• argv_minus_one@beehaw.org
    link
    fedilink
    arrow-up
    1
    ·
    edit-2
    1 year ago

    I do indeed: the Android Security Bulletins. Bear in mind that most people don’t install a custom operating system after the stock OS stops receiving updates.

    Even for those who do, however, those vulnerabilities listed under a heading like “Qualcomm closed-source components”—that is, firmware vulnerabilities—are still present on their devices. See, for example, this list of firmware vulnerabilities fixed in an update as of December 2019. If you have a device that stopped receiving updates before then, it still suffers from those vulnerabilities no matter what OS you run on it, and many of them are RCEs that give successful attackers complete control of the device.

    As for “likelihood”, infosec does not work that way. Cybercriminals and hostile foreign intelligence agencies don’t sleep and don’t show mercy. If you have a vulnerability that your adversaries know about and can feasibly exploit, then they are already exploiting it. That’s why vulnerability disclosure embargoes are a thing.

      • argv_minus_one@beehaw.org
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        Was there something specific in there that actually backed up your claim? A link to a generic landing page is not what I was asking for.

        My previous comment contains two links. The second one points to a list of vulnerabilities in Qualcomm closed-source firmware that were fixed.

        For your convenience, here it is again: [link]

        What I am asking for is evidence that every old Android device has already been compromised (your claim) and/or for data that proves this is a widespread issue.

        Cybercrime groups obviously aren’t going to publish reliable statistics on the crimes they’ve committed. One should generally assume that known vulnerabilities are already actively exploited unless there is evidence to the contrary.