A new chapter in "C was a mistake", courtesy of Samsung
Marco:
https://googleprojectzero.blogspot.com/2023/03/multiple-internet-to-baseband-remote-rce.html
Samsung was silly enough to leave its mobile phone baseband machine code out in the open ... and don't you know it, an ancient massive closed source C codebase with shared memory access to everything in mobile phones has buffer overflows as far as the eye can see. Who could have predicted that?
A little more obscurity and not letting the machine code escape into the wild (for non state actor level adversaries at least) would have helped of course. All programmers waking up a little sooner and realizing how utterly fucked software was the moment buffer overflows entered the field would have helped more.
thm_w:
Yeah, that's crazy that it's even a possibility no matter how badly the code is written:
--- Quote ---Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number.
--- End quote ---
Ed.Kloonk:
I remember when the 'open' phones started showing up and the total push-back they received from existing phone companies to release or even licence anything.
I suspected then that it was all un-audited garbage.
tom66:
Been around for a while.
tszaboo:
--- Quote from: thm_w on March 17, 2023, 09:15:06 pm ---Yeah, that's crazy that it's even a possibility no matter how badly the code is written:
--- Quote ---Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number.
--- End quote ---
--- End quote ---
Almost feels like it was on purpose...