Hi all,

About a month ago, we learned that there was a vulnerability in the
WiFi firmware on many phones [1]. I didn't know until then that the
WiFi device has its own system-on-a-chip (SoC) that runs its own code,
and has access to system RAM. The vulnerability apparently allows an
attacker to execute arbitrary code in the SoC, and from there take
over the entire device [2][3].

Apple, to their credit, patched a range of obsolete devices in
addition to current ones [4]. Google seems to only be patching current
devices, and it seems unlikely that other Android manufacturers will
push out an update to old devices either. The response from the
Android community seems to be to bury their heads in the sand [5].
When I asked in #lineageos about it, I got the impression that they
couldn't include the patched firmware for my device (although things
may have changed).

I find this all incredibly frustrating. I have an otherwise perfectly
good Nexus 5, which now has to have WiFi permanently disabled.
Effectively I need a new phone. A pox on proprietary firmware and
impractical update mechanisms!

A user on Slashdot said to "vote with your wallet". But there doesn't
seem to be a good option: iPhone, which isn't remotely open but at
least seems to get patched, or Android, which claims to be open but is
closed where it really counts. Is there a practical third option that
I'm missing?

Sorry for the rant. Is anyone else as frustrated by this as I am?

Alex

[1] https://googleprojectzero.blogspot.com.au/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html
[2] https://googleprojectzero.blogspot.com.au/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html
[3] https://security.stackexchange.com/questions/157336/does-a-compromised-kernel-give-complete-control-over-a-device
[4] https://it.slashdot.org/comments.pl?sid=10454409&cid=54183761
[5] https://android.stackexchange.com/questions/172993/ota-wifi-vulnerability-what-can-be-done
_______________________________________________
Free-software-melb mailing list
Free-software-melb@lists.softwarefreedom.com.au
http://lists.softwarefreedom.com.au/cgi-bin/mailman/listinfo/free-software-melb


Free Software Melbourne home page: http://www.freesoftware.asn.au/melb/
