Critical Chipset Bugs Open Millions of Android Devices to Remote Spying

The Hacker News is an Indian clickbait farm which has nothing to do with the high quality Y-Combinator Hacker News. In this case the source is Checkpoint: Largest Mobile Chipset Manufacturers used Vulnerable Audio Decoder, 2/3 of Android users’ Privacy around the World were at Risk - Check Point Software they release the technical details at a conference in mid-end May 2022

Well, let’s skip this debate if THN is trustworthy. The article you post here mentions the exact same things. What remains unclear is what this means for e.g. the FP2 which doesn’t have Qualcomm support anymore. Maybe even the FP3 doesn’t have that anymore since the FP4 has a SoC from 2020, doing some quick math, probably around 2023 its support is dropped too. So it may be so that the FP3 doesn’t get this fix either. I would like to know these things because that gives me an understanding of the security quality ofy FP4 going forward.

Are these questions forbidden? Seems like it sometimes by the way people try to answer it and sugarcoat it.

Forbidden… Bans could basically be pronounced from two sides:

1. from the state side (the complicated law in questions of the Internet would then certainly come into play), which would then affect criminal law.
2. from private side (house right, right on/obligation to the moderation (although that can touch criminal law of course again), …), that would be civil law.

It seems to me that no one here needs to think about possibility 1, and apart from a few authoritarian states, I can’t think of any state actor that would get so involved in a topic like the initial question.
That leaves number 2, but here too there seems to have been no intervention by the moderation and you were not expelled from the forum. In addition, the responding persons are also not known as trolls who would destroy the discussion.

So to answer the question about the ban: to all appearances such questions are allowed. I think you do not have to worry.

I’m not talking about the rules on the forum, I mean that whenever I post something with a reproducible issue or yet unknown answer to a question (like in this thread) some community members jump in and act like a PR department.

Minimizing the issue, refuting the issue or try to answer it by reshaping the question and deflect the real question. And then the thread gets polluted. So this question is not directed to the state or the mods. Sorry if that wasn’t obvious.

No ban but it does all seem a bit over the top. Sure you can ask Fairphone anything but are you asking the forum users to back your concerns re the perceived security ‘news’ or asking users what they think about your action.

It all seems a rather fruitless topic in some aspects but not if you really want user responses.

Some questions can seem a bit weird but not ‘forbidden’ or too OTT but you say there is some sugar coating, maybe there is to your taste but the topic wasn’t really a question to the forum and yes no doubt some will want to play down the fears you anticipate as they truly are not worried…

I’m more worried about you worrying than about any security breach on my phone.

I do get what you mean and it’s interesting that the responses provoke such off topic issues as
a) people being unsupportive of your line of action Re. Faiphone and b) the feeling that people are trying to shut you down.

Neither of which address even one of the ‘millions of bugs’ or ‘spying’, which is really the focus of your concerns

I think I explained why I “chased” you a bit for this and I would appreciate of you would not always call me sugarcoater just because I’m not your opinion.
In my eyes your OP was not a question but a statement, with in my eyes no real information but a luring headline. Not all user might have your knowledge and in my eyes throwing out such scaremongering statements just lead to in my eyes unnessary panic. If you want us to know about each ticket you open, you need to accept comments and other opinions.

That headline is being pulled in from the source, here’s Ars Technicas headline (not a publication known for clickbaitey reporting):

And I wouldn’t call it scaremongering either, that’s a real security flaw easily exploitable with just a prepared ALAC audio file. That is very serious, no way around it.

I see the Internet as a group mind. To inform each other and tackle problems together. I personally think this is one of those things the community should be aware of. How people evaluate it themselves is up to them. But again, so far nothing is confirmed yet. I just share the information, maybe someone already knew more about it and could already answer it. But it went into a different direction.

Insert GIF with “I’ve seen things” I also advocate at the company where I work to offer the Fairphone 4. However, I cannot yet in good faith recommend this phone. I’m sure others are in the same position. Security is paramount, it could doom your personal or professional reputation.

I was talking in general terms of what I see in this thread. Not to you personally. I’ve thrown the word “sugarcoating” on the forum maybe 10 times over the past 6 months. If that happened to be towards you then I’m sorry. I’m not targeting you personally, just the general behavior of ignoring the topic and, well, sugarcoat it.

Exactly. And it could be that this community in general has a different culture. On other tech fora/subreddits it’s normal to dive into these kind of issues, understand them and evaluate. It often results in an interesting exchange of knowledge. But here it often turns into something else.

The comparison is not a great idea. Saying something is normal could mean common or acceptable. The ‘common’ forum user isn’t going to check the validity of all your claims so you will get some ‘sugar coating’ or ‘challenges’ to your ‘unpleasant’ news.

But here we go again, this is more of the same, no focus on the scary bugs just the scary forum users.

I find the headlines to capture the situation quite well, to be honest, and I am glad that the issue is discussed here, because it puts news into the context of using a Fairphone.

Regarding the issue, I find it is important to know how this was/is being patched for FP2 & FP3 because such issues have the potential to seriously undermine the mission of sustainable smartphone use. It shows how in the current state of supplier dependencies and vendor arrangements, any phone, regardless of its material condition and the intents it was build under, may be rendered completely unsafe to use way too early. Even by low security standards…

Am I right to think there is still no statement from Fairphone support about this issue? Regardless of the style of any press articles, it seems to be a matter for reasonable concern. Have you, @UPPERCASE, raised it with them, as you said you would?

Does today’s patch (FP3V.A.0116) address this issue?

I addressed it to FP support. Usually they respond in a week or so. No details known so far. I will relay any communication I get from them.

Then let’s take the headline from the CheckPoint blog.
Criticality is the same but sounds more trivial

And 2 out of 3 are still millions…

2/3 of Android users’ Privacy around the World were at Risk

This is why things get ‘sugar coated’ for want of a better twist.

Security bugs are common all the time but this does not make phones “completely unsafe to use”. They are unlikely to blow up and destroy your house.

It’s the harping on about a potential problem that a few people may, one day, suffer from being build up into how Fairphone are not doing a good enough job, so let’s get on their case.

A concern was posed to Fairphone, which they are likely already aware. So going on about it seems a bit mad.

I can say in 30 years of computing and having phones I have not heard of a single person, friend, family member or myself ever having a security issue. So all this hype seems a little over the top as if there was nothing else more important.

It can be fun seeing how people react, like watching TV, like a soap opera and usually soap operas are full of villains.

Lets not ignote the point I raised and follow proper netiquette: always post the original article. The one you linked provided no value. Yes I know you get fanboys on a community forum, its like thst on every community forum though. I hope you get an answer, I am interested too, but I wouldn’t look much into the criticism you get. I mean, you know of the subject more than the general population who replied.

Are you kidding me so anecdotal lack of evidence is suddenly evidence of the contrary? People get scammed all the time, fake phishing websites. There are security issues all the time and dumb criminals use services like cryptophones, the shooter of Peter R. de Vries allegedly ran one of the most secure OSes in world and the police have been able to unlock it to find out the truth behind the shooting. Source see [1] and link to nu.nl in comment. On top of that we are in a cyberwar with Russia and China right now. Security issues matter, things like NotPetya and WannnaCry happen whether you know victims or not! But if you look up the company Maersk or the country Ukraine you now know two entities who are victims. These entities are huge. So if anything, all this does is tell us something about you. You don’t care about security. OK, cool. Uppercase does, so do I, and I am tired of reading this nonsense from you every single time a security issue is raised. Every single time!! What do you think people who work in this field do for fucks sake?

[1] Politie kraakt GrapheneOS toestel schutter Peter R de Vries - Security.NL

There is really nothing wrong with THN article.

The NCSC rates security vulnerabilities by the easy of exploitation and the impact. This is easy to exploit, even remotely, and the impact is high. This is really no dramatization, this is one to pay attention to.

I think overall some can agree to disagree and thats fine in my eyes, there is no need to always agree and we need to stand different opinions. We always need to consider that there is different level of knowledge around and when we want to help others to understand better, its always good to stick to facts and elaborate them a bit.

As I think the discussion revealed some important information maybe I try to summarize the facts I get out of this and which are in my eyes important to understand

1. Qualcomm stops support for chipsets after a few years, I think it was 3 in the past and recently expanded to 4 or 5? So FP2 is out of support since many years already and FP3 as well mostlikely is since last year, because although FP3 was published around sep 2019 the chipset used, was already around a year old at this time.
2. When support stops, normally the security issues listed under “Qualcomm” in the Android monthly security bulletin are mostlikely not patched to chipsets which no longer have official QC support , i.e. just because I see security update date of 05th Feb 22 on my FP2 it, it does not automatically mean I have the QC updates on my device.
3. The Qualcomm security bulletin has a section named “affected chipsets” which seem to be misleading as it does not list chipsets affected by the issue, but those who got the fix. Scrolling down there is some hint * The list of affected chipsets may not be complete. For latest information, device OEMs can contact QTI directly at [www.qualcomm.com/support](http://www.qualcomm.com/support) .
4. For some reason, several months after the issue was detected and “fixed” several IT/tech plattforms are now “reporting” about this issue and also give false feeling of safety by stating e.g. (as Heise did) “if you own an Android device ensure your security patch level date is at least Dec 21”
5. thats all for sure important to know because

6. Even if this issue could be fixed on the FP2 and FP3 as well by Fairphone we need to see that

and Fairphone

7. What are we doing with all this information? Can we do anything to improve and get all stakeholders like chipset manufacturer, smartphone manufacturer and IT/Tech News Plattforms to be more transparent about this topic, because without a change of behaviour at all ends it remains difficult to keep a smartphone longer when you want a real secure device.

Original reply removed and sent as a private message.