What other device should we try and research?
Not exactly a device but Building Access Control systems would be interesting
I mean, based on this, you really should investigate what other devices with mediatek chips are vulnerable.
I didn't have any faith in a scam product being safe, but if this vulnerability still works on current TVs or phones, I'd rather it be reported on.
@@Kanonenwind Dunno if or why YT deleted my reply, but yeah, a lot of Android-related companies use Mediatek chips, from OnePlus, Huawei, Xiaomi, and Oppo to Lenovo, through their Chromebooks, and Samsung Galaxy's A13 and A14.
In particular, the A14 uses the MediaTek MT6769 Helio G80 chip, and it's been around since 2023.
It's a real shame, 'cause I was considering switching over to Samsung, but clearly I can't if I gotta worry about crap like this...
Flipper Zero
YouTube deleted my reply.
A physical hack through a debug port is not exactly the greatest hack of all time
Also why shouldn't consumers have access to the debugging port?? Right to repair anybody? Why shouldn't I be able to use my own device for whatever I want?
Also love how they put out this video like as if it's new. Dude, EVERYONE already knows it's a cheapo android phone running an app. You didn't "hack" anything. You plugged a cable into what was essentially the cheapo phone's USB port, and transferred data.
@jaybrooks:
The exploit they used works over USB, not the debug ports; they are secured well enough and are within the device
@akostadinov:
Because, if they are, any security can be bypassed by anyone, including bad actors. Would be comparable with running around with a phone without passcode…
@JamesR624:
They had to wait with going public after informing Rabbit, else Rabbit could have and would have sued them. It is a normal USB connection, but you can gain root rights like this and bypass any password/encryption of any user on the device and thus you are able to install hidden stuff. They mentioned that they use a bug already found for those chips. So what they did is discover that this exploit works as well on Rabbit HW.
@@JamesR624 If the site's name is something with cyber in its name it's gonna be some cringe
Looking at a serial port with a multimeter is like taking time at the Olympics with a sundial
you need to check for the correct voltage level (1.8v, 3.3v, 5v) but also the TX pin will fluctuate if it's trying to speak to the outside world, so it's a fast way of checking if anything is trying to say anything over the UART port before hooking it up to the adaptor
@@AUATUWVSH The fast way is called oscilloscope
I find it hilarious that anyone took this guy seriously after his nft pump and dump.
on god bro, the moment I saw that shit I went from 99.99 to 1000% sure this guy is a complete fraud. At least this time a product came out lol, can't say the same for the nfc or whatever he sold.
@@R1L1. At that point. If you get pownd, that's your fault.
@JohnathanDHill so you think that due to your lack of research we should all suffer.
I'd take him seriously. A crime they might be, but a pump and dump has worked in the past, so he's not an idiot in that regard.
@@djksfhakhaks I feel you're putting words in his mouth there.
>so you think that due to your lack of research we should all suffer.
What do you expect he do with his lack of knowledge? Warn people that it's a scam based on no evidence?
So you did not "hack" anything and found "nothing" :P
Guy hypes up but it's just another script kiddo :P
imagine having to rewrite the entire exploit if there is already one
basically sums up the whole concept of this channel. uninformative and superficial clickbait videos
@@sims234ify tho I have to agree the video was extremely diluted
my thoughts exactly, what is this garbage channel?!
Yeah and then hyped themselves up for another incredibly boring 10 minutes. At least I used 2x.
10:30 to only say that the chip has got a vulnerability. C'mon..
10min video for a one liner
This content is interesting but the delivery style is way too over the top. You don't have to act like you're doing an informercial.
Yeah, it's also oversensationalizing the whole situation...
They opened an embedded device and found the TX/RX pins of a debug UART which literally 95% of all embedded devices have.
Then they found a 5 years old MediaTek exploit that requires physical access, and went on to spread fear against MediaTek... yeah MediaTek is not the best SoC company but that's all this video accomplishes?
These guys have no idea what hardware hacking is...
It's content for the unwashed masses lol
I totally agree with you! This video was all over the top
agree.
Breaking News: A device is exploitable, given unlimited physical Access.
The rabbit R1 ain't nothing but the spotify car thing on steroids. Wait until the day they end support for it.
And like the Ouya, its still going to be overpriced on the secondhand market for what it is because it was such an infamous flop.
access to the debug port is something that everyone should have, as well as the tools to debug any and everything. The entire schematics should be public so that it can be repaired.
Some devices that might be fun to explore:
AI Friend, Any meshtastic, Anything using TEE like STM32MP1 ProvenCore, Steamdeck, CanBus/ECU automotive display.
Seconding Steam deck! Or anything claiming open source that shouldn't.
The Deck is open by design. It's just a PC running a Linux distro with an immutable rootfs. Not much to explore.
You did not hack anything. People are running Linux in that R1.
But this vulnerability can be used before any operating system is loaded. I have this vulnerability on my phone. I use it to modify firmware, because it is the only way to modify firmware on my device without memory desoldering. With this exploit I have full access to memory, everything can be replaced in firmware. Connecting off device through USB is enough to use this exploit.
Important thing to note: This doesn't tangibly affect the security of the device, only the end-user's ability to modify it.
If a device software were modified by a third-party, this would require the bootloader to be unlocked, which would then launch an error message regarding such upon every single startup, alerting users to potential modification. If the device is AVB (Android Verified Boot) 2.0 compliant and supports avb_custom_key, it can be re-signed with another key (something I have only seen in Pixels and select OnePlus and Motorola devices), however it will still notify the user that it is loading a separate operating system. Any Android 10+ device is also mandated to be encrypted for Play Services certification, which may not apply to this device anyway, but this means if the bootloader were unlocked, it would dump the encryption key and force a factory reset, rendering the data effectively useless.
It's about as much of a danger as Qualcomm's EDL mode.
This exploit shouldn't even be able to be used to read or modify user data either, since that's often encrypted by default. The most they'd be able to do is get an encrypted blob to put on an emulator or other device, they'd still need the pin, pattern, or password as the other part.
@@Jeff-ss6qt Yup, hence why it doesn't really matter too much. One could argue it makes the process easier though, but no software is gonna stop someone from pulling the nandflash if they really wanted to lol. This vuln is a huge win for the consumer tbh
They choose Mediatek because it is the only logical and commercially viable option for this kind of device.
Ah yes mediatek, the most disgusting chip company ever. These people will literally make actual human shit if they could sell it to you.
Why? not every cheap tech product that needs a cpu needs a good cpu. If anything, their insecure chips are a blessing if you want to root a budget phone
@@leonidas14775 True
@@leonidas14775 keep buying insecure everything because it's cheaper
You didn't hack anything. You found a serial port that wasn't enabled, then tried someone else's exploit and found it still works.
and he made a video out of it to make money scam
Well, if I break into a house by picking a lock, a > 200 year old trick, can I argue that I never broke into the house because it's already been repeated before?
@@EXEC_A your analogy is flawed, here is a better one: someone shows you what tools are needed and exact movements to pick a lock, you pick a lock and then decide to brag the whole village that you lockpicked it yourself
@@Ne-vc5pm But... in your example, you DID lockpick it yourself. I'm guessing you wanted to make an analogy for a script kiddy, but it did not work. It would have been better like this:
"someone gives you a tool that you can just put on a lock, and it picks it for you. You use it, and then decide to brag to the whole village that you lockpicked it yourself"
Should have listened to you
So uhh, what's an example of the vulnerability besides the debugging port?
It's entirely hackable.
If you watch the video, they're just saying what they went through and tried before finding the actual vulnerability.
The vulnerability is the MediaTek chip, which allows you to modify the firmware or replace it entirely without any issue.
Just gonna mention that the Nintendo Switch originally shipped with a vulnerable chip on board which ultimately led to custom code being executable.
Many tech companies will obfuscate what key components they use by e.g. laser etching the markings away. Good luck guessing the part number by a standard package format.
The chip doesn't seem to be a rebadged old chip, from what I found it is Helio P35, which was designed before 2019. Mediatek probably just didn't bother with updating the design. I don't really think there was a malicious intent, and the Rabbit company simply cheaped out. The chip is/recently was very common in low budget devices (below 80$ on many brands). I guess the moral of the story is not to buy devices with pre-2019 chips designed by Mediatek
It might be the G35 which is the 2020 rebadge release of the 2018 CPU... but yeah, it is not a 2023 chip by any means.
Just the product design alone was a joke. Also, who would want to keep track of that and their smartphone. The day it came out my first thought was that I would be seeing them in thrift shops within a year.
If they just made an AI app people could install on any phone, they'd have more success. I think the device was just investor bait.
I'm dealing with an exploit with my toothbrush. There's no place to put the batteries and it doesn't run, proving I've become a victim of North Korean espionage or something Snowden did.
For those wondering what vulnerability it is, it's BROM mode
How nice it is for a Lithuanian to see that your employee is from Lithuania
The way I understood it it's the other way around. He is employed by CyberNews, that is a Lithuanian company. I could be wrong though. Just what I understood.
there goes 10:30 mins of my life i’ll never get back
i think the only reason they went with that specific chip was that it was dirt cheap, because of said vulnerabilities, and the creators of the R1 didn't do their research beforehand, OR if they did, and knew of the vuln, that is treading dangerously close to criminal behaviour, willingly using a bad chip for a device like that..
Oh no. Root access on a device I own. What a nightmare.
The key to security on this device is that it’s really expensive and doesn’t do anything. That’s a feature, not a bug.
Do some more like this - deep dives into exploits are my favorite, even the old ones.
lol what a glazer
why does a lot of this look edited and fake?
3:00 it connects to _chinese_ servers but it's encrypted so that's "additional points for privacy"? you have to be joking
most advanced ai newscaster i’ve seen from y’all yet ;)
Looks like the "debugging port" is a UART. Note the RX and TX pins.
I could see Rabbit having cheaped out in their source for the CPU and having gotten an unofficial rebadged CPU which used old CPUs.
Amazing video!!
Please make more videos like this, as a programmer and cybersecurity enthusiast, I really enjoy this style of content, keep it up!!
Thank you!
I'll even go as far as to say this channel is view farming. Too many views and likes, not enough comments.
LLL covered pretty much the same vulnerability, but with more information about the actual vulnerability
"This was discovered in 2019. Some of you were not even born then." How many 6 year olds do you think watch your videos? Like *really* watch them?
Including you yes
@@toututu2993 I don't understand you.
Good job bringing out the risk of buying a second hand Rabbit.
But that applies to almost every device running these processors.
Nice my mum's phone is bricked and the boot loader is locked. I might try to use this exploit to finally fix it
Omg!! we can read and write the firmware of a device we own, how craaZzzyyy.
That just shows that there should be a foolproof way to do a factory reset on a device, not that we should lock down every piece of equipment...
This device would be a practise tool for learning hacking. Or to practise modding devices.
If I own one of these, I'm more than a regular user, and should be allowed to access it fully without hacking it.
The obvious next step is to start connecting random phones, tablets, TVs, routers, smart speakers, robot vacuums, etc. to a laptop and run this exploit. If Mediatek is still selling vulnerable chips and Rabbit bought them, there's no way other random companies haven't also.
Hopefully, your researchers are not in Kaliningrad as the map suggests.😂
was **not** expecting this bro
YOOO POWER
I'm sure this is a cliffhanger for all the people watching who were born after 2019.
Wow. This coupled with the fact that all your use is logged to the device, including past GPS history, and the fact that the rabbit hole uses VNC to have you enter your credentials to sites on computers you don't control instead of using oauth tokens client side is a huge liability for consumers. What were they thinking?!
IS ANY1 REALLY USING THAT TRASH? LMAO
This is a big, and I mean a BIG Security risk. If rabbit does not fix this bug soon. It would probably be discontinued. (Correct me if I am wrong.)
Summary: Mediatek chip in Rabbit r1 has had a vulnerability since 2019
Suggestion for research. Just bought the cheap TP-Link TAPO C220, and found that it requires internet AND inter-client (phone:app and camera) communication. A huge red-flag.
Not the Monty Python Rabbit catching strays 😭😭🤣🤣🤣🤣
Can someone tell me what is the stuff that we shouldn't be allowed to do on R1 that the debugging makes possible?
so is it possible Rabbit bought the chips from anywhere but MediaTek? The chip etching is scratched off pretty much. Also, I can't find anything on the Mediatek R1 that it showed up as. I would highly recommend going to Mediatek themselves and asking about the chip name it came up as. It's very possible that the chip isn't what Rabbit claimed it to be. My guess is that it's a custom chip and Rabbit went with the older architecture that MediaTek used with the vulnerability.
Never let someone else hookup a USB to your device lmao
You couldn't find a lump of coal in a coal sack, but hey you can say you did if you were handed one.
Never trusted a MediaTek chipset in my life :D
It's insane that we still give views to a company that is legit a scam ........
can't wait for the r1 to be used in ddos attacks
I didn’t realise Christian Bale was a tech head
I am curious about how secure are gaming consoles. That could be an interesting device to hack into
Alternative video title: a rabbit hole of cyber exploits
You know what, 1. I don't care, and 2. So what? Most major "hacks" and "leaks" are not the end users fault, it's the corporate companies fault, and the end user is left holding the bag. Everything is hackable, Just accept that and move on.
6:16 They could use a CPU from a different manufacturer like Qualcomm.
I think a serious vulnerability is cause enough to break a contract. It should be law that you can do it if it is serious enough and not up for the contract to decide.
They should make a tool available to flash the stock firmware. Mediatek already has one called SP flash tool, that they could distribute with instructions and the stock rom.
Not gonna happen as you don't have the sale quantity to reduce the price of the chip from them.
Fantastic video. Thanks
Good thing I never purchased one
Did you expect anything less for a Chinese product?
I discovered all this in June. Along with everyone else in the Rabbitude discord.
"We" = your research team..
I don't need to open rabbit to know it's crap, all you need to know is the founder previously had a get rich quick scheme involving a videogame and nfts.
It's ORANGE!
Orange for: FREEMASON!
That says it all right there.
2 billion colors and they chose the big O.
love to see more, thx for sharing
we got steve jobs talking rabbit r1
2:48 And the amount of bot activity in comment section indicates that it is what the Rabbit is meant for.. and you should not buy it to serve CCP 😂
Message to the channel: Guys you explained everything in detail but, please be aware of bots when you are touching some countries!
It's alright no one even bought that physical android app :D
7:55 'where money?' wtf come on guys LOL
Happy for more of that!
AI generated bullshit
I was waiting for you to have a point. You didn't. This video is so pointless, of course if you have physical access to a device you can reprogram it and have access to it. That's why the mediatek "vulnerability" isn't considered really notable either.
You trying to somehow gas yourself up as if this was some big revelation makes your whole channel look bad
are you guys planning on expanding your team in the future?
They could just remove the debug points.
This device is not worth any attention, why give it more coverage?
That's a good vulnerability for developers 😅 They can use Rabbit for various projects, instead of fiddling with microchips and trying to solder tiny cameras and mics. I guess R1 is the best development board out there!
Can you please make a video a install Minecraft to it for the Rabbit r1
you cracked the fortune cookie and found the following message: "Clarity is better than cleverness"
you make good explanations more than AI generated one
Grace period allows the Zero day Market...
Interesting...🤔
I have no idea why I feel so relieved and satisfied for watching this video 😂
Maybe because of the bit of exposing a vulnerability
isn't this a way people use to root their phone. the hack you are talking about? as in is this not just one of the exploits how people add their own rom to a device?
An exploit that can root your phone can also act as a backdoor to install malware. Products shouldn't have these exploits to be available in the first place.
What is Rabbit R1?
The exploit in these chips needs physical access doesn't it?
The one he's using does. But there are root exploits for mediatek chips that can be run from inside android after it is booted
ooh nice Leon reference
FitMC is that you?
good video, thanks!
what have to say Nothing brand?
Official tools should show chip ID that is printed on chip. If it's different then they may have counterfeit or relabeled chips. Big problem if you don't use official resellers etc. Also pcb assembly company can swap chips to fake ones.
I think this was case in few FT232 problem where company had delivered original chips but pcb assembly company swapped chips to "fakes".
New chip with an old vulnerability, or an old/fake chip being passed off as a new one?
Your average low end cell phone can do all that. Why carry an extra device.