Android phones can be taken over remotely – update when you can


David H. Lipman

Android phones can be taken over remotely – update when you can

Posted: December 7, 2023 by Pieter Arntz
Quote

Android phones are vulnerable to attacks that could allow someone to take over a device remotely without the device owner needing to do anything.

Updates for these vulnerabilities and more are included in Google’s Android security bulletin for December. In total, there are patches for 94 vulnerabilities, including five rated as “Critical.”

The most severe of these flaws is a vulnerability in the System component that could lead to remote code execution (RCE) without any additional execution privileges required. User interaction is not needed for exploitation.

This vulnerability, referenced as CVE-2023-40088, affects a function that is used for Bluetooth communication, so the “remote” part is limited to “close range” since the average Bluetooth range is about 30 feet (10 meters). Successful manipulation with a specially crafted input leads to a use after free vulnerability. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Another critical vulnerability (CVE-2023-40077) that looks problematic is an Elevation of Privilege (EoP) vulnerability in the Android Framework. Successful exploitation could lead to a race condition. A race condition, or race hazard, is the behavior of a system where the output depends on the sequence or timing of other uncontrollable events. It becomes a bug when events do not happen in the order the programmer intended. In this case it could provide a successful attacker with permissions to perform actions they shouldn’t be able to.

Security patch levels of 2023-12-05 or later address all of these issues. To learn how to check a device’s security patch level, see how to check and update your Android version. The updates have been made available for Android 11, 12, 12L, 13, and 14. Android partners are notified of all issues at least a month before publication; however, this doesn’t always mean that the patches are available for devices from all vendors. Android vendors such as Samsung and OnePlus have pledged to release security updates once a month. Google usually ships out security updates to Pixel phones within two weeks or sooner.

Credit:  @NewTricks

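One way to act on the patch-level advice in the quoted article, as an added example that is not part of the original posts: a shell helper that classifies reported security patch levels against 2023-12-05. The function names, device names and inventory are constructed for illustration; `ro.build.version.security_patch` is the Android system property that holds the level.

```shell
#!/bin/sh
# Added example: classify Android security patch levels against the level
# the article names. Function names and the inventory are constructed.
REQUIRED_LEVEL="2023-12-05"   # "2023-12-05 or later" per the article

# Read the level from an adb-connected device (needs adb; not called below).
device_patch_level() {
    adb shell getprop ro.build.version.security_patch | tr -d '\r'
}

# patch_status LEVEL -> prints patched | outdated | unknown
patch_status() {
    level=$1
    # Accept only YYYY-MM-DD; empty or free-form values are "unknown"
    # rather than silently passing a comparison.
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac
    have=$(echo "$level" | sed 's/-//g')
    need=$(echo "$REQUIRED_LEVEL" | sed 's/-//g')
    if [ "$have" -ge "$need" ]; then echo patched; else echo outdated; fi
}

# audit: read "device level" pairs on stdin and print every device that is
# not confirmed at REQUIRED_LEVEL or later.
audit() {
    while read -r device level; do
        [ -n "$device" ] || continue
        status=$(patch_status "$level")
        [ "$status" = patched ] || echo "$device $status ${level:-none}"
    done
}

# Constructed inventory. oneplus-11 is on a December level but still below
# 2023-12-05, and kiosk-07 reported nothing, so both must be flagged.
SAMPLE_INVENTORY='pixel-8 2023-12-05
galaxy-a53 2023-11-01
oneplus-11 2023-12-01
tablet-lab 2024-01-01
kiosk-07'

printf '%s\n' "$SAMPLE_INVENTORY" | audit
```

For a live device, pass the output of `device_patch_level` to `patch_status` instead of using the sample inventory.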

Planned obsolescence

Quote

In economics and industrial design, planned obsolescence (also called built-in obsolescence or premature obsolescence) is a policy of planning or designing a product with an artificially limited useful life or a purposely frail design, so that it becomes obsolete after a certain pre-determined period of time upon which it decrementally functions or suddenly ceases to function, or might be perceived as unfashionable.[1] The rationale behind this strategy is to generate long-term sales volume by reducing the time between repeat purchases (referred to as "shortening the replacement cycle").[2] It is the deliberate shortening of the lifespan of a product to force people to purchase functional replacements.[3]

Planned obsolescence tends to work best when a producer has at least an oligopoly.[4] Before introducing a planned obsolescence, the producer has to know that the customer is at least somewhat likely to buy a replacement from them in the form of brand loyalty. In these cases of planned obsolescence, there is an information asymmetry between the producer, who knows how long the product was designed to last, and the customer, who does not. When a market becomes more competitive, product lifespans tend to increase.[5][6] For example, when Japanese vehicles with longer lifespans entered the American market in the 1960s and 1970s, American carmakers were forced to respond by building more durable products.[7]

 
