Privacy, Security Archive

Xiaomi fixes privacy leak on Redmi 1s

A recent article in Taiwan and a related report by F-Secure raised privacy concerns by stating that Xiaomi devices are sending phone numbers to Xiaomi's servers. These concerns refer to the MIUI Cloud Messaging service described above. As we believe it is our top priority to protect user data and privacy, we have decided to make MIUI Cloud Messaging an opt-in service and no longer automatically activate users. We have scheduled an OTA system update for today (Aug 10th) to implement this change. After the upgrade, new users or users who factory reset their devices can enable the service by visiting "Settings > Mi Cloud > Cloud Messaging" from their home screen or "Settings > Cloud Messaging" inside the Messaging app - these are also the places where users can turn off Cloud Messaging.

We apologize for any concern caused to our users and Mi fans. We would also like to thank the media and users who have been sending us feedback and suggestions, allowing us to improve and provide better Internet services.

Fast response, but it's exactly this kind of shitty behaviour that especially a Chinese company simply cannot afford out here in the west. If Microsoft, Apple, or Google does something like this, they'll have armies of defenders and a huge PR department to solve it. Upcoming Chinese companies are generally much, much leaner and do not have that at all.

In any case, you're generally much better off with a custom ROM anyway, and this just yet another reason.

Ars reviews the Blackphone

Ars Technica reviews the BlackPhone, a device which claims to be much more secure than other smartphones.

After configuring the various pieces of Blackphone's privacy armor, it was time to check it for leaks. I connected my loaner phone to a Wi-Fi access point that was set up to perform a packet capture of my traffic, and we started to walk through the features. I also launched a few Wi-Fi attacks on the phone in an attempt to gather data from it.

For my last trick, I unleashed a malicious wireless access point on Blackphone, first passively listening and then actively trying to get it to connect. While I did capture the MAC address of the phone’s Wi-Fi interface passively, I was unable to get it to fall for a spoofed network or even give up the names of its trusted networks.

So, we've verified it: Blackphone is pretty damn secure.

A very disappointing test of the essential claim to fame of this smartphone. All Ars has done is confirm it does not leak data - something you can easily achieve on any phone. This review does not spend a single word on the baseband operating system of the device, which is a crucial part of any smartphone that we know little about. There's no indication whatsoever that the baseband operating system used by the NVIDIA chipset inside the Blackphone is in any way more secure than that of others.

Unless we have a truly open baseband processor, the idea of a secure phone for heroes like Edward Snowden will always be a pipe dream. I certainly commend Blackphone's effort, but there's a hell of a lot more work to be done.

‘Chinese Android smartphone shipped with spyware’

A Chinese no-name Galaxy S4 knock-off allegedly comes pre-loaded with spyware:

For the first time ever, the experts at the German security vendor have discovered a smartphone that comes with extensive spyware straight from the factory. The malware is disguised as the Google Play Store and is part of the pre-installed Android apps. The spyware runs in the background and cannot be detected by users. Unbeknownst to the user, the smartphone sends personal data to a server located in China and is able to covertly install additional applications.

The news comes from a security firm, so take it with a grain of salt, but still - this is exactly the kind of stuff legitimate Chinese manufacturers really do not want.

OpenBSD forks, prunes, fixes OpenSSL

Members of the OpenBSD project, already known for the OpenBSD operating system and related projects such as OpenSSH, OpenBGPD, OpenNTPD, OpenSMTPD, are creating a fork of the OpenSSL project, likely to be called LibreSSL. (OpenSSL and OpenBSD are completely separate projects with different people working on them.)

Apparently, the focus is not so much on taking OpenSSL into a completely different direction, but more on a massive code cleanup and long-overdue maintenance.

NSA said to exploit Heartbleed bug for intelligence for years

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

The NSA's decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.

I'm so surprised.

Update: NSA denies.

On that supposed backdoor in Samsung devices

First it was a huge backdoor, then it turned out not to be a big deal. Whatever is the case with this issue with Samsung phones - it only serves to highlight what I wrote about several months ago:

It's kind of a sobering thought that mobile communications, the cornerstone of the modern world in both developed and developing regions, pivots around software that is of dubious quality, poorly understood, entirely proprietary, and wholly insecure by design.

Whether or not this is actually a huge security issue, I don't care - it just further highlights the dire need for a properly and truly open baseband firmware.

On hacking microSD cards

Remember when I wrote about how your mobile phone runs two operating systems, one of which is a black box we know and understand little about, ripe for vulnerabilities? As many rightfully pointed out in the comments - it's not just mobile phones that have tiny processors for specific tasks embedded in them. As it turns out, memory cards have microprocessors though - and yes, they can be cracked for remote code execution too.

Today at the Chaos Computer Congress (30C3), xobs and I disclosed a finding that some SD cards contain vulnerabilities that allow arbitrary code execution - on the memory card itself. On the dark side, code execution on the memory card enables a class of MITM (man-in-the-middle) attacks, where the card seems to be behaving one way, but in fact it does something else. On the light side, it also enables the possibility for hardware enthusiasts to gain access to a very cheap and ubiquitous source of microcontrollers.

There's so much computing power hidden in the dark.

Disclosure timeline for vulnerabilities under active attack

Google is changing its disclosure policy for zero-day exploits - both in their own software as in that of others - from 60 days do 7 days. "Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves. By holding ourselves to the same standard, we hope to improve both the state of web security and the coordination of vulnerability management." I support this 100%. It will force notoriously slow-responding companies - let's not mention any names - to be quicker about helping their customers. Google often uncovers vulnerabilities in other people's software (e.g. half of patches fixed on some Microsoft 'patch Tuesdays' are uncovered by Google), so this could have a big impact.

Dutch gov. proposes cyberattacks against… Everyone

"Last week, the Dutch Minister of Safety and Justice asked the Parliament of the Netherlands to pass a law allowing police to obtain warrants to do the following: install malware on targets’ private computers, conduct remote searches on local and foreign computers to collect evidence, and delete data on remote computers in order to disable the accessibility of 'illegal files'. Requesting assistance from the country where the targetted computer(s) were located would be 'preferred' but possibly not required. These proposals are alarming, could have extremely problematic consequences, and may violate European human rights law." You get true net neutrality with one hand, but this idiocy with another. This reminds me a lot of how some of our busy intersections are designed; by people who bike to city hall all their lives and have no clue what it's like to drive a car across their pretty but extremely confusing and hence dangerous intersections.

Kaspersky Labs preps its own operating system

Kaspersky is working on its own secure operating system for highly specialised tasks. "We're developing a secure operating system for protecting key information systems (industrial control systems) used in industry/infrastructure. Quite a few rumors about this project have appeared already on the Internet, so I guess it's time to lift the curtain (a little) on our secret project and let you know (a bit) about what's really going on." More here.

Verizon, AT&T sell users’ browsing, location histories to marketers

As it turns out, new Verizon customers (although there are reports existing customers are getting notified too) have 30 days to opt out of something really nasty: Verizon will sell your browsing history and location history to marketers. Apparently, AT&T does something similar. Doesn't matter what phone - iOS, Android, anything. Incredibly scummy and nasty. I quickly checked my own Dutch T-Mobile terms, and they don't seem to be doing this.

ClamAV leader leaves the project

"It is time for us to make a change. ClamAV is now mature software and we are confident that Sourcefire will successfully continue its development, move it forward and maintain the integrity of its infrastructure. Matt Watchinski, who has headed Sourcefire's Vulnerability Research Team for 10 years, will continue to lead this project. Joel Esler, the company's Open Source community manager, will also be your main point of contact and advocate."

US, Israel created Stuxnet, lost control over it

"Mr. Obama decided to accelerate the attacks - begun in the Bush administration and code-named Olympic Games - even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran's Natanz plant and sent it around the world on the Internet. Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet." And we're letting these people have unmanned drones. Seems legit.

Flame: massive malware infiltrating Iranian computers

"A massive, highly sophisticated piece of malware has been newly found infecting systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation. The malware, discovered by Russia-based anti-virus firm Kaspersky Lab, is an espionage toolkit that has been infecting targeted systems in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa for at least two years. Dubbed 'Flame' by Kaspersky, the malicious code dwarfs Stuxnet in size." Since I'm not particularly well-versed in the subject, maybe someone can answer this question for me: if country A creates a malware infection like this to spy on and/or harm computers in country B, can it be construed as an act of war under existing international law?