Android Patch for Blueborne

padrone

    I'm wondering when T-Mobile will be releasing a security patch for the Blueborne vulnerability made public today (9/12/2017)? Google said they have already developed & released the security patch (Android Security Bulletin—September 2017 | Android Open Source Project), so when will T-Mobile customers be able to download the updated, patched version of Android? Currently there seem to be no updates available after trying to manually update. Last "Android Security patch level" my phone shows is "July 1, 2017". The nature of this vulnerability makes it one of the worst ever for Bluetooth devices.

    Vulnerability info: https://www.armis.com/blueborne/#devices

      All replies

      • gramps28

        Re: Android Patch for Blueborne

        Manufacturers release the patches, T-Mobile just sells the phone.

         

        I have a Nexus 5X and I get monthly security updates through Google.

          • theartiszan

            Re: Android Patch for Blueborne

            Yeh it really depends largely on what phone you have and when the manufacturer develops it for that model. Even on my S8 I'm on the July security patch too. Samsung seems to be slow with the security patch release. I'm wondering if it is because they started development for Android 8 for this device.

              • padrone

                Re: Android Patch for Blueborne

                gramps28, theartiszan, thanks for the replies. However, it seems the process is a little more nuanced than simply all the responsibility falling on the manufacturer and that without T-Mobile involvement, our phones won't get patched. From what I can gather, the T-Mobile / Samsung Android update process goes something like this:

                1. Google/ other AOSP contributor updates source code repository  >

                2. Manufacturer develops & tests Android update >

                3. T-Mobile tests & certifies Android update >

                4. T-Mobile makes updates available via OTA or accessible via Samsung Smart Switch Application

                 

                I just got off the phone with Samsung support, and they said all Android updates are made available by the service provider (T-Mobile for us), not from Samsung directly. He said it doesn't matter whether it's OTA (wifi) or via USB-tethered SmartSwitch, the OS updates are released from the carrier/service provider to our devices. The only thing that is released directly from Samsung is Samsung-only App updates. He actually described the process as follows:

                1. Service Provider requests an update from Samsung

                2. Samsung contacts Google for Android update

                3. Google finishes update and releases to Samsung/Android Partners via AOSP

                4. Samsung further develops & tests, then releases to T-Mobile

                5. T-Mobile test and certification

                6. T-Mobile makes updates available to Samsung Galaxy customers

                 

                He said as of now, there is no later update than Baseband version G930TUVU4BQG5 / Android Security Patch level July 1 2017 and that he didn't see any evidence that T-Mobile has requested an update for Blueborne.

                 

                According to Armis (https://www.armis.com/blueborne/#devices), "Samsung – Contact on three separate occasions in April, May, and June. No response was received back from any outreach."

                 

                Can a T-Mobile rep please chime in to validate/correct the above and give some assurance that us customers will get a patch?

                 

                I'm thinking my next device will be one that gets updates immediately from the source (e.g. Google Pixel)....without any other middleman...

                 

                Sources:

                1. Android Security Bulletin—September 2017 | Android Open Source Project

                2. Software updates

                3. Re: BlueBorne, Are we gonna get a patch? - Samsung Community - 164854

                4. Software updates: Samsung Galaxy S7

                5. Samsung Smart Switch™

                6. How to Use Smart Switch to Update Your Galaxy S6—Even It's Rooted « Samsung Galaxy S6 :: Gadget Hacks

                7. https://www.armis.com/blueborne/#devices

                8. Samsung Technical Support

                  • tidbits

                    Re: Android Patch for Blueborne

                    Samsung has to make it.  So if Samsung doesn't complete it how is T-Mobile supposed to deliver it?  Samsung makes the updates for each device as different devices.  Samsung has different teams doing different updates for each variant.  Just because 1 device gets the update doesn't mean they are all finished for other devices. This is something most people fail to see.

                     

                    Samsung support is the WORST to get information from. Try asking them about unlocked bootloaders: 9/10 times they will tell you it's unlocked because they can't even tell the difference between a bootloader and a subsidy lock.

                      • t1328

                        Re: Android Patch for Blueborne

                        In this case, T-Mobile is holding up the September Security update, which addresses Blueborne. Verizon has updated their Note 8 with a fix for Blueborne, but my T-Mobile Note 8 with today's update does not include that fix. T-Mobile, to say that this vulnerability is serious is the biggest understatement of the year. Please address this asap. It's not safe to use Bluetooth on your phones until it is resolved.

                          • tidbits

                            Re: Android Patch for Blueborne

                            Reread what I said. Just because it is finished on one device doesn't mean Samsung is finished for all devices. Samsung has different teams for each variant. They don't finish all at the same time.

                              • t1328

                                Re: Android Patch for Blueborne

                                Understood. But the differences between the variants in this case are primarily GSM vs. CDMA. Both are US variants with very similar LTE band support, the Qualcomm processor, etc. It's possible that Samsung has released a fix for Blueborne only to the Verizon/Sprint variants, but highly unlikely. T-Mobile is also usually a lot better than Verizon at doing timely updates, further strengthening your argument.

                                 

                                It would be nice if T-Mobile stepped in here and told us if they are or are not the hold up. If you read about Blueborne, I think you'll appreciate why this one is different. I would happily continue with a phone that is a few months behind on normal security updates. But this isn't normal because it can be forced into my phone without me doing anything but having Bluetooth turned on. From there it can and will jump to any other device that has Bluetooth.

                                  • tidbits

                                    Re: Android Patch for Blueborne

                                    Software is different between them. They can't just slap it in and expect it to work properly. Bugs can arise in difference of software. The Note 8 on T-Mobile already got an update and it was probably scheduled long before Samsung even knew about the exploit which delayed the Verizon/Sprint/AT&T variant updates because they were still working on it.

                                     

                                    I already know about the Blueborne (my job revolves around computers, and mobile devices for the DOD). T-Mobile is not the hold up and I am willing to put money on it, but T-Mobile can't say anything about it. There's an NDA involved and Samsung is PRO PRO PRO NDA. Some of the stuff I could tell you about them would make you trip out. Alas I don't want to be sued and would be bankrupted and lose my job and future jobs for breaking one. I have worked with all the major manufacturers and dealt closely with their engineers, and I can tell you first hand if it is a critical bug there is a stipulation in the contract that the manufacturer can bypass carrier testing and push it out if they are finished as a standalone fix. They rarely use this clause because generally they are developing an update and bundle it together with it to save time and money.

                                     

                                    I am willing to bet money people are going to say it's T-Mobile, but if people hounded Samsung enough that update would come 10x faster because if people really thought about it.  If it was T-Mobile Samsung has all the leverage to force them to push out the update.  Last I remember Samsung makes up 60% of all device sales on T-Mobile, and overall 50% of all sales by US carriers.  If Samsung believed carriers were the problem they could call them out publicly and tell people which carriers are better about support and suggest their customers to go to that carrier.  They've never done this why?  Because they know their customer base will blame the carriers even if it isn't them.

                                    • stevetjr

                                      Re: Android Patch for Blueborne

                                      t1328 as the others mentioned it is Samsung not TMO.  The only part TMO does is tests and signs off on the updates once Samsung completes them and sends them to them.  All you have to do is go back and look at the history of updates on Samsung phones with the big 4 carriers and you will see it is never the same one that is first or the same one that is last with each update, it is random or as mentioned by tidbits when that team gets done.  The other thing that has affected updates is that if a team has moved on to the next version of Android like in this case most likely Oreo if you look at history the regular updates tend to go by the wayside for a bit before, since they obviously don't want to spend time (or $$) doing work on a version of the OS that is going out but rather just incorporate it into the new one.  Seriously though go look you will see numerous Samsung devices where TMO had an update before VZW but others where Sprint or AT&T was first, it changes almost every time.  This unfortunately is just a known "issue" with Samsung, they make great devices but their updates are historically slow.

                                       

                                      padrone and FYI the updates are not made available by TMO, they actually all come from Samsung servers, even the OTA. Once TMO signs off on it, then Samsung opens the device model number up on their servers as eligible for the update. The device's OTA feature will only look for updates in that carrier's update area on Samsung's servers, which is why an AT&T phone on TMO network can't find its updates unless you use Smart Switch. But all the code and files are on Samsung's servers. As I mentioned above though all you have to do is look back at the history of Samsung updates and you will see that they come in different order almost every time because it really is all on Samsung other than the testing.

                                        • t1328

                                          Re: Android Patch for Blueborne

                                          stevetjr, I agree with you, the releases do appear to be random per your point. I wasn't aware of that before. But I've also seen cases where a specific carrier (not T-Mobile) has taken significantly longer to release major updates than others. By significant, I mean say the update to Nougat. That is also more understandable, since if the release is not stable enough, the carrier will bear the brunt of help desk calls.

                                           

                                          Anyway, in the case of Blueborne, and now KRACK, I think it's time for Samsung, T-Mobile and other carriers, and Google to figure out a way to get updates to their clients extremely quickly in urgent circumstances.

                                           

                                          As we stand, the fix for the WPA2 vulnerability will only be in Google's November Security update. Blueborne was in September and in some cases pushed out with the August update. Regardless of the normal process, both of these vulnerabilities call for urgent action on the part of the carrier, Samsung, and Google to close these gaps. Imagine what happens to folks who for the moment are advised not to use either Bluetooth or WiFi.

                                           

                                          This won't be easy, but it's necessary, and whatever framework they put in place should be able to handle future issues because hackers are not slowing down, so-called ethical hackers are also not, and these are impacting basic features of the phone at a level where even educated consumers who know how to avoid malware have no way to prevent being hacked.

                          • chaosmstr

                            Re: Android Patch for Blueborne

                            I have an older Note 3...

                            The bluetooth module should be able to be updated separately, regardless of the manufacturer.

                             

                            When is Tmo going to put out a security update on this issue, please?

                            • padrone

                              Re: Android Patch for Blueborne

                              According to the following links, Samsung has patched Blueborne in their September 2017 Security update: Samsung Mobile Security.  Note the Blueborne associated CVEs (CVE-2017-0781, CVE-2017-0782). See also Blue Borne Security Update - Samsung Community - 167223.

                               

                              Therefore those that have devices receiving Samsung's Monthly Security Update as listed in the following link *should* be getting it.  Samsung Mobile Security

                               

                              I have one of such covered devices, Galaxy S7.  *HOWEVER*, as of this post (18 Sept 12:47 AM GMT), I have not received the update, further supporting the above described Samsung/T-mobile Android update process...

                               

                              As usertG3dsCjDmZ  points out (Blue Borne Security Update - Samsung Community - 167223 ), this means either:

                              A) Samsung hasn't yet released the update to carriers  / T-Mobile

                              or

                              B) T-mobile hasn't completed Test & Certification of the update

                               

                              IMO, a little transparency / Public Relations from T-mobile and/or Samsung on the exact timing / status of getting protected from this very significant vulnerability is overdue.

                              • tmo_mike_c

                                Re: Android Patch for Blueborne

                                Hey there everyone!

                                 

                                Just want to say that we understand how important this is and that we're working with our equipment manufacturers on this one. We don't have any info on patch dates right now. We do suggest keeping Bluetooth off when you're not using it.

                                  • t1328

                                    Re: Android Patch for Blueborne

                                    Hi Mike:

                                     

                                    FWIW, Armis, the company who "discovered" the Blueborne vulnerability, put an app out on the Google Play store that tells you whether your device is vulnerable or not. The App is called Blueborne Scanner. I received my Note 8 earlier than the official release date, and when I used the app, it said my phone was vulnerable. After Friday the 15th update to the Note 8, despite that only including the August Security update, the app then showed my phone as no longer being vulnerable.

                                     

                                    I'm not sure that this puts the Note 8 in the clear, and it doesn't mean much for other devices since the official fix is in Google's September Security update, but perhaps for Note 8 owners, this helps? Another suggestion for folks in the meantime - change your phone's name to something that sounds like it's not a phone - don't leave it as the default Galaxy Note 8. Because actual attackers using this vulnerability will be searching for devices by name.

                                    Thanks

                                    • magenta2966160

                                      Re: Android Patch for Blueborne

                                      Samsung released the patch for S7 on September 25th. It's October 22nd, nearly a month later, and I still don't see it from T-Mobile. Exactly how long are you going to make me wait? Why won't anyone give me a date when you expect it to be available?

                                    • magenta948

                                      Re: Android Patch for Blueborne

                                      I just downloaded the August 2017 security patch for my GS8. The Blueborne Scanner from Armis shows "You are Safe!"

                                      • fazelpoor

                                        Re: Android Patch for Blueborne

                                        I got these error msgs on Bitcoin and I downloaded BlueBorne Scanner, and I can't find the solution. Where and how can I get this fixed without getting a new phone? And I promise you it wouldn't be from T-Mobile if it's not fixed.

                                        • t1328

                                          Re: Android Patch for Blueborne

                                          fazelpoor - I don't think any of the carriers have updated the S6 Edge + to Google's August or September patches at this point. This is more likely to be on Samsung at this point. This Blueborne vulnerability is the first of its kind like this, and it will unfortunately likely take a lot of time for manufacturers and carriers to sort it out. But to be sure, I'd recommend looking and asking at the forums on AndroidCentral.com to see if others with the S6 Edge+ have gotten the necessary updates yet. Currently the only viable options to ensure that this never happens again, are Blackberry phones or Pixels - or iPhones.

                                          • chaosmstr

                                            Re: Android Patch for Blueborne

                                            I tried talking to Samsung about my Note 3, and they stonewalled me.

                                            "Unfortunately we can't really comment on Software updates, since we have to work with the carrier to push them out. I do apologize for the inconvenience. They do have a page where they release update information, so I would keep an eye on that here http://t-mo.co/2xxTXem"

                                             

                                            So that's really annoying. Pointing at each other and no one wants to take responsibility.

                                             

                                            Sigh

                                            • magenta2966160

                                              Re: Android Patch for Blueborne

                                              It's nearly November. When will you release the Blueborne patch for Galaxy S7, which is contained in the September security release?

                                                • tmo_mike_c

                                                  Re: Android Patch for Blueborne

                                                  I double checked on this for you magenta2966160  and right now we don't have a date we can give folks for the patch. Right now, we don't have more info to give but if that does change, we'll let you know.

                                                    • magenta2966160

                                                      Re: Android Patch for Blueborne

                                                      That is just unacceptable. You need to give a reasonable timeframe, and then you need to stick to it.

                                                        • t1328

                                                          Re: Android Patch for Blueborne

                                                          T-Mo. I agree 100% with magenta2966160. You've got a serious security vulnerability that is not allowing people to use Bluetooth for well over a month now. A response of no idea when this will be fixed, is not acceptable. I run a Support team for a Cyber Security company. If we had a severity 1 critical issue and told our clients what you just did, we'd lose them.

                                                           

                                                          This is not like other vulnerabilities as already mentioned. This is one in which if someone is in proximity of one of your users, their phones could be targeted without any ability for them to stop the attacker. This deserves emergency status. Given that this has now been fixed for the Note 8, and the S8 and S8+, it is clearly fixable.

                                                           

                                                          Speak to your product management team, and give us a firm time commitment for when other phones will be fixed and in what order. Transparency will win you a lot of friends here. Obfuscation will lose you a lot of loyal customers.

                                                          • tmo_mike_c

                                                            Re: Android Patch for Blueborne

                                                            I totally get where you're coming from and I wish we had more info for you. This is really important to us and once we have more specifics for you, we'll share it ASAP.

                                                              • magenta2966160

                                                                Re: Android Patch for Blueborne

                                                                *BZZZZT*  That is demonstrably not the case.  If it were "really important to" T-Mobile, you would have fixed it already (as other carriers have done ON THE SAME HARDWARE), or, at the very least, you would have a plan that can be communicated to those of us who PAY T-MOBILE FOR SERVICE about how long we can expect to be exposed to this severe vulnerability. 

                                                                • magenta2972245

                                                                  Re: Android Patch for Blueborne

                                                                  I concur with others. Not only is it unacceptable from a customer perspective but failing to issue the patch within a reasonable time frame is grossly negligent. Waiting a month isn't reasonable. We're absolutely reliant upon T-Mobile to push these patches and are either very vulnerable to the blue borne security hole or not getting the full functionality of the device we paid very good money to purchase. This slowness had better not recur with the recently released KRACK WiFi patches once available.