Link

Hackers and Law Enforcement Could Hijack Wi-Fi Connections to Track Cellphones

From The Intercept:

But if the operator is O’Hanlon and not Verizon — that identity is compromised. “The IMSI is revealed during this interchange, during the early stages of the conversation. It’s not encrypted,” he says.

This type of activity is called passive monitoring, because it doesn’t require a specific active attack or malware. It only works in some cases, however.

O’Hanlon also developed a couple active attacks that would get the job done, one involving masquerading as the operator’s endpoint where the Wi-Fi call is being directed, and another using a man-in-the-middle attack to intercept it.

Apple is the only company that has taken steps to mitigate the privacy and security risk, he says — they added additional security protocols when he brought up the issue over the summer. It was addressed in iOS 10, though there are still ways to get around the protections. But the problem is less with the companies and more with the way the connections were set up in the first place.

Yet another time that Apple has dedicated engineering resources to better protect their customers whereas their major competitor has declined to do so. And this wasn’t even an Apple or Google problem, per se, but a protocol-level issue.

Quote

At its core, respecting the user means that, when designing or deploying an information system, the individual’s privacy rights and interests are accommodated right from the outset. User-centricity means putting the interests, needs, and expectations of people first, not those of the organization or its staff. This is key to delivering the next generation of retail experience because empowering people to play active roles in the management of their personal data helps to mitigate abuses and misuses. To this end, Aislelabs provides an opt out site that allows individuals to choose not to have their retail traffic data included in any anonymous analytics.

It’s incredible that any company – let alone a Canadian Privacy Commissioner – would claim that an opt-out mechanism for hidden and secretive tracking technologies (i.e. monitoring your mobile devices as you walk through the world so retailers can better sell you things) constitutes “putting the interests, needs, and expectations of people first, not those of the organization or its staff.” For such an assertion to be valid the ‘people’ should be given the opportunity to opt in to, not out of, a surveillance system that few will know about and fewer will understand. There is a vast body of academic and industry literature showing that opt-out mechanisms generally do not work; they’re not effectively centralized and they add considerable friction that hinders consumers’ ability to express their actual interests. And that’s just fine for many retailers and analytics companies because they’re concerned with turning people into walking piggy banks, not with thinking of individuals as deserving any semblance of a reasonable expectation of privacy.

The Painful Process of Updating Android

Android fragmentation is a very real problem: not only does it hinder software developers’ ability to build and sell apps, it also raises security issues. In a recent report from Open Signal, we learn that 34.1% of Android users are using the 2.3.3–2.3.7 versions of Android, whereas just 37.9% of users are using 4.x versions of the operating system, and most of those are themselves using a years-old version of Android. In effect, an incredibly large number of Android users are running very outdated versions of their mobile phone’s operating system.

It’s easy to blame this versioning problem on the carriers. It’s even easier to blame the issue on the manufacturers. And both parties deserve blame. But perhaps not just for the reasons that they’re (rightly!) often crucified for: I want to suggest that the prevalence of 2.3.x devices in consumers’ hands might have as much to do with consumers not knowing how to update their devices, as it does with updates simply not being provided by carriers and manufacturers in the first place.

Earlier this month I spent some time with ‘normal’ gadget users: my family. One family member had a Samsung Galaxy S2…which was still using version 2.x of the Android operating system. Since February 2013, an operating system update has been available for the phone that would bring it up to Android version 4.1.2, but my family member neither knew nor cared that it was available.

They didn’t know about the update because they had received no explicit notice that an update was available, or at least didn’t recall being notified. To be clear, they hadn’t updated the phone even once since purchasing the device about two years ago, and there have been a series of updates to the operating system since purchase time.

The family member also didn’t care about there being an update, because they only used the phone for basic functions (e.g. texting, voice calls, the odd game, social networking). They’re not a gadget monkey and so didn’t know about any of the new functions incorporated into the updated Android operating system. And, while they appreciate some of the new functionality (e.g. Google Now) they wouldn’t have updated the device unless I had been there.

A key reason for having not updated their phone was the absolute non-clarity in how they were supposed to engage in this task: special software had to be downloaded from Samsung to be installed on their computer,[1] and then wouldn’t run because the phone’s battery had to possess at least a 50% charge,[2] and then it took about 3 hours because the phone couldn’t be updated to the most recent version of Android in one fell swoop. Oh, and there were a series of times when it wasn’t clear that the phone was even updating because the update notices were so challenging to understand that they could have been written in cipher-text.

Regardless of whether it was Rogers’, Samsung’s, Google’s, or the tooth fairy’s fault, it was incredibly painful to update the Android device. Painful to the point that there’s no reason why most people would know about the update process, and little reason for non-devoted Android users to bother with the hassle of updating if they knew what a pain in the ass it was going to be.

The current state of the Android OS ecosystem is depressing from a security perspective. But in addition to manufacturers and carriers often simply not providing updates, there is a further problem: Android’s OS update mechanisms are incredibly painful to use. Only after the significant security SNAFUs of Windows XP did Microsoft really begin to care about desktop OS security, and Google presently has a decent update mechanism for their own line of Nexus devices. What, exactly, is it going to take for mobile phone manufacturers (e.g. Samsung, HTC) and mobile phone carriers (e.g. Rogers, TELUS) to get their acts together and aggressively start pushing out updates to their subscribers? When are these parties going to ‘get’ that they have long-term duties and commitments to protect their subscribers and consumers?[3]


  1. In theory there is an over the air update system that should have facilitated a system update in a relatively painless way. Unfortunately, that system didn’t work at all and so Samsung’s software had to be used to receive the updates.  ↩
  2. Really, this made no sense. To update the device it had to be plugged into a computer; why, then, did the phone (which was charging because it was plugged into the computer) need to have a 50%+ charge?  ↩
  3. I actually have a few ideas on this that will, hopefully, start coming to fruition in the coming months, but I’m open to suggestions from the community.  ↩
Link

Why No Big Wireless Carriers Protect Journalist Phone Records

Via HuffPo:

I love just how direct Chris is these days when speaking with the press about the telcos and their utterly abhorrent practices.

Quote

The new Home app/UX/quasi-OS is deeply integrated into the Android environment. It takes an effort to shut it down, because Home’s whole premise is to be always on and be the dashboard to your social world. It wants to be the start button for apps that are on your Android device, which in turn will give Facebook a deep insight on what is popular. And of course, it can build an app that mimics the functionality of that popular, fast-growing mobile app. I have seen it done before, both on other platforms and on Facebook.

But there is a bigger worry. The phone’s GPS can send constant information back to the Facebook servers, telling it your whereabouts at any time.

(…)

And most importantly it is Facebook, a company that is known to have played loose-and-easy with consumer privacy and data since its very inception, asking for forgiveness whenever we caught them with its hand in the cookie jar. I don’t think we can be that forgiving or reactive with Facebook on mobile.

Quote

The traditionally advocated uses for NFC have been to replace RFID chips in travel cards, such as the Oyster card in the UK, and RFID chips in credit cards, such as MasterCard’s PayPass.

The problem with these replacements is a simple one, however. Smartphone batteries run out. They do so with alarming regularity, and they do so at inopportune moments. I don’t care what phone you say you have, and I don’t care if you say it doesn’t happen to you, because it does. You end up staying out late, or you leave your charger at home by accident, or you just plain use the phone too much during the day, and then when you need the phone to work, it doesn’t because it’s out of juice.

The phone running out of power is bad enough when it means you don’t have maps and directions. That’s annoying. But even worse is the battery going flat when you need the phone for mass transit or paying for stuff.

And yet that’s precisely the value proposition that NFC offers: go out for a night on the town and get stranded with no money, no subway ride home. The only way to be safe is to take your credit card and travel card with you anyway, and if you’re doing that? Well you don’t exactly need NFC then, do you?

* Peter Bright, “Mobile World Congress is Mean Girls, and NFC isn’t going to happen”

Attention shoppers: Retailers can now track you across the mall

While the technology that the IT World article discusses isn’t terribly novel – I was given a paper conducted by grad students on this topic a few years ago, and they had a working prototype of similar systems – I find it incredibly worrying that ambient information that smartphones expel is being used for purposes in excess of why the information is transmitted in the first place. We don’t live in a (Western) world where lacking a cell phone is common; for many people a mobile phone is critical to their business or livelihood. Indeed, when you go to other areas of the world where mobile penetration is even higher because of exorbitant costs associated with laying down fibre, mobiles are even more important on a daily basis.

As such, any suggestion like “if you don’t want to be tracked, don’t own a phone” misses the point around privacy concerns related to mobile phone tracking. In effect, it shouldn’t be up to the individual to unilaterally defend themselves from further expansions of private surveillance capabilities. Instead, those capabilities should be limited by law, by regulation, and by a minimalistic sense of ethics. Tracking where people are walking, and giving them an option to opt out of tracking by visiting a website they’ve never heard of and digging into its depths, is not a sufficient way to ‘empower’ individuals.

Link

What Windows Phone Needs

Tumblr user nugnug provides an excellent list of the core “what’s missing” in Windows Phone right now and that will continue being absent after the 7.8 update:

  • rotation lock – I surf the net when I’m lying down. Everyone does. This is such an important feature and yet, where the hell is it?
  • screen capture – I can’t take screenshots on my phone! What is this!? How can I blackmail people and post the stupid things they say on Facebook?
  • customized sounds for messaging, etc. – We can customize our ringtones, so why not the rest?
  • notification center – This ain’t happening. I already know this cause they didn’t have time to make it. Lame.
  • separate volume controls for phone sounds and media – I want to listen to music at a really low volume but that means I won’t be able to hear my phone ring. A dilemma that can be easily rectified.
  • the forward button and “find on page” function in IE – there’s a java fix someone else kindly made, but there shouldn’t be a need. It’s a basic function that should be included in all internet browsers.
  • Wifi turns off when in sleep mode – the biggest reason why my whatsapp messages arrive hours later is because my phone, which relies on only Wifi when I’m at home, turns off Wifi when it goes to sleep. Ugh.
  • Bluetooth file transfers – I WANNA GIVE MY FRIENDS STUFF WITHOUT USING MY NET DATA BUT I CAN’T.
  • multi selection – let me delete multiple photos on my phone at a time. PLZZ.
  • editing the dictionary – there are some words I made up, I would like to delete please.
  • improvements in the calendar – by far the most used section of my phone, it holds all my schedules and Facebook events and works seamlessly. So why not build on it? Include a weekly view, allow me to change colours on some of my personal entries.
  • automatic sleep mode – not too fussy, but this would be really cool. If I set a time e.g. from 11pm to 8am, my phone will sleep between those hours and I won’t get any notifications between those times.
  • closing apps from the multitasking view – not too important

I have to admit that some of the items aren’t top of mind for me: I don’t really care about the sleep mode, don’t see the point of closing apps from the multitasking view, and am not interested in bluetooth sharing. That said, every other suggestion is much, much needed.

I would also add to the list that scrolling in the 7.8 update needs to change; in the older version 1 Windows Phones scrolling would accelerate the more you scrolled up or down, whereas the current generation of 7.5 phones features a static scrolling rate. This speed simply feels slower than earlier – and less capable – hardware and software iterations of Windows Phone.

Quote

“You hereby grant Ninja Tel permission to listen to, read, view and/or record any and all communications sent via the network to which you are a party,” one section stated. “Before you get all upset about this, you already know full well that AT&T does this for the NSA. You understand that you have no reasonable expectation of privacy as to any on the Ninja Tel network. You grant Ninja Tel a worldwide, perpetual, assignable, royalty-free license to use any and all recorded or real-time communications sent via the Ninja Tel network to which you are a party. Don’t worry, most of this is for the lulz.”

* Ninja Tel Terms of Service (read more at Ars)