Hacker News new | past | comments | ask | show | jobs | submit login
Vulnerabilities in chips in 37% of smartphones (checkpoint.com)
172 points by T-A 5 months ago | hide | past | favorite | 59 comments

There are so many attack vectors now on phones ranging from the SIM Card (which has an OS as well) to all the baseband chips to the actual OS and the different app privileges (like the old SMS listening port).

What's interesting to me about the Taiwanese tech industry is their nimbleness and how MediaTek pivoted from a primarily DVD chip maker to dumb phone chip provider running on Pluto OS to now a smartphone chipmaker. Surprised the folks at Intel never tried to acquire them.


There are quite a few “Mediateks” - Intel never had any interest in them - and they willingly sold off just about every embedded asset they had. Maybe look into the history of StrongARM and xscale to start.

Mediatek was also strongly tied to ADUPS FOTA.

This is not an ARM environment designed for high security.


They are good and reliable, but they are not cutting age. The Toyota to M1's Ferrari. There is no point for Intel to acquire them when right now what Intel needs above all is tech and manufacturing advancements.

MediaTek's latest D9000 is pretty cutting edge.


Should also be more affordable than the Qualcomm equivalent.

So this would probably be the first MediaTek chip that isn't crap, then? Whenever I looked at the options in the past, MediaTek was always the "it's cheap alright but don't expect it to be good" option.

It will still be crap because Mediatek. At least if you are interested in installing solid aftermarket firmware/ROMs and not some haphazardly mixed together 'mods' based on obsolete and vulnerable versions. It's an uphill battle, even steeper than with the other players on the market. I'd avoid it. Until they change their policy regarding openness, open source, and so on. But why would they? Has worked for them so far.

I’d much prefer Toyota’s sales to Ferrari’s.

And Toyota's reliability, pricing, parts availability, practicality and comfort.

(Yes, ) But without the current privacy policies, thanks. (Context: I was informed two years ago, by resellers, that Toyota was sending data from the cars to their own servers - just this very capability embedded in the car already some find completely unacceptable - and that they intended to demand the signature of agreements loose about privacy.)

Agreed. That's why I bought an old car and restored it to new state rather than to go with the more current crop. A couple of near misses on account of software bugs that tried to kill me were enough to convince me to opt out, and that's before I got into tracking the vehicle and sending other data.

> near misses on account of software bugs that tried to kill me


Engineering issues (samples of episodes reported): * steering wheel not responding (and user driving on motorway); * car unlock mechanism not responding (and user in the desert); * necessary electronics placed in external rear view mirror... Security issues: * steering wheel remotely hijackable through BT security hole... Now add the privacy issues.

This is largely OT in the current submission, but we should have a good exploration and discussion about these matters in other pages. The big issue is: alternatives. Surely many of us have been finding themselves with a problem of options.

The analogy does not stretch that far

> what Intel needs above all is tech and manufacturing advancements.

Intel needs a reliable door into the phone industry. Currently they don't have anything to offer and people will think twice before choosing Intel chipsets if it's not sure Intel will even stay in the market. Acquiring MediaTek would bypass that.

> Intel needs a reliable door into the phone industry.

Intel had 100 reliable doors in the past, and they foregone all of them.

Even today, Intel would have no problem making something well sellable.

Could Intel acquire, and then leave them alone (not mess with success)?

Theoretically. But my experience with acquisitions is that "leave them alone" never ever happens.

they are most certainly capable to license arm standart cores and make an soc themselves, they made a decision that they will not do that. why would they buy someone who does not so well?

> why would they buy someone who does not so well?

IIRC, MediaTek is the largest SoC vendor by volume. Hardly the definition of "doing not so well".

Yes, the MediaTek quality is ... not exactly the greatest, I agree. But that is where Intel could shine... Intel would save the money to invest in starting in a green field, and provide MediaTek with a (desperately needed) injection of quality.

MediaTek is the local industry's largest fabless chip designer. I am not quite sure the Taiwanese government would allow it to be acquired.

Nice to see you on HN. Been following your channel from the early days.

Do esims mitigate or eliminate an attack vector?

SIM attacks target vulnerable/unnecessary applets that some clueless providers leave there, which can also affect esims according to some articles. And since no one bothers to setup actual SIM PINs anymore that too probably doesn't help.

I guess they didn’t look hard enough at the other 63%

My approach with phones is to install apps only from very mainstream well known publishers (for Android, I limit apps mainly to those from Google). Other than the stock Google apps for web browser, email, maps, and phone/contacts/calendar I don't find I need many apps.

All computing devices have vulnerabilites. If you feel you need to use them regardless, you can avoid a lot of exploits by not installing random apps from publishers you've never heard of.

> you can avoid a lot of exploits by not installing random apps from publishers you've never heard of.

That is a false sense of security. Bluetooth, web browser, messaging, wifi networks are all very powerful vectors and likely the main vectors for attacking devices.

If the vulnerability is in the chip it doesn't matter what apps you install. Even with a bare OS you're vulnerable.

Vulnerable from what though?

- leaking your location

- having your conversations intercepted

- having your messages intercepted

- having yourself impersonated

- having your contacts lifted

There are so many options.

That's the same 'logic' that anti-maskers use. It's not about absolutes, just because something is theoretically vulnerable doesn't mean you need to throw caution to the wind.

I was just saying that installing supposedly "safe" apps gives a false sense of security if your hardware is compromised.

Somehow firmware updates should be enforced by consumers.

It doesn’t help, that there are so many different smartphone vendors, and the most of them are pursuiting only for sales. New chips are coming constantly, and old ones get forgotten, left unpatched.

Is the future of the smartphone market of secure phones only in the hands of big ones (Apple et al)?

What's really needed here is for the tech press to make this a priority when reviewing devices, which they currently don't. Right now consumers aren't aware of how important it is for the device to have drivers in the mainline kernel tree to avoid getting pwned.

Not having that should be an absolute bar to a device making it onto anyone's "recommended" list.

At which point device makers would prioritize not getting panned by reviewers and losing many sales just because they couldn't be bothered to get their drivers into the kernel tree.

> Right now consumers aren't aware of how important it is for the device to have drivers in the mainline kernel tree to avoid getting pwned.

Customers are actively hostile to updates, because they hate UI changes.

If you want customer uptake of updates to be higher, uncouple them from UI updates.

Or just stop making pointless UI changes. But that's not really the point.

Right now most Android devices come with a custom Linux kernel, and you can't just use the vanilla kernel instead because it doesn't have the drivers for the hardware. Which means that when the OEM stops supporting the custom kernel and it has vulnerabilities in it, you can't replace it with anything on that hardware, so your choices are to stay vulnerable or throw away the hardware.

If they'd spend a minimum effort to get their drivers into the mainline kernel tree, the hardware would work with any version of the kernel without needing special support from the OEM, so then it would keep working with new third party kernels indefinitely -- even if the OEM goes out of business.

But reviewers don't distinguish between the devices that have this and the ones that don't, and don't tell consumers why it's important, so consumers buy devices as if it doesn't matter, when it does.

That would be the free market way. Apple has a track record of patching even low level issues for a very long time after sale. If that is something you care about, then you buy the product that supports that.

Perhaps we should also block malware infected devices from using the internet as well to stop there negative external effect on the rest of us.

I care about phone security but also about privacy from corporate entities and control of my own devices. Our sorta-free market does not serve this demand. Voting with money just doesn't do anything to counter supply-side solidarity. I.e. leveraging the indisputable utility of their products to force hostile spyware and dark patterns onto people and abuse them.

As for disconnecting malware hosts, we could only block what we could identify & verify as malicious.

For voting with money, consider Librem 5: https://puri.sm/librem-5.

The time for open source chips is now.


Er, why do we think open source chips enhance security, when vendors spend $100mns trying to secure their devices?

I worked at an electronics place a while back and I remember there were issues in an old chip in some older products. Not talking anything major here but a few known bugs that could have been fixed. But usually nobody had the time allowed to go fix up the old firmware on old products because there were always other things to deal with that were deemed to be a higher business priority. Unfortunately there's often more money to be made by the manufacturer by making the costs of these bugs externalities on the entire market than there is to be made by fixing them. Even when vendors have large budgets to work on security work done on end of life products ends up being typically abandoned because there's just more money to be made elsewhere at the moment. Open source chips could help deal with this end of life issue.

The biggest problem we have right now is that someone finds a vulnerability in a chip which is at the same time in widespread use and no longer supported by the manufacturer. If everything is open source, anyone can patch the vulnerability even if the OEM won't, and then someone does.

Clickable link: https://Efabless.com

Anyone familiar with ASICs? If I wanted a 8 x AND gate, what would that cost, ballpark figure? I'm just trying to get a handle on the costs and figure that might be a good measure.

If you wanted an 8xAND gate I would recommend the 74LS30. There, saved you a bunch of money.

I was asking the question to get a handle on base process pricing and experiences for a design currently utilising 500k LUTs and residing in a fpga. But I didn't want to get too bogged down in details.

Do you still recommend the 74LS30 for that?

No, then you should contact a fab that does shuttle runs and take it from there.

I think maybe GP means 'what does it cost to get a simple design on a die say for sake of argument 8xAND', i.e. something very small and simple like that, so that it's all fixed cost.

You'd be correct.

I, too, consider it naive to think that a relatively unorganized bunch of people are going to make good chips, write good drivers and support the whole lot for free, and deliver a product that's competitive. There's so much stacked against it. Case in point: Linux on the desktop.

> I, too, consider it naive to think that a relatively unorganized bunch of people are going to make good chips,

It's naive to thing that relatively unorganized bunch of people wrote the most popular OS in existence.

It's much less of a consumer choice, and it's backed by some pretty deep pockets.

It is consumer choice, without any doubt.

If IT people didn't like Linux, it wouldn't have chances.

> Linux on the desktop

You mean it's fully doable and going to become a standard in practice for our peers?

But unfortunately ignored by the masses...

That's fine. At least they have the choice.

Sure, but the complaint was about drivers for 37% of the phones. That's going to stay, even if chip design and/or manufacturing becomes open source. And Linux for the Desktop kind of proves that: the choice is there, but very few take it.

I work on a website that gets responses from a representative sample of the population (age, gender, education, geographical spread, are all balanced; other factors unfortunately not). Linux usage is about 2%.

> Linux usage is about 2%

Considering the amount of very casual users, the usual paretian distribution, the heavy introduction of mobile OS in accessing the web, and the (witnessed) presence of engineers who adopt the motto "Outside work I want to use a Mac to convince me that no issues ever exist", the number makes some sense. I would have computed double as an estimation.

The kernel group is extremely well organized, and lots of other groups are too.

I think it's fair to say that at least 75% of Android phones currently in consumer hands will never receive another security update.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact