Placebo patch, the bitter illusion of having up-to-date and secure smartphones

Users have been asking for frequent updates, especially when it comes to security, for years. Many manufacturers have started to listen to the requests and have even extended the period in which they promise to issue security patches to 4/5 years. However, there is a problem: the patches released would only contain part of the updates and those related to the often more critical hardware components would be missing.

To say it is Google Project Zero which, despite being a branch of Google, turns out to be absolutely independent in its analyzes and objectives, since in this case the problem also affects the pixels.

It’s pretty serious, and it’s easy to see why. Google explains it by pointing out a number of bugs in the Mali GPU drivers that are very common in Android SoCs. Very severe, actively exploited vulnerabilities reported by Google Project Zero in July and promptly shut down by ARM in August.

ARM has published the updated version of the drivers on its website, also showing those who know where to look what the vulnerability was in detail.

Today, in November, ARM-produced drivers and patches that close these specific vulnerabilities will be released They have never been integrated into a monthly patch of an Android smartphone. For now, manufacturers have completely ignored them, and phones are vulnerable.

The reason is simple: there is a cost associated with managing security and updates, and often a cost to the manufacturer They only absorb generic patches from Googlethat contain updates for the software part and for some processor modules, and don’t even bother to absorb all the patches released by the manufacturers of the components they contain, in this case the GPU.

The reason probably lies in the different complexity of the two things: the patch packages that Google inserts into Android and that are distributed to the various partners are already fully verified and integrated, those that would be released by the various hardware manufacturers a lot require more work in the testing phase.

Google Project Zero also explains that often a detailed analysis of the causes that led to an error has not even been done, nor on the integration of the patch with the rest of the system, and precisely for this reason 50% of Zero Days are leaks , which were discovered in the last year they are simple variants of already closed holes. The bad guys looked at how they shut it down, it’s public, and they dug around the “patch” to find another access point.

Just as users need to patch devices quickly, manufacturers need to integrate available patches quickly.

Today there is a big placebo effect: the user who receives the patch is convinced that he is safe and that he has relied on a manufacturer who updates regularly. However, the security version may contain only a subset of the patches that are really needed. The others, partly because they are difficult, partly because they are tedious, are completely ignored or postponed.

Source link

Leave a Reply

Your email address will not be published. Required fields are marked *