> CVE-2020-0069 security issue - is it fixed? Will it be?
bloblo
post Apr 12 2020, 06:29 AM
Post #1








Does the Gemini PDA suffer from the CVE-2020-0069 security issue? Will there be a patch for this, or was there already? I contacted support but they haven't responded for a week.
 
bloblo
post Apr 29 2020, 01:14 PM
Post #2








Has anyone else had trouble reaching support over update questions? I wonder if they just decided to dig in their head in, or even blacklisted me specifically

A bit sad given the Gemini is still sold by Planet Computers, and not for an entry level device price at all...
 
novaldex
post Apr 29 2020, 11:43 PM
Post #3








QUOTE(bloblo @ Apr 29 2020, 10:14 PM)
Has anyone else had trouble reaching support over update questions? I wonder if they just decided to dig in their head in, or even blacklisted me specifically

A bit sad given the Gemini is still sold by Planet Computers, and not for an entry level device price at all...


I've been in touch with support over the past couple of weeks for both my Gemini & Cosmo. It wasn't instant replies, but usually by the next day I got something back. Their hands are a little tied with the lockdown, can't do anything physical like accept deliveries or send out anything it seems.
 
Daniel W
post Apr 30 2020, 12:51 PM
Post #4








QUOTE(bloblo @ Apr 12 2020, 04:29 PM)
Does the Gemini PDA suffer from the CVE-2020-0069 security issue? Will there be a patch for this, or was there already? I contacted support but they haven't responded for a week.

It would seem reasonable to presume the Gemini is affected. The Quarkslab blog post linked above lists, as one of its sources, this page on the XDA forum, which says this exploit works on unpatched devices with a MediaTek MT67xx, MT816x or MT817x SoC. The part numbers for the Helio X25 and X27 are MT6797T and MT6797X.

According to this Android security bulletin, security patch levels of March 5, 2020 (and later) have a fix for this issue (and many others). As there, to the best of my knowledge, haven't been any firmware updates for the Gemini in quite a while, it seems safe to presume it would be vulnerable (or compatible, depending on your view).

According to this thread here on OESF, there IS a forthcoming firmware update for the Gemini. As it can be hard to find among all other comments, and IndieGoGo doesn't have links to individual comments, I've opted to quote what Planet Computers wrote: "@Alex We plan to have a further Gemini firmware update available. We do not have a clear timescale to share at this stage but can confirm it is, and will remain our intention to continue support for all our devices - including the Gemini PDA. We will keep you posted as soon as we know when the Gemini update will be ready.". As far as I can tell, it was posted on Saturday, April 25, 2020.

That does, of course, not guarantee that such a firmware update will have the required patch level to fix CVE-2020-0069, but the longer it takes before the update becomes available, the greater the probability that it does include a fix for CVE-2020-0069 should be, so, in a way, their slowness might end up being an advantage in this particular case. Until then, be extra careful what you install. This flaw can't be exploited remotely, so an adversary would have to be able to run their software on your Gemini, and, as a rule of thumb, as soon as an untrusted party can run their code on your device, it isn't really your device any longer.
 
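The two criteria cited in the post above (SoC family MT67xx, MT816x or MT817x; security patch level of March 5, 2020 or later) can be turned into a quick triage check. This is an added example, not part of the original thread or any vendor tool; it assumes the SoC name is reported in the standard Android property `ro.board.platform`, and the sample values are constructed.

```shell
#!/bin/sh
# Added example: triage an Android device for CVE-2020-0069 exposure using
# only the two criteria quoted in the post (SoC family and patch level).
FIXED_PATCH_LEVEL="2020-03-05"   # from the post: March 5, 2020 or later

# soc_in_scope NAME -> exit 0 if NAME matches MT67xx, MT816x or MT817x
soc_in_scope() {
    soc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$soc" in
        mt67[0-9][0-9]*|mt816[0-9]*|mt817[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# valid_patch_level STRING -> exit 0 if STRING looks like YYYY-MM-DD
valid_patch_level() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# assess SOC PATCH_LEVEL -> prints a one-word verdict
assess() {
    if ! soc_in_scope "$1"; then echo "soc-not-listed"; return; fi
    if ! valid_patch_level "$2"; then echo "unknown-patch-level"; return; fi
    # ISO dates compare correctly as integers once the dashes are removed
    have=$(printf '%s' "$2" | tr -d '-')
    need=$(printf '%s' "$FIXED_PATCH_LEVEL" | tr -d '-')
    if [ "$have" -ge "$need" ]; then echo "patched"; else echo "likely-vulnerable"; fi
}

if [ "${1:-}" = "--device" ]; then
    # Live mode: needs adb and one attached device; strip CRs from adb output
    platform=$(adb shell getprop ro.board.platform | tr -d '\r')
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    echo "$platform $level -> $(assess "$platform" "$level")"
else
    # Constructed sample values, not read from any real device
    for sample in "mt6797 2019-02-05" "MT6797X 2020-03-05" "mt8173 unknown"; do
        set -- $sample
        echo "$1 $2 -> $(assess "$1" "$2")"
    done
fi
```

A "patched" verdict only means the reported patch level meets the threshold; it relies on the firmware reporting its patch level honestly.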
bloblo
post May 1 2020, 07:49 AM
Post #5








QUOTE(Daniel W @ Apr 30 2020, 12:51 PM)
This flaw can't be exploited remotely, so an adversary would have to be able to run their software on your Gemini

This is a quite simplified view that in practice sadly doesn't always hold up. We all use web browsers which have a giant attack surface, and it's not unheard of for browsers to get remotely taken over. But now if you have something like CVE-2020-0069 you not only own the app, but the entire device. No flaw lives in isolation, so just avoiding untrusted apps won't really cut it. (You could use the device just offline of course, but is that the point of a smartphone really?) There is also the entire year of other flaws Planet Computers so far hasn't given us patches for... it does look kind of dire at this point.

It seems to me like whoever does these patches has a fundamentally wrong setup for doing this, it shouldn't take this much effort just for the security updates, even on something as notoriously difficult to upgrade as Android. Projects like LineageOS manage to ship monthly updates with a single volunteer for a device type. I really wonder how Planet Computers or whoever they pay for this managed to mess it up so badly.
 
Daniel W
post May 2 2020, 07:59 AM
Post #6








QUOTE(bloblo @ May 1 2020, 05:49 PM)
This is a quite simplified view that in practice sadly doesn't always hold up. We all use web browsers...

You certainly have some valid points. As this thread is about CVE-2020-0069 in particular, I deliberately kept my comments here to that flaw only. Combined with other flaws, CVE-2020-0069 can likely be made exploitable remotely, which indeed needs to be considered, in the context of overall device security, though I'd regard that another topic, for another thread.

As an aside, we can probably all agree that Planet Computers are not on top of the security of any of their devices. One may even say that Android is not secure by design, as it is written such that security patches typically cannot be provided to end users by the OS vendor, Google, but rather have to be baked into firmware updates by phone brands and network operators. Imagine the state of Windows, with all its flaws, if the security patches currently issued to end users by Microsoft, the OS vendor, had to be routed via the computer brands, many of which would much rather just sell you a new computer instead. Another factor, which may explain why, for example, a single developer can timely integrate patches into LineageOS, while Planet appears to struggle delivering any patches at all, may be that Android patches seem to be anything but simple to integrate. If not done exactly to the liking of Google, devices can, as we've seen, even lose their certification, which, in turn, requires another detour to resolve. In closing, I think the main part of the Android patch problem stems from Google and Android itself, and it becomes more apparent, when a tiny vendor can't compensate by throwing significant resources at it.
 
bloblo
post May 5 2020, 07:25 PM
Post #7








QUOTE
I think the main part of the Android patch problem stems from Google and Android itself

Honestly, I doubt it, there are other vendors struggling to do a monthly update for sure, but most who care manage at least every few months. What Planet is doing just smells like they picked the wrong person to handle it and aren't willing to get somebody competent - or MediaTek is giving them a hard time, but then maybe they shouldn't have picked this chipset for a phone in this price range. In any case, I think we should all stop making excuses. If MediaTek is the source of the trouble, then Planet should honestly just say so. Their handling and silence on this is just hard to excuse at this point. Like, either get it done in a reasonable time frame or speak up about what the actual problem is.
 
Daniel W
post May 8 2020, 09:20 AM
Post #8








Just to be clear, I have no interest in excuses either. I'm only trying to make sense of things.

Are there any other vendors selling a few thousand phones per year? In such case, are any of them on top of their patching? If so, we should really start asking Planet some questions. I wish it just was "get a better employee", but as far as I understand (though I'd love to be wrong), Android requires each vendor to do quite a lot of work, both with the software and to meet Google's formal requirements. I don't know if MediaTek and/or EastAeon (the "factory", apparently doing a fair part of the software work) are parts of the problem or not. I, too, wish Planet would tell us what the actual problems are, rather than keeping us guessing on a forum, like this.

What would be a better chipset? I doubt they realistically had that many to choose from. Provided a vendor such as, say, Qualcomm would even bother, just licensing the Snapdragon IP would likely have eaten their entire budget before they could even start buying chips. I don't know if MediaTek chips, in themselves, are cheaper than competing products, but I am under the impression that the cost to get started, and the minimum quantities one can buy (at a reasonable price), are fairly low, compared to most competitors. One consequence could be that MediaTek might be less keen on supporting their chips very well, but that's just me guessing, though their camera module driver is, obviously, quite lacking, anyway.
 
bloblo
post May 10 2020, 01:00 AM
Post #9








Some Android 9+ hardware now even allows a generic system image with a non-device specific Android kernel, which can then be once for all of them maintained with Google/AOSP kernel patch updates. So at least in some cases quick updates are very possible, and my personal guess here is MediaTek being the problem by not providing Project Treble/future-proof drivers.

If certification is the issue, Planet could just enable LineageOS to provide an up-to-date image instead (which again, as I understand it, is stuck at the drivers stage. They lacked the necessary driver sources or driver compatibility with any halfway recent Android kernel as I understand it). Maybe could have been done instead of doing all the branching out into an also outdated Linux base*, if tight resources are the main problem here. From what I've seen from the Fairphone write-up, MediaTek will possibly allow a vendor to at least attempt to do own driver updates if they really want to try it in-house, although who knows if and how much source access for that will cost. Maybe Planet has even paid to have this done for the 8.1 update, but sadly apparently not in a way that is Treble future-proof even though that should be possible with 8 and newer which I think is a mistake.

I have now actually ordered a new phone, since I plan to do productivity work and I find the Gemini's situation honestly unacceptable. In its state, putting any remotely important data onto it is just quite risky with more than a year of no security updates. I doubt I'll be buying a Planet phone again, at least Fairphone 1 makers had the decency to step up and explain why it wasn't sustainable to update, which by the way also was due to MediaTek.

QUOTE
What would be a better chipset?

Probably any other, honestly. I'm not saying they realistically had that choice, but maybe then don't enter the market with a 600 bucks premium phone for a productivity audience. Of course you're free to think differently about this, this is just my personal opinion. I'm not demanding anyone else dislike Planet for this, everyone has to draw their own conclusions. But I wish they would at least speak out why this situation is like it is. When I ordered the Gemini with the 8.1 announcement early on I assumed Planet had a plan to work around MediaTek issues, but looks like I was completely wrong.

*Regarding Linux being outdated: unlike Google backporting patches for older Android kernels, an older Linux kernel will often just not get any updates. (I think there is an LTS line, but is the Linux flavor for the Gemini using that one rather than a hacked custom fixed version? I think it is the latter.) Therefore, my impression was the Gemini Linux kernel was likely stuck without any patches too, so even with updated userland I wouldn't hold my breath it's actually in a much safer state even if it feels like it. Linux without an updated mainline kernel is just not much better than an Android with no Google patches applied.