Qualcomm Security Hole

If I saw right in Qualcomm Documentation our chip set is not listed in the sec bulletin.
Or does our chipset have other names than SM7225?

You mean listed under affected?

I’m not sure FP4 SOC still has QC support

Yes, I meant that list. If we need to rely ob Fairphone to deliver a fix, I am not sure if this will ever happen.

Here is a news article
https://www.golem.de/news/android-geraete-in-gefahr-zero-day-luecke-in-qualcomm-chips-wird-aktiv-ausgenutzt-2410-189708.html

In my eyes the question is, if it can happen

So the question as well is,what was the outcome?

Btw I think Golem as well makes the wrong/misleading conclusion

Als betroffene Chipsätze listet Qualcomm zahlreiche Modelle auf,

If our chipset is out of support, we’ll never get a fix (only Qualcomm can make it).
Unless our chipset uses some known bad configuration/code, we probably won’t even know if we’re affected, because Qualcomm won’t bother checking the old chipsets. For them they’re yesterday’s news, but their code is still closed and under copyright…

I remember Fairphone said “we are in talks with Qualcomm to hopefully guarantee longer support”, but between “in talks” and “hopefully” that’s as vague as in “while at the coffee machine we suggested to them…”, so don’t hold your breath. Fairphone hardly manages the readily available Android security patches.

Please stop blaming Fairphone for everything bad happening in the world. They can’t do here anything. One of the reasons why they have chosen an IoT SoC for the FP5 with longer support by the manufacturer.

When the FP4 launched, I remember reading some random youtube comment criticising Fairphone’s choice of SoC, as apparently it was clear that official support from qc would be short.
And I had that comment bouncing around in my head when the 5’s weirdo SoC was revealed, and the reasons for it’s choice explained.

Unfortunate to see that bad omen come to reality, IF the 4 really has some issue that can’t be fixed without qc’s blessing.

That’s great for the FP5, but not really helping FP4 owners.

One of the reasons I went with a Fairphone is because, at least from the outside, it looked like they were trying their best to keep devices properly supported as long as possible.
That’s honestly not at all what owning a FP4 feels like, it’s been a pretty disillusioning experience so far, and my phone is only 3 years old…

Hi
I feel sorry for the FP4 owners but I also feel that’s the part of the wider discussion with kernels and chipsets.
What other chipsets have longer support?
I remember reading the choice of the one for FP5 ( and Shiftphone chose the same one for their newest phone) was unique and specific given perhaps lower performance but longer support

DivestOS has FP4 patched against this for the pending October update: divestos-build/Scripts/LineageOS-20.0/CVE_Patchers/android_kernel_fairphone_sm7225.sh at a2f68a96c17df1e6065e590696258fa09bf0adaf - divested-mobile/divestos-build - Codeberg.org

FP3 is also likely vulnerable, but needs a better backport.

edit: Patched FP3 too: divestos-build/Scripts/LineageOS-20.0/CVE_Patchers/android_kernel_fairphone_sdm632.sh at b060b683167a5d901ce9f132d8106568ed0b2dad - divested-mobile/divestos-build - Codeberg.org

Of course not, but changing the market is an ongoing process, it wasn’t already done completely when the FP1 was launched.

So it’s good to see, that Fairphone is still learning and making decisions based on the experience they made.

Sure, but I have a FP4 not a FP1.
It might be the case that they are slowly learning/moving things but that doesn’t mean I don’t get to criticize them. This isn’t a charity it’s a business, a business with laudable goals but still a business.

From my perspective I bought 2 Fairphones for me and a family member that were advertised with a 5 year warranty that might end up with an unpatched vulnerabilty after 3. I was already pretty unhappy about the fact that we now only get bi-monthly security updates, which no one indicated beforehand.
And then there’s the whole bricking situation, the hardware/software issues, the severe lack of communication, the list goes on and on…
Look, I’m generally very happy with my FP4 (mostly because I run a custom ROM), a lot of the problems people complain about don’t affect me or I have found workarounds, but I draw the line at security updates, that’s just not negotiable.

My main reason for getting a Fairphone was always to support fair(er) conditions in the industry, but it can’t be the only reason to get one.
I for one can’t afford to replace my phone after 3 years, not at that price, and not at the environmental damage it takes to produce one.

I’m with @hirnsushi on everything said, but especially this ^^^. Security is not negotiable, and no amount of “too bad for you” and “just buy a FP5/FP6” will change that.

Was there any indicator about monthly updates or any official roadmap when you bought the FP4 ? I dont care that much about update/upgrade frequency thus my perceptiont might be wrong, I would say that until recently there was no official roadmap other than marketing phrases “updates planned till… and xyz #of upgrades”?

For me personnally Fairphones biggest issue is their communication, and it degraded with every new device on the market in my eyes, and even if here and there there are hints it could go back in the right direction, this movent is very slow and it feels they have no plan for this and just react here and there on some topics when the community is loud.

To come back to the specific topic @Lars_Hennig did you contact Fairphone about that or will you?

I don’t remember the phrasing when I bought them, I was mostly going by vibes and the fact that I read about Fairphone supporting phones way past their expiration date in the past (which is an error on my part, yes). But you can still buy the FP4 and here’s what the FAQ currently has to say about that:

To realise true longevity, our Fairphone 4 comes with a 5-year manufacturer warranty (subject to terms and conditions) and software support until the end of 2025, with an aim for software support to be maintained up until December 2027, regardless of the support from the chipset supplier expiring.

The Android Security Bulletins are released monthly so in my opinion software support follows that release schedule. Otherwise what is the point? It’s certainly not the case that other areas that aren’t security updates have had great support either…

Absolutely agree, that is also my main pain point. An actual open channel to the community would go a long way.

I’m still pissed about how much time I spent trying to help people with bricked phones when a lot of the problems could have been explained/avoided if someone from FP would have bothered to show up.

No, I didn’t as I did not see a reasonable chance to get a positive response anyway.

And yes, the communication is one of the worst parts of it all. And unfortunately Fairphone does not use this a some kind of unique value proposition as other companies usually are no bit better in their communication.

Hmmm…above I linked the answer to last times request, so I would be not so pessimistic…

However @anon1128606 or @Ioiana_Luncheon you can shed some light?

I honestly struggle a bit to understand the topic here, would be nice if next time someone could include a CVE number to make the conversation clearer

Anyway, if we are talking about CVE-2024-43047 (thanks @SkewedZeppelin for giving some context), it is on its way of resolution/patching for all devices.

I cannot disclose too much information around it, but essentially the preliminary patches released by Qualcomm when the first security advisory was published about the vulnerability did not fit with our kernel(s), so we had to wait for a second patch to be published.

Yes it is CVE-2024-43047 and I am sorry not to have mentioned it in my original post. It was linked in the news I linked, though.

Thank you, Francesco, for joining the discussion and sharing this update.