On Sun, 26 Mar 2023 07:50:57 -0000 John via Replicant <replicant@osuosl.org> wrote:
> On Fri, 24 Mar 2023 23:29:24 +0100 Denis 'GNUtoo' Carikli wrote:
>
> > I'm not sure if Replicant devices are affected too,
>
> Who/Where should we ask?
>
> > though:
> > - It's relatively easy to find vulnerabilities in Samsung modems
> >   more recent than the ones supported by Replicant, so it would be
> >   surprising if it wasn't easy to also find similar vulnerabilities
> >   in the modems of Replicant compatible smartphones.
>
> What is that easy way exactly? Is it documented anywhere?

Yes, this is documented in this presentation:
https://redmine.replicant.us/projects/replicant/wiki/AcademicPapersAndPresentations#A-walk-with-Shannon-Walkthrough-of-a-pwn2own-baseband-exploit

> How can one test one's device?

On some software, finding vulnerabilities is really hard because people
already invested a lot of resources in the low-hanging fruit.

But here:
- Researchers can find vulnerabilities very easily on more recent
  Samsung modems.
- Samsung will probably never fix vulnerabilities on devices it stopped
  supporting.

So the only thing we can do here is to treat the modem as a
non-trusted component. This is precisely why we try to only support
phones with isolated modems.

> > - Replicant 6.0 probably has many unpatched vulnerabilities because
> >   it's based on a LineageOS version that isn't maintained anymore.
> >   Some are probably serious and easily exploitable (like the ones in
> >   Webview, the browser component used in many Android applications).
>
> Why isn't that important info on the first page of the website?

The most important bugs are mentioned in the installation instructions,
right at the beginning. This includes the information that Replicant
6.0 is insecure. It also mentions the most important bugs.

The Replicant version (6.0) also tries to convey that information, as
Replicant 6.0 is based on Android 6.0.

Here Replicant is an Android distribution, so a lot of things are
different.

With smartphones there isn't any ideal solution yet: the network tracks
people, a lot of people use outdated Android versions, software updates
and hardware don't last long compared to GNU/Linux on laptops, because
most smartphones aren't supported by Linux anyway (the vendors usually
fork Linux and don't contribute back), etc.

On x86 laptops, network manager changes the MAC address automatically,
people usually run up-to-date distributions, hardware support is
upstream, and even older WiFi and Ethernet protocols still continue to
work. The only issue is that 32-bit x86 computers aren't supported well
anymore, though old 64-bit x86 computers still work perfectly fine.

> Now it sounds like I invested explicitly in insecurity
> which nobody is going to even look at. Quite disturbing.

The smartphone situation in general is really problematic and we need a
big amount of help in general (not only in Replicant) to improve the
situation.

And even with that we would only be able to limit (way) more the
damage, not make things acceptable, because:
- the network would still track people.
- there would be fast planned obsolescence through the removal of older
  networks (like 3G). This really complicates long-term support of
  smartphones.

And as far as I know, running your own network is only possible if you
can buy frequencies at auction, live in some indigenous communities, or
have a tiny or temporary network for testing purposes only.

And even if we change the regulations around the world (we don't have
enough people for that), there is also an issue of cost: building a
network that covers a complete country usually costs a lot of money.

As for the Replicant 6.0 security issues, the solution isn't to fix
Replicant 6.0; it's instead to make Replicant usable on more recent
Android versions, and we're working on it.

An alternative that works right now here would be to use PureOS
(apparently it also supports modem isolation through USBGuard) for
instance, but:
- The phones it supports are extremely expensive (though they
  contribute back to various upstream projects as I understand).
- They use GNU/Linux and not Android, so you will get a different set
  of applications, some of which will be well adapted, and others that
  won't.

So right now there isn't a perfect solution that solves everything.

Denis.
_______________________________________________ Replicant mailing list Replicant@osuosl.org https://lists.osuosl.org/mailman/listinfo/replicant