I firmly believe that permanent key fusing to lock bootloaders should be outlawed. At the very least the keys (and schematics) should be released once the device reaches EOL.
Agreed. We really need some sort of regulation that prevents companies from bricking devices they sold. It's just so unethical, and wasteful, to put these devices out there and then just turn them into trash.
It should be required from day one. This tying of specific user-environment software to hardware is a straightforward antitrust issue, and frankly should never have been allowed to fester as long as it has.
The industry should be made to move to security models that don't revolve around baking in manufacturer-privileged keys (verification or attestation). Internal groups developing any default user-environment software should have to stay at an arms length from the hardware team, and only be using published documentation.
Any connected device NEEDS continual updates in order to continue to be secure.
This is particularly true of internet connected devices, but is also true for IOT devices that only connect to the internet indirectly. Security holes get found, if you can't patch and update devices in the field then you are leaving your customers unprotected.
Doesn't sound like its an update that bricks them, thought the article is a bit confusing on that point. Sounds to me like they broke the API (or just blocked this particular User-Agent)
Realistically how many people are going to bother reflashing their devices? This case is exceptional because it was EOLed so early, but for the typical phone that reaches EOL in 2 years I doubt more than 1% of people are going to make use of this ability.
It's a chicken and egg problem. There isn't much firmware being developed for these devices because there is no easy path for users to install them.
If installing alternative/third-party firmware becomes easy and normalized, there will also be more options to choose from, because it will actually become worthwhile for people/companies to develop said firmware.
I think if the process was made easy, it would save quite a bit more than 1% of these devices from the landfill, assuming you have enough power users to build a community. Plenty of people flash their chromebooks to MrChromebox UEFI to give them a new life, because it's easy enough for mere mortals, and because Google doesn't lock them down.
I believe if given the tools, people would gladly donate their time to make something fun with it. Heck, that's what I do in my spare time. But it's impossible if everything is completely locked down, as if a music streaming box contains nuclear launch codes that must be protected at all costs.
If you have an easy way to flash any phone and plenty of firmware available, it makes sense to turn flashing into a business. Buy used phones off people who don't need them any more, reflash them with a newer and debloated Android, and then sell them off for more than you got them for.
This would very quickly lead to abuses though. If PC OEMs are bad, imagine what a small mom-and-pop shop, subject to a lot less scrutiny and having much less respect for the law could do.
tedivm|1 year ago
mindslight|1 year ago
The industry should be made to move to security models that don't revolve around baking in manufacturer-privileged keys (verification or attestation). Internal groups developing any default user-environment software should have to stay at an arms length from the hardware team, and only be using published documentation.
Aardwolf|1 year ago
Have proper standards how music is transmitted. Have devices support those standards. Have those standards be long-running.
rkangel|1 year ago
This is particularly true of internet connected devices, but is also true for IOT devices that only connect to the internet indirectly. Security holes get found, if you can't patch and update devices in the field then you are leaving your customers unprotected.
contravariant|1 year ago
talldayo|1 year ago
gruez|1 year ago
Nextgrid|1 year ago
If installing alternative/third-party firmware becomes easy and normalized, there will also be more options to choose from, because it will actually become worthwhile for people/companies to develop said firmware.
mkopec|1 year ago
I believe if given the tools, people would gladly donate their time to make something fun with it. Heck, that's what I do in my spare time. But it's impossible if everything is completely locked down, as if a music streaming box contains nuclear launch codes that must be protected at all costs.
miki123211|1 year ago
If you have an easy way to flash any phone and plenty of firmware available, it makes sense to turn flashing into a business. Buy used phones off people who don't need them any more, reflash them with a newer and debloated Android, and then sell them off for more than you got them for.
This would very quickly lead to abuses though. If PC OEMs are bad, imagine what a small mom-and-pop shop, subject to a lot less scrutiny and having much less respect for the law could do.
yareal|1 year ago