[throwaway613834]

But your email app will still get updates right? (I guess I'm using Gmail and assuming you are using something like it that gets updates too, but maybe I'm wrong.) Same with SMS - lots of apps that get updates. What's the exact issue?

[Jaepa]

Most will, some will drop support after its X major release behind. But that's not really the issue, the underlying system has a lot of security issues (as all complex systems do).

So just for 2017 there are:

- 326 code execution vulnerabilities

- 221 memory overflow bugs

- 114 memory corruption issues

- 309 privilege escalation bugs

http://www.cvedetails.com/product/19997/Google-Android.html?...

Granted, I'm sure a lot of these CVE are very low risk, and some are duplicates (because CVE). But there were a couple of notable really bad security issues. But this is just the Android, not all the of dependencies Android has.

StageFright was already mentions, and there has been a couple of iterations of this already, stemming from different bugs in a parsing library used with MMS. Included in this is a remote code execution and an privilege escalation.

Another fun one is Broadpwn, which is rather new one and was disclosed as BlackHat US this year. Its effects both iOS and Android and can be wormed trivially. It targets a widely used Broadcomm wifi chipset, and does not require _any_ user interaction. A malformed SSID broadcast allows for remote code execution. And when I say any user interaction, you can walk by something broadcasting this and you're infected.

[throwaway613834]

Regarding Broadpwn: I wasn't aware of it, but at the same time -- has it actually been exploited, and has it been patched in more recent hardware or OSes? If the upgrade doesn't help mitigate an actual, existing threat then upgrading doesn't solve anything.

To put it another way: if you learn of a very serious exploit like this in the wild and an upgrade is the only way to solve it -- by all means, go ahead and upgrade. I'm not saying you should never upgrade, nor am I saying serious security vulnerabilities cannot pop up. But neither in any way implies you need a periodic 1-2-year hardware/OS refresh. A refresh could be justified in 1 day or in 10 years; it just depends on what the actual threats and mitigations are. Remember what the original discussion was about: it was about whether the periodic refresh is justified.

As for the rest of those (StageFright and other attacks) -- I've addressed them in other comments. See here: https://news.ycombinator.com/item?id=15040745

[dmoy]

There is no way I'm going to be continually looking for new incoming CVE that affect my old phone and making sure I have solid workarounds. The risk is too high that I'd miss one, mess up a fix, and then be vulnerable. And even if the risk wasn't that high, we're talking about a lot of time sunk into looking through security postings and verifying my own fixes/workarounds. It doesn't have to take too many minutes per year before it's worth me buying a new $130 moto E or whatever. As in like, 1 hour per three years or something.

This is the same reason why I don't run a computer OS at home that isn't patched to the latest security updates. I am not going to run windows XP at home and just disable / find workarounds for every single one of the probably-thousands of risks. That's insane.

[throwaway613834]

That's a total straw man. You don't need to keep up with CVE. You really think I learned about e.g. StageFright through reading CVE or expected you to do that? If there's a serious vulnerability that actually needs your attention, you will read about it in the news (certainly on HN, most likely also the general news if it affects a sizable population). You will become aware of it somehow, most likely before a patch is even released. You won't need to put any time into it until it happens, and even then the mitigation (like e.g. disabling automatic MMS download here) will usually be far faster than the time to buy a new phone, set up your apps again, and move everything over. Not to mention that the phone you buy won't be updated to that very day anyway, so you'll have more upgrading to do soon after. Seriously, you're way blowing it out of proportion.

[mrmagooey]

> If there's a serious vulnerability that actually needs your attention, you will read about it in the news

The ol' security through tech press approach. Seriously though, you can't have the security of your devices dependent on whether or not someone has come up with a catchy name for their exploit. The exploits with names like broadpwn and stagefright are the exceptions, not the rules, there are plenty of critical CVE's that have never had cool names or tech articles written about them. Even if an exploit has a cool name and some press, what if people don't upvote it when it gets posted here (or reddit/wherever)?

[throwaway613834]

You seem to think that a security hole being "critical" implies you need to care about it. You do not. You only need to care about actual threats, not mere security holes. A "critical" CVE that nobody exploits is pretty darn pointless to worry about, just like how the fact that cellular communication is plaintext isn't really tickling too many people because the average criminal isn't using a Stingray. And an expoit that becomes widespread will get the press attention, precisely because people will want to know about it. (Unless you're the kind of person who's always one of the first few to catch a virus, in which case either you're a security researcher, or you're looking for trouble, or you're hanging out on the wrong networks...)

[ryanlol]

>If there's a serious vulnerability that actually needs your attention, you will read about it in the news

No, this is fucking stupid. Most security related bugs get zero visibility, Linux for example still has a policy to quietly patch them.

[throwaway613834]

> No, this is fucking stupid.

Well, now I'm definitely convinced...

> Most security related bugs get zero visibility, Linux for example still has a policy to quietly patch them.

Most security bugs don't need your attention either, because they don't have widespread exploits.

Read the prior comments; don't just curse in reply to a single sentence while ignoring all the prior context.

[Jaepa]

With Broadpwn; Largely yes. Android and iOS both published security fixed before this was presented at Blackhat. But:

1. Android is kind of tricky though, as firmware updates generally come from the carrier not the manufacturers, and even if its from the manufacturers its still down stream of the actual patches. But the factor is kind of moot if a phone isn't getting security upgrades.

2. Google has been trying to decouple security and firmware updates, but this is only on more recent phones.

As for how much of an issue this is. Its kind of impossible to tell. It been out for less than a month at this point. And of course there are all the devices that are now unsupported and will not receive updates.

Ok for StageFright. Do you have those enabled? How many users do you think will?

[throwaway613834]

re: Broadpwn: okay, so again: having upgraded every 1 year now wouldn't have helped you regarding Broadpwn as far as we're aware now, so I'm not sure what this example is supposed to show.

For StageFright: I assume by "enabled" you mean "disabled"? Yes, I've already mitigated; it took me like 30 seconds. See this comment [1]. I'm not claiming laymen would or should do this, but I wasn't making that claim originally either. I was responding to someone on HN who presumably understands something about technology and who felt guilty about buying phones and polluting the planet periodically just for the security updates. I'm saying he's most likely already more than capable enough to solve that problem without any tangible negative effects to himself. I'm doing that myself and it's working fine for me, I'm not losing any time to this at all, and I don't think I'm any better with phones than he is. It's completely possible and won't really cost you anything at all (it'll save you money and save the planet garbage); you just need to find the willpower. For a non-techy person the story might be different.

[1] https://news.ycombinator.com/item?id=15040700

[quicklime]

"Stagefright" is an Android vulnerability that allows attackers to exploit a device by sending a specially crafted MMS message. No user intervention is required, no dodgy apps need to be installed.

You're on Android 4, so your phone is vulnerable. If you use your phone for anything important, I'd suggest getting that new phone ASAP.

[throwaway613834]

Actually I've already mitigated this by disabling automatic MMS download, and from what I read [1] it can be mitigated in other ways as well. It can't be done in every app, but then you can just use an app that lets you do this. So this is a non-issue. Any others you can think of?

[1] https://en.wikipedia.org/wiki/Stagefright_(bug)#Mitigation

[tinus_hn]

Just make sure not to open any videos from the internet. Hardly an issue!

[throwaway613834]

> Just make sure not to open any videos from the internet. Hardly an issue!

What? Chrome and Firefox protect against it [1]... do you not use either?

[1] https://www.howtogeek.com/225834/stagefright-what-you-need-t...

[veeti]

The app-level "mitigation" is that media isn't automatically loaded. You are still just as vulnerable after you decide to play that innocuous-looking MP4 file.

[throwaway613834]

I wasn't aware, thanks for mentioning that. However, the videos I watch are on YouTube and news sites and such... not sketchy sites. And I never play MP4s on my phone directly (unless they're videos I've recorded). I'm not sure many others do either, frankly. So how much do I need to worry and how much of a justification is this to upgrade the phone every 1-2 years?

[veeti]

Just go through the monthly Android security bulletins [1]. Without fail there are a bunch of critical RCE issues every single month.

[1] https://source.android.com/security/bulletin/2017-08-01

[taivokasper]

That's not how things work! If the OS is not secure then app updates are rendered useless.

[throwaway613834]

I think to a large extent (i.e. enough to eliminate the worry in practice) it is how things work, actually. See my reply to the sister comment here: https://news.ycombinator.com/item?id=15040745

[JohnZi]

Apps do get updates, but they aren't the issue. The system/kernel/system libraries don't get updates and if they are compromised all your apps are compromised too. If someone know a vulnerability only in a normal app he can't do anything but look at only this one app, with system access well he can do way more.

(Also Android got some additional security/privacy features after Android 4)

[throwaway613834]

But the thing is, even if 100% of your apps are vulnerable, it doesn't mean anything unless the attacker can reach your phone somehow. That can only happen in 5 different ways: (1) Low-level Wi-Fi bug exploit, (2) SMS exploit, (3) Cellular exploit (like a Stingray), (4) Cellular internet connection (open ports, etc.), (5) App-level exploits.

I don't know of any critical examples of #1 that I would need to protect against where upgrading is my only solution (maybe I'll upgrade if I find one). #2 can be mitigated at the app level (see my reply to the other comment here) and probably faster so than the update you'd receive. #3 can't really be mitigated by phone updates. #4 is impractical since cells are behind carrier-grade NATs and don't have dedicated IP addresses to be reachable via the internet. And #5 just involves updating the app, not the OS or hardware.

If you can give me an example of an actual attack that cannot be prevented without upgrading the hardware or the OS, I would find that far more convincing than a hypothetical.

[veeti]

https://googleprojectzero.blogspot.com/2017/04/over-air-expl...

[throwaway613834]

Has this (a) been exploited in the wild, and more importantly, (b) even actually patched in more recent phones?

Otherwise, how is this a justification for upgrading your phone? It seems like you may have forgotten what the argument even was. I was arguing against routine 1-2-year upgrades, not against the entire concept of upgrading for something wiht a serious security vulnerability. If a serious exploit appears in the wild and your only solution is to upgrade -- by all means, go for it. But is that the case here? And this happened periodically every 1-2 years for you to justify upgrading equally often?

[veeti]

A) I don't know. How would you ever know? RCE can be silent.

B) Yes, in Android patch level July 2017 and iOS 10.3.3.