December Android updates fix critical zero-click RCE flaw

Following this news, would it be advisable to turn off Bluetooth? Tbh I am slightly more concerned about my ereader as it hardly gets any updates (Android 11, the last patch from June) and I wonder how that Bluetooth bug can be exploited - would I see that any external device is being connected?

It may mitigate the risk. I’m not sure if disabling Bluetooth will really solve it though. Location services sometimes enable Bluetooth as well. Not sure if that does the same. But if you find out the answer, make sure to post it here. Thanks!

1 Like

hello, thanks
I found some guidance suggesting disabling bluetooth. See the link below. But still puzzled how it could work in practice.

Disabling bluetooth would mean I can’t use my hearing aids with my phone.

I am not saying I am advising it. I will be using bluetooth on FP myself. I have disabled it on my ereader where it is likely I will not be getting any update any time soon.

It is an 11-year-old bug and I find it hard to assess the chances of someone using it now, plus I am still puzzled how that could work… will it not be noticeable that an unknown device is paired?

I am not sure whether my message was clear :thinking:

Just a couple of considerations:

  • There is indeed always a security bulletin with vulnerabilities found across the source code of Android and other software components, which are both massive. The vulnerabilities normally have low-medium severity, with a critical bug rarely being spotted. This can be seen negatively, but it is actually positive, in my opinion, that there is such a good interest in security that Android is constantly inspected for that purpose.
  • It is true that Android gives a preview of the security bulletin in advance to manufacturers, but that is, as the word says, a preview. A lot of vulnerabilities highlighted in the preview do not receive a corrective patch until the actual bulletin is released.
  • (Almost) all the vulnerabilities contained within the security bulletins are under embargo until the bulletin is public, meaning that the general public will not know about the vulnerability (thus, potentially exploit it) until it is publicly announced.
  • The beauty of Android is its layered architecture, which makes it very difficult (and most of the time impossible) to use a single vulnerability to actually reach a malicious goal; normally, a chain of vulnerabilities across different layers is necessary.

The above points are no excuse, just the reality :slight_smile:

I just checked the release schedule for FP4 and FP5 in the last months, and on average we released the SPL of a certain month around 7-8 days after that month has ended.
As I said, the speed-up of the SPL release pace is on our agenda for next year :slight_smile:

16 Likes

Well, in the last couple months the monthly security updates came around the 5th of the following month.
Speaking of which, when will we get the November patches?..

For the FP5 it’s there:

3 Likes

Thanks, saw that. I’m more interested in the FP4 I own.

3 Likes

The November SPL will be shipped along with the patch for the 5G random reboots, likely on Christmas Day.
I know, December SPL would have been better but we had some difficulties in also including those given the extra testing we needed for the random reboot patch.

12 Likes

Can beta testers count on a launch in the next days?

They can count on it from 5 minutes ago :wink:

6 Likes

Yes, I saw that. Next month I’ll ask sooner :nerd_face:

1 Like

As of today, my FP4 has Security updates until 5.08.2023
This is incredibly bad and negligent!
Other current phones have updates until 01.11.2023 by now.
I don’t even want to start looking for how many dangerous security gaps are open due to the lack of updates. The secret services and hackers are delighted.
I thought I bought a modern phone with in-time updates.
(My build nr. is FP4.TP1V.C.073.20230905 and no updates are offered.)

Have you manually searched for updates? With Wifi, or with mobile data? What is your provider? Have you set-up anything blocking internet access? Have you checked/searched without SIM? Did you try to clear cache/storage of the updated App?

2 Likes

I always search manually because I am eagerly waiting for the updates.
I only search for updates when I’m on my home wifi.
Provider: yesss (A1 network) in Austria.
I do not remove SIM - why should I?
No cache cleared until now.

I see it’s not the first time you get updates delayed. Did you ever contact support, to see if there is any OTA glitch with your IMEI? Maybe it’s for whatever reason connected to the provider?

because

3 Likes

While there is little to nothing that can be done (by us) about the zero click that this thread is ultimately about, there are ways of mitigating the fact that you’re behind on updates in other ways.

The most obvious risk is your browser. If you use a browser that supports disabling JIT you’re ultimately a lot more secure.

The downside? The only browser that seems to support that on Android, while also being up to date, is Cromite, which has to be downloaded from F-Droid rather than the Play Store.

But if you’ve got 5 min to spare, you may want to check it out.

Maybe someone should make a dedicated security thread?

1 Like

I tried it now. Switched off SIM and checked for Update.
“Your system is up to date”

Deactivating the SIM did not help.
Furthermore, I did not find any blocking messages for my FP4 in my local pihole.
Is it possible to manually download the update on the phone and start it?