
The Isoblog. Posts

Android Security Bulletin April 2017 makes Firmware look like WTC after 9/11

The April 2017 Android Security Bulletin is out, and it makes the Android, Qualcomm and Broadcom firmware look like the WTC straight after 9/11. At this rate we will have exhausted the four-digit CVE counter for 2017 before Pentecost.

We already know MediaServer is a piece of Swiss cheese, but this bulletin is about CameraBase, Audioserver, SurfaceFlinger, Telephony, Factory Reset (sic!) and Broadcom, Qualcomm, NVIDIA, HTC and MediaTek firmware problems as well.

Much of that is available only as a binary blob and has never seen a systematic audit, ever. Hence the CVE list: multiple Critical, plenty of High.

Your phone does get updates and fixes, doesn't it?


Infrastructure development

Think like a dev, but code as if you are on call.

Are you an infrastructure developer? Do you think like a developer and understand developer tools, but reason like an infrastructure person? Are you more interested in worst-case behavior than in new best cases? Do you shoot trouble before it happens?

Here is an opportunity for you:

Go Away Or I Will Replace You With A Very Little Shell Script, Video: Kristian Köhntopp, Froscon Talk

Go Away Or I Will Replace You With A Very Little Shell Script, Slideset


The Future of Mobility

Electrified. Delegated driving. Sustainable. Mobile connected. Easy vehicle sharing. The future of mobility.

A new player in the electric transport market brings themselves into our awareness with an awesome spot.


Hacking “Smart” TVs via DVB-T

Ars Technica reports about a possible mass-hack of Smart TVs using the DVB-T signal:

The proof-of-concept exploit uses a low-cost transmitter to embed malicious commands into a rogue TV signal. That signal is then broadcast to nearby devices. It worked against two fully updated TV models made by Samsung. By exploiting two known security flaws in the Web browsers running in the background, the attack was able to gain highly privileged root access to the TVs. By revising the attack to target similar browser bugs found in other sets, the technique would likely work on a much wider range of TVs.

Multimedia stream decoding is notoriously complicated and prone to bugs, as Google demonstrated with a whole suite of problems in the Android stream decoders. There is no reason to assume that it is any easier anywhere else.

The TV sets are fed the signal by a low-power mobile transmitter, in effect a small fake TV station, and the attack targets the web browser that runs permanently in the background.
