Linux's NEW 8 year old privilege escalation bug

  • Planned obsolescence (i.e. Too locked down. You are prevented from applying security updates to your own device when the manufacturer drops support. IoT and Phones both running Android exhibit the same issues)
  • Purposefully naive permissions system (i.e. To run a note taking app, you are required to allow it full access to your camera, emails, mic arbitrarily. It should be no-permission by default unless the user manually changes the *necessary* ones. However this current default is for the vendor to harvest as much data as possible)
  • Lack of user control / access (i.e. Too locked down. You don't have the necessary permissions to audit your own device, often you can't install a proper trusted firewall, often you can't even install an ad-blocker, etc)

It basically stems from the underlying business case for these devices to take as much control away from the user as possible which means that you can't properly maintain it. The business case is the same as with games consoles. By design locking it down to protect the publishers / partners / content owners (i.e. DRM) more so than the users. Some general discussion here.
These papers don't support your statement.

To address them in chronological order:

1. Planned obsolescence - the paper talks about IoT devices, not smartphones per se. So same could also be said about iPhones.
2. Permission system - dates back to 2012, so you're not taking one decade of progress into account.
3. Lack of user control/access - dates back to 2010, so even more outdated.

Overall: if you do really value your privacy, you simply should not get a smartphone, period. Even if the OS could be trusted, the base band processor cannot. It's a black box.
 
These papers don't support your statement.
In what way? Your issues with them only really seem concerned with the age and scope of the sources which I don't believe to be valid concerns. Let's go through them.

1. Planned obsolescence - the paper talks about IoT devices, not smartphones per se. So same could also be said about iPhones.
Exactly. The same *can* be said about iPhones. Why wouldn't it? This specific paper was discussing Android running on IoT. Same Android used on a phone. Same planned obsolescence, same flaws. Can you claim smartphone vendors specifically support their hardware longer than other hardware vendors? Often I see the opposite. I can find many sources discussing the security issues inherent in planned obsolescence of Apple, even non technical i.e news articles are aware of it for the average consumer.
2. Permission system - dates back to 2012, so you're not taking one decade of progress into account.
What progress do you think has been made since? You use a new phone today, the same naive permissions box comes up. Google did trial a "per-permission" setting but backtracked on it. The year could be 2040 and this paper will still likely be discussing the (then current) state of the art.

But there are much newer papers reiterating the same old problems with the permissions system. Nothing has changed. Just to clarify the part from the paper that supports my statement and the issue I am trying to describe:

The user can grant permission for requested resources either at runtime or during the installation process. However, this system is often misused in practice by demanding extra permissions that are not required to provide services. These kinds of apps stop functioning if all permissions are not granted to them

3. Lack of user control/access - dates back to 2010, so even more outdated.
Again, since the issue is by design rather than a technical one; what has exactly changed in 10 years? Are you suggesting that people are now able to install reputable firewalls or ad-blocks on all modern phones? They can't, especially if the phone can't be rooted (which also voids support from vendor). If anything the inbuilt chrome browser has become *more* restrictive to 3rd party privacy providing plugins.

Overall: if you do really value your privacy, you simply should not get a smartphone, period.
Completely agree. Going back to my original statement, they are unfortunately extremely scummy bits of kit governed by equally scummy businesses. The only winning move is to not play. Especially when they are so easy to avoid.

Either way, I have written too much and smartphones seriously bore me. Apologies for the noise!
 
Note that the OP is not an 8-year old bug. It is an 8-year old vulnerability, which was only found in 2022. So it is a weeks- or months-old bug.
So, a 'vulnerability' is not a 'bug' until a bug report is filed?

That makes me kind of lost as to what even counts as a bug in the first place... Originally, it was an actual squished bug that gummed up the mechanical works of a Harvard calculating device (Mark II/III), then it became a running joke that hit the pop culture...

 
There are so many talking about Linux, it comes up really often in conversations, it feels strange.
Focus on BSD world instead, it could be better for the community and in the end it sends out more positive energy ;)
There is an old saying here that translates into:
from whom have you learnt civility?

‘From those who had no civility because what appeared to me unbecoming in them I refrained from doing.’

 
In what way? Your issues with them only really seem concerned with the age and scope of the sources which I don't believe to be valid concerns. Let's go through them.
10 up to 12 years in software development is like several life spans in software development. This means that the kernel has been changed a lot, frameworks have changed a lot, and stuff within the framework as well.

So taking such old papers, which found issues from back then and saying "it was bad way back then, and still is today" is bonkers, wrong, because it totally neglects what has been changed since then.

Simple as that - so yes, these are valid concerns. Aside that: if privacy really is an issue, there's only one suitable solution: don't use a cellphone at all.
 
... extremely scummy bits of kit governed by equally scummy businesses. The only winning move is to not play. Especially when they are so easy to avoid.
Unfortunately this is reality. People around the globe have been made dependent on "Smart-Phones". Next step is making them depend on projects like:


People with a strong personality being aware of the background problems can freely make a personal decision preferring not to.

Obviously the overwhelming consuming majority cannot or wants not to resist the seducing technology which is promising lulling accommodativeness everywhere.

Kids in a peer-group quickly become outsiders without a Smart-Phone. They are socially forced to participate and get used to Smart-Phones like junkies.
 
Unfortunately this is reality. People around the globe have been made dependent on "Smart-Phones". Next step is making them depend on projects like:
This might be location specific but here in the UK there is nothing that particularly depends on them yet. Perhaps this is due to the aging population that stands no chance at engaging with them. I think the market even fell since COVID.

The personal ID is an interesting one. As seen fairly successfully in Denmark, I actually agree with it (not necessarily digital). However in the UK specifically, it is partially run by criminals who really do *not* want this form of central ID. I don't believe this will change for a long time.

Kids in a peer-group quickly become outsiders without a Smart-Phone. They are socially forced to participate and get used to Smart-Phones like junkies.
You aren't wrong. However I would add that kids tend to use smart-phones like a toy. Whether it is a gameboy or a smart-phone, nothing they do with it is particularly important in the grand scheme of things. Whether this is pulled through into industry with them (as was the case with macOS) remains to be seen however. This is maybe the biggest risk but I can't see how they are going to be productive with a consumer phone vs even a computer from the 90s.
 
Off-topic:

In Spain, ING Bank forces you to use your smartphone as an authentication method once it detects that you are using its app, even if you use web banking later.
I resist using web banking exclusively and receiving an SMS from time to time.
At some point of time the obligation of the app will be effective.
 
Off-topic:

In Spain, ING Bank forces you to use your smartphone as an authentication method once it detects that you are using its app.
Makes sense. You jump into the app workflow, you are committed ;)

My bank sends me an OTP dongle (which admittedly I am terrible with and write all of my details onto the back).

I would prefer if they just sent me the C source code, private key and random seed!
 
I would prefer if they just sent me the C source code, private key and random seed!
Heh. Then you find out it's like that scene in the movie Spaceballs about the combination to a lock:
The combination is 12345
No idiot would use that it's stupid
Wait! That's my combination!
 
Makes sense. You jump into the app workflow, you are committed ;)
Actually, I'm quite happy about that workflow for 2FA.

At least in Europe, 2FA is mandatory for banking nowadays... and why? Because after decades, people still used guessable passwords. Yep, even Mel Brooks failed to get the message through, mer :cool:

Sure, cracking is a thing as well (e.g. by getting hold of an insufficiently encrypted password database, or client-side sniffing using some malware ...), but most of the time, the major problem still is weak passwords.

So, I'm forced to use 2FA. And seriously, just presenting my finger to my phone's sensor is the quickest and least annoying way for the second factor. And as my passwords are fine, I'm not too worried about the security of this second factor.
 
I don't need an app for each account I have at each bank, and there are quite a few. A simple SMS does the double factor. Even Microsoft Authenticator can take care of that.
 
So, I'm forced to use 2FA. And seriously, just presenting my finger to my phone's sensor is the quickest and least annoying way for the second factor. And as my passwords are fine, I'm not too worried about the security of this second factor.
Yeah, and now Apple or whomever has a digital representation of your fingerprint that is stored somewhere in the "cloud". Under fantastic security, no doubt. In any case, changing your fingerprints is trivial should they ever get compromised.

If you want me to use 2FA you must provide me a non-cellphone dependent way of sending you a public key. I will accept nothing else.
 
Yeah, and now Apple or whomever has a digital representation of your fingerprint that is stored somewhere in the "cloud". Under fantastic security, no doubt. In any case, changing your fingerprints is trivial should they ever get compromised.
Nope. Any sync is off, I even disabled the services (and yes, the system is nagging me from time to time to enable them).
If you want me to use 2FA you must provide me a non-cellphone dependent way of sending you a public key. I will accept nothing else.
If you ever want to have a bank account in the EU, good luck to find one still offering all services at the counter.
 
Nope. Any sync is off, I even disabled the services (and yes, the system is nagging me from time to time to enable them).
How can you be sure on a completely closed platform like a cell phone? How do you know those knobs do anything? How can you be sure that there isn't a "bug" where it syncs your biometrics anyway?

If you ever want to have a bank account in the EU, good luck to find one still offering all services at the counter.
Good to know. I will have to think about this, since I am considering retiring in the EU.
 
How can you be sure on a completely closed platform like a cell phone? How do you know those knobs do anything? How can you be sure that there isn't a "bug" where it syncs your biometrics anyway?
How do you know it's a "closed platform"? It isn't. It does have some closed-source software on it, but that's about it. But hey, I'm pretty sure even Apple wouldn't dare to store any personal data without proper consent in face of GDPR. This is really a PITA for any vendor or operator of IT services, which I know from work at a financial corp targeted at b2b (so, not even interested in personal data too much, and still we're struggling a lot to comply). Of course, consent is given by many not even reading small text before touching this OK button.
Good to know. I will have to think about this, since I am considering retiring in the EU.
Well, 2FA is mandatory. There are ways to comply with that without a (smart)phone, but I don't think many banks will offer that in the future.
 
I'm not too worried about the security of this second factor.
"Until someone cuts my finger off" ;)
Sarcasm, but a real possibility. Although if it were me, if someone wants to cut my finger off to gain access, I've got bigger problems to worry about.
 
"Until someone cuts my finger off" ;)
There were places where you should not wear rings when I was growing up in Latin America in the '70s. I believe the situation has improved, but given how popular cell phone stealing is, this is not all that ridiculous a possibility.
 
The manufacturer of each device has something to say. Xiaomi asks for acceptance of conditions for something as simple as the calculator, and so with all its apps. I don't want to know what he's going to do with his fingerprint.
 
Well, 2FA is mandatory. There are ways to comply with that without a (smart)phone, but I don't think many banks will offer that in the future.

Currently they are quite happy to hand out these things:
https://www.hsbc.com.hk/content/dam/hsbc/hk/images/security-device.jpg

Will this change in the future? Not sure, I do think the ever changing nature of phones will ensure that there will always be a stable alternative. For example I think it is unreasonable to ask an 80 year old to update their iPhone 4s to access their bank. Likewise in 30 years, it will be unreasonable to ask an 80 year old to update their iPhone 10 to access their bank.
 
Heh. Then you find out it's like that scene in the movie Spaceballs about the combination to a lock:
The combination is 12345
No idiot would use that it's stupid
Wait! That's my combination!
 
Apple or whomever has a digital representation of your fingerprint that is stored somewhere in the "cloud".
This is wrong particularly about how Apple's TouchID works. The fingerprint data never leaves the processor that the sensor is connected directly to.
 
Because after decades, people still used guessable passwords.

Sure, cracking is a thing as well (e.g. by getting hold of an insufficiently encrypted password database, or client-side sniffing using some malware ...), but most of the time, the major problem still is weak passwords.
It's pretty much the same thing. The reason that weak passwords are a problem is they make it feasible to perform offline attacks against salted-hashed password databases.
 
I can't see how they are going to be productive with a consumer phone vs even a computer from the 90s.
For kids, 'productivity' is not the point, 'aptitude' is. 'productivity' is what the boss can get out of you. 'aptitude' is a measure of potential that gets realized (and paid for) by the boss later.
 