Android Patch for Blueborne

padrone

    I'm wondering when T-Mobile will be releasing a security patch for the Blueborne vulnerability made public today (9/12/2017)? Google said they have already developed & released the security patch (Android Security Bulletin—September 2017 | Android Open Source Project), so when will T-Mobile customers be able to download the updated, patched version of Android? Currently there seem to be no updates available after trying to manually update. The last "Android Security patch level" my phone shows is "July 1, 2017". The nature of this vulnerability makes it one of the worst ever for Bluetooth devices.

    Vulnerability info: https://www.armis.com/blueborne/#devices

      All replies

      • gramps28

        Re: Android Patch for Blueborne

        Manufacturers release the patches; T-Mobile just sells the phone.

         

        I have a Nexus 5X and I get monthly security updates through Google.

          • theartiszan

            Re: Android Patch for Blueborne

            Yeah, it really depends largely on what phone you have and when the manufacturer develops it for that model. Even on my S8 I'm on the July security patch too. Samsung seems to be slow with the security patch release. I'm wondering if it is because they started development for Android 8 for this device.

              • padrone

                Re: Android Patch for Blueborne

                gramps28, theartiszan, thanks for the replies. However, it seems the process is a little more nuanced than simply all the responsibility falling on the manufacturer, and that without T-Mobile involvement, our phones won't get patched. From what I can gather, the T-Mobile / Samsung Android update process goes something like this:

                1. Google/ other AOSP contributor updates source code repository  >

                2. Manufacturer develops & tests Android update >

                3. T-Mobile tests & certifies Android update >

                4. T-Mobile makes updates available via OTA or accessible via Samsung Smart Switch Application

                 

                I just got off the phone with Samsung support, and they said all Android updates are made available by the service provider (T-Mobile for us), not from Samsung directly. He said it doesn't matter whether it is OTA (wifi) or via USB-tethered SmartSwitch, the OS updates are released from the carrier/service provider to our devices. The only thing that is released directly from Samsung is Samsung-only app updates. He actually described the process as follows:

                1. Service Provider requests an update from Samsung

                2. Samsung contacts Google for Android update

                3. Google finishes update and releases to Samsung/Android Partners via AOSP

                4. Samsung further develops & tests, then releases to T-Mobile

                5. T-Mobile test and certification

                6. T-Mobile makes updates available to Samsung Galaxy customers

                 

                He said as of now, there is no later update than Baseband version G930TUVU4BQG5 / Android Security Patch level July 1 2017 and that he didn't see any evidence that T-Mobile has requested an update for Blueborne.

                 

                According to Armis (https://www.armis.com/blueborne/#devices), "Samsung – Contact on three separate occasions in April, May, and June. No response was received back from any outreach."

                 

                Can a T-Mobile rep please chime in to validate/correct the above and give some assurance that we customers will get a patch?

                 

                I'm thinking my next device will be one that gets updates immediately from the source (e.g. Google Pixel)....without any other middleman...

                 

                Sources:

                1. Android Security Bulletin—September 2017 | Android Open Source Project

                2. Software updates

                3. Re: BlueBorne, Are we gonna get a patch? - Samsung Community - 164854

                4. Software updates: Samsung Galaxy S7

                5. Samsung Smart Switch™

                6. How to Use Smart Switch to Update Your Galaxy S6—Even It's Rooted « Samsung Galaxy S6 :: Gadget Hacks

                7. https://www.armis.com/blueborne/#devices

                8. Samsung Technical Support

                  • tidbits

                    Re: Android Patch for Blueborne

                    Samsung has to make it.  So if Samsung doesn't complete it how is T-Mobile supposed to deliver it?  Samsung makes the updates for each device as different devices.  Samsung has different teams doing different updates for each variant.  Just because 1 device gets the update doesn't mean they are all finished for other devices. This is something most people fail to see.

                     

                    Samsung support is the WORST to get information from. Try asking them about unlocked bootloaders; 9/10 times they will tell you it's unlocked because they can't even tell the difference between a bootloader and a subsidy lock.

                      • t1328

                        Re: Android Patch for Blueborne

                        In this case, T-Mobile is holding up the September Security update, which addresses Blueborne. Verizon has updated their Note 8 with a fix for Blueborne, but my T-Mobile Note 8 with today's update does not include that fix. T-Mobile, to say that this vulnerability is serious is the biggest understatement of the year. Please address this asap. It's not safe to use Bluetooth on your phones until it is resolved.

                          • tidbits

                            Re: Android Patch for Blueborne

                            Reread what I said. Just because it is finished on one device doesn't mean Samsung is finished for all devices. Samsung has different teams for each variant. They don't finish all at the same time.

                              • t1328

                                Re: Android Patch for Blueborne

                                Understood. But the differences between the variants in this case are primarily GSM vs. CDMA. Both are US variants with very similar LTE band support, the Qualcomm processor, etc. It's possible that Samsung has released a fix for Blueborne only to the Verizon/Sprint variants, but highly unlikely. T-Mobile is also usually a lot better than Verizon at doing timely updates, further strengthening your argument.

                                 

                                It would be nice if T-Mobile stepped in here and told us if they are or are not the hold up. If you read about Blueborne, I think you'll appreciate why this one is different. I would happily continue with a phone that is a few months behind on normal security updates. But this isn't normal because it can be forced into my phone without me doing anything but having Bluetooth turned on. From there it can and will jump to any other device that has Bluetooth.

                                  • tidbits

                                    Re: Android Patch for Blueborne

                                    Software is different between them. They can't just slap it in and expect it to work properly. Bugs can arise from differences in software. The Note 8 on T-Mobile already got an update and it was probably scheduled long before Samsung even knew about the exploit, which delayed the Verizon/Sprint/AT&T variant updates because they were still working on it.

                                     

                                    I already know about the Blueborne (my job revolves around computers and mobile devices for the DOD). T-Mobile is not the hold up and I am willing to put money on it, but T-Mobile can't say anything about it. There's an NDA involved and Samsung is PRO PRO PRO NDA. Some of the stuff I could tell you about them would make you trip out. Alas, I don't want to be sued and would be bankrupted and lose my job and future jobs for breaking one. I have worked with all the major manufacturers and dealt closely with their engineers, and I can tell you first hand if it is a critical bug there is a stipulation in the contract that the manufacturer can bypass carrier testing and push it out if they are finished as a standalone fix. They rarely use this clause because generally they are developing an update and bundle it together with it to save time and money.

                                     

                                    I am willing to bet money people are going to say it's T-Mobile, but if people hounded Samsung enough that update would come 10x faster. Because if people really thought about it, if it was T-Mobile, Samsung has all the leverage to force them to push out the update. Last I remember Samsung makes up 60% of all device sales on T-Mobile, and overall 50% of all sales by US carriers. If Samsung believed carriers were the problem they could call them out publicly and tell people which carriers are better about support and suggest their customers go to that carrier. They've never done this. Why? Because they know their customer base will blame the carriers even if it isn't them.

                                    • stevetjr

                                      Re: Android Patch for Blueborne

                                      t1328, as the others mentioned, it is Samsung, not TMO. The only part TMO does is test and sign off on the updates once Samsung completes them and sends them to them. All you have to do is go back and look at the history of updates on Samsung phones with the big 4 carriers and you will see it is never the same one that is first or the same one that is last with each update; it is random or, as mentioned by tidbits, when that team gets done. The other thing that has affected updates is that if a team has moved on to the next version of Android (in this case most likely Oreo), if you look at history, the regular updates tend to go by the wayside for a bit before, since they obviously don't want to spend time (or $$) doing work on a version of the OS that is going out but would rather just incorporate it into the new one. Seriously though, go look; you will see numerous Samsung devices where TMO had an update before VZW but others where Sprint or AT&T was first; it changes almost every time. This unfortunately is just a known "issue" with Samsung: they make great devices but their updates are historically slow.

                                       

                                      padrone, and FYI, the updates are not made available by TMO; they actually all come from Samsung servers, even the OTA. Once TMO signs off on it, Samsung opens the device model number up on their servers as eligible for the update. The device's OTA feature will only look for updates in that carrier's update area on Samsung's servers, which is why an AT&T phone on the TMO network can't find its updates unless you use Smart Switch. But all the code and files are on Samsung's servers. As I mentioned above though, all you have to do is look back at the history of Samsung updates and you will see that they come in a different order almost every time, because it really is all on Samsung other than the testing.

                                        • t1328

                                          Re: Android Patch for Blueborne

                                          stevetjr, I agree with you, the releases do appear to be random, per your point. I wasn't aware of that before. But I've also seen cases where a specific carrier (not T-Mobile) has taken significantly longer to release major updates than others. By significant, I mean, say, the update to Nougat. That is also more understandable, since if the release is not stable enough, the carrier will bear the brunt of help desk calls.

                                           

                                          Anyway, in the case of Blueborne, and now KRACK, I think it's time for Samsung, T-Mobile and other carriers, and Google to figure out a way to get updates to their clients extremely quickly in urgent circumstances.

                                           

                                          As we stand, the fix for the WPA2 vulnerability will only be in Google's November Security update. Blueborne was in September and in some cases pushed out with the August update. Regardless of the normal process, both of these vulnerabilities call for urgent action on the part of the carrier, Samsung, and Google to close these gaps. Imagine what happens to folks who for the moment are advised not to use either Bluetooth or WiFi.

                                           

                                          This won't be easy, but it's necessary, and whatever framework they put in place should be able to handle future issues, because hackers are not slowing down, so-called ethical hackers are also not, and these are impacting basic features of the phone at a level where even educated consumers who know how to avoid malware have no way to prevent being hacked.

                          • chaosmstr

                            Re: Android Patch for Blueborne

                            I have an older Note 3...

                            The Bluetooth module should be able to be updated separately, regardless of the manufacturer.

                             

                            When is Tmo going to put out a security update on this issue, please?

                            • padrone

                              Re: Android Patch for Blueborne

                              According to the following links, Samsung has patched Blueborne in their September 2017 Security update: Samsung Mobile Security.  Note the Blueborne associated CVEs (CVE-2017-0781, CVE-2017-0782). See also Blue Borne Security Update - Samsung Community - 167223.

                               

                              Therefore those that have devices receiving Samsung's Monthly Security Update as listed in the following link *should* be getting it.  Samsung Mobile Security

                               

                              I have one such covered device, a Galaxy S7. *HOWEVER*, as of this post (18 Sept 12:47 AM GMT), I have not received the update, further supporting the above described Samsung/T-Mobile Android update process...

                               

                              As usertG3dsCjDmZ  points out (Blue Borne Security Update - Samsung Community - 167223 ), this means either:

                              A) Samsung hasn't yet released the update to carriers  / T-Mobile

                              or

                              B) T-Mobile hasn't completed Test & Certification of the update

                               

                              IMO, a little transparency / Public Relations from T-Mobile and/or Samsung on the exact timing / status of getting protected from this very significant vulnerability is overdue.

                              • tmo_mike_c

                                Re: Android Patch for Blueborne

                                Hey there everyone!

                                 

                                Just want to say that we understand how important this is and that we're working with our equipment manufacturers on this one. We don't have any info on patch dates right now. We do suggest keeping Bluetooth off when you're not using it.

                                  • t1328

                                    Re: Android Patch for Blueborne

                                    Hi Mike:

                                     

                                    FWIW, Armis, the company who "discovered" the Blueborne vulnerability, put an app out on the Google Play store that tells you whether your device is vulnerable or not. The App is called Blueborne Scanner. I received my Note 8 earlier than the official release date, and when I used the app, it said my phone was vulnerable. After Friday the 15th update to the Note 8, despite that only including the August Security update, the app then showed my phone as no longer being vulnerable.

                                     

                                    I'm not sure that this puts the Note 8 in the clear, and it doesn't mean much for other devices since the official fix is in Google's September Security update, but perhaps for Note 8 owners, this helps? Another suggestion for folks in the meantime - change your phone's name to something that sounds like it's not a phone - don't leave it as the default Galaxy Note 8. Because actual attackers using this vulnerability will be searching for devices by name.


                                    Thanks

                                    • magenta2966160

                                      Re: Android Patch for Blueborne

                                      Samsung released the patch for S7 on September 25th. It's October 22nd, nearly a month later, and I still don't see it from T-Mobile. Exactly how long are you going to make me wait? Why won't anyone give me a date when you expect it to be available?

                                    • magenta948

                                      Re: Android Patch for Blueborne

                                      I just downloaded the August 2017 security patch for my GS8. The Blueborne Scanner from Armis shows "You are Safe!"

                                      • fazelpoor

                                        Re: Android Patch for Blueborne

                                        I got these error msgs on Bitcoin and I downloaded BlueBorne Scanner, and I can't find the solution. Where and how can I get this fixed without getting a new phone? And I promise you it wouldn't be from T-Mobile if it's not fixed.


                                        • t1328

                                          Re: Android Patch for Blueborne

                                          fazelpoor - I don't think any of the carriers have updated the S6 Edge + to Google's August or September patches at this point. This is more likely to be on Samsung at this point. This Blueborne vulnerability is the first of its kind like this, and it will unfortunately likely take a lot of time for manufacturers and carriers to sort it out. But to be sure, I'd recommend looking and asking at the forums on AndroidCentral.com to see if others with the S6 Edge+ have gotten the necessary updates yet. Currently the only viable options to ensure that this never happens again, are Blackberry phones or Pixels - or iPhones.

                                          • chaosmstr

                                            Re: Android Patch for Blueborne

                                            I tried talking to Samsung about my Note 3, and they stonewalled me.

                                            "Unfortunately we can't really comment on Software updates, since we have to work with the carrier to push them out. I do apologize for the inconvenience. They do have a page where they release update information, so I would keep an eye on that here http://t-mo.co/2xxTXem"

                                             

                                            So that's really annoying. Pointing at each other and no one wants to take responsibility.

                                             

                                            Sigh

                                            • magenta2966160

                                              Re: Android Patch for Blueborne

                                              It's nearly November. When will you release the Blueborne patch for Galaxy S7, which is contained in the September security release?

                                                • tmo_mike_c

                                                  Re: Android Patch for Blueborne

                                                  I double checked on this for you magenta2966160  and right now we don't have a date we can give folks for the patch. Right now, we don't have more info to give but if that does change, we'll let you know.

                                                    • magenta2966160

                                                      Re: Android Patch for Blueborne

                                                      That is just unacceptable. You need to give a reasonable timeframe, and then you need to stick to it.

                                                        • t1328

                                                          Re: Android Patch for Blueborne

                                                          T-Mo. I agree 100% with magenta2966160. You've got a serious security vulnerability that is not allowing people to use Bluetooth for well over a month now. A response of no idea when this will be fixed, is not acceptable. I run a Support team for a Cyber Security company. If we had a severity 1 critical issue and told our clients what you just did, we'd lose them.

                                                           

                                                          This is not like other vulnerabilities as already mentioned. This is one in which if someone is in proximity of one of your users, their phones could be targeted without any ability for them to stop the attacker. This deserves emergency status. Given that this has now been fixed for the Note 8, and the S8 and S8+, it is clearly fixable.

                                                           

                                                          Speak to your product management team, and give us a firm time commitment for when other phones will be fixed and in what order. Transparency will win you a lot of friends here. Obfuscation will lose you a lot of loyal customers.

                                                          • tmo_mike_c

                                                            Re: Android Patch for Blueborne

                                                            I totally get where you're coming from and I wish we had more info for you. This is really important to us and once we have more specifics for you, we'll share it ASAP.

                                                              • magenta2966160

                                                                Re: Android Patch for Blueborne

                                                                *BZZZZT*  That is demonstrably not the case.  If it were "really important to" T-Mobile, you would have fixed it already (as other carriers have done ON THE SAME HARDWARE), or, at the very least, you would have a plan that can be communicated to those of us who PAY T-MOBILE FOR SERVICE about how long we can expect to be exposed to this severe vulnerability. 

                                                                • magenta2972245

                                                                  Re: Android Patch for Blueborne

                                                                  I concur with others. Not only is it unacceptable from a customer perspective, but failing to issue the patch within a reasonable time frame is grossly negligent. Waiting a month isn't reasonable. We're absolutely reliant upon T-Mobile to push these patches and are either very vulnerable to the Blueborne security hole or not getting the full functionality of the device we paid very good money to purchase. This slowness had better not recur with the recently released KRACK WiFi patches once available.

                                                                  • magenta2985555

                                                                    Re: Android Patch for Blueborne

                                                                    This is not an acceptable answer. This is a major vulnerability that can lead to a complete compromise of the device. T-Mobile has dragged its feet for way too long on this patch. It's been well over a month since the vulnerability was disclosed publicly. Samsung has already released this patch and T-Mobile is the only thing in the way. This is the worst part about a carrier locked phone. If T-Mobile truly wants to be an "uncarrier" then they need to remove themselves from the update chain. At the very least it needs to allow those who know and understand the process to get the updates from Samsung directly. How long before KRACK is patched, sometime 2018?

                                                            • psy0nic2

                                                              Re: Android Patch for Blueborne

                                                              This is all quite BS. I "spoke" with a Samsung engineer the day the public disclosure was released and they assured me that they made the patch available earlier so that Google could include it in the August update, and the engineer I spoke to had no idea why T-Mobile hadn't even contacted them yet for their release schedule. I contacted T-Mobile the same night and actually had to send the tech the news article that I was referring to because apparently their support wasn't even aware of the vulnerability. Now even Verizon, who has the worst carrier record for updates, even released an out of band update within 2 weeks for the S7 and S7 Edge, and crickets from T-Mobile. I live on my Bluetooth; hell, I run my business on Bluetooth half the time to accept payments, calls on my headset, connect to my car, etc. I've been a T-Mobile customer since they started, left and came back after I saw the grass wasn't greener on the other side, but now I'm either leaving over this and taking my 3 lines of service with me or waiting for the Pixel XL to come out and buying that. Either way it's the last time T-Mobile is getting $1000 out of me for each device roughly every 1-2 years.

                                                                • t1328

                                                                  Re: Android Patch for Blueborne

                                                                  As a matter of interest, which devices do you have? T-Mo's August updates for the S8/+ and Note 8 did include the fix for Blueborne. Do you have the S7? I would hope they at least included that too. Anyway, I imagine you've tested your devices with Armis' Blueborne app to check if they are in fact safe or not. But just in case, that's the best way to do that, since T-Mobile didn't include the fact that the Blueborne vulnerability was addressed in the August updates for the above mentioned phones in the release notes.

                                                                • psy0nic2

                                                                  Re: Android Patch for Blueborne

                                                                  I have an S7 Edge and yes I check for both updates and vulnerabilities nearly daily.  I read in another thread that we were supposed to receive the update no later than the 10th and it never came through.

                                                                    • t1328

                                                                      Re: Android Patch for Blueborne

                                                                      I'd also be very upset in your shoes. That's last year's flagship. Come on T-Mobile. Is it that difficult to integrate the fix for this that you've already integrated into the S8 into the S7/Edge?

                                                                        • psy0nic2

                                                                          Re: Android Patch for Blueborne

                                                                          Well that's that. Pixel will arrive tomorrow. If Google Fi pans out that's it for T-Mobile I guess, which is a shame. I've been a customer since '93 but this is really unacceptable. I'd understand if I had a 2 or 3 year old phone but I don't think I've personally even had this one for a year yet because I was late switching from my Note III.

                                                                      • psy0nic2

                                                                        Re: Android Patch for Blueborne

                                                                        They either need to release the patch or unlock the bootloader and let customers flash a ROM on it that does supply the patch, like LineageOS. If they don't want to be a responsible carrier then let the people that "OWN" the devices take the responsibility back. I already have the Pixel in my shopping cart in the Google Store ready for purchase but I really want to give T-Mobile a chance to do the right thing, but this is out of hand already. I realize that they're probably just delaying it because they think a portion of people will be impatient like me and just upgrade to an 8 series Samsung instead because they too don't want to take the risk of using Bluetooth under these circumstances, not to mention that those of us that accept CC payment via a Bluetooth card reader are not allowed to accept payments or we won't be PCI compliant and risk losing our certifications. This really sucks. I have 10 years' worth of Samsung devices and now I have to abandon them because of T-Mobile, not even because of Samsung themselves. And great, I just thought about the mess the Pixel will now cause with my S3 Frontier watch because they're not 100% compatible. T-Mobile, I have really lost respect for you over this. I'm hoping that Google Fi will be just as good in my area as T-Mobile service and I'll just take my 3 lines of service ($2700 per year) and phones (~$2500 per year) to Google instead.

                                                                          • tidbits

                                                                            Re: Android Patch for Blueborne

                                                                            Talk to Samsung about the bootloader.

                                                                             

                                                                            To date T-Mobile has said it's up to the manufacturer to lock the bootloader. They will never ask for it. Especially on Samsung devices, Samsung is locking it on their own.

                                                                             

                                                                            FYI, if you use HTTPS traffic then you don't have to worry about getting this patched, and any website not using HTTPS by now needs to stop having an online presence; there is no additional cost to use HTTPS.

                                                                          • psy0nic2

                                                                            Re: Android Patch for Blueborne

                                                                            Are you confusing the Blueborne vulnerability that can spread malware to any other affected device in proximity of the phone with the WPA2 KRACK vulnerability?

                                                                            • magenta2985555

                                                                              Re: Android Patch for Blueborne

                                                                              I've gone from waiting patiently to frustrated to now angry. Even AT&T has released the Blueborne patch for the S7 and S7E. Yet T-Mobile continues to sit on this critical vulnerability fix. Where is the patch, T-Mobile?

                                                                              • stevetjr

                                                                                Re: Android Patch for Blueborne

                                                                                What's funny is you all keep hounding T-Mobile for the update when it's been pointed out here, in court and various other places that the update comes from Samsung. Yes, T-Mobile has to test it, but if it is just a security update that wouldn't take that long unless there was an issue with the update, which then is sent back to get corrected, but due to NDA you will never hear about it and of course Samsung just gives their standard non-answer answer. What's funny is even Samsung's Oreo Beta only has up to the September update even though it was just launched.

                                                                                  • psy0nic2

                                                                                    Re: Android Patch for Blueborne

                                                                                    So I'm assuming what you're trying to allude to here is that the patch that Samsung released to the carriers the same day the announcement was made that both Verizon and now AT&T were able to release on the same hardware (both CDMA and GSM carriers) somehow doesn't work for the same hardware on T-Mobile's network and that T-Mobile kicked it back to Samsung to make some custom change for them?  Just trying to figure out your rationality here.  Works for all carriers except T-Mobile?  Not sure I'm buying that.

                                                                                      • stevetjr

                                                                                        Re: Android Patch for Blueborne

                                                                                        T-Mobile has always had more features than the other carriers, a lot of which required OS-level programming/development by whichever manufacturer the device came from, e.g. Wi-Fi calling, which until Nougat wasn't baked into the AOSP version of Android but rather each manufacturer had to develop/integrate the code into the OS for TMO. Now, for example, TMO's requirements for their radios are more advanced than any other US carrier's. While a lot of the other carriers have 1 or 2 of these "advanced" features, they don't have them all like TMO does. Even the GoGo internet texting feature is something that is baked into the OS, as is some of the gigabit LTE. TMO's RCS (Advanced Messaging) is also different: since they launched it they have their own version, but then everyone else jumped on board and came up with the "standard", which TMO is moving towards but still needs to support their custom version in the meantime. Just look back at update history and you will see cases where the Verizon customers are seething because they don't have an update that the other carriers have had for months; who is first and who is last seems to change from update to update, just look back.

                                                                                         

                                                                                        Samsung has said they are trying to streamline the update process, especially security updates, and while they are not there yet obviously, I think the S8 model nomenclature is a clue toward the direction they are going, but even then I think carrier interference will still hinder that process, but more for VZW and AT&T down the road. If you noticed, for the first time all the US carrier versions of the S8/S8+ end with the model number U (US), not like in the past where they ended in T (TMO), V (VZW), S (SPT), A (ATT). If you look, the specs are all the same with the exception of what some of the carriers have blocked or want hidden because they don't support it, so they don't want their customers to see something the competition has. But from reading forums, folks have successfully rooted and loaded TMO images (OS & Radio) onto other carrier devices and it works, which means that it was just the carrier that was blocking a frequency or feature. I suspect Samsung is working it towards just a U model to speed updates and for inventory/manufacturing savings.

                                                                                      • t1328

                                                                                        Re: Android Patch for Blueborne

                                                                                        Stevetjr, can you provide any evidence of what you're claiming about this actually being in Samsung's court? I just don't buy that Samsung does the actual releases for T-Mobile, AT&T, and then the countless other carriers all over the world. If you could back this up, like the point you said about this having already been argued in court, that would help convince me.

                                                                                         

                                                                                        Either way, both Samsung and T-Mobile need transparency in these situations. Leaving joint clients sitting wondering when is the worst thing they could do.

                                                                                          • stevetjr

                                                                                            Re: Android Patch for Blueborne

                                                                                            I can't find any of the cases right off the top but I know one of the first was when Motorola got sued about the Cliq, they promised an update then didn't deliver.  Initially TMO was also named in the suit since they were one of the primary sellers of the phone in the US but eventually they were dropped off of it because it was shown they didn't have involvement in the development or coding of the update that it was Motorola that owned and controlled the source code.

                                                                                             

                                                                                            Samsung got sued in the Netherlands because of their issues with updates, if you notice they didn't sue the carriers they went after Samsung because they are responsible.

                                                                                             

                                                                                            The second link, which goes through the process, also notes that even when the carrier approves the update it is Samsung (or the carriers) that sets the release date so as to break it up so they don't overwhelm the servers. If the carriers housed their own updates it wouldn't overwhelm their own servers; it overwhelms the servers because the manufacturers keep the code on their servers and that is where the update actually comes from.

                                                                                             

                                                                                            https://www.androidauthority.com/samsung-sued-update-phones-668328/

                                                                                             

                                                                                            https://www.sammobile.com/when-will-i-receive-the-latest-android-update-on-my-phone/

                                                                                            • magenta2972245

                                                                                              Re: Android Patch for Blueborne

                                                                                              It's a Samsung issue. I spoke to both Samsung and T-Mobile today. Samsung support desk says the last security patch update sent to T-Mobile was June 29, 2017. It was applied by T-Mobile in its Aug 1 OTA. T-Mobile is hamstrung here and is reliant on Samsung to pass along these patches. Samsung also hasn't updated my wife's Galaxy S7, which I bought directly from Samsung.

                                                                                               

                                                                                              A thread in the Samsung forums also follows the same path as this thread: "S7 G930U / G935U Security Updates - Page 71 - Samsung Community - 47620"

                                                                                               

                                                                                              T-Mobile needs to stop selling Samsung devices until it commits to a reasonable patch schedule (@tmo_mike_c). I'm contacting my state AG (California) and asking his office to get involved. The device is placed into the stream of commerce with an implied warranty that Samsung will release security patches within a reasonable timeframe. The fact that other carriers have already patched the same model of device - more than a month ago - strongly suggests Samsung is acting unreasonably here (and T-Mobile is implicated because it sold the now-defective device).

                                                                                                • magenta2985555

                                                                                                  Re: Android Patch for Blueborne

                                                                                                  You are confusing the different models of the S7 phones. If you have a G93xU model phone then this is true. Samsung would provide you with the update and not T-Mobile. The G93xU is the "unlocked" model sold directly from Samsung and has no carrier software or settings. The unlocked model is supposed to get updates faster because the updates do not need to be tested by any carrier. It goes from Samsung directly to your phone via OTA. The problem is that Samsung ended up releasing updates and patches much slower than the carrier models. That's what the thread is about. People were promised quick updates and ended up not getting them or getting them much slower than advertised. The T-Mobile version of the phones actually received the Nougat (7.0) update 2-3 months before the unlocked model did. You can understand why people are upset when they paid full price in a lump sum only to get screwed over. This is entirely on Samsung and a mess they created by themselves.

                                                                                                   

                                                                                                  If you have a G935T, like I do, then the update comes from T-Mobile. This is the model sold in T-Mobile's stores and site. Every carrier has their own model that is differentiated by the last letter in the model number. Carrier models have an additional layer in the process. Samsung creates the image then sends it to T-Mobile. T-Mobile then tests the update to make sure there are no issues. This process can take days, weeks or in this case months. If there is a problem the image can be rejected and Samsung would have to fix or address the issue and the process repeats. All carriers have agreements with the phone manufacturers that prohibit the manufacturer from sending out updates directly. These are the only models they carry in their stores. Any update, regardless of how big or small, must come from the carrier. The carrier gets to decide if they even want to send it out or not. AT&T and Verizon won't even allow the phone to be updated unless it has one of their SIM chips in it. Not sure about T-Mobile or that other carrier.

                                                                                                   

                                                                                                  The fact that T-Mobile claims they have no info on the process is an absolute lie. They want you to be confused by the process because it keeps people from complaining to them. Logic would suggest that Samsung is the source of the problem but clearly it's not. The Verizon and AT&T versions of the S7 and S7E have already received their patches. They at least seem to understand that this is a major security issue and are protecting their users. T-Mobile on the other hand is just being negligent in not even acknowledging that there is a patch. I've had to turn my Bluetooth off for the past 1.5 months now. Don't know about anyone else but that means no hands-free calls in the car, no wireless headphones, no smart watch.

                                                                                                    • stevetjr

                                                                                                      Re: Android Patch for Blueborne

                                                                                                      First off, I and @tidbits are not paid by T-Mobile, but I am acutely aware of how the process works since I have been involved in the process for a couple of devices before they came to market.

                                                                                                       

                                                                                                       

                                                                                                      As for your statement "All carriers have agreements with the phone manufacturers that prohibit the manufacturer from sending out updates directly": totally incorrect, as soon as Samsung sets the release date you can download the update via OTA or SmartSwitch, which is all Samsung.

                                                                                                       

                                                                                                       

                                                                                                      All the carriers with the exception of Verizon lock their devices, and Verizon doesn't keep them unlocked to be charitable but rather it was an agreement they made with the FCC regarding their acquisition of spectrum. The locking feature is not unique to each carrier; it's the same system, but when a device is produced/locked to that carrier Samsung knows which IMEIs were sold to each carrier, so when the carrier submits the unlock request Samsung knows it is coming from the right carrier. This is why unlocked Apple devices that are sold at Best Buy have issues, because of Apple's Flex policy which locks the device to the first SIM card inserted, but then Apple sees the device locked to TMO but TMO of course has no record of it, so they can't submit the request to Apple to have it unlocked since they show no record of selling it. Of course, before Samsung (or any device maker) provides an unlock code it wants to hear from the carrier they sold it to so they know the carrier approves and has gotten paid or had whatever required commitment fulfilled.

                                                                                                       

                                                                                                       

                                                                                                      Your device has preloaded apps on it and of course they are installed at the root level so you can't disable them, because in some cases the carrier is getting paid for selling their devices with these apps installed. If you notice, other than a handful of TMO apps that's it for the preloaded stuff, unlike the other 3 that have all sorts of bloatware added. A lot of those apps are contracted out and then provided to Samsung to install at the root level during the initial software load. Also yes, the carriers can try to negotiate things like Band 12, but it's pretty simple when TMO says we will buy X number of these but they must meet these network requirements or we won't sell it for you. The carriers really don't make much profit on the devices so of course Samsung (or whomever) will make it compatible with the network. This however gets into your other statement regarding the model number; you are correct in that the -T is the TMO variant and -V Verizon (etc.). That was true until the S8 series, which are all now -U variants, and that isn't for unlocked but for US. All the S8s are the same device, they just have custom ROM versions to disable/hide features one or more particular carriers don't want you to see because their network doesn't support a feature. Part of this is because Qualcomm's latest radio/modem supports everything so they don't need to have different hardware variants anymore.

                                                                                                       

                                                                                                       

                                                                                                      Next issue, "AT&T and Verizon won't even allow the phone to be updated unless it has one of their SIM chips in it": also patently incorrect. I have directed friends that have AT&T devices on TMO when AT&T has released an update. No, they couldn't get it OTA because Samsung's servers are set up in such a way they won't acknowledge an update request for a -A version coming from TMO's network. All they had to do is go to Smart Switch (or previously Kies) and they can get the update to their -A variant with the TMO SIM still in it.

                                                                                                       

                                                                                                       

                                                                                                      "The Verizon and AT&T versions of the S7 and S7E have already received their patches": I dare you to go back and look at all the updates ever put out by Samsung for their phones and the 4 US carriers. You will see the order of which carrier was first and which was last is generally different with each update. Heck, I have seen Verizon get an update 3 months after TMO but then have seen them get one a month sooner. It is all dependent on when Samsung gets the work done, because if you know anything about software programming, the last thing Samsung is going to do is give their source code to anyone outside Samsung. That's why they do all the programming and also why they (Samsung) are being sued in the Netherlands https://www.androidauthority.com/samsung-sued-update-phones-668328/ for their horrible track record on updates, especially critical ones. You will notice they are not suing the Dutch carriers, they are suing SAMSUNG.

                                                                                                  • magenta2985555

                                                                                                    Re: Android Patch for Blueborne

                                                                                                    Stevetjr is a pro-T-Mobile troll. Along with tidbits. Don't know if they're being paid by T-Mobile or not but nothing is ever T-Mobile's fault. He, she or it has taken cases where the manufacturers refused to provide a major upgrade from one major Android version to another and generalized it to say T-Mobile has no say in the software process. Then why does my phone have preloaded T-Mobile apps that I don't want and can't remove? Why are there pre-configured T-Mobile APNs in the wireless settings? Why is the phone locked to only work with T-Mobile until it's been paid off? Guess who you'd have to call to get the phone unlocked? T-Mobile, not Samsung. T-Mobile is involved in every step of the process including specifying band 12 LTE support and Wi-Fi calling.

                                                                                                      • magenta2972245

                                                                                                        Re: Android Patch for Blueborne

                                                                                                        I still stand by what I said, and confirm I'm not confusing the device variants. I provided the Samsung forum thread to demonstrate that we aren't alone.

                                                                                                         

                                                                                                        In both cases Samsung admitted that it hasn't made the security patch available. In the case of my phone, G930T (purchased through T-Mobile), Samsung support said it hasn't given T-Mobile the patch. I assume this means it hasn't given a patch that T-Mobile accepted (failed to pass T-Mobile tests?). T-Mobile support essentially said the same thing. Samsung support also acknowledged it hasn't sent the update to my wife's device, G930U (purchased unlocked through Samsung).

                                                                                                         

                                                                                                        Either way this is unreasonable, and I hold T-Mobile partly responsible.

                                                                                                  • padrone

                                                                                                    Re: Android Patch for Blueborne

                                                                                                    More than 2 months later, it seems T-Mobile has finally certified/approved the patch Samsung developed to patch Blueborne and is allowing TMO users to get the update via OTA from Samsung. The T-Mobile variant of the Samsung Galaxy S7 (SM-G930T) seems to be patched with the November 1, 2017 Android Security Patch Level. Baseband version: G930TUVS4BQJ2. I received this update today and verified it does patch BlueBorne for my SM-G930T.

                                                                                                     

                                                                                                    Despite statements from TMO reps to "keep folks in the loop", there was no PA campaign or post announcing the patch that I've seen.  Furthermore, TMO doesn't even take credit for the patch on the S7 updates page: Software updates: Samsung Galaxy S7 as of 18 Nov 2017 17:00 UTC (Zulu Time).  I expect TMO will update that page soon or in response to this post.

                                                                                                     

                                                                                                    Now for the next big problem affecting TMO SM-G930T users: KRACK!!!! According to the Android Security Bulletin for November 2017, updated 11/8/2017, "Security patches for the KRACK vulnerabilities are provided under the 2017-11-06 security patch level." Source: Android Security Bulletin—November 2017 | Android Open Source Project. This means TMO SM-G930T users still aren't patched against KRACK even with the Nov 1 2017 Security Patch. I'm sure there's another TMO forum thread for KRACK.

                                                                                                     

                                                                                                    tmo_mike_c T-Mobile, with respect to patching KRACK for TMO users, you're getting a second and, for many, perhaps a last chance to be more transparent about critical updates that, left unpatched, result in unsatisfied and potentially compromised customers. This holiday season, some of those customers will be looking to Google for both hardware (Nexus, Pixel) and service (Google Project Fi) to avoid delays in getting key updates and security patches for Android. Recommend you get ahead of this by letting all TMO customers know the plan for patching KRACK on applicable users.

                                                                                                    1 of 1 people found this helpful