Flyme OS vulnerable to BlueBorne
Once again Meizu proved its weak security policy.
A few months ago security experts discovered a general severity for all mobile and desktop devices using Bluetooth, allowing attackers to execute any kind of code and entirely overtake these.
While Microsoft patched their OS with a couple of patches between Juli and September, Google started to enroll patches as well. However, even though Google patched these leaks is questionable when OEMs will apply these patches to their firmwares. Especially Meizu is known for being slow when it comes down to apply security relevant patches. Their patch behaviour was more than shocking as the Stagefright exploit appeared. Even though it was such a severe security flaw, Meizu left the firmware unpatched for almost 3 months. Especially users of the stable firmware suffer as Meizu doesn't thinks its necessary to provide proper patches within time. So instead of releasing "Flyme OS 18.104.22.168", Meizu often waits for the next stable release e.g. "Flyme OS 22.214.171.124", knowing very well it might take even more than 5 months.
So what shall you do? There are a couple of possibilities. While you can of course disable your Bluetooth or keep a distance of more than 10 meters to others and so isolate yourself, you can also use the latest Chinese beta firmware based upon Android N. Meizu usually includes the latest security patches there. If your device has no Android N firmware yet, you are doomed to be stuck with the first or second option until Meizu enrolls a patch.
As soon as an firmware with this security patch becomes available we will inform you over our social media accounts and our forum of course.
For your other Android devices, like Tablets or other smartphones, we recommend using the BlueBorne Vulnerability Scanner by Armis and check if you are affected or not.
Download Server issues
A couple of days ago I noticed first performance issues with our download archive. The server itself was responding mostly fine over SSH, however access to the firmwares was massively delayed. Often it took ages to load the firmwares.
While everything seemed to look like a traffic peak I didn't care any longer about it. However, today (2 days later) I have been contacted by a couple of users that the server was still behaving this way. Therefore, I hooked up again with the machine and got some interesting statistics.
The download archive alone serves 1.38TB traffic a day.
While this is indeed something one can be proud of, its also at the same time very upseting. Why? Because we do not earn anything with this traffic. Indeed, its the goal to provide an archive open for everyone and everything, but when our regular users, who watch ads or simply participate on our forum and so help this place to become better, suffer under the usage of others, "fun" ends.
So I made an inevstigation to check for hotlinkers. The result was shocking.
There are 90.300 entrances on Google for our download archive alone. Lets take into consideration that maybe 40-50% are garbage links or non-hotlink links, this still means that there are more than 45.000 hotlinked files!
You can do the maths on your own now. 45.000 files x 700MB (most of the new firmwares are above 1GB) x 1 download (definitely more) = 31.500.000MB = 31,5TB. Ironically some of these hotlinks come from the official Meizu websites (Meizu Italy was once caught redhanded hotlinking to our firmware archive already), especially FlymeOS.com and Flyme.cn appear a couple of times on the first few pages of the search results.
What shall we do - and yes, this question is for you!
While we definitely don't want our firmware archive or any links on our page to be available for registered users only, we have to do something against this. There are basically two ways how to handle this:
- Block any access from non Meizufans domains
- Block access with download clients
- Recaptcha verification (prevent spambots)
- Private firmware archive, exclusively for registered and verified members
Indeed - I am the administrator of this site and can do whatever I want with it. However, one of the most important things is that all decisions I make represent the will of the community. Any comment on this issue is greatly appreciated.