Author Topic: CVE-2020-0069 security issue - is it fixed? Will it be?  (Read 4183 times)

bloblo

  • Guest
CVE-2020-0069 security issue - is it fixed? Will it be?
« on: April 12, 2020, 10:29:13 am »
Does the Gemini PDA suffer from the CVE-2020-0069 security issue? Will there be a patch for this, or was there already? I contacted support but they haven't responded for a week.
« Last Edit: April 12, 2020, 10:31:03 am by bloblo »

bloblo

  • Guest
CVE-2020-0069 security issue - is it fixed? Will it be?
« Reply #1 on: April 29, 2020, 05:14:00 pm »
Has anyone else had trouble reaching support over update questions? I wonder if they just decided to dig their heads in, or even blacklisted me specifically.

A bit sad given the Gemini is still sold by Planet Computers, and not for an entry level device price at all...  

novaldex

  • Jr. Member
  • **
  • Posts: 70
CVE-2020-0069 security issue - is it fixed? Will it be?
« Reply #2 on: April 30, 2020, 03:43:49 am »
Quote from: bloblo
Has anyone else had trouble reaching support over update questions? I wonder if they just decided to dig their heads in, or even blacklisted me specifically.

A bit sad given the Gemini is still sold by Planet Computers, and not for an entry level device price at all...  

I've been in touch with support over the past couple of weeks for both my Gemini & Cosmo. It wasn't instant replies, but usually by the next day I got something back. Their hands are a little tied with the lockdown; it seems they can't do anything physical like accept deliveries or send out anything.

Daniel W

  • Sr. Member
  • ****
  • Posts: 372
CVE-2020-0069 security issue - is it fixed? Will it be?
« Reply #3 on: April 30, 2020, 04:51:06 pm »
Quote from: bloblo
Does the Gemini PDA suffer from the CVE-2020-0069 security issue? Will there be a patch for this, or was there already? I contacted support but they haven't responded for a week.
It would seem reasonable to presume the Gemini is affected. The Quarkslab blog post linked above lists, as one of its sources, this page on the XDA forum, which says this exploit works on unpatched devices with a MediaTek MT67xx, MT816x or MT817x SoC. The part numbers for the Helio X25 and X27 are MT6797T and MT6797X.

According to this Android security bulletin, security patch levels of March 5, 2020 (and later) have a fix for this issue (and many others). As there, to the best of my knowledge, haven't been any firmware updates for the Gemini in quite a while, it seems safe to presume it would be vulnerable (or compatible, depending on your view).

According to this thread here on OESF (index.php?showtopic=36247), there IS a forthcoming firmware update for the Gemini. As it can be hard to find among all the other comments, and IndieGoGo doesn't have links to individual comments, I've opted to quote what Planet Computers wrote: "@Alex We plan to have a further Gemini firmware update available. We do not have a clear timescale to share at this stage but can confirm it is, and will remain our intention to continue support for all our devices - including the Gemini PDA. We will keep you posted as soon as we know when the Gemini update will be ready." As far as I can tell, it was posted on Saturday, April 25, 2020.

That does, of course, not guarantee that such a firmware update will have the required patch level to fix CVE-2020-0069, but the longer it takes before the update becomes available, the greater the probability that it does include a fix for CVE-2020-0069 should be, so, in a way, their slowness might end up being an advantage in this particular case. Until then, be extra careful what you install. This flaw can't be exploited remotely, so an adversary would have to be able to run their software on your Gemini, and, as a rule of thumb, as soon as an untrusted party can run their code on your device, it isn't really your device any longer.
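A small triage check written for this thread (not code from the post or from Planet Computers) that applies the two facts above: a device is in the described population if its SoC is in the MT67xx/MT816x/MT817x families and its security patch level is older than 2020-03-05. It assumes the SoC name is read from the `ro.board.platform` property (e.g. "mt6797" for the Helio X27); `ro.build.version.security_patch` is the standard Android patch-level property.

```shell
#!/bin/sh
# Added example: classify a device by SoC family and Android security patch
# level against the CVE-2020-0069 fix date quoted in the thread (2020-03-05).
# Live values are normally read with:
#   adb shell getprop ro.build.version.security_patch
#   adb shell getprop ro.board.platform    (assumed to hold e.g. "mt6797")

FIXED_LEVEL="2020-03-05"

# Returns 0 when the SoC name matches one of the families listed in the thread.
soc_in_affected_families() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        mt67[0-9][0-9]*|mt816[0-9]*|mt817[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when a YYYY-MM-DD patch level is on or after the fix date.
# Anything unparsable (including an empty property) counts as not fixed.
patch_level_has_fix() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    [ "$(printf '%s' "$1" | tr -d -)" -ge "$(printf '%s' "$FIXED_LEVEL" | tr -d -)" ]
}

# Prints one of: not-applicable, patched, vulnerable
assess() {
    platform="$1"; patch="$2"
    if ! soc_in_affected_families "$platform"; then
        echo "not-applicable"
    elif patch_level_has_fix "$patch"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# Stand-alone use: `sh check.sh --adb` reads the live values over adb.
if [ "${1:-}" = "--adb" ] && command -v adb >/dev/null 2>&1; then
    assess "$(adb shell getprop ro.board.platform | tr -d '\r')" \
           "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')"
fi
```

The classification only says whether the device is in the population the thread describes; a vendor may also ship the fix in a build that reports a lower patch level, so treat "vulnerable" as "needs confirmation", not proof.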

bloblo

  • Guest
CVE-2020-0069 security issue - is it fixed? Will it be?
« Reply #4 on: May 01, 2020, 11:49:56 am »
Quote from: Daniel W
This flaw can't be exploited remotely, so an adversary would have to be able to run their software on your Gemini
This is a quite simplified view that in practice sadly doesn't always hold up. We all use web browsers which have a giant attack surface, and it's not unheard of for browsers to get remotely taken over. But now if you have something like CVE-2020-0069 you not only own the app, but the entire device. No flaw lives in isolation, so just avoiding untrusted apps won't really cut it. (You could use the device just offline of course, but is that the point of a smartphone really?) There is also the entire year of other flaws Planet Computers so far hasn't given us patches for... it does look kind of dire at this point.

It seems to me like whoever does these patches has a fundamentally wrong setup for doing this, it shouldn't take this much effort just for the security updates, even on something as notoriously difficult to upgrade as Android. Projects like LineageOS manage to ship monthly updates with a single volunteer for a device type. I really wonder how Planet Computers or whoever they pay for this managed to mess it up so badly.
« Last Edit: May 01, 2020, 11:56:23 am by bloblo »

Daniel W

  • Sr. Member
  • ****
  • Posts: 372
CVE-2020-0069 security issue - is it fixed? Will it be?
« Reply #5 on: May 02, 2020, 11:59:49 am »
Quote from: bloblo
This is a quite simplified view that in practice sadly doesn't always hold up. We all use web browsers...
You certainly have some valid points. As this thread is about CVE-2020-0069 in particular, I deliberately kept my comments here to that flaw only. Combined with other flaws, CVE-2020-0069 can likely be made exploitable remotely, which indeed needs to be considered, in the context of overall device security, though I'd regard that another topic, for another thread.

As an aside, we can probably all agree that Planet Computers are not on top of the security of any of their devices. One may even say that Android is not secure by design, as it is written such that security patches typically cannot be provided to end users by the OS vendor, Google, but rather have to be baked into firmware updates by phone brands and network operators. Imagine the state of Windows, with all its flaws, if the security patches currently issued to end users by Microsoft, the OS vendor, had to be routed via the computer brands, many of which would much rather just sell you a new computer instead. Another factor, which may explain why, for example, a single developer can timely integrate patches into LineageOS, while Planet appears to struggle delivering any patches at all, may be that Android patches seem to be anything but simple to integrate. If not done exactly to the liking of Google, devices can, as we've seen, even lose their certification, which, in turn, requires another detour to resolve. In closing, I think the main part of the Android patch problem stems from Google and Android itself, and it becomes more apparent when a tiny vendor can't compensate by throwing significant resources at it.
« Last Edit: May 02, 2020, 12:22:41 pm by Daniel W »

bloblo

  • Guest
CVE-2020-0069 security issue - is it fixed? Will it be?
« Reply #6 on: May 05, 2020, 11:25:48 pm »
Quote
I think the main part of the Android patch problem stems from Google and Android itself
Honestly, I doubt it, there are other vendors struggling to do a monthly update for sure, but most who care manage at least every few months. What Planet is doing just smells like, they picked the wrong person to handle it and aren't willing to get somebody competent - or MediaTek is giving them a hard time, but then maybe they shouldn't have picked this chipset for a phone in this price range. In any case, I think we should all stop making excuses. If MediaTek is the source of the trouble, then Planet should honestly just say so. Their handling and silence on this is just hard to excuse at this point. Like, either get it done in a reasonable time frame or speak up what the actual problem is.
« Last Edit: May 06, 2020, 07:42:11 am by bloblo »

Daniel W

  • Sr. Member
  • ****
  • Posts: 372
CVE-2020-0069 security issue - is it fixed? Will it be?
« Reply #7 on: May 08, 2020, 01:20:14 pm »
Just to be clear, I have no interest in excuses either. I'm only trying to make sense of things.

Are there any other vendors selling a few thousand phones per year? In such case, are any of them on top of their patching? If so, we should really start asking Planet some questions. I wish it just was "get a better employee", but as far as I understand (though I'd love to be wrong), Android requires each vendor to do quite a lot of work, both with the software and to meet Google's formal requirements. I don't know if MediaTek and/or EastAeon (the "factory", apparently doing a fair part of the software work) are parts of the problem or not. I, too, wish Planet would tell us what the actual problems are, rather than keeping us guessing on a forum like this.

What would be a better chipset? I doubt they realistically had that many to choose from. Provided a vendor such as, say, Qualcomm would even bother, just licensing the Snapdragon IP would likely have eaten their entire budget before they could even start buying chips. I don't know if MediaTek chips, in themselves, are cheaper than competing products, but I am under the impression that the cost to get started, and the minimum quantities one can buy (at a reasonable price), are fairly low compared to most competitors. One consequence could be that MediaTek might be less keen on supporting their chips very well, but that's just me guessing, though their camera module driver is, obviously, quite lacking anyway.

bloblo

  • Guest
CVE-2020-0069 security issue - is it fixed? Will it be?
« Reply #8 on: May 10, 2020, 05:00:51 am »
Some Android 9+ hardware now even allows a generic system image with a non-device-specific Android kernel, which can then be maintained once for all of them with Google/AOSP kernel patch updates. So at least in some cases quick updates are very possible, and my personal guess here is MediaTek being the problem by not providing Project Treble/future-proof drivers.

If certification is the issue, Planet could just enable LineageOS to provide an up-to-date image instead (which, again, as I understand it, is stuck at the driver stage. They lacked the necessary driver sources or driver compatibility with any halfway recent Android kernel, as I understand it). Maybe that could have been done instead of doing all the branching out into an also outdated Linux base*, if tight resources are the main problem here. From what I've seen from the Fairphone write-up, Mediatek will possibly allow a vendor to at least attempt to do their own driver updates if they really want to try it in-house, although who knows if and how much source access for that will cost. Maybe Planet has even paid to have this done for the 8.1 update, but sadly apparently not in a way that is Treble future-proof, even though that should be possible with 8 and newer, which I think is a mistake.

I have now actually ordered a new phone, since I plan to do productivity work and I find the Gemini's situation honestly unacceptable. In its state, putting any remotely important data onto it is just quite risky with more than a year of no security updates. I doubt I'll be buying a Planet phone again, at least Fairphone 1 makers had the decency to step up and explain why it wasn't sustainable to update, which by the way also was due to Mediatek.

Quote
What would be a better chipset?
Probably any other, honestly. I'm not saying they realistically had that choice, but maybe then don't enter the market with a 600 bucks premium phone for a productivity audience. Of course you're free to think differently about this; this is just my personal opinion. I'm not demanding anyone else dislike Planet for this, everyone has to draw their own conclusions. But I wish they would at least speak out why this situation is like it is. When I ordered the Gemini with the 8.1 announcement early on I assumed Planet had a plan to work around Mediatek issues, but it looks like I was completely wrong.

*Regarding Linux being outdated: unlike Google backporting patches for older Android kernels, an older Linux kernel will often just not get any updates. (I think there is an LTS line, but is the Linux flavor for the Gemini using that one rather than a hacked custom fixed version? I think it is the latter.) Therefore, my impression was the Gemini Linux kernel was likely stuck without any patches too, so even with updated userland I wouldn't hold my breath that it's actually in a much safer state, even if it feels like it. Linux without an updated mainline kernel is just not much better than an Android with no Google patches applied.
« Last Edit: May 10, 2020, 06:19:29 am by bloblo »