Technically you’re correct but it really depends on the user’s threat model as to whether this is actually an issue. The remote risk to an unlocked bootloader is very low, so it’s only really an issue if someone actually physically has the phone. The average thief is not going to have the skills, knowledge or even the interest to actually exploit the phone in this way.
They are both potential problems. As I said, it depends on the user whether they are significant concerns. Around half the Android userbase is stuck on 10 or lower, presumably on older devices that haven’t had firmware updates for years. Theoretically there is a risk, but there is no evidence to suggest the likelihood is anything other than very low.
Unless I’m mistaken, there have been firmware RCE vulnerabilities that give successful attackers unrestricted access to the entire system and can be attacked by anyone capable of sending network packets to it. That is not “very low”. That’s insecure to the point that “your” phone is basically the property of some overseas crime ring and they’re letting you borrow it.
Unless you have some evidence that half of the Android userbase is using devices that are “basically the property of some overseas crime ring”, I am going to assume this is just hysteria on your part. Please read the definition of “likelihood” while you’re at it.
I do indeed: the Android Security Bulletins. Bear in mind that most people don’t install a custom operating system after the stock OS stops receiving updates.
Even for those who do, however, those vulnerabilities listed under a heading like “Qualcomm closed-source components”—that is, firmware vulnerabilities—are still present on their devices. See, for example, this list of firmware vulnerabilities fixed in an update as of December 2019. If you have a device that stopped receiving updates before then, it still suffers from those vulnerabilities no matter what OS you run on it, and many of them are RCEs that give successful attackers complete control of the device.
As for “likelihood”, infosec does not work that way. Cybercriminals and hostile foreign intelligence agencies don’t sleep and don’t show mercy. If you have a vulnerability that your adversaries know about and can feasibly exploit, then they are already exploiting it. That’s why vulnerability disclosure embargoes are a thing.
Was there something specific in there that actually backed up your claim? A link to a generic landing page is not what I was asking for. As I have said repeatedly, I do not deny that there are exploits which are theoretically feasible and have been carried out on some scale. What I am asking for is evidence that every old Android device has already been compromised (your claim) and/or for data that proves this is a widespread issue.
What I am asking for is evidence that every old Android device has already been compromised (your claim) and/or for data that proves this is a widespread issue.
Cybercrime groups obviously aren’t going to publish reliable statistics on the crimes they’ve committed. One should generally assume that known vulnerabilities are already actively exploited unless there is evidence to the contrary.
I don’t know why you keep linking examples of known vulnerabilities .This is not what I am asking for, and I have never once denied their existence. If you can’t provide evidence to support your claim that every old Android device has already been exploited and is “the property of an overseas crime ring” then just say so. Stop shifting the goalposts and pretending otherwise - it’s a waste of my time and yours.
Technically you’re correct but it really depends on the user’s threat model as to whether this is actually an issue. The remote risk to an unlocked bootloader is very low, so it’s only really an issue if someone actually physically has the phone. The average thief is not going to have the skills, knowledge or even the interest to actually exploit the phone in this way.
That’s not the problem. Remotely exploitable firmware vulnerabilities, for which no patch will ever be available, are the problem.
They are both potential problems. As I said, it depends on the user whether they are significant concerns. Around half the Android userbase is stuck on 10 or lower, presumably on older devices that haven’t had firmware updates for years. Theoretically there is a risk, but there is no evidence to suggest the likelihood is anything other than very low.
Unless I’m mistaken, there have been firmware RCE vulnerabilities that give successful attackers unrestricted access to the entire system and can be attacked by anyone capable of sending network packets to it. That is not “very low”. That’s insecure to the point that “your” phone is basically the property of some overseas crime ring and they’re letting you borrow it.
Unless you have some evidence that half of the Android userbase is using devices that are “basically the property of some overseas crime ring”, I am going to assume this is just hysteria on your part. Please read the definition of “likelihood” while you’re at it.
I do indeed: the Android Security Bulletins. Bear in mind that most people don’t install a custom operating system after the stock OS stops receiving updates.
Even for those who do, however, those vulnerabilities listed under a heading like “Qualcomm closed-source components”—that is, firmware vulnerabilities—are still present on their devices. See, for example, this list of firmware vulnerabilities fixed in an update as of December 2019. If you have a device that stopped receiving updates before then, it still suffers from those vulnerabilities no matter what OS you run on it, and many of them are RCEs that give successful attackers complete control of the device.
As for “likelihood”, infosec does not work that way. Cybercriminals and hostile foreign intelligence agencies don’t sleep and don’t show mercy. If you have a vulnerability that your adversaries know about and can feasibly exploit, then they are already exploiting it. That’s why vulnerability disclosure embargoes are a thing.
Was there something specific in there that actually backed up your claim? A link to a generic landing page is not what I was asking for. As I have said repeatedly, I do not deny that there are exploits which are theoretically feasible and have been carried out on some scale. What I am asking for is evidence that every old Android device has already been compromised (your claim) and/or for data that proves this is a widespread issue.
My previous comment contains two links. The second one points to a list of vulnerabilities in Qualcomm closed-source firmware that were fixed.
For your convenience, here it is again: [link]
Cybercrime groups obviously aren’t going to publish reliable statistics on the crimes they’ve committed. One should generally assume that known vulnerabilities are already actively exploited unless there is evidence to the contrary.
I don’t know why you keep linking examples of known vulnerabilities .This is not what I am asking for, and I have never once denied their existence. If you can’t provide evidence to support your claim that every old Android device has already been exploited and is “the property of an overseas crime ring” then just say so. Stop shifting the goalposts and pretending otherwise - it’s a waste of my time and yours.