LineageOS, the popular and nearly ubiquitous Android ROM, has suffered a security breach, with hackers gaining access to some of the project's infrastructure over the weekend on May 2nd. However, the ultimate impact on users will be low, as signing keys, builds, and source code were unaffected. In other words, the ROM already on your phone should be safe, as should the next update you download. Builds are suspended due to a pre-existing issue, according to the project's status dashboard, and individual services are coming back up one at a time.
Around 8PM PST on May 2nd, 2020 an attacker used a CVE in our saltstack master to gain access to our infrastructure.
We are able to verify that:
- Signing keys are unaffected.
- Builds are unaffected.
- Source code is unaffected.
See https://t.co/85fvp6Gj2h for more info.
— LineageOS (@LineageAndroid) May 3, 2020
The project revealed the incident in a Twitter statement (above), mere hours after the hack itself was discovered — frankly, we wish more companies could be as timely in notifying their customers. A more detailed explanation was also published to the project's status dashboard, pointing interested parties at the precise vulnerability that was used, which had only recently been discovered.
In short, existing builds should be unaffected since they were already on pause for an unrelated issue, and signing keys weren't affected — that means you won't have to worry about someone distributing nefariously modified updates through third-party forums masquerading as official builds.
ZDNet reports that LineageOS isn't the only project to have come under fire from this exploit; several other attacks have been reported over the weekend.
LineageOS has been bringing its services back up incrementally over the last two days. Downloads are back, as are Gerrit and most internal services. Only builds and stats remain down at the time of writing.