Secret Backdoor in Some U.S. Phones Sent Data to China, Analysts Say (mobile.nytimes.com)
Unfortunately, currently the only Android operating system to do this is Replicant, which has terrible hardware support and---due to the sorry state of affairs for mobile---lacks many features requiring proprietary drivers. Cyanogenmod stops short, but would still make situations like this much more difficult.
Even if you don't subscribe to the principles of software freedom, please consider helping out the Replicant project if you know enough about the operating system. I use a Replicant device (S3) and I'd love to see others working to get version 6 out:
http://blog.replicant.us/2016/08/replicant-6-early-work-upst...
We also need reproducible builds of the operating system and its software---again, something that cannot be done without a fully free/libre OS.
Despite increased surveillance on such a vulnerable and enticing target, this doesn't get enough emphasis.
* CopperheadOS
* OmniROM
* PrivatOS, on Silent Circle Blackphones AFAIK
* The version on Blackberry Priv phones
I've also come across these, but don't know much about them:
* Cryptogenmod: I'm not sure this project ever went anywhere
* Chamelephon: http://chamelephon.com/
* GuardianROM: Discontinued?
* KeyROM by Mocana: Seems aimed at businesses that need secure Android. https://www.mocana.com/iot-security/keyrom
* Privacy phone by FreedomPOP: https://www.freedompop.com/theprivacyphone
And a couple probably not available to the public:
* OK:Android by General Dynamics: http://gdmissionsystems.com/cyber/products/trusted-computing...
* The OS on Boeing Black smartphones: http://www.boeing.com/defense/boeing-black/index.page
And while many things could most certainly be discovered by extensive, costly audits, that someone has to pay for...
OS code bases are huge.
How difficult would it be to hide functionality like this in some obscure code that's camouflaged as something else?
How hard would it be to automatically install an app that does this after first boot, disguised as some self updating or analytics feature?
Not very, I think.
If someone puts an Android fork online, who has the time to go through the changes to discover something like this?
Also, such features could even easily be placed on a tiny, dedicated chip inside the phone, completely apart from the OS.
If you don't build the hardware yourself, component by component (assuming that the components themselves are trustworthy), and audit every single LOC in the OS, something can always slip by.
But even without such a campaign, evil developers would be in a constant danger that someone may discover a backdoor. It is a very unstable situation: just one person is enough to make a lot of noise, and everyone could be this person. And yes, people do read the sources:
https://www.fsf.org/blogs/community/who-actually-reads-the-c...
It's all about defense in depth:
https://en.wikipedia.org/wiki/Defense_in_depth_%28computing%...
Indeed, so it's unfortunate that it doesn't get more discussion in situations such as these.
> How difficult would it be to hide functionality like this in some obscure code that's camouflaged as something else?
More difficult than it would be with proprietary software, where anyone at any time can add malicious code that may never even be discovered over the lifetime of the device.
Free software doesn't prevent malicious actors from contributing malicious code, but it certainly improves chances. It also makes such a move very risky. Just as laws are a deterrent for many crimes, so is public scrutiny.
> How hard would it be to automatically install an app that does this after first boot, disguised as some self updating or analytics feature?
In a fully free OS, this app would have been built from source. So the same arguments apply.
> If someone puts an Android fork online, who has the time to go through the changes to discover something like this?
Again, it improves chances. Here's a good example from Replicant:
http://redmine.replicant.us/projects/replicant/wiki/SamsungG...
> Also, such features could even easily be placed on a tiny, dedicated chip inside the phone, completely apart from the OS.
Sure, but that's not an excuse to throw our hands up and not worry about the security of the software running on it. The OS might even be able to itself mitigate certain things (e.g. the Samsung backdoor mentioned above).
This issue also exists on PCs:
Projects have the option to only accept contributions from known entities. If your identity is public knowledge, trying to sneak a backdoor into version control is high-risk.
Openness is a viable stratagem for hardening and reducing the attack surface. It does not have to be perfect to make meaningful improvements towards a layered defense.
It also has an auto-update (read: backdoor) feature that cannot be disabled.
I ended up making a Linux-based whitelist firewall to access the Internet but it is pretty inconvenient because I have to manually enable every new host. And I can use it only at home.
As a consumer I am very disappointed and feel being deceived by Google. I know about "you are the product" saying but the smartphone is not free. I bought an expensive (two hundred dollars!) device and I had to spend a lot of my time to be able to control its activity. And of course the advertisement never mentioned that a smartphone is going to spy on me.
We need a law against this.
When the same is sent to China, it's outrage?
Ditto with auto-updates.
I'd be glad if I could control much more of my data exposure. But business.
I also remember there used to be application firewalls in windows that kept track of the connections that each application made and if any of them contacted a new server, they'd ask you for permission. I don't think most folks used them because in the end they kept asking a lot of questions that the users didn't necessarily know how to answer, but I wonder if it wasn't such a bad idea after all, and whether the "default" choice could be mined from other users' settings.
bigdata.adups.com (primary)
bigdata.adsunflower.com
bigdata.adfuture.cn
bigdata.advmob.cn
Then check the content of the POST request (usually to url/mobileupload.do).
Did you provide the Federal Trade Commission with an advance copy of your report, or just DHS? If not, why not?
I suppose you could interpret this "backdoor" as third-party access to the data, rather than to the device.
We can tell the same about Facebook, Google, Yahoo, Twitter, Uber, Microsoft, Visa, AmericanExpress...
Otherwise you accept our Terms of Service.
Thank you for trusting us.
(Is it just me or is it actually very hard to figure out whom I've given consent to do something with something that is mine?)
As example, I'll submit PRISM (while admitting that we're still not 100% clear on that) and the retroactive immunity provided to telecom companies.
linuxbsdos.com/2016/11/05/the-samsung-android-tablet-that-will-never-access-the-internet/
Google hates it when a program phones home to someplace other than Google.
This whole article is a lot less racist if this paragraph is put on top. You know because every app made by some of the 1.3B people must be a government effort to collect intelligence.
The app is bad because it does the function without consent, not because it's made by Chinese.
For about $50, you can get a smartphone with a high-definition display, fast data service and, according to security contractors, a secret feature: a backdoor that sends all your text messages to the USA every few seconds.
Security contractors recently discovered preinstalled software in some Android phones that monitors where users go, whom they talk to and what they write in text messages. The authorities say it is not clear whether this represents secretive data mining for advertising purposes or a government effort to collect intelligence.
[EDIT: Fixed formatting]
>In one of the leaked emails sent by Apple Environment, Policy and Social Initiatives Vice President Lisa Jackson to Podesta, the Apple team clearly stated that the current methods of encryption in place allows the firm to essentially send an unlimited amount of personal and sensitive user data to law enforcement.
>Jackson further emphasized that Apple already has a 24-hour live team established for the sole purpose of handling law enforcement and government requests. “Thousands of times every month, we give governments information about Apple customers and devices, in response to warrants and other forms of legal process,” Jackson stated. “We have a team that responds to those requests 24 hours a day. Strong encryption does not eliminate Apple’s ability to give law enforcement meta-data or any of a number of other very useful categories of data.”
You have to love that 24 hour live team whose sole purpose is to provide customer data to law enforcement and government people.
cough
I do hope Eric Schmidt and Trent Lott have been using one of these phones/devices.
In other words you can use it only on a network you control.
In other words, at home you can use your own router; you can set the gateway as a computer that you control.
Correct?
What if you had a portable gateway, one that could travel with you?
We now have Apple devices, Google/Android devices, Microsoft devices, and the majority of apps all phoning home. It is routine. No one cares. Right.
We may not be able to run the latest device purchased from major retail sources using open source, user-installed OS (UNIX).
But what we can do with UNIX is build our own routers from inexpensive hardware, including older hardware, and use these as our gateways.
To do this, no one needs Apple, Google or Microsoft's assistance. We have what we need.
It is easy to do at home, but what I would like to see is more travel-sized routers which can be driven by user chosen and user installed bootloader and user chosen UNIX-like kernel.
The aim with these efforts is control, not impressive hardware specs.
Proprietary hardware and locked bootloaders will always have the most impressive hardware specs on their side.
But to get those things, the user has to sacrifice some control.
Yes.
> What if you had a portable gateway, one that could travel with you?
I can rent a VPS and connect through it using "Always-on VPN" option (I did it once and it worked). But then I have to pay for a server monthly in addition to the mobile plan. It is not that expensive but I would prefer just having access to iptables and being able to install my firewall on a phone.
I might be wrong but on Windows you can at least install a firewall. At least you could on earlier versions.
Why Google and not the maker of the phone? They're the ones that wrote the backdoor that sent stuff to China. You're not suggesting that Google helped with that, are you?
Or they could decline to sell the Android license to companies not respecting consumers' privacy.
Even if I got refunded, what would I buy instead? Free market doesn't work here and all major manufacturers have some form of tracking and preinstalled software built in. It looks like the only way is to buy a backdoored proprietary device and replace a ROM (and then solve all kinds of problems with hardware not working properly or battery getting drained).
How did you set that up? I'd be interested in knowing how to redirect/proxy cellular connections to something local, in a way I could read and monitor the data (is it encrypted?).
Based on what you say, maybe you proxied Internet connections through Bluetooth - do you have a way to know whether there was any leakage? For example, I've read, but can't confirm, that Android makes connections during bootup and before any firewall takes effect.
> I ended up making a Linux-based whitelist firewall to access the Internet but it is pretty inconvenient because I have to manually enable every new host. And I can use it only at home.
A VPN with a firewall might be easier.
I used Wireshark on Windows to check that everything is set up correctly and to see what kind of requests the phone makes.
You can use WiFi instead of Bluetooth the same way. You only need to use the "hotspot" option, provide DHCP to the phone and set your Linux machine as the gateway. Probably you can do that with a router too, for example if you connect its WAN port to your Linux machine or set up traffic redirection.
On Linux I redirected traffic from the phone to localhost on ports 53 (DNS) and 80/443 (HTTP) and rejected any other traffic (there were some requests to time servers that were sent by the DRM component of Android). I also ran a DNS server (dnsmasq) and a Squid HTTP proxy that can process redirected traffic (Squid can also generate certificates to decrypt HTTPS traffic, which was very useful though it took some time to find the correct settings). I set up dnsmasq and Squid to serve requests based on white and black lists.
After I did some tests I found another, easier way to capture traffic from an Android phone. Android has a useful "Always-on VPN" feature that sends all traffic through a specified host (and doesn't allow any network access until the VPN connection is set up). You only need to set up IPsec on a Linux box (I used strongSwan). I used the "Always-on VPN" feature to redirect traffic to my VPS while using the mobile Internet connection.
> Based on what you say, maybe you proxied Internet connections through Bluetooth - do you have a way to know whether there was any leakage?
I physically disconnected a laptop from the Internet and monitored the traffic on a bluetooth interface with Wireshark. The phone did not have a SIM card inside so it could not connect to a mobile network.
> For example, I've read, but can't confirm, that Android makes connections during bootup and before any firewall takes effect.
This can be detected using my setup. But if software is programmed to send some data only via mobile network and not via WiFi/bluetooth then it is more difficult to detect. You would need to set up a fake BTS (using OpenBTS for example) to capture that traffic. You would need special (not very expensive) SDR hardware in this case.
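The whitelist gateway the commenter describes, written out as an added example that is not from the thread: phone DNS and HTTP(S) are redirected to local dnsmasq and Squid, everything else from the phone's interface is logged and rejected, and Squid's access log is checked for the Adups hosts listed earlier in the discussion. The interface name, Squid ports, upstream resolver and CA path are assumptions.

```shell
#!/bin/sh
# Added example, not the commenter's own scripts. Assumptions (not from the
# page): Squid listens on 3128 (plain) and 3129 (TLS intercept), dnsmasq on
# 53, the phone is tethered on $PHONE_IF, upstream resolver is 9.9.9.9.

PHONE_IF="${PHONE_IF:-bnep0}"          # Bluetooth PAN or hotspot interface
UPSTREAM_DNS="${UPSTREAM_DNS:-9.9.9.9}"

# Emit the iptables rules one per line instead of applying them, so the
# rule set can be reviewed (or tested) without root.
gateway_rules() {
    iface="$1"
    cat <<EOF
iptables -t nat -A PREROUTING -i $iface -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i $iface -p tcp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i $iface -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -i $iface -p tcp --dport 443 -j REDIRECT --to-ports 3129
iptables -A INPUT -i $iface -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $iface -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $iface -p tcp -m multiport --dports 53,3128,3129 -j ACCEPT
iptables -A INPUT -i $iface -j LOG --log-prefix "phone-drop: "
iptables -A INPUT -i $iface -j REJECT
iptables -A FORWARD -i $iface -j LOG --log-prefix "phone-fwd-drop: "
iptables -A FORWARD -i $iface -j REJECT
EOF
}

# dnsmasq whitelist: sink every name to 0.0.0.0 first, then forward only the
# domains read from stdin (one per line) to the upstream resolver.
dnsmasq_whitelist_conf() {
    echo "no-resolv"
    echo "address=/#/0.0.0.0"
    while read -r d; do
        if [ -n "$d" ]; then echo "server=/$d/$UPSTREAM_DNS"; fi
    done
}

# Squid whitelist: only destination domains listed in file $1 are allowed.
squid_whitelist_conf() {
    cat <<EOF
http_port 3128 intercept
https_port 3129 intercept ssl-bump cert=/etc/squid/gateway-ca.pem
ssl_bump bump all
acl allowed dstdomain "$1"
http_access allow allowed
http_access deny all
EOF
}

# Constructed Squid access.log lines (native format) for the check below.
sample_access_log() {
    cat <<'EOF'
1478640000.123    120 192.168.44.2 TCP_MISS/200 512 POST http://bigdata.adups.com/mobileupload.do - HIER_DIRECT/203.0.113.10 application/json
1478640001.456     90 192.168.44.2 TCP_MISS/200 800 GET http://time.android.com/ - HIER_DIRECT/203.0.113.20 text/html
1478640002.789     60 192.168.44.2 TCP_MISS/200 300 POST http://bigdata.advmob.cn/mobileupload.do - HIER_DIRECT/203.0.113.30 application/json
EOF
}

# Count access-log lines (stdin) that hit the Adups hosts named in the
# thread or POST to mobileupload.do.
count_adups_hits() {
    grep -Ec 'bigdata\.(adups\.com|adsunflower\.com|adfuture\.cn|advmob\.cn)|POST [^ ]*/mobileupload\.do'
}

if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    gateway_rules "$PHONE_IF" | sh -e
fi
```

Run with `--apply` as root to load the rules; without it the script only defines the functions, and `sample_access_log | count_adups_hits` shows the log check on the constructed lines.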
> A VPN with a firewall might be easier.
I ended up with the same idea. I even wrote a simple PHP app to manage black and white lists and view logs.
I was under the impression that the US does not allow selling Android phones from most Chinese brands due to the reasons you mentioned, and for those that are allowed, they have strict vetting procedures to prevent phones with such capabilities from reaching the US market?
It is good to hear that in some countries importing such phones is not allowed.
Can you share the report yet?
I've got two phones here that were used during my trip there. I was wondering if you had any tips for figuring out if they were compromised or otherwise owned while I was out there.
Find a phone which has a large community around it, and lots of custom ROMs available. An official Cyanogenmod release is a good sign. It's also a sign that your phone will have a longer usable life than whatever the manufacturer promises you now.
Custom ROMs have a long history of extending the life of phones. For example the HTC G1 was abandoned by Google at Donut (1.6) but unofficially received up to Gingerbread (2.3). It's a bit of a perverse example, but hopefully enough to make the point. Phones with good community support receive current versions of Android long after both Google and the manufacturer have stopped giving a shit.
To the people who say "you can't trust a random stranger on the internet making a custom ROM to be any more secure than the manufacturer ROM" you're right. If someone wanted to make a custom ROM with malware in it, there's a pretty good chance it may not be noticed.
If your threat model includes a three letter agency, then don't use Android. Full stop. The iPhone is the ecosystem you want.
I recommend to all my friends and family to buy phones with good community support just to receive updates to ROMs like Cyanogen. The first thing I do when they say they're considering "Phone XYZ" is to look on XDA Developers[0] to gauge the level of community around the model. If it looks dead (e.g. look up any tablet based on the NVidia Tegra for what not to buy [1]) then I recommend they keep looking.
I've had really good luck with Chinese phones which are also sold in markets like South East Asia and India. There are millions of users of these phones, so the custom ROM community is quite strong. The hardware is also quite cheap, I have a Xiaomi Redmi 2 I bought last year for $125 USD including shipping, and it runs Android 7 thanks to community developers [2].
[0] http://forum.xda-developers.com
I wouldn't count on that either. It depends on how "interesting" you are for them; given their reach, I would be really surprised if some of these agencies don't have zero-days and/or backdoors stockpiled for high value targets.
All other concerns raised elsewhere here still apply, but the baseband threat is mitigated. Worth it...? Check that threat model again.
Android is pretty much a wasteland outside of the Nexus/Pixel line. Ignoring security and privacy, you just have a lot of shovelware involved along with a lack of commitment to timely, or if any, updates.
I would feel confident a Nexus/Pixel is as secure and nonsense-free as a phone running CyanogenMod. Of course, that's difficult to prove, but historically we haven't seen anything like this on a Nexus/Pixel device.
Battery life has actually been slowly and steadily improving after each update by Samsung. I imagine this is a sign of Samsung not liking Google's spyware very much and trying their best to limit background activity.
None of us has solid proof of course, but judging by observable facts (and by the pretty awful battery life of the Nexus 6P and the Pixels -- compared to the Exynos S7 Edge at least), I'd say mine aren't that crazy.
Perhaps device makers that know how to compile source and host the updates themselves are more likely to have more control over the firmware. So we might ask, what the update policy is, do they provide updates?
So this is the threshold I'll have to pass to get a chance for true privacy?
A throw-away phone without ID bound to it would be my way to go then.
Seems to be some work ahead if you want to find out which phone doesn't use this service. And we're only talking about this particular service.
For example, the Samsung Galaxy S5 from T-Mobile (SM-G900T) you can put Cyanogenmod on, but the Samsung Galaxy S5 from AT&T (SM-G900A) you can not.
Reading and understanding EULAs for every tool you use is a full time job that requires a law degree.
Unlocking their bootloader can be done officially through a request, or unofficially. Changing the recovery by replacing a single file in the EDL and retaining bootloader lock is also possible.
After the unlock:
fastboot flash recovery twrp.img
fastboot boot twrp.img
<Couple swipes to Install the previously downloaded .zip>
Same as Nexus.
I do INFOSEC for a living and needed to make sure I wasn't bringing back any compromised devices when I returned. So far, the two phones have remained powered down while I come up with a plan to examine them.
It would be interesting to see if they are loaded with malware out of the box or if there is something going on when they are used in country.
But honestly, who can ensure to me that there is no national security letter (or other mechanism I don't know about) forcing Apple to cooperate, with a gag order forcing them to keep silent?
Who can assure me that the NSA et al. are not bribing, blackmailing, or using court orders on the three or four vocal security experts I can name (like Bruce Schneier, tptacek, Moxie Marlinspike, ...). Everything they say on this topic might be manipulated, who knows.
There could be backdoors everywhere, in apps, hardware, routers, lamps, whatever. Occam's razor suggests that this is crazy, but then people found spam sending wifi chips in clothes irons, so I guess nothing is too far fetched.
If you suspect "they" might be out to get you, the only thing you can really do is to stay under the radar, and hope they don't notice you and target you individually.
Apple deserves some recognition for their attempts. At some point they were fighting several lawsuits seeking to protect their users, and were under massive attack by some politicians because one of the cases was a terrorist. That's quite risky – with the current political climate, being associated with one of the parties has the potential to cut your revenue in half.
The FBI may have ultimately gotten the data after buying a zero-day exploit, which is unfortunate. But Apple seemed to be winning in court at that time and the gov may have been quite happy to find a way to drop the lawsuits without losing face.
Apple also uses https://en.wikipedia.org/wiki/Warrant_canary, which may or may not be useful.
What can we do?
Yes, but it's not much of a phone if it's WiFi only. You could use any laptop for such scenario as well.
Still though, you have to worry that the hosting provider is taking adequate measures to protect your data, as well as also not secretly spying on you. I've worked with enough hosting sysops making trivial errors with their OVZ/KVM setups to realize that some VPS providers are about as secure and resilient as a power grid made from discarded toasters with forks shoved in them.
And the manufacturer could simply unroot the phone and lock its bootloader. At the end of the day it's the phone manufacturer that controls the product, even if Google tries to prohibit such practices in its contracts.
And generally it is a pretty decent model. It sends some data home but at least it doesn't have preinstalled adware like another Chinese tablet I saw (that displays an ad over the browser window and tries to disguise it as part of the web page).
I wonder if many security researchers know to routinely shop their findings to multiple agencies independently. It doesn't seem like this is common knowledge.
The FTC, in contrast, is a consumer protection agency. They don't kick down doors and they don't arrest people.
And yes, many security researchers have shared their prepublication research with the FTC.
Seems like for items that involve things you care about (kids, your personal data), you take your chances buying from a vendor who might be a fly-by-night and in a jurisdiction that doesn't care about your local country's laws.
"More established" brands have a history of leaving secret backdoors and phoning home just the same as the Chinese devices.
One was discovered in a range of Samsung devices just a couple years ago. Lenovo, same story, spyware and garbage hidden deep within their gadgets.
The only solution is to take a chance, buy a device, test it. If it's backdoored, return it if you can, and call them out on HN/Amazon reviews, etc.
Maybe if the phone is past its supported update lifespan then I would consider custom roms, otherwise I don't want to have to deal with these frustrations on a brand new device.
Coincidentally enough, the custom ROMs for the N4 and N5 are ubiquitous & surprisingly stable. My N4 running CM 10.1.3 has yet to crash or freeze w/out my fiddling with Privacy Guard(been fiddling with it for 2 years, became daily phone only recently). The Sailfish OS ROM has come a long way and is still actively updated. Sure they're dated & SFOS is somewhat limited(and trust isn't quite on par w/ Maemo) but what else is there? Yeah, Neo900 was an admirable reboot attempt, but roadblocks have put them even further behind the curve.
Nexus 6P (Marshmallow); any time I lost phone signal the messaging app would get itself stuck in a tight loop until it had to be force stopped. You'd think they would have tested that on a brand new device..
Cyanogen Mod has been great in the past, as you say, to extend the life of old phones. Quite stable too.
It runs Android 6 (CM13) great, just in my opinion Nougat isn't polished enough for daily use.
[0] http://forum.xda-developers.com/redmi-2/development/rom-cyan...
You want me to tell you why Google won't do anything, because Google doesn't give a crap about what manufacturers do as long as they keep installing Android on as many phones as possible and in return they get more advertising dollars.
> You want me to tell you why Google won't do anything, because Google doesn't give a crap about what manufacturers do as long as they keep installing Android on as many phones as possible
Google could allow controlling the firewall on Android (and getting root access). The only reason they don't do it is because then users would be able to block tracking and advertisement.
If it's GMS Certified, sure.
It's possible (common even) for some shady OEMs to install Google Play Store, despite not being GMS certified. Asking them to prevent that is a lot like demanding a stop to all software piracy.
And why exactly is that bad?
The price of freedom is eternal vigilance. You want crap free gadgets, make them sell crap free gadgets by ratting them out when they sell gadgets loaded with crap.
Do you happen to know me in real life? I can't think of another reason for this.
Microsoft didn't have any telemetry in earlier days. Now they have turned to the dark side.
Do you demand Microsoft take action because say Lenovo installs superfish?
You make Lenovo fix it instead of a tangentially related company like Microsoft.
Same thing here. It's not a Google issue.
While it makes sense to hit the vendors directly to the extent possible, it also costs these platforms trust when most of the ways users end up with them have them compromised from day one. I.e. do I give relatives a list of vendors I think might be safe to use without a complete wipe and fresh install? For windows that is impossible.