Illustration by Gireesh GV
The Chinese they say are good at copying ideas, Snowden that young gentleman brought up to believe in a democracy that believes in Liberty, Equality and Fraternity could understandably not stomach the global surveillance architecture crafted by his own nation. This he rightly inferred had nothing do with the fight against terrorism. Till Snowden revealed the true extent to which iconic brands were in cahoots with the NSA, none of the western security firms ever discovered the NSA back doors in any hardware or software sold by western companies. There was a lot of hullabaloo of Chinese state sponsored hacking and concerns over Chinese hardware; rightfully so by the Western national security apparatus. These dramatically declined post the Snowden disclosures as the enormity of Western perfidy was exposed.
Now since the Chinese have finally learnt the art of using their market reach in ICT hardware and have copied the West to backdoor their products, life has come full circle. Their cyber army of hackers will now merge into the plethora of companies that have started acquiring a reputation for cheap but effective ICT appliances, the devices they have sold will get weaponised with firmware updates. The global surveillance chickens are coming home to roost and like roosting chickens are going to create a cacaphonic mess that will disrupt the global ICT trade.
Capabilities are what matters as intentions can always change. The Indian nation has been found wanting in having a strategic culture and numerous bodies of literature have highlighted and documented this. It has survived till date with lots of bruises and egg on its face numerous times due to its very size. The information era is a different kettle of fish and the numerous and vast diversity of the Indian nation can be threatened by undermining the social cohesion of its population by an unregulated information landscape hampered by the absence of privacy laws and a reliance on foreign COTS solutions. The potential for social disruption has been highlighted by the mass migration of the North Easterners from the Indian heartland due to messages targeting them and also by the Kashmir uprising triggered after the killing of Hizbul terrorist Burhan Wani a social media phenomenon.
This is an existential threat which the Indian elite ignores to its peril. The entire ICT critical infrastructure of this nation is at the mercy of foreign powers and the ever-increasing data of its citizenry and functions of its state stored under foreign control.
The Prime Minister in the last Combined Commanders conference did lay emphasis on cyber security, what actions have followed since ?. The watchdogs of the Indian state with some honourable exceptions have curiously not barked and alerted the nation. In fact the watchdogs seem to have developed linkages to the very MNC’s peddling these backdoored products and the indigenous industry bodies not representing Indian interests. A privacy law with data localisation and enlightened policies to nurture Indian ICT production is the way forward.
Data they say is the new oil. Why is this impoverished nation gifting its data to the rich Western countries. Who will safe guard the interests of the Indian nation and its citizens ? I have appended two articles below to highlight the issues involved, iPhone that defender of privacy from the land of freedom and the Chinese those stealers of intellectual property of the world are both two sides of the same coin. Think of all the Chinese and Western hardware that make up the backbone of our ICT infrastructure and you will understand the true dimensions of where we as a nation stand as far as cyber security is concerned. Who will protect our national interests.. Do we now dial Donald Trump or Xi Jinping for protecting us..
Security bods find Android phoning home. Home being China
Kryptowire uncovers firmware sending texts, contacts and everything else
15 Nov 2016 at 21:35, Kieren McCarthy
Security researchers have uncovered a secret backdoor in Android phones that sends almost all personally identifiable information to servers based in China.
The firmware is managed by Shanghai Adups Technology, and according to the company, is contained on over 700 million phones worldwide, including phones available in the United States.
Adups says that the firmware provides companies with data for customer support, but an analysis by Kryptowire revealed that the software sends the full bodies of text messages, contact lists, call history with full telephone numbers, and unique device identifiers including the International Mobile Subscriber Identity and the International Mobile Station Equipment Identity.
Or, in other words, everything that you would need to keep someone under surveillance.
Although Shanghai Adups is not affiliated with the Chinese government, the discovery of the firmware is being taken very seriously by US government officials: not least because the firmware does not disclose what it is doing and the firmware – spyware – comes pre-installed on new phones.
On its website, Adups says its firmware is used by 400 mobile operators, semiconductor vendors, and device manufacturers, covering everything from smartphones to wearables to cars and televisions.
The company has admitted that the specific software under examination was written following a request by a Chinese manufacturer, but has refused to name the company.
Phones with the firmware are available for purchase online in the US, including through major retailers like Amazon and BestBuy. Kryptowire said it only discovered its existence by accident when one of its researchers bought a phone to travel with and noticed some irregular network traffic when he turned it on.
Adups has not published a list of the phones its software is included in, although it is known to provide its software to the two large Chinese phone manufacturers Huawei and ZTE. Google has apparently told the company to also remove its software from any Android phones that run its app store, Google Play.
Data collection and transmission on the affected phones are handled by two system applications – com.adups.fota.sysoper and com.adups.fota – neither of which can be disabled by the user.
According to Kryptowire, data transmission of text messages and call logs takes place every 72 hours, and all other personally identifiable information is sent every 24 hours.
The data is sent to four servers:
They all resolve to the same IP address – 184.108.40.206 – which belongs to Adups.
Further adding to suspicions, communication between phones and the servers included two elements that allow the data sent to be connected to a specific phone number. In other words, rather than simply collecting data and aggregating it – something a lot of companies do (but disclose), the Adups software purposefully makes it possible to identify and track specific phones.
In some respects, the Adups software is even more intrusive than the infamous Carrier IQ spyware, which was revealed in 2011 to be key-logging and transmitting data secretly. That discovery sparked an outcry. The technology was recently bought by AT&T.
While Adups doesn’t grab key logging or email address information, it does something much more worrying – enables apps to be updated and installed, and allows for remote execution and privilege escalation.
As such, it would be possible for Adups to identify a specific phone, install additional spyware on it, and grant full access to the phone. It would also be able to remove that software at a later date – ie, it would be the perfect spying tool.
The specific phone that the researchers discovered the firmware on was the BLU R1 HD. CEO of BLU Products, Samuel Ohev-Zion, said that the company was not aware of the firmware’s capabilities, and that the company has now removed it.
According to Adups, the software featured on the phone tested by Kryptowire was not intended to be included on phones in the United States market. ®
iPhones Secretly Send Call History to Apple, Security Firm Says
Apple emerged as a guardian of user privacy this year after fighting FBI demands to help crack into San Bernardino shooter Syed Rizwan Farook’s iPhone. The company has gone to great lengths to secure customer data in recent years, by implementing better encryption for all phones and refusing to undermine that encryption.
But private information still escapes from Apple products under some circumstances. The latest involves the company’s online syncing service iCloud.
Russian digital forensics firm Elcomsoft has found that Apple’s mobile devices automatically send a user’s call history to the company’s servers if iCloud is enabled — but the data gets uploaded in many instances without user choice or notification.
“You only need to have iCloud itself enabled” for the data to be sent, said Vladimir Katalov, CEO of Elcomsoft.
The logs surreptitiously uploaded to Apple contain a list of all calls made and received on an iOS device, complete with phone numbers, dates and times, and duration. They also include missed and bypassed calls. Elcomsoft said Apple retains the data in a user’s iCloud account for up to four months, providing a boon to law enforcement who may not be able to obtain the data either from the user’s phone, if it’s encrypted with an unbreakable passcode, or from the carrier. Although large carriers in the U.S. retain call logs for a year or more, this may not be the case with carrier outside the US.
It’s not just regular call logs that get sent to Apple’s servers. FaceTime, which is used to make audio and video calls on iOS devices, also syncs call history to iCloud automatically, according to Elcomsoft. The company believes syncing of both regular calls and FaceTime call logs goes back to at least iOS 8.2, which Apple released in March 2015.
And beginning with Apple’s latest operating system, iOS 10, incoming missed calls that are made through third-party VoIP applications like Skype, WhatsApp, and Viber, and that use Apple CallKit to make the calls, also get logged to the cloud, Katalov said.
Because Apple possesses the keys to unlock iCloud accounts, U.S. law enforcement agencies can obtain direct access to the logs with a court order. But they still need a tool to extract and parse it.
Elcomsoft said it’s releasing an update to its Phone Breaker software tool today that can be used to extract the call histories from iCloud accounts, using the account holder’s credentials. Elcomsoft’s forensic tools are used by law enforcement, corporate security departments, and even consumers. The company also leases some of its extraction code to Cellebrite, the Israeli firm the FBI regularly uses to get into seized phones and iCloud data.
In some cases, Elcomsoft’s tool can help customers access iCloud even without account credentials, if they can obtain an authentication token for the account from the account holder’s computer, allowing them to get iCloud data without Apple’s help. The use of authentication tokens also bypasses two-factor authentication if the account holder has set this up to prevent a hacker from getting into their account, Elcomsoft notes on its website.
Apple’s collection of call logs potentially puts sensitive information at the disposal of people other than law enforcement and other Elcomsoft customers. Anyone else who might be able to obtain the user’s iCloud credentials, like hackers, could potentially get at it too. In 2014, more than 100 celebrities fell victim to a phishing attack that allowed a hacker to obtain their iCloud credentials and steal nude photos of them from their iCloud accounts. The perpetrator reportedly used Elcomsoft’s software to harvest the celebrity photos once the accounts were unlocked.
Generally, if someone were to attempt to download data in an iCloud account, the system would email a notification to the account owner. But Katalov said no notification occurs when someone downloads synced call logs from iCloud.
Apple acknowledged that the call logs are being synced and said it’s intentional.
“We offer call history syncing as a convenience to our customers so that they can return calls from any of their devices,” an Apple spokesperson said in an email. “Device data is encrypted with a user’s passcode, and access to iCloud data including backups requires the user’s Apple ID and password. Apple recommends all customers select strong passwords and use two-factor authentication.”
The syncing of iCloud call logs would not be the first time Apple has been found collecting data secretly. A few months ago, The Intercept reported about similar activity occurring with iMessage logs.
Chris Soghoian, chief technologist for the American Civil Liberties Union, said he’s not surprised that Apple is collecting the information.
“It’s arguably not even the worst thing about iCloud,” he told The Intercept. “The fact that iCloud backs up what would otherwise be end-to-end encrypted iMessages is far worse in my mind. There are other ways the government can obtain [call logs]. But without the backup of iMessages, there may be no other way for them to get those messages.”
Still, he said it’s further proof that “iCloud really is the Achilles heel of the privacy of the iPhone platform. The two biggest privacy problems associated with iCloud don’t have check boxes [for users to opt out], nor do they require that you opt in either.”
Jonathan Zdziarski, an iOS forensics expert and security researcher, said he doesn’t think Apple is doing anything nefarious in syncing the call logs. But he said that Apple needs to be clear to users that the data is being collected and stored in the cloud.
Authorized and Unauthorized iCloud Collection
iCloud is Apple’s cloud service that allows users to sync data across multiple Apple devices, including iPhones, iPads, iPods, and Macs. The iPhone menu corresponding to the service gives users the option of syncing mail, contacts, calendars, reminders, browser history, and notes and wallet data. But even though call logs are automatically getting synced as well, the menu does not list them among the items users can choose to sync. Because there’s no way to opt in to sync call logs, there is also no way to opt out — other than turning off iCloud completely, but this can cause other issues, like preventing apps from storing documents and data (such as WhatsApp backups) in the cloud.
“You can only disable uploading/syncing notes, contacts, calendars, and web history, but the calls are always there,” Katalov said. One way call logs will disappear from the cloud is if a user deletes a particular call record from the log on their device; then it will also get deleted from their iCloud account during the next automatic synchronization.
Katalov said they’re still researching the issue but it appears that in some cases the call logs sync almost instantly to iCloud, while other times it happens only after a few hours.
In addition to syncing data among their devices, users can also configure their iCloud account to automatically back up and store their data. Katalov said that call logs get sent to the cloud with these backups as well, but this is separate from the trafficking his company discovered: Even if users disable the backups, their call logs will still get synced to Apple’s servers.
“I would suggest Apple to add a simple option to disable call log syncing, as they do that for calendars and other things,” Katalov told The Intercept, though he acknowledges this would likely take some re-architecting on Apple’s part. Nonetheless, he says, “They should allow people to disable that if they want to.”
Even as Apple has increased the security of its mobile devices in recent years, the company has been moving more and more data to the cloud, where it is less protected. Although iCloud data is encrypted on Apple’s server, Apple retains the encryption keys in almost every instance and can therefore unlock the accounts and access data for its own purposes or for law enforcement.
“All of your [iCloud] data is encrypted with keys that are controlled by Apple, but the average user isn’t going to understand that,” Zdziarski said. “You and I are well aware that Apple can read any of your iCloud data when they want to.”
A report in the Financial Times nine months agoindicated Apple plans to re-architect iCloud to resolve this issue and better protect customer data, but that has yet to occur.
Apple discusses the privacy implications of iCloud collection on its website and does say that implementing backups will send to iCloud “nearly all data and settings stored on your device.” A 63-page white paper on the site discloses more clearly that call logs get uploaded to Apple servers when iCloud backups are enabled. But neither document mentions that the logs still get uploaded even if backups aren’t enabled.
Even in an online document abouthandling legal requests from law enforcement, Apple never mentions that call logs are available through iCloud. It says that it possesses subscriber information that customers provide, including name, physical address, email address, and telephone number. It also says it retains IP connection logs (for up to 30 days), email metadata (for up to 60 days), and content that the user chooses to upload, such as photos, email, documents, contacts, calendars, and bookmarks. The law enforcement document also says that Apple’s servers have iOS device backups, which may include photos and videos in the user’s camera roll, device settings, application data, iMessages, SMS and MMS messages, and voicemail.
The only time it mentions call logs is to say that iCloud stores call histories associated with FaceTime, but it says it maintains only FaceTime call invitation logs, which indicate when a subscriber has sent an invitation to someone to participate in a FaceTime call. Apple says the logs “do not indicate that any communication between users actually took place.” It also says it only retains these logs for “up to 30 days.”
But Elcomsoft said this is not true. Katalov said the FaceTime logs contain full information about the call, including the identification of both parties to the call and the call duration. He said his researchers also found that the FaceTime call logs were retained for as long as four months.
Early Clues From Frustrated Apple Customers
Some users are aware that their call logs are being synced to Apple’s servers, because a byproduct of the automatic syncing means that if they have the same Apple ID as someone with a different device — for example, spouses who have different phones but use the same Apple ID — they will see calls from one device getting synced automatically to the device of the other person who is using the same ID.
“It’s very irritating,” one user complained in a forum about the issue. “My wife and I both have iPhones, we are both on the same apple ID. When she gets a call my phone doesn’t ring but when she misses that call my phone shows a missed call icon on the phone app and when I go to the phone app it’s pretty clearly someone who wasn’t calling my phone. Any way to fix this so it stops?”
Another user expressed frustration at not knowing how to stop the syncing. “I use my phone for business and we have noticed in the last few days that all of the calls I make and receive are appearing in my wife’s iPhone recent call history? I have hunted high and low in settings on both phones but with no joy.”
There’s no indication, however, that these customers realized the full implications of their logs being synced — that the same data is being sent to and stored on Apple’s servers for months.
Apple isn’t the only company syncing call logs to the cloud. Android phones do it as well, and Windows 10 mobile devices also sync call logs by default with other Windows 10 devices that use the same Microsoft account. Katalov said there are too many Android smartphone versions to test, but his company’s research indicates that call log syncing occurs only with Android 6.x and newer versions. As with Apple devices, the only way for a user to disable the call history syncing is to disable syncing completely.
“In ‘pure’ [stock versions of] Android such as one installed on Nexus and Pixel devices, there is no way to select categories to sync,” Katalov said. “For some reason, that is only able on some third-party Android versions running on Sony, HTC, Samsung, etc.” The company already produces a tool for harvesting call logs associated with Android devices.
There’s little that subscribers can do to prevent law enforcement from obtaining their iCloud call logs. But to protect against hackers who might obtain their Apple ID from doing the same, they can use two-factor authentication. But Zdziarski said there’s another solution.
“The takeaway really is don’t ever use iCloud. I won’t use it myself until I can be in control of the encryption keys,” he said.
Correction: Nov. 17, 2016
An earlier version of this story quoted the director of a university computer forensics program, who is also a former FBI supervisory agent, stating that telecom providers generally only retain call logs for 30 or 60 days. It has been updated to clarify that U.S. providers retain such information for a year or more.