Placebo patch, the bitter illusion of having up-to-date and secure smartphones

Users have been asking for frequent updates for years, especially regarding security. Many manufacturers have begun to listen to the requests, and have even extended the period during which they promise to release security patches to 4/5 years. There is, however, a problem: the patches that are released would contain only part of the updates and those related to the often more critical hardware components would be missing.

To say it is Google Project Zerowhich despite being a branch of Google, proves to be absolutely independent in its analyzes and objective, given that in this case the problem also affects Pixels.

The matter is quite serious, and it is also easy to understand why. Google explains it by citing the case of a series of flaws in the Mali GPU drivers, very common in Android SoCs. Very serious, actively exploited flaws that Google Project Zero reported in July and ARM promptly shut down in August.

ARM has released the updated version of the drivers on its site, and this means that it has also shown, to those who understand where to look, what the vulnerability was in detail.

Today, in November, ARM-produced drivers and patches that close those specific vulnerabilities they have never been integrated into any monthly patch of any Android smartphone. At the moment, manufacturers have completely ignored them, and phones are vulnerable.

The reason is simple: managing security and updates has a cost, and often manufacturers they just absorb what are generic patches from Googlewhich include updates for the software part and for some processor modules, and don’t bother to absorb even all the patches that are released by the manufacturers of the components that are present inside, in this case the GPU.

The reason is probably to be found in the different complexity of the two things: the patch package that Google inserts into Android and that are distributed to the various partners have already been fully verified and integrated, those that are released by the various hardware manufacturers would require much more work on the test phase.

Google Project Zero also explains that often a detailed analysis of the causes that led to a flaw is not even done, nor on the integration of the patch with the rest of the system, and it is precisely for this reason that 50% of zero day leaks discovered in the last year they are simple variants of holes that have already been closed. The bad guys looked at how they had been closed, it’s public, and they dug around the “patch” to find another point to enter.

Just as users need to be quick to patch devices, manufacturers need to be quick to integrate available patches.

Today there is a great placebo effect: the user who receives the patch is convinced that he is safe and that he has relied on a manufacturer who updates regularly, however, within the security release there may be only part of the patches that are really needed. The others, partly because they are difficult and partly because they are laborious, are completely ignored or postponed.

We would like to thank the author of this write-up for this incredible material

Placebo patch, the bitter illusion of having up-to-date and secure smartphones

We have our social media profiles here , as well as additional related pages here.