**Tᴀᴋᴀɴᴀsʜɪ Hᴏʀᴏ** @PeterCxy@comfy.social · Dec 03, 2022, 16:30

**Tᴀᴋᴀɴᴀsʜɪ Hᴏʀᴏ** @PeterCxy@comfy.social · Dec 03, 2022, 16:30

Tᴀᴋᴀɴᴀsʜɪ Hᴏʀᴏ @PeterCxy@comfy.social

Dec 03, 2022, 16:30

Tᴀᴋᴀɴᴀsʜɪ Hᴏʀᴏ @PeterCxy@comfy.social

I love how Android phone manufacturers are like, "we prevent you from taking control of your own device because of security", and then proceeds to leak their own platform certificates so that any malware can gain android.uid.system privileges.

**robryk** @robryk@qoto.org · 2022-12-03T17:23:49Z

robryk @robryk@qoto.org

@PeterCxy Do we know that the keys were leaked (as opposed to misused)? I've seen reports of malware that was signed with them only.

Dec 03, 2022, 17:23 · · · ·

**Tᴀᴋᴀɴᴀsʜɪ Hᴏʀᴏ** @PeterCxy@comfy.social · Dec 03, 2022, 18:03

**Tᴀᴋᴀɴᴀsʜɪ Hᴏʀᴏ** @PeterCxy@comfy.social · Dec 03, 2022, 18:03

Dec 03, 2022, 18:03

Tᴀᴋᴀɴᴀsʜɪ Hᴏʀᴏ @PeterCxy@comfy.social

@robryk@qoto.org Well it spans multiple manufacturers and SoC vendors so I don't see it as misuse, at least not so likely...

**robryk** @robryk@qoto.org · Dec 03, 2022, 18:06

**robryk** @robryk@qoto.org · Dec 03, 2022, 18:06

Dec 03, 2022, 18:06

robryk @robryk@qoto.org

@PeterCxy It does span multiple different signing keys (is this what you meant?). Why does this make it more likely that some attacker managed to exfiltrate all those keys as opposed to an attacker managing to get something signed with all of them?

**Tᴀᴋᴀɴᴀsʜɪ Hᴏʀᴏ** @PeterCxy@comfy.social · Dec 03, 2022, 18:16

**Tᴀᴋᴀɴᴀsʜɪ Hᴏʀᴏ** @PeterCxy@comfy.social · Dec 03, 2022, 18:16

Dec 03, 2022, 18:16

Tᴀᴋᴀɴᴀsʜɪ Hᴏʀᴏ @PeterCxy@comfy.social

@robryk@qoto.org Sorry I misunderstood "misuse". Yes, it is entirely possible that someone was just able to get something signed with all of them.

Trending now

Resources

Developers

What is Mastodon?

qoto.org

More…