Linked by Thom Holwerda on Mon 9th Jan 2012 10:08 UTC
PDAs, Cellphones, Wireless
Well, well, well, what have we here? Hackers have gained access to internal documents from the Indian Military (shared on the web), and in it, it is revealed that RIM, Nokia, and Apple have added backdoors to their mobile software (BlackBerry, S40 (supposedly), and iOS) which the Indian Military's intelligence service then used to spy on the US-China Economic and Security Review Commission (the USCC). The backdoors were added by RIM, Nokia, and Apple in exchange for Indian market presence.
Remember those FOSS cribled with trojan ?
by Kochise on Mon 9th Jan 2012 10:41 UTC
Kochise
Member since:
2006-03-03

Open source doesn't always mean secure. Free software can also be bug-ridden. Yet it is easier to dig into the stuff without the hassle of reverse engineering, but still, how could a FOSS mobile OS ever exist if the protocols are themselves closed-source? Bluetooth stack? USB 3? What about Openmoko?

Kochise

Reply Score: 3

porcel Member since:
2006-01-28

Who says that bluetooth or USB3 is closed source?

There are open source implementations of all these protocols.

Of course, ultimately, a real audit of any hardware would require being able to audit every piece of software that runs on a device, including its firmware, but it is interesting how happy Nokia, Apple and RIM are to give away the security of their phones for market share.

Reply Score: 4

arpan Member since:
2006-07-30

It is possible that the backdoor isn't in the software on the phone, but on the server side. For example, RIM/Apple etc. could give the Indian government access to specific emails sent from India etc. through their services. That would also make it easier to conceal.

Reply Score: 4

Not2Sure Member since:
2009-12-07

This would not affect secure communications on the blackberry network. RIM does not have the encryption keys shared between the device and the BES server that it neither hosts nor controls. Might be possible there is a backdoor in BES but that would be in violation of its contractual obligations to the point it would bankrupt the company.

Now just as in the recent brouhaha regarding the Middle East nothing prevents a government from pressuring telcos in its jurisdiction from coughing up its traffic. So consumer traffic coming from consumer blackberry devices routed through telco BIS servers would certainly be (and are) susceptible. Even (especially?) here in the US that's the situation. Not really an Apple, RIM, or Android issue. It's a channel thing, imho.

Reply Score: 4

jabbotts Member since:
2007-09-06

These are companies in the business of manufacturing profit for shareholders. They are not altruistic engines for social change.

"Interesting" for me would have been seeing any of them risk access to the Indian market by publicly challenging the government request.

Reply Score: 4

jabbotts Member since:
2007-09-06

I believe the article suggested that an open source mobile OS would allow developers to review the code on behalf of themselves and all users. It didn't seem to suggest that FOSS development inherently resulted in a more secure product.

Reply Score: 3

Openmoko rebirth: GTA04
by xdrudis on Tue 10th Jan 2012 00:47 UTC in reply to "Remember those FOSS cribled with trojan ?"
xdrudis Member since:
2012-01-09

Well, since you asked "what about openmoko?" let me publicize a little its successor: GTA04 (I'm not associated with Golden Delicious or anyone selling it). For me it's the best option I know to avoid spyware and other nasty surprises in your mobile phone if you want and can pay for it.
There's also a little bit about environment, labour, solvency and tooling, but it's mostly about open hardware and free software.
I think it hasn't been commented here in OSNews ?

A company in Bavaria has designed a new motherboard for the GTA01 or GTA02 models of openmoko phones. It has built some prototypes and sold them to early adopters who are busy writing drivers, porting software etc. It is making a slightly fixed next version which sells in smaller quantities and it's collecting orders to see if it can sell them a little cheaper if orders reach 350 units this month.

Replacing the phone PCB with GTA04 improves on speed, memory, sensors, mobile internet, USB version, etc. There's progress on linux-3.2, QtMoko, power saving and other developments. There are also efforts to identify/procure/design/build/sell the rest of the hardware needed for a complete phone (if you don't have a GTA02 or GTA01 to recycle), including the case.

Details at http://www.gta04.org.

Some ways to help:

- spread the word

- order one

- help testing/developing/upstreaming if you already have one

- if you have a freerunner or Neo1973 you don't want anymore, sell it on the net, donate it or contact the mailing list. This will increase the potential GTA04 buyers at this stage.

- help to design and manufacture new cases. The CAD files for the previous phone cases are available but not 3D printable yet.

- offer help in upgrading the motherboard to those near you if you feel competent

- resell the PCB or offer paid service.

- help source the remaining components for a complete phone.

- donate money

- develop free replacements for the proprietary firmware (Libertas for wifi/bluetooth, maybe something for the GSM/UMTS module) or free drivers (Power GSX GPU, modem, optional camera...)

- lend measuring equipment (for RF analysis, power dissipation measurements, etc.)

- convince the chip manufacturers to release more documentation

- write applications for the new possibilities with increased bandwidth, computing performance and sensors

- etc.

Reply Score: 4

UK != All of Europe
by Carewolf on Mon 9th Jan 2012 10:43 UTC
Carewolf
Member since:
2005-09-08

Please don't start using the US tradition of treating Europe as one nation. The UK has a weird view on privacy that is more extreme than the US. While continental Europe has more respect for privacy, except for the historically necessary intelligence services that operate on the outskirts of legality.

Also I fail to see why this spyware is necessary on the phones. In Europe the networks are large and homogeneous, and wiretapping is performed on carrier level. When using industry standard encryption, even encrypted conversations can be intercepted.

Reply Score: 4

RE: UK != All of Europe
by Beta on Tue 10th Jan 2012 02:49 UTC in reply to "UK != All of Europe"
Beta Member since:
2005-07-06

Britain is still European, and the linked article mentions 3 European countries … however skewed the article is to encourage people to be OK with wiretapping because other countries do it.

Reply Score: 2

RE[2]: UK != All of Europe
by zima on Thu 12th Jan 2012 03:08 UTC in reply to "RE: UK != All of Europe"
zima Member since:
2005-07-06

Britain is still European

Strangely many Britons seem to disagree...

Reply Score: 2

RE: UK != All of Europe
by lucas_maximus on Tue 10th Jan 2012 10:33 UTC in reply to "UK != All of Europe"
lucas_maximus Member since:
2009-08-18

UK's view on piracy is actually along the lines of "don't take the piss". The police or anyone else won't mind you handing your mate a few burnt CDs, but if you are selling them outta your house they would be round there pretty quick.

Reply Score: 2

RIM != Nokia, Apple
by kragil on Mon 9th Jan 2012 10:48 UTC
kragil
Member since:
2006-01-04

Because BBs use encryption per default. I hardly doubt S40 encrypts anything, so there might be no need for the government to demand a backdoor. They just need to have access to the mobile operator.

But putting your private information into systems you don't control and nobody can check is still a very bad idea.

Reply Score: 3

RE: RIM != Nokia, Apple
by static666 on Mon 9th Jan 2012 16:09 UTC in reply to "RIM != Nokia, Apple"
static666 Member since:
2006-06-09

Remember Skype?

A closed-source, obfuscated app using a proprietary, obscure, closed protocol from those shady individuals, pioneers of early p2p techs?

Well, most users still think it not only does free calls, but also confidentiality, cause it has "encryption"! How do they know? Because Skype says so, they promised.

Now s/Skype/Blackberry/ :-)

Reply Score: 5

RE[2]: RIM != Nokia, Apple
by KLU9 on Wed 11th Jan 2012 19:44 UTC in reply to "RE: RIM != Nokia, Apple"
KLU9 Member since:
2006-12-06

and it's already public knowledge that Skype for mainland China already has government access/backdoor and keyword censorship, you know... to protect the children from porn. Why do only the Chinese Communist Party think of the children???

http://www.jeffsplace.net/node/18

And anyone in mainland China, even if trying to access the international Skype website, gets redirected to tom.skype.com and the backdoor-ed version.

Edited 2012-01-11 19:45 UTC

Reply Score: 2

RE[3]: RIM != Nokia, Apple
by zima on Sat 14th Jan 2012 03:33 UTC in reply to "RE[2]: RIM != Nokia, Apple"
zima Member since:
2005-07-06

and, hm, Zfone appears sort of... dead (at least some free ZRTP implementations seem to be getting decent)

Reply Score: 2

D.T.A.
by siraf72 on Mon 9th Jan 2012 11:28 UTC
siraf72
Member since:
2006-02-22

Don't Trust Anyone...

Except possibly your dog, and your husband/wife, ... your kids probably..... your parents should be ok too.....

(not necessarily in that order)

Reply Score: 2

RE: D.T.A.
by unclefester on Mon 9th Jan 2012 11:40 UTC in reply to "D.T.A."
unclefester Member since:
2007-01-13

The dog is the only one that can be trusted.

Reply Score: 14

RE[2]: D.T.A.
by wibbit on Mon 9th Jan 2012 12:56 UTC in reply to "RE: D.T.A."
wibbit Member since:
2006-03-22

Animals can be bribed.

Reply Score: 5

RE[3]: D.T.A.
by smashIt on Mon 9th Jan 2012 13:23 UTC in reply to "RE[2]: D.T.A."
smashIt Member since:
2005-07-06

Animals can be bribed.


it depends on the animal
a dog can be bribed
a goose can't

Reply Score: 4

RE[4]: D.T.A.
by MasterSplinter on Mon 9th Jan 2012 15:25 UTC in reply to "RE[3]: D.T.A."
MasterSplinter Member since:
2012-01-05

"Animals can be bribed.


it depends on the animal
a dog can be bribed
a goose can't
"

Don't forget about the Golden Goose. It wasn't eaten for a reason.

Reply Score: 2

RE: D.T.A.
by levi on Mon 9th Jan 2012 22:47 UTC in reply to "RE[4]: D.T.A."
levi Member since:
2006-09-07

... and cheetah is the animal that you would never trust ...

Reply Score: 2

RE[2]: D.T.A.
by zima on Thu 12th Jan 2012 03:23 UTC in reply to "RE: D.T.A."
zima Member since:
2005-07-06

I don't know, it (and my cat) can be probably always trusted to do its... feline things.

Edited 2012-01-12 03:25 UTC

Reply Score: 2

RE[2]: D.T.A.
by Kochise on Tue 10th Jan 2012 11:39 UTC in reply to "RE: D.T.A."
Kochise Member since:
2006-03-03
RE[3]: D.T.A.
by siraf72 on Wed 11th Jan 2012 15:52 UTC in reply to "RE[2]: D.T.A."
siraf72 Member since:
2006-02-22
Comment by digitallysane
by digitallysane on Mon 9th Jan 2012 14:06 UTC
digitallysane
Member since:
2011-12-19

They might have gotten India market share, but all of them are suddenly in hot water with China (and US).
I find Apple's position especially interesting: a US company helped another country to spy on US? What does the law say in such a case? Not so long ago people were executed for this kind of stuff.

Reply Score: 6

RE: Comment by digitallysane
by Soulbender on Mon 9th Jan 2012 17:37 UTC in reply to "Comment by digitallysane"
Soulbender Member since:
2005-08-18

What does the law say in such a case?


It's pretty damn close to treason, I think. It probably isn't, technically, but it's almost there.

Reply Score: 4

RE[2]: Comment by digitallysane
by CapEnt on Mon 9th Jan 2012 19:36 UTC in reply to "RE: Comment by digitallysane"
CapEnt Member since:
2005-12-18

They sold national security for money (or market share, whatever). It fits quite well the definition of treason in most dictionaries out there, so I think that they truly committed treason, even technically speaking.

That's quite sad...

Reply Score: 5

RE: Comment by digitallysane
by zima on Thu 12th Jan 2012 03:33 UTC in reply to "Comment by digitallysane"
zima Member since:
2005-07-06

They might have gotten India market share, but all of them are suddenly in hot waters with China (and US).

I doubt all of them with China (and US) - for one, Nokia has minimal presence in the US (though who knows what might be the impact on deals involving Nokia Siemens Networks) and is AFAIK not certified for gov employees (BB and iOS devices OTOH...). And the Chinese are going sort of ~nationalistic with tech choices, anyway.

Reply Score: 2

Comment by static666
by static666 on Mon 9th Jan 2012 17:22 UTC
static666
Member since:
2006-06-09

So what's exactly the link between Symantec and mobile vendors? Where's the mentioned source code that is so terribly worrying? Is there any country in the world that *still does not* use mobile networks to spy on its citizens? LOL. Where's the news?

What's the piece of software that everyone runs, with full access to your data, that phones home all the time to upload private data (called suspicious files) and download encrypted binary blobs (called definition updates) to uncontrollably execute on your system?

AV! A perfect spot to put a backdoor. Hooray, Symantec.

Reply Score: 3

Conspicuously silent
by BallmerKnowsBest on Mon 9th Jan 2012 22:04 UTC
BallmerKnowsBest
Member since:
2008-06-02

So where're MOS6510, leos, kaiwai, frderi and the rest of the Apple Apologist Brigade? Still waiting for Gruber to tell them what their opinion is?

But hey, I'm sure it will be worth the wait... the fanboys will need some damn good talking-points to spin their way out of this one. I truly can't wait.

Reply Score: 2

RE: Conspicuously silent
by MOS6510 on Mon 9th Jan 2012 22:24 UTC in reply to "Conspicuously silent"
MOS6510 Member since:
2011-05-12

We're waiting for any real proof, not just some "stolen" "document" by "hackers".

Anyone can make such a document and put it online.

Reply Score: 1

Espionage
by Lorin on Tue 10th Jan 2012 00:50 UTC
Lorin
Member since:
2010-04-06

That would under US law make them guilty of espionage.

Reply Score: 1

...
by Hiev on Tue 10th Jan 2012 01:58 UTC
Hiev
Member since:
2005-09-27

I only trust God.

Reply Score: 1

RE: ...
by zima on Thu 12th Jan 2012 03:11 UTC in reply to "..."
zima Member since:
2005-07-06

Why? In the very own "official" mythologies of the presently most popular deity, there are clear examples of its lies and deceit (and much worse, but that's going beyond trust issues) directed at humans...

Reply Score: 2

Paranoids
by Vijayanandham on Tue 10th Jan 2012 02:50 UTC
Vijayanandham
Member since:
2010-01-19

Feeling ashamed to live among paranoids....

Reply Score: 0

Cognitive dissonance
by atsureki on Wed 11th Jan 2012 17:31 UTC
atsureki
Member since:
2006-03-12

Here's where Thom eats his cake:

When it comes to Android, the backdoor wouldn't be in the open source AOSP, but the Indian government could, say, demand HTC, Samsung, and so on to install a bit of spyware onto their Android devices which provides the same backdoor. It could also be hiding in the closed Google applications (say, the Market), or even in the baseband processor.


But oh, look, he still has it one line later:
All this, of course, vindicates what I wrote only a few days ago: open source is important, as it allows developers to check for backdoors in the software we're all using - and do something about it.


No, no it totally does not vindicate any claim that open source is important; in fact it's direct evidence that open source is completely irrelevant, because it doesn't amount to anything more than a single ingredient in the mystery meat that is any sort of finished product.

(Unless you're speaking entirely hypothetically and have given up all illusions and equivocations that Android products and devices -- you know, Android in any meaningful sense -- were ever open to begin with. In which case, disregard: I only meant to discuss Things That Exist.)

Even if you could find the backdoor in iOS through, say, network monitoring, you still wouldn't be able to do much about it.


Hacking an Android device is called rooting. Hacking an iOS device is called jailbreaking. Aside from the name, there's not much else different between them. No matter how much Android code you audit and compile yourself, you need to put the proprietary drivers back in if you want the phone to actually operate.

Android devices are not open, and being "more open" doesn't actually get you anywhere because you can't roll your own phone. Wake me up as soon as that changes.

Reply Score: 2