, what am I supposed
       | to do? Just get a new phone?
        
       | baybal2 wrote:
        | I do remember an "SMS storm" for Sony Ericsson A200 from 15 years
        | ago.
       | 
       | You get a garbled binary SMS, and then the virus resends itself
       | to every number in your phonebook.
        
         | technoplato wrote:
         | What was the end goal of the virus?
        
           | CraneWorm wrote:
           | To flatten its curve.
        
       | NotSammyHagar wrote:
       | I really hate this software world where my phone stack is
       | generally hidden away from my ability to fix it or change it.
        | It's true for both Apple and Android generally, even if I can see
        | some pieces of Android in the public sources it's basically
        | impossible to change out a lot of the inner stack. I know there
       | are endless attempts to let us have control over our phones. But
       | we programmers are never the customers. And the vendors never
       | open source their drivers. The various open software/hardware
       | schemes never seem to reach maturity. Is there any hope here?
        
         | the_pwner224 wrote:
         | The two big projects working on this are the Purism Librem 5
         | and the PinePhone, both run stock Linux with no binary blobs
         | aside from an isolated cellular modem.
         | 
         | The Librem 5 has been delayed for years and the behaviour of
         | the company is kind of sketchy, however going by Purism's
         | videos the software is pretty good and getting better rapidly
         | (and they upstream their changes back to Gnome).
         | 
         | The PinePhone has shipped to some developers and the company
         | has a history of actually making functional products, but the
         | software is still a WIP, and Pine64's products are cheap (which
         | is great for many people, but I would rather have a $400 phone
         | than a <$150 phone, especially given that these ones won't
         | suffer from software obsolescence).
         | 
         | I can't wait for these things to become at least somewhat
         | functional - I personally will be buying one as soon as they
         | get phone calling, SMS, and a web browser (the Librem has them,
         | and other Gnome applications, but it's still in preorder).
         | 
         | Pinephone: https://www.pine64.org/pinephone/
         | 
         | - https://news.ycombinator.com/item?id=21824962
         | 
         | Librem 5: https://puri.sm/products/librem-5/
         | 
         | - https://news.ycombinator.com/item?id=21369733
         | 
         | - https://news.ycombinator.com/item?id=21303770
         | 
         | - https://puri.sm/posts/librem-5-vs-android-which-boots-
         | faster... (stupid comparison vs a 6 year old Android phone -
         | how out of touch is their marketing team and CEO to allow this
         | to happen???)
        
         | WrtCdEvrydy wrote:
         | It's not a bug, it's a feature.
        
         | swiley wrote:
         | Mobile phone OSes are unacceptably bad. IMO they're a very good
         | example of how the free market doesn't result in better
         | software.
        
       | morsch wrote:
       | Fixed in
       | https://android.googlesource.com/platform/system/bt/+/3cb714...
       | of https://source.android.com/security/bulletin/2020-02-01:
       | -        packet->len = partial_packet->len -
       | partial_packet->offset;       +        packet->len =       +
       | (partial_packet->len - partial_packet->offset) + packet->offset;
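        Review bot: the original expression `packet->len = partial_packet->len - partial_packet->offset;` omits `packet->offset`, so the length recorded for the reassembled packet does not account for the new packet's own offset; the replacement `packet->len = (partial_packet->len - partial_packet->offset) + packet->offset;` corrects this. A short comment at the assignment stating why the offset has to be added back, plus a regression test that reassembles a packet with a non-zero `packet->offset`, would make the intent clear to the next reader.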
       | 
       | I wonder how many devices are running that patch level.
        
       ___________________________________________________________________
       (page generated 2020-04-24 23:00 UTC)