TR Forums

http://arstechnica.com/security/2016/11 ... id-phones/

Who knows how many more vulnerabilities exist that just haven't been found yet? We got lucky this time, in that the perps waited too long to register the domain names. We might not be so lucky next time.

I guess I can sort of understand why they didn't encrypt or put in a signature check on the payloads... doable but slightly non-trivial, maybe they thought it increased the footprint of their attack. But why would you trip up on registering the domains? Did they maybe run into snags in registering the domains in a way that couldn't be traced back to their identities?

Got worried for a second because I have an old BLU phone that probably has some logins on it... then I remembered it's a Windows Phone. So that's one way to avoid the bad guys... and the guys who write useful apps, also.

Still, this kind of thing is going to keep happening and sooner or later the results are going to be extremely ugly.

UberGerbil wrote:

Still, this kind of thing is going to keep happening and sooner or later the results are going to be extremely ugly.

Something extremely ugly may have already happened, and we just don't know about it yet.

Currently using a Xiaomi Mi-5, my thoughts were always that you buy these phones with a custom rom in mind, as the stock software is garbage anyway.
But this still gets me worried, does someone know if this would affect custom roms not based on the stock rom?

lmc5b wrote:

Currently using a Xiaomi Mi-5, my thoughts were always that you buy these phones with a custom rom in mind, as the stock software is garbage anyway.
But this still gets me worried, does someone know if this would affect custom roms not based on the stock rom?

It is all comes down to trust. Do you trust the maker of the custom ROM more than the manufacturer of the phone?

just brew it! wrote:

It is all comes down to trust. Do you trust the maker of the custom ROM more than the manufacturer of the phone?

Good question, honestly I would trust anyone before a Chinese company, but being not as bad is different from being good.
Still, I somehow always felt some trust towards custom roms. Because of the sense of community I guess, but thinking about it, there isn't really a good reason to trust them either.

well you're right that we should always be careful with whatever brand of phone we get. but, we should also be careful of the changes we make to our phone whether it be software or hardware related. sometimes, it's not the phone but the users who create the problem.

lmc5b wrote:

you buy these phones with a custom rom in mind, as the stock software is garbage anyway.
But this still gets me worried, does someone know if this would affect custom roms not based on the stock rom?

On a phone, a "ROM" is equivalent to the OS on a PC or the firmware on a router.

It's important to remember that something runs in a lower ring than these, namely the bootloader in a phone (the "firmware") which is equivalent to the BIOS in a PC or CFE on a router. These can be infected too and (unlike the ROM OS) are rarely changed by the enduser.

I find it hilarious that people who claim to be concerned about security will use Chinese company Kingroot to root their phones. And even use scripts to uninstall all of the Tencent AV and Purify crap-cleaners that it installs, then replace Kingroot with SuperSU. Even if a company is OK at first that doesn't mean they will always be so--the example set by China's estrong ES File Explorer should be a warning to all who granted it both storage and network access.

Glad to see as of yet my OnePlus 3t isn't listed.

Maybe I'm neive but I trust OnePlus as much as most of the "US" branded phones or Korea's Samsung. I mean this now the most popular phone for custom ROMs on XDA. With that many teams scouring through code that is wide open... If there was something it would be caught... It may take awhile but still.

The phones listed in the advisory are HARDCORE off brands and cheapo throw aways for pay as you go plans. So I'm not surprised at all to see this as it adds a layer of anonimity to their traffic where the data being sent isn't going over a carrier owned network, but as a partner to those carriers. So the owner of the network like AT&T or Verizon can simple drop or throttle a "lesser" customer if it needs doing shady stuff, like communicating to Chinese servers from Alabama or something abnormal.

Any online data isn't safe, and the majority ofbrands collection these days isn't done at the device, unless by smaller, private, foreign groups looking to getting fast.