Personal computing discussed

Moderators: David, mac_h8r1, Nelliesboo

 
just brew it!
Gold subscriber
Administrator
Topic Author
Posts: 49738
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Better think twice about those "alternative brand" phones

Fri Nov 18, 2016 2:38 pm

http://arstechnica.com/security/2016/11 ... id-phones/

Who knows how many more vulnerabilities exist that just haven't been found yet? We got lucky this time, in that the perps waited too long to register the domain names. We might not be so lucky next time.
Nostalgia isn't what it used to be.
 
TwistedKestrel
Gerbil Elite
Posts: 646
Joined: Mon Jan 06, 2003 4:29 pm

Re: Better think twice about those "alternative brand" phones

Fri Nov 18, 2016 2:51 pm

I guess I can sort of understand why they didn't encrypt or put in a signature check on the payloads... doable but slightly non-trivial, maybe they thought it increased the footprint of their attack. But why would you trip up on registering the domains? Did they maybe run into snags in registering the domains in a way that couldn't be traced back to their identities?
 
UberGerbil
Grand Admiral Gerbil
Posts: 10273
Joined: Thu Jun 19, 2003 3:11 pm

Re: Better think twice about those "alternative brand" phones

Fri Nov 18, 2016 3:47 pm

Got worried for a second because I have an old BLU phone that probably has some logins on it... then I remembered it's a Windows Phone. So that's one way to avoid the bad guys... and the guys who write useful apps, also.

Still, this kind of thing is going to keep happening and sooner or later the results are going to be extremely ugly.
 
just brew it!
Gold subscriber
Administrator
Topic Author
Posts: 49738
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Better think twice about those "alternative brand" phones

Fri Nov 18, 2016 3:58 pm

UberGerbil wrote:
Still, this kind of thing is going to keep happening and sooner or later the results are going to be extremely ugly.

Something extremely ugly may have already happened, and we just don't know about it yet.
Nostalgia isn't what it used to be.
 
lmc5b
Gerbil
Posts: 16
Joined: Tue Sep 15, 2015 5:33 pm

Re: Better think twice about those "alternative brand" phones

Fri Nov 18, 2016 4:34 pm

Currently using a Xiaomi Mi-5, my thoughts were always that you buy these phones with a custom rom in mind, as the stock software is garbage anyway.
But this still gets me worried, does someone know if this would affect custom roms not based on the stock rom?
 
just brew it!
Gold subscriber
Administrator
Topic Author
Posts: 49738
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Better think twice about those "alternative brand" phones

Fri Nov 18, 2016 4:40 pm

lmc5b wrote:
Currently using a Xiaomi Mi-5, my thoughts were always that you buy these phones with a custom rom in mind, as the stock software is garbage anyway.
But this still gets me worried, does someone know if this would affect custom roms not based on the stock rom?

It is all comes down to trust. Do you trust the maker of the custom ROM more than the manufacturer of the phone?
Nostalgia isn't what it used to be.
 
lmc5b
Gerbil
Posts: 16
Joined: Tue Sep 15, 2015 5:33 pm

Re: Better think twice about those "alternative brand" phones

Fri Nov 18, 2016 5:12 pm

just brew it! wrote:
It is all comes down to trust. Do you trust the maker of the custom ROM more than the manufacturer of the phone?

Good question, honestly I would trust anyone before a Chinese company, but being not as bad is different from being good.
Still, I somehow always felt some trust towards custom roms. Because of the sense of community I guess, but thinking about it, there isn't really a good reason to trust them either.
 
Olson23
Gerbil In Training
Posts: 6
Joined: Mon Apr 10, 2017 8:15 pm

Re: Better think twice about those "alternative brand" phones

Tue Apr 25, 2017 12:41 am

well you're right that we should always be careful with whatever brand of phone we get. but, we should also be careful of the changes we make to our phone whether it be software or hardware related. sometimes, it's not the phone but the users who create the problem.
 
bfg-9000
Gerbil First Class
Posts: 184
Joined: Tue Mar 01, 2016 9:17 pm

Re: Better think twice about those "alternative brand" phones

Tue Apr 25, 2017 1:59 am

lmc5b wrote:
you buy these phones with a custom rom in mind, as the stock software is garbage anyway.
But this still gets me worried, does someone know if this would affect custom roms not based on the stock rom?

On a phone, a "ROM" is equivalent to the OS on a PC or the firmware on a router.

It's important to remember that something runs in a lower ring than these, namely the bootloader in a phone (the "firmware") which is equivalent to the BIOS in a PC or CFE on a router. These can be infected too and (unlike the ROM OS) are rarely changed by the enduser.

I find it hilarious that people who claim to be concerned about security will use Chinese company Kingroot to root their phones. And even use scripts to uninstall all of the Tencent AV and Purify crap-cleaners that it installs, then replace Kingroot with SuperSU. Even if a company is OK at first that doesn't mean they will always be so--the example set by China's estrong ES File Explorer should be a warning to all who granted it both storage and network access.
 
Welch
Grand Gerbil Poohbah
Posts: 3321
Joined: Thu Nov 04, 2004 5:45 pm
Location: Alaska
Contact:

Re: Better think twice about those "alternative brand" phones

Mon May 01, 2017 2:37 am

Glad to see as of yet my OnePlus 3t isn't listed.

Maybe I'm neive but I trust OnePlus as much as most of the "US" branded phones or Korea's Samsung. I mean this now the most popular phone for custom ROMs on XDA. With that many teams scouring through code that is wide open... If there was something it would be caught... It may take awhile but still.

The phones listed in the advisory are HARDCORE off brands and cheapo throw aways for pay as you go plans. So I'm not surprised at all to see this as it adds a layer of anonimity to their traffic where the data being sent isn't going over a carrier owned network, but as a partner to those carriers. So the owner of the network like AT&T or Verizon can simple drop or throttle a "lesser" customer if it needs doing shady stuff, like communicating to Chinese servers from Alabama or something abnormal.

Any online data isn't safe, and the majority ofbrands collection these days isn't done at the device, unless by smaller, private, foreign groups looking to getting fast.
"I think there is a world market for maybe five computers."
Thomas Watson, chairman of IBM, 1943

i5-2500K|Asus P67 Sabertooth|16GB Corsair 1600|MSI 7850 2GB|500gb 840 EVO|Corsair 400R|ET750w PSU|Corsair M95 / K90 / Vengeance 1300

Who is online

Users browsing this forum: No registered users and 5 guests