cancel
Showing results for 
Show  only  | would you rather see results for 
Did you mean: 
Need help?

Kids Safe is blocking the software updates on Google Pixel smartphones

Reply
17 REPLIES 17
Highlighted
Team Player

Kids Safe appears to be blocking the software updates on Google Pixel smartphones.

I see somebody reported this about 300 days ago. It's still happening. If I turn off the Kids Safe filtering the updates come through.

 

It's not a great thing to be doing because it's adding security weaknesses into people's homes.

 

Any chance you could fix it?

 

Yes I know I can fix it myself by adding the download URL to the whitelist, but it would be better if you could fix it for everyone as it's a security issue. A lot of people will not have noticed.

 

Thanks.

Highlighted
Community Team - TT Staff

Hi review,

 

What is the model number of you pixel smart phones? Which version of android are they running 

 

Do you have other makes of smartphone in your household that allow updates with kidsafe switched on?

Thanks
Chris

Highlighted
Team Player

A Pixel 2 and a 3a

 

Both running Android version 10

 

Patched to the latest patch on 5 December (Which only updated on both devices when I turned off kids safe, and I tried a few times on each device with kids safe turned on)

 

I remember noticing a November patch was stalled on the pixel 2 and having to turn off kids safe to allow it to install back in November, but I thought it was a one off, until the patch was stalled for both pixel devices in December.

 

The Apple Mobile and tablet devices seem to be installing the security updates successfully.

 

Windows based devices are updating as expected.

 

I'm guessing there's some issue related to the DNS filtering on the Google/Pixel Android update? I haven't done any packet captures to debug it as it's easier for me to just move to something like OpenDNS, but it is a bit of a security issue that could do with fixing across the Kids Safe filters.

 

Thanks

 

Highlighted
Community Team - TT Staff

Hi review,

 

Thanks for the information. Your router is showing in sync for 37 days so could you reboot it and retest. If this doesn't resolve the issue please let us know and we'll pass this over to the relevant team


Thanks

Chris


 

Highlighted
Team Player

Hi Chris,

 

How would re-booting the home router fix the problem? How would I test it before the next Android update in January?

 

The problem was rectified by turning off Kids Safe in November. Then I turned Kids Safe back on and a month later it blocked the Android Update again in December, turning it off allowed the Update to download and complete.

 

Isn't Kids Safe a DNS filtering solution in your, TalkTalk, DNS? So it's nothing to do with the home router?

 

To test it I will need to reboot the router, turn Kids Safe back on and wait for the January Android update. The problem is not a problem with checking to see if an update is available. That works fine with Kids Safe on. I've just checked. The problem is downloading an available update. This only happens when the update is available and the next one will be in January.

Highlighted
Community Team - TT Staff

Hi review,

 

Ok thanks for the update and please let us know how you get on.

 

Thanks

 

Highlighted
Team Player

- Kids Safe is still blocking Google Pixel updates (and hence is a security risk)

- The latest updates were identified by my Pixel 2 and Pixel 3a. Kids Safe was on.

- There was an error message "Download Paused"

            That suggests the URL to check if an update is available is working but Kids Safe is blocking the download, maybe it's a different URL and for some reason the automation has blacklisted it? Same symptoms I reported above.

- As requested I rebooted the TalkTalk home WiFi router

- I asked the Pixel devices to check for updates and again ended up with the error "Download Paused". So rebooting the router had no effect, as expected.

- I switched off Kids Safe

- The download started and completed successfully on both the Pixel 2 and the Pixel 3a

 

It's worth noting that an iPhone has recently updated on this broadband connection, windows 10 is updating and I've just built a PC and downloaded all the BIOS & drivers from the web without any issues when Kids Safe is switched on. It's just a problem updating Google Pixel devices.

 

As I said I can fix this for me by moving to OpenDNS instead of using TalkTalk DNS but it would be great if you could close this security issue for other users (and me).

 

Thanks

 

Highlighted
Community Team - TT Staff

Hi review,

 

Thanks for the update, we'll pass this on to the relevant team 


Thanks

Chris

Highlighted
Community Team - TT Staff

 

Hello,

 

Have you tried adding the domain to the allow list in your kidsafe settings in MyAccount and tested this again? Could you let us know how you get on please?

 

Thanks

 

 

 

Highlighted
Team Player

No because I don't know what domain is being used for the update downloads. I had a quick look online and there isn't anything specific that I could find. I'd need to do a packet capture and have a look in wireshark to find it, but that means borrowing a router so I can set it to port span so I can do a packet capture. I was rather hoping your second line support could do that as it's a security issue, presumably for other customers as well. There must be some of your support team using pixel devices?

Highlighted
Community Manager - TT Staff

Hey @review 

 

I've added android.com to your allow list in kidsafe to see if this works but a bit of a shot in the dark as we need the domain used for the updates.

 

Can you let me know if this has any positive impact?

Stephen, Community Manager


Our latest Blog l Share your Ideas l Service Status l Help with your Service l Community Stars l Set your preferences


Please log in to My Account if you need to view or pay your bill, manage boosts and track your usage. From My Account you can also check your connection and test your line for any issues in the Service Centre.


Highlighted
Team Player

Yes I'll be able to tell when the Feb download works. I'd be surprised if it was android.com because presumably that would block many other customers' updates?

dl.google.com was suggested on the forums, but I added that back in November and it didn't work.

I did notice Kids Safe was stopping downloads of the TOR browser, which makes sense because it's a method of bypassing the DNS filtering provided by Kids Safe. I was wondering how you had identified that as something to block and if the same strategy is identifying something Google related that's been blocked?

Highlighted
Community Manager - TT Staff
To be fair we have thousands of sites which are blocked as part of the different categories in Kidsafe and without knowing what the domain is, we're unable to check if/why it's blocked. Your right, i would have thought that more customers would report it if all android updates where blocked and we dont proactively block google so i do wonder if it's some odd/random mirror that the phone is pulling from which is/has been flagged as an issue. I did a bit of searching on the web to try and find out myself the domains used but struggled.

Stephen, Community Manager


Our latest Blog l Share your Ideas l Service Status l Help with your Service l Community Stars l Set your preferences


Please log in to My Account if you need to view or pay your bill, manage boosts and track your usage. From My Account you can also check your connection and test your line for any issues in the Service Centre.


Highlighted
Team Player

OK. I'll aim to do a packet capture next month when the update comes through and find which domain it is. Thanks for looking into it.

Highlighted
Highlighted
Team Player

Success

 

I did a packet capture and Wireshark tells me the download site that is being blocked is:

 

ota.googlezip.net

 

I've whitelisted it and the update has worked on both the pixel 2 and the pixel 3a

 

Interestingly the whitelist changed the domain to googlezip.net - but that fixed it

 

can that be fixed on your Kids Safe DNS filtering so everybody else's pixel phones on TalkTalk update?

 

Highlighted
Team Player

OpenDNS have tagged ota.googlezip.net as Software/Technology

https://domain.opendns.com/ota.googlezip.net

 

From reading the web: Domains within googlezip.net can be used by google to compress android data, hence if that's streaming non-child-friendly media whitelisting googlezip.net can let it through the filters. OpenDNS tags it as Proxy/Anonymiser which is possibly why you have blocked it.

 

So you need to whitelist ota.googlezip.net and not googlezip.net to let the pixel security updates through the filters.

 

 

Highlighted
Community Manager - TT Staff
Thanks for sharing. I’ll get this flagged for review in the mean time feel free to add it to your allow list in kidsafe to ensure it’s not blocked going forward.

Stephen, Community Manager


Our latest Blog l Share your Ideas l Service Status l Help with your Service l Community Stars l Set your preferences


Please log in to My Account if you need to view or pay your bill, manage boosts and track your usage. From My Account you can also check your connection and test your line for any issues in the Service Centre.