TAG | mobile
In episode 16 of the Privacy Blog Podcast for January, Twenty Fourteen I talk about:
Biological Advanced Persistent Threats
The Apps on your mobile devices that may be enabling surveillance
Why you may soon know more about how much information your service providers are revealing to the government
The total compromise of the TorMail anonymous email service
How the British government is using pornography as a trojan horse for Internet Censorship.
And finally why continued use of a deprecated cryptographic signature algorithm could undermine the security of the Web
In March of 2013 the Bureau of Diplomatic Security at the US State Department issued a travel advisory for Americans planning to attend the 2014 winter Olympics in Sochi, Russia.
As I blogged before, this is expected to be one of the most aggressively surveilled events ever.
The advice for cyber protection in the advisory is interesting:
Consider traveling with “clean” electronic devices—if you do not need the device, do not take it. Otherwise, essential devices should have all personal identifying information and sensitive files removed or “sanitized.” Devices with wireless connection capabilities should have the Wi-Fi turned off at all times. Do not check business or personal electronic devices with your luggage at the airport. … Do not connect to local ISPs at cafes, coffee shops, hotels, airports, or other local venues. … Change all your passwords before and after your trip. … Be sure to remove the battery from your Smartphone when not in use. Technology is commercially available that can geo-track your location and activate the microphone on your phone. Assume any electronic device you take can be exploited. … If you must utilize a phone during travel consider using a “burn phone” that uses a SIM card purchased locally with cash. Sanitize sensitive conversations as necessary.
Obviously this is not just good advice for attending the Olympics, but would also apply to China, or any other situation where it is important to protect your electronic information.
The ability to conduct sophisticated surveillance and cyber attack is widespread. If you are engaged in business that is a likely target of economic espionage, then you should be following these kinds of practices any time you travel anywhere, and perhaps even at home.
This is episode 14 of the Privacy Blog Podcast for November,2013.
In this episode I talk about:
How your phone might be tracked, even if it is off
The hidden second operating system in your phone
Advertising privacy settings in Android KitKat
How Google is using your profile in caller ID
and the lengths to which Obama has to go to avoid surveillance when traveling.
OS News has an interesting article: The second operating system hiding in every mobile phone
It discusses the security implications of the fact that all cell phones run two operating systems. One is the OS that you see and interact with: Android, iOS, Windows Phone, BlackBerry, etc. The other is the OS running on the baseband processor. It is responsible for everything to do with the radios in the phone, and is designed to handle all the real time processing requirements.
The baseband processor OS is generally proprietary, provided by the maker of the baseband chip, and generally not exposed to any scrutiny or review. It also contains a huge amount of historical cruft. For example, it responds to the old Hays AT command set. That was used with old modems to control dialing, answering the phone, and setting up the speed, and other parameters required to get the devices to handshake.
It turns out that if you can feed these commands to many baseband processors, you can tell them to automatically and silently answer the phone, allowing an attacker to listen in on you.
Unfortunately the security model of these things is ancient and badly broken. Cell towers are assumed to be secure, and any commands from them are trusted and executed. As we saw at Def Con in 2010, it is possible for attackers to spoof those towers.
The baseband processor, and its OS, is generally superior to the visible OS on the phone. That means that the visible OS can’t do much to secure the phone against these vulnerabilities.
There is not much you can do about this as an end user, but I thought you should know.
The Chaos Computer Club (CCC) in Germany recently announced its successful bypassing of the new iPhone 5S fingerprint scanner.
Despite many media claims that the new scanner worked on deep layers in the skin, and was not vulnerable to simple fingerprint duplication, that is exactly what succeeded.
The CCC used a high resolution photo of a fingerprint on glass to create a latex duplicate, which unlocked the phone. It strikes me as particularly problematic that the glass surface of an iPhone is the perfect place to find really clear fingerprints of the owner.