Is Snapdragon note 4 at risk with Meltdown & Spectre? - Galaxy Note 4 Q&A, Help & Troubleshooting

In other words, am I using a device which will leak my passwords and personal info and will get filled with rootkits and malware in the near future?
Thanks for responses.

I think it is vulnerable. Isn't it curious that Intel knew about these vulnerabilities 5 months ago and Samsung decided to stop providing security updates to the Note 4 right after the August security patch. We are now vulnerable to KRACK, Meltdown, and Spectre. Manufacturers and carriers should be required to support phones longer than they do now. I think they should be legally required to provide security updates for at least 5 years after the date they quit selling the phone.

Verizon Galaxy Note 4's have started receiving a security update!!!! Within the past half-hour (currently 1/17/2018 at 10:45pm) I received a notification to install the update. Hopefully this update will address the KRACK, Meltdown, and Spectre vulnerabilities.
---------- Post added at 11:35 PM ---------- Previous post was at 10:50 PM ----------
The update is confusing. After applying the update I looked in Settings, About Phone and the Security Patch level still shows as August 1, 2017 (suggesting that none of the security vulnerabilities like KRACK, Meltdown, or Spectre have been addressed). The Kernel version and SE for Android status now show December 6, 2017, so something has changed.
Under Settings, System updates shows that the last system update was a software update to N910VVRU2CQL1 and that it was applied today (Jan 17,2018). So far I haven't found any documentation for this update so it is totally unclear what has been changed or fixed.

Verizon just posted that
Software Version: MMB29M.N910VVRU2CQL1
Android® Security Patch Level: 2017-08-01, including Blueborne and Krack security patches
The current software update gives you the most up to date Android security patches on your device.
( See https://www.verizonwireless.com/support/samsung-galaxy-note-4-update/ )
Hopefully we will soon receive the Meltdown and Spectre security patches. Wouldn't it be nice if Verizon/Samsung would post an ETA for these kinds of critical security patches.?

According to this page, Note 4 will not get the Meltdown and Spectre updates. Ever. Unless there are enough complaints that Samsung changes its mind.
Search for: "How-to: Check whether your Android device will get updated against Meltdown and Spectre"
I'm wondering; if we don't do anything financial on our phones, and don't otherwise have high-value passwords, what is the real risk? Like, if we have some gmail accounts on the phone that have app passwords (so that I never have to manually enter a password), are those app passwords somehow vulnerable to a Spectre or Meltdown attack? My understanding is that these problems do not expose your phone to infection, but rather, if the phone has *already* become infected, these defects can allow the hostile code to cross application boundaries and filch data from other processes on the device.
So, can anyone comment on what the risk might be if someone decided to just keep on using a Note 4 despite the lack of a Meltdown / Spectre update?

Related

security patch

Hi, did anyone recieve march 18. security patch yet? Samsung and BlackBerry devices are receiving April 2. patch and we are still sucking with march 1. update.. Can anyone tell me what is going on?
They're different devices, they're on completely different update schedules. The patch they're receiving is probably actually months old by now.
nope, they are receiving april 2. patch from Google..
Source please?
This is being reported on crackberry with 2nd April security patch. However, that doesn't mean much other than the security for a particular phone, and it is a very particular phone that is still on lollipop.
I'd say this is a little bit of conflation and the fact of lollipop and BB's locked out kernel, bootloader and security makes it a nonstarter in terms of Nexus lines.

I heard Verizon's Pixel Got a Software update yesterday Sept security patch

I hear Verizon and Google have released a ota of the Sept security patch for Verizon's pixels yesterday.. if you have a Verizon be sure to check for update manually in settings, about phone, software update..
I saw it on my Pixel XL this morning but not on my wife's Pixel. I have no details except the size of ~55MB since that is all that shows. It is not available for download in the OTA images or the factory images section. I assume it will not work over the standard OTA mechanism since the phones are rooted, and I have no interest in taking the patch blindly anyways.
The september 2017 Security Patch should have been released already. But due to some reasons, Google has delayed the upcoming monthly security update. The reason for the delay could be the release of a new stable Android 8.0.0 Oreo firmware update for Google Pixel and Nexus phone. Under the AOSP project, Google released 3 sets of monthly updates. One for the latest Android 8.0 Oreo, another for 7.1 Nougat, and finally the Marshmallow. Today, the Google Pixel XL device is receiving the September 2017 security patch OTA.
The first Google devices to receive the September 2017 Security Patch are the Unlocked Pixel XL 128 GB on AT&T and Verizon. That means, the US carriers shall receive the OTA update before the global roll out. The international variant of Pixel, Pixel XL, Nexus 6P, and Nexus 5X may receive the next security patch as soon as today. So stay tuned as we will list the update here.
The OTA update for AT&T Pixel XL brings the firmware build number OPR3.170623.007 dated September 5th 2017 level based on Android 8.0.0 Oreo. This an upgrade over the previous OPR6.170623.012 August 5th 2017 8.0.0 Patch.
This September OTA update comes in a very small OTA package. It weight about 50.61 MB in size. The changelog states the following.
This update fixes critical bugs and improves the performance and stability of your Pixel XL. If you download updates over the cellular network or while roaming, additional charges may apply. Update size 50.6 MB
Note: Google Pixel XL users have reported that the OTA notification shows that it is based on Android 7.1.2 Nougat, whereas the Pixel devices are already running 8.0.0 Oreo. However, upon update, the Android version is based on 8.0.0 Oreo and September 2017 security patch level. So it could be an error from Google’s side.
Download Google Pixel (XL) September 2017 Security Patch OTA update
One of the users for Google Pixel XL have managed to capture the latest OTA update from the LogCat file. September 2017 security patch.
AT&T Google Pixel XL 128 GB | OTA Download | google_marlin_marlin
Verizon carrier Pixel XL | OTA download |
8.0.0/OPR3.170623.007 from 8.0.0/OPR6.170623.012
Android 8.0 – Oreo for Pixel XL
Official factory images
Official full OTA images
Build for Global, Bell, Telus, Telstra, TMoUS, Sprint, USCC, Rogers/Fido
Android 8.0 – Oreo for Pixel
Official factory images
Official full OTA images
Build for Global, Bell, Telus, Telstra, TMoUS, Sprint, USCC, Rogers/Fido
Soon the official factory images for September 2017 Security Patch will show up. Also, download OTA update image from above and install it via ADB sideload method.
What's in the security patch
There are 30 issues resolved in the security patch dated 2017-09-01 and 51 in the 2017-09-05 one. Google notes that the two security patch level strings provide “Android partners with the flexibility to more quickly fix a subset of vulnerabilities that are similar across all Android devices.”
Google devices will receive the latter patch, while devices from other manufacturers will also feature OEM-specific fixes. This month’s bulletin also includes a new section that lists patches that are specific to Google devices.
Vulnerabilities range from moderate to critical, with the most severe possibly enabling remote code execution when browsing, using email, or MMS. However, Google notes that there are no reports of customers being affected by these security issues.
Still not interested? Some people are willing to give up root for a little while in order to improve their security... Only someone who thinks having root 24/7 is better than improving security is something different.. I know with this patch it stops people from remotely controlling you're device... I think if I was rooted I'd unroot and add this security protection...
Pixelxluser said:
Still not interested? Some people are willing to give up root for a little while in order to improve their security... Only someone who thinks having root 24/7 is better than improving security is something different.. I know with this patch it stops people from remotely controlling you're device... I think if I was rooted I'd unroot and add this security protection...
Click to expand...
Click to collapse
If someone is rooting, why not apply the update and reroot. We all do that every month. I just did mine for this update. I get the loss of security if you root but you dont need to give up root to update.
Pixelxluser said:
The first Google devices to receive the September 2017 Security Patch are the Unlocked Pixel XL 128 GB on AT&T and Verizon. That means, the US carriers shall receive the OTA update before the global roll out.
The OTA update for AT&T Pixel XL brings the firmware build number OPR3.170623.007 dated September 5th 2017 level based on Android 8.0.0 Oreo. This an upgrade over the previous OPR6.170623.012 August 5th 2017 8.0.0 Patch.
AT&T Google Pixel XL 128 GB | OTA Download | google_marlin_marlin
Click to expand...
Click to collapse
I would like to know where you copied & pasted this info since at&t does not sell the pixel, so, I can't see them releasing a ota.
Last I knew, google controls this
Sent from my Pixel using XDA-Developers Legacy app
I was rooted on Oreo and updated to this new build and my service still sucks? I'm right next to a cell tower and my phone is going from -64 to -80dbm and its making my battery tank. I'm about to go back to 7.1.2.
I think a big misconception is trying to pull people away from improving their own security and safety by using the whole oh you will lose root if you do that and may lock you're bootloader.. just because you personally don't care about you're own safety doesn't mean you should try to prevent someone else from improving their own safety.. come on the fact is it's just root you will be fine to live without it for a little while it's not going to hurt you to give it up for a few...
And another thing is all the new pixels and Pixel XL are gonna come preinstalled with these new security patchs so you all might as well get used to it...
I don't understand why Google doesn't post these on their website immediately. I have a Pixel on Verizon and have no way of accessing it until they finally publish the update to their site or zi just start receiving it. It's always this awkward way with a lot if confusion. It would also be nice if they fixed the few small bugs in Oreo (i.e. picture in picture mode causing reboots when you turn the screen off/back on). It's just a little annoying.
The Sept security patch also fixes a Bluetooth problem. It's recommend to update to any software with Sept security patch and later security patch
Google is still working on getting the September security patches out the door, but it has posted a security bulletin detailing the changes. Several of the flaws noted in the bulletin are part of an enormous Bluetooth vulnerability discovered by Armis Labs, which bills itself as an IoT security firm. The "BlueBorne" attack exposes billions of Android devices to complete takeover by hackers, but it's not only Android. The same flaw exists in Windows, Linux, and some versions of iOS.
BlueBorne is dangerous because most devices have Bluetooth active even when it's not actively being used, and an attacker does not need to pair with the target device to completely take it over. There are eight vulnerabilities listed by Armis, four of which are critical (though Google's classifications differ). The most severe issues are the two remote code executions, which allow an attacker to completely own a device without the user even knowing. These flaws are present in the Bluetooth Network Encapsulation Protocol (BNEP) service, which is used for internet sharing and networking.
You don't even need an internet connection to infect a device, and the Android demo above is wild. If one of the affected devices has Bluetooth on, it's a target. The attacker can gain complete control of the phone to launch any app, install malware, and exfiltrate data. Armis estimates that about 8 billion devices are vulnerable, including 2 billion Android phones, tablets, set top boxes, and watches. There are another 2 billion Windows devices and around 1 billion iOS phones and tablets affected. BlueBorne doesn't work on iOS 10, so the damage is mitigated there.
BlueBorne vulnerabilities in the security bulletin
Most of the vulnerabilities in Android reported by Armis affect all recent builds of the OS, so Google is adding a lot of patches to AOSP. It's up to OEMs to push those out to devices, though. Anything with a patch level of September 1st, 2017 or later will have the necessary fixes. It's going to take time for this patch to roll out, and in the meantime, there are a lot of vulnerable devices.
This was took from Android polices website
It's also recommend that the devs here on xda get rid of the software which is vuneralable to theses problems.. it doesn't really show good faith of a Dev if they know there's security problems in the roms but yet keep them posted for someone to download and install...
Pixelxluser said:
It's also recommend that the devs here on xda get rid of the software which is vuneralable to theses problems.. it doesn't really show good faith of a Dev if they know there's security problems in the roms but yet keep them posted for someone to download and install...
Click to expand...
Click to collapse
Boring.......
Pixelxluser said:
It's also recommend that the devs here on xda get rid of the software which is vuneralable to theses problems.. it doesn't really show good faith of a Dev if they know there's security problems in the roms but yet keep them posted for someone to download and install...
Click to expand...
Click to collapse
Do you even know what the ... ah not worth it
Sent from my Pixel using XDA-Developers Legacy app

KRACK Attack Vulnerability

In recent news, a new vulnerability came to light that affects Wifi on OS's like Windows, Linux, and more specifically: Android 6.0 and higher
https://www.krackattacks.com/
Just wanted to put it out, because this could most likely also affect our devices.
It seems like there are already patches/software updates rolling out.
What are your thoughts?
(Might be in the wrong place, feel free to move this post)
The official ROM still runs September 1st 2016 security patch, I doubt we will ever see the november 2017 patch that will fix this

"QualPwn' Critical Security Flaws in Qualcomm Snapdragon Chips, Mi A2 affected

Highlights:-
An attacker would need to be on the same Wi-Fi network as the target
Qualcomm has released updates to hardware OEMs and through Google Android Security Patch.
All Android users are advised to download the August 2019 security patch
Details:-
The Android Open Source Project (AOSP) website has published its Security Bulletin for August 2019, in which details of two high-severity issues affecting Android devices powered by Qualcomm processors are described. The two security flaws, together known as 'QualPwn', have been patched in the August 2019 over-the-air Android security update. At least one of the two issues affects Qualcomm's Wi-Fi and cellular hardware in a number of popular current and retired smartphone SoC models including the Snapdragon 855, 845, 835, 820, 730, 712, 710, 675, 670, 660, 665, and 636. The Snapdragon 850 and 8CX which are designed for laptops, and several other special-purpose processors aimed at the automotive, IoT, and smart speaker segments, are also affected.
Mi A2 has been affected as Snapdragon 660.
Flaws Details:-
Flaws can be exploited over the air and do not require hands-on access to a target device, but they do need proximity since an attacker would need to be using the same Wi-Fi network.
By sending a maliciously modified data packet to the target device, over either a Wi-Fi or cellular connection, the attacker could use these two flaws to create a chain of events that can compromise the device's Android kernel. No action would be required on the part of the device user. On its own, the first flaw could still allow an attacker to spy on a device's communications.
The flaws were first uncovered in February by Tencent Blade, the security arm of Chinese gaming company Tencent. Tencent Blade informed Google, which then roped Qualcomm in.
Qualcomm says it has already released a patch to its partners OEMs in early June. Google has added the security patch in August 2019 Android security patch.
Tencent Blade is only now disclosing this information because enough time has passed for the update to make its way into the August 2019 Android patch.
So when will Mi A2 have the patch?
@bluishguru it's a part of the August security patch from Google, so we should be getting this in the next update.
Some custom ROMs already have the update, though.
enapah said:
@bluishguru it's a part of the August security patch from Google, so we should be getting this in the next update.
Some custom ROMs already have the update, though.
Click to expand...
Click to collapse
So we have a known security risk for at least 2 more weeks (roughly)
At best. Last year, when Xiaomi started preparing the release of Android 9, they stopped the monthly updates until that version was finally out.
Those are the "joys" of Android, at least here we know that *eventually* we'll get the update (unlike the vast majority of other Android devices).

Security updates

My phone is on the latest (Feb) stock firmware, it has been unlocked, and then rooted with Magisk. After that, the only other things that I did was to deny a bunch of permissions to a bunch of apps (altogether too many to list, but the only app to complain about anything is 'Play Store Services' )
That's the background. Now, when I go to Settings->About phone->Android version the "Android security patch level" shows "February 5, 2020" which, obviously, is not the latest security patch for Android 10, and I was convinced that because PH-1 was a Project Treble phone, it would be getting security directly from Google, so what am I missing (or have I messed up with the intended flow of things by blocking too much from Google)?
As far as I know, security updates are still delivered via OEM patches. If you want security updates for this phone, you have to flash another ROM.
MarSOnEarth said:
I was convinced that because PH-1 was a Project Treble phone, it would be getting security directly from Google, so what am I missing (or have I messed up with the intended flow of things by blocking too much from Google)?
Click to expand...
Click to collapse
From what I know about Treble, it does NOT mean the security updates are provided directly by Google. It only makes it easier and faster (by separating the OS framework from the hardware-dependent vendor code) for vendors to prepare and release updates. But the updates are still packaged and released by the vendors.
The Project Mainline changes that, so the security updates would be delivered straight through Google Play. But we are out of luck with the PH-1 here...
kt-Froggy said:
From what I know about Treble, it does NOT mean the security updates are provided directly by Google. It only makes it easier and faster (by separating the OS framework from the hardware-dependent vendor code) for vendors to prepare and release updates. But the updates are still packaged and released by the vendors.
The Project Mainline changes that, so the security updates would be delivered straight through Google Play. But we are out of luck with the PH-1 here...
Click to expand...
Click to collapse
Ahh. Thank you for this clarification.
With my (paranoid) online hygiene + AFWall I'm still very comfortable using this phone as is, and the feedback from the Android 11 thread is reassuring that there will be another lifeline for this hardware. Life's good.
Hopefully with Android 11 we will be able to some how load in monthly security updates.
I'm using LinageOS right now. Works really good including monthly security updates. There is only one problem with the microphone in voice calls when the loudspeaker is on.
Essential delivered security updates. They closed up shop in February. Only way to get security updates is via 3rd party ROM.
You can get Google Play security updates OTA, but they're not thorough like normal security updates.

Categories

Resources