The Fairphones 3, 4 and 5

Security Update: APEX Modules Vulnerability FIXED

In November 2023, a security vulnerability was detected in an assorted list of smartphones, including the Fairphone 5, by Meta Red Team X. Fairphone took immediate action to release a security fix in mid-December that solved the issue, meaning that every Fairphone model is now secured against this vulnerability.

The vulnerability detected by Meta Red Team X affects APEX modules and the way they are signed; APEX modules allow original equipment manufacturers (“OEMs”) to update specific portions of the system without issuing a full over-the-air (OTA)  update, but instead only delivering the subsystems that need to be updated. These modules need to be signed with the private key of the OEM during the build process, but it was found that our building process had a shortcoming, and we were using a test key (present in the Android source code build tree) instead of Fairphone’s private key.

This means that, in practice, it would have been possible for an attacker to substitute the incorrectly signed modules with other files signed with the same test key, potentially containing malicious code. Having said that, this is not easy to exploit. The substitution would require either physical access to the device, along with the debugging options activated, or remote access obtained through a chain of other critical vulnerabilities. Yet, it did present a high severity vulnerability.

Triggered by the report on Fairphone 5, we also opened an internal investigation on Fairphone 4 and Fairphone 3/3+, where we found similarly affected APEX modules. The vulnerability was resolved in December 2023 for all Fairphone devices with the following software versions, respectively:

If you have not updated your phone recently, we invite you to install the most recent software version available to you. You can always check manually for system updates in the Settings menu under the System sub-menu. More information on the vulnerability can be found on the original report or the security advisory published by Red Team X.

The post you are currently reading is an AMP HTML document; an optimized version for mobile usage to increase loading speed and decrease data usage. To see our full website you can visit our own mobile version of this post.

Die mobile Version verlassen

Abonniere unseren Newsletter, um regelmäßig über alle Neuigkeiten rund um Fairphone

Melde dich für den Newsletter an und erhalte 5€ Discount auf deine nächste Bestellung.

Dein Rabatt von 5€ wird an die von dir angegebene E-Mail-Adresse gesendet. Der Gutschein kann bei deiner nächsten Bestellung über 75 € eingelöst werden. Bitte beachte, dass unsere Kommunikationssprache Englisch ist. Wir bitten dich um deinen Namen und deine E-Mail-Adresse, damit du unseren Newsletter für tolle Projekt-Updates erhalten kannst. Du kannst deine Einwilligung jederzeit widerrufen. Wir verwenden MailChimp als E-Mail-Plattform. Indem du auf „Abonnieren“ klickst, erkennst du an, dass die von dir angegebenen Informationen an MailChimp zur Verarbeitung in Übereinstimmung mit deren Datenschutzrichtlinien und Geschäftsbedingungen übertragen werden.

Close
Die mobile Version verlassen