An Android 8.0-9.0 Bluetooth Zero-Click RCE (insinuator.net)
139 points by faebi on April 24, 2020 | 61 comments

I really hate this software world where my phone stack is generally hidden away from my ability to fix it or change it. It's true for both Apple and Android generally; even if I can see some pieces of Android in the public sources, it's basically impossible to change out a lot of the inner stack. I know there are endless attempts to let us have control over our phones. But we programmers are never the customers. And the vendors never open source their drivers. The various open software/hardware schemes never seem to reach maturity. Is there any hope here?

The two big projects working on this are the Purism Librem 5 and the PinePhone, both run stock Linux with no binary blobs aside from an isolated cellular modem.

The Librem 5 has been delayed for years and the behaviour of the company is kind of sketchy, however going by Purism's videos the software is pretty good and getting better rapidly (and they upstream their changes back to Gnome).

The PinePhone has shipped to some developers and the company has a history of actually making functional products, but the software is still a WIP, and Pine64's products are cheap (which is great for many people, but I would rather have a $400 phone than a <$150 phone, especially given that these ones won't suffer from software obsolescence).

I can't wait for these things to become at least somewhat functional - I personally will be buying one as soon as they get phone calling, SMS, and a web browser (the Librem has them, and other Gnome applications, but it's still in preorder).

Pinephone: https://www.pine64.org/pinephone/

- https://news.ycombinator.com/item?id=21824962

Librem 5: https://puri.sm/products/librem-5/

- https://news.ycombinator.com/item?id=21369733

- https://news.ycombinator.com/item?id=21303770

- https://puri.sm/posts/librem-5-vs-android-which-boots-faster... (stupid comparison vs a 6 year old Android phone - how out of touch is their marketing team and CEO to allow this to happen???)

That "stupid comparison" shows their phone booting in 13s. I just timed my Pixel 3 and it boots in the same time. That's really impressive any way you slice it.

Yes... but the comparison shows the Android phone taking over a minute. That's what makes it a stupid comparison. If they showed it side by side with your Pixel 3 it wouldn't look as impressive (or so thinks their marketing team).

These things look fun but if they don't get the app support they'll just go the same way that Firefox OS, Ubuntu Mobile and Windows Phone did.

Unfortunately other than the hacker niche that's on this forum you won't get the average consumer using these devices/OSes and therefore you won't get the apps that attract people to use the devices in the first place.

This is why I want Firefox to prioritize Progressive Web App support, and for PWAs to become more popular. Then an open device that can run Firefox can have access to a variety of apps that will work just the same as they would on an Android device. I understand there are drawbacks compared to native, but I really think they're worthwhile tradeoffs to enable new platforms to be immediately compatible with an existing set of cross-platform apps!

Except it is Google and Microsoft that are driving the show in regards to PWAs and their OS integration.

I think this is actually a big advantage of these projects compared to previous smartphone attempts. They are not building a full new OS that developers will have to target; they're running a real, full GNU/Linux distro (GNU being relevant here, because busybox/linux has already been done inside Android).

So, while there will be some effort required to make gui programs work, libhandy supposedly makes this pretty easy. It's an order of magnitude less effort than porting an app from a different platform. Not to mention that everything CLI should Just Work -- this is not relevant to most mainstream users, but it's very relevant to the developer story; I think it's likely that FLOSS developers will start targeting these phones as soon as they become usable enough to developers. Personally, I'm planning to get a Librem 5 as soon as they're off backorder and there are reviews from non-affiliated parties (the latter might be now; I check every couple months and it's been about that long since I checked last).

Previous smartphone attempts like FreeMoko, Maemo, Moblin, Tizen, Ubuntu Touch, Sailfish.

If anything, it proves the point that GNU/Linux doesn't sell phones to make a sustainable business out of it.

I think that as much as the community hates to hear it, these phones need to support sandboxed Android apps at near-native speed, or they're going nowhere fast.

I hope they will target the maker/hacker space like the raspberry pi did. So long as they keep their design and ambitions in check, they should be able to grow slowly over time with additional interest with each new improved version.

The need is not going away anytime soon. I generally like what Apple and Google have done for the mobile phone market, but it’s time for folks to take back some control of their devices which the execs will likely not agree to.

The radios are too locked down and the software too. Despite good intentions, I’m concerned this gatekeeping could become corrupted/corrupting in the future.

If you support the rough and tumble world of open source and systems, you’ll plant a seed that a future generation can grow and compete with gatekeepers. This may reduce the corrupting forces from the gatekeepers. They could point to open systems and say, “Look government, your plan won’t work because 3% use an unrestricted phone, and more will follow if you force us to do X to everyone’s phone.”

I heard FirefoxOS is doing well under a different brand? Does it have interesting apps, I wonder.

It's KaiOS[1]. I think their biggest hit was the JioPhone in the Indian market[2], but the phone lineup is quite impressive for an alternative system.

They've got some funding from Google[3] as well.

[1]: https://www.kaiostech.com/

[2]: https://www.financialexpress.com/industry/technology/relianc...

[3]: https://www.theverge.com/2018/6/28/17513036/google-kaios-inv...

13s boot time is still good regardless of the comparison phone.

RE: prices. Anecdotally, I'm happy with the ~$150 price tag. Those phones are not going to be daily drivers any time soon. I'm much happier to buy a secondary phone for ~$150 than ~$400.

I also suspect that a phone with hardware closer to a ~$400 android phone would be much harder to support with open source software/drivers.

I expect there are more blobs than just the modem, for example the USB controller(s).

> the behaviour of the company is kind of sketchy

Can you elaborate?

Not with smartphones.

There's a reason an old Raspberry Pi, a device with a fraction of a smartphone's power - and without a screen to boot - is an infinitely more valuable device.

You can buy used smartphones on ebay for nothing. They are being thrown out. Why don't we see those used for something other than alarm clocks and fancy picture frames?

The truth is that you can use a Raspberry Pi to do anything you want, but converting an old, even unlocked, smartphone to something which is not a screen for a browser is incredibly, INCREDIBLY hard. Getting plain Linux to run on these devices and take advantage of the screen or other peripherals is generally a waste of effort due to binary drivers. What you get in most cases will be serial access and a flash drive for storage. Keeping Android on it only forces you to develop for an OS that doesn't want you to be in control OR get access to the system.

As soon as your typical smartphone gets out of support, it becomes e-waste.

Those bugs seem to be in the open source part though. While I agree that open hardware including open drivers is nice to have, it's a much tougher requirement.

What I miss, personally, is some kind of ecosystem along with guides, etc. where I can learn how to build Android from sources, put some binary drivers from the official image and run it on my phone. Maybe even some guides on how to reverse engineer proprietary drivers and rewrite them as open source.

Some of these exist:

> learn how to build Android from sources

https://source.android.com/setup/start has instructions.

> put some binary drivers from official image

https://source.android.com/setup/build/gsi is a set of builds you can flash on any sufficiently modern Android device alongside their binary drivers.

> Maybe even some guides on how to reverse engineer proprietary drivers and rewrite them as open source.

You're on your own for this, but given the kernel and HAL APIs are both open source you could theoretically figure out how to build a viable implementation, but no matter how you go about it, building something like a GPU driver is a substantial task. You could probably build things like the lights HAL without too much difficulty though.

Mobile phone OSes are unacceptably bad. IMO they’re a very good example of how the free market doesn’t result in better software.

Another good one was the now gone netbooks market, where each OEM had its own distribution.

It's not a bug, it's a feature.

Fixed in https://android.googlesource.com/platform/system/bt/+/3cb714... of https://source.android.com/security/bulletin/2020-02-01:

  -        packet->len = partial_packet->len - partial_packet->offset;
  +        packet->len =
  +            (partial_packet->len - partial_packet->offset) + packet->offset;
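Review bot: the corrected length now counts packet->offset in packet->len, but nothing in these three lines shows that the sum stays within the buffer actually allocated for packet; it is worth confirming at the call site that packet's capacity is at least packet->offset plus (partial_packet->len - partial_packet->offset), and that partial_packet->offset can never exceed partial_packet->len, so the subtraction cannot wrap if len is an unsigned type.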
I wonder how many devices are running that patch level.

My Google Pixel 1 isn’t running this patch level, because Google dropped support for it entirely. Which just sucks, because there’s no reason not to support it anymore, it’s just planned obsolescence.

The Pixel 1's kernel and drivers are no longer maintained upstream.

Do you mean there's a Linux tree upstream of Google but downstream from Linus that has stopped work outside of Google's control?

Yes, sort of. Google depends on Qualcomm to make updated drivers, as Qualcomm owns the intellectual property. All Pixel phones are based on a Qualcomm platform.

Qualcomm stops supporting their processors after a few years, usually three. They can make more money by selling new chips. Although I say this cynically, Qualcomm is actually the best third party vendor in this regard.

They must have the source code for any chipset vendor kernel drivers due to the GPL, so they could keep producing security patches, or require them contractually. Some other Linux vendors keep supporting old kernel versions for 10+ years after all.

Linux kernel drivers don't have to be GPL though. There exist plenty of closed source drivers for GNU/Linux. The "kernel" on Android devices is a small open source kernel and a huge amount of closed source blobs for wireless connectivity, sensors and the GPU.

That legal interpretation has been contested a lot. In any case that wouldn't be a blocker for providing security patches to the kernel, just like other LTS Linux distributions do.

There is this little legal thing called support contracts that Google could easily make use of for their devices, if they actually cared.

Since Google supports Pixel devices longer than the three years Qualcomm gives or used to give, they're probably already doing that. Not saying they care enough, but they care more than any vendor besides Apple.

Do they? I thought they do max(3 years from launch, 18 months after sales ends in Google store), which usually amounts to 3 years.

Edit: "Just like their predecessors, they'll get Android security updates for three years, until October 2022." says Android Police.

Considering most people don't buy it at launch, this amounts to 2-ish years of support on average.

It's all dependent on Linus' version being maintained.

which is irrelevant for this userspace-only fix

are you saying google cannot afford to maintain it/them?

Basically they could maintain the Android environment but it wouldn't mean much because the system's still not safe, and won't be unless the device gets a new kernel + rebuilt drivers.

Which they could easily do with support contract requirements.

I assume Google can afford a couple of lawyers.

I happily run two Pixel 1's on LineageOS, which recently released Android 10 for these devices. That's the main thing I select phones by: how is their LineageOS support?

Yeah, there is a guaranteed window for many phones/manufacturers where the patch will be 6 months away, or never.

Strange that the commit is from 2018 but it was only included in the patch level of February 5?

At least Samsung is pretty good about updating patches. Not android versions, no, but at least I still get monthly patches. My S8 already has this one.

It's not from 2018 -- Thu Apr 18 17:13:49 2019 -- the 18 may have tripped you up, it's the day of month. It's still a year old, though.

It's a cherry-pick (a copy of a commit from a related code base, essentially) of this commit, https://android.googlesource.com/platform/system/bt/+/337bd4.... The bug has a different impact in Android 10 (DoS instead of RCE), which was released in September 2019. So maybe they sort of fixed it in Android 10 and somehow forgot the backport? I'm speculating.

Depends which Samsung you have, my last Samsung update was on the 4th of January. Support for their non-flagship devices isn't great.

I do remember an "SMS storm" for the Sony Ericsson A200 from 15 years ago.

You get a garbled binary SMS, and then the virus resends itself to every number in your phonebook.

What was the end goal of the virus?

Before monetization through bitcoin was easy, viruses were usually made and released just because you could. To experiment and see how far it could spread. And maybe just to wreak havoc and troll people.


> This virus first appeared in 1988 on earlier versions of Mac OS. Initially, the program displayed a message about Michael Dukakis (Democratic presidential candidate):

> I was created by mischievous 14 year old, and am completely harmless. Dukakis for president in ’88.

That’s awesome, thanks for sharing.

I assume via BTC or any crypto, it's just a matter of running a "mini miner" of some sort across all affected machines?

It got filtered by cellphone companies

To flatten its curve.

So uh, as someone stuck on Android 8 forever, what am I supposed to do? Just get a new phone?

Disable Bluetooth. Use a cabled connection if you need headphones/mic.

If you need Bluetooth then check whether your phone has the same Broadcom driver - you might be fine depending on hardware. Or check if you can install open source firmware that includes a fixed driver.

There are other things you can do depending on device.

How would one disable Bluetooth?

Apple makes it kind of hard; three taps vs. Android's one swipe and one tap. Or are you implying it cannot be disabled because it is needed?

I am not sure how that is relevant, since this is about a current Android vulnerability.

But it's less of a problem in iOS anyway, because Apple provides updates for iPhones much longer. They are still releasing security updates for the iPhone 5s and 6, which are from 2013 and 2014 respectively.


I heard it’s equally hard on Android

Yet another typical C exploit.

No wonder that Android 11 will require hardware memory tagging and is now introducing GWP-ASan for the devices without it.

Seems like every time there's a new mobile RCE they compel us to buy new phones. And for the average person who doesn't, they'll compound the problem with system level contact tracing.

I give up on technology.

COVID-19 tracing is an entirely different problem from buying a new phone because you don't get updates. And if you want control over what your phone sends to the mothership, you need to actually take control and either install a different OS or root it; that is not new with COVID-19 and also not a planned obsolescence / buy new phone thing.

Just give up on smart phones. iPhones, on the other hand, will get updates for about 5 years, which is decent.

A security crazy person also cannot make use of feature phones as they are already smart enough with networking capabilities.

So it is back to rotary phones and public booths.
