Feds Finally Decide To Do Something About Years-Old SS7 Spy Holes In Phone Networks

Jessica Lyons reports via The Register: The FCC appears to finally be stepping up efforts to secure decades-old flaws in American telephone networks that are allegedly being used by foreign governments and surveillance outfits to remotely spy on and monitor wireless devices. At issue are the Signaling System Number 7 (SS7) and Diameter protocols, which are used by fixed and mobile network operators to enable interconnection between networks. They are part of the glue that holds today’s telecommunications together. According to the US watchdog and some lawmakers, both protocols include security weaknesses that leave folks vulnerable to unwanted snooping. SS7’s problems have been known about for years and years, as far back as at least 2008, and we wrote about them in 2010 and 2014, for instance. Little has been done to address these exploitable shortcomings.

SS7, which was developed in the mid-1970s, can be potentially abused to track people’s phones’ locations; redirect calls and text messages so that info can be intercepted; and spy on users. The Diameter protocol was developed in the late 1990s and includes support for network access and IP mobility in local and roaming calls and messages. It does not, however, encrypt originating IP addresses during transport, which makes it easier for miscreants to carry out network spoofing attacks. “As coverage expands, and more networks and participants are introduced, the opportunity for a bad actor to exploit SS7 and Diameter has increased,” according to the FCC [PDF].

On March 27 the commission asked telecommunications providers to weigh in and detail what they are doing to prevent SS7 and Diameter vulnerabilities from being misused to track consumers’ locations. The FCC has also asked carriers to detail any exploits of the protocols since 2018. The regulator wants to know the date(s) of the incident(s), what happened, which vulnerabilities were exploited and with which techniques, where the location tracking occurred, and — if known — the attacker’s identity. This time frame is significant because in 2018, the Communications Security, Reliability, and Interoperability Council (CSRIC), a federal advisory committee to the FCC, issued several security best practices to prevent network intrusions and unauthorized location tracking. Interested parties have until April 26 to submit comments, and then the FCC has a month to respond.

Read more of this story at Slashdot.

The FBI Is Using Push Notifications To Catch Sexual Predators

According to the Washington Post (paywalled), the FBI is using mobile push notification data to unmask people suspected of serious crimes, such as pedophilia, terrorism, and murder. Gizmodo reports: The Post did a little digging into court records and found evidence of at least 130 search warrants filed by the feds for push notification data in cases spanning 14 states. In those cases, FBI officials asked tech companies like Google, Apple, and Facebook to fork over data related to a suspect’s mobile notifications, then used the data to implicate the suspect in criminal behavior linked to a particular app, even though many of those apps were supposedly anonymous communication platforms, like Wickr.

How exactly is this possible? Push notifications, which are provided by a mobile operating system provider, include embedded metadata that can be examined to understand the use of the mobile apps on a particular phone. Apps come laced with a quiet identifier, a “push token,” which is stored on the corporate servers of a company like Apple or another phone manufacturer after a user signs up to use a particular app. Those tokens can later be used to identify the person using the app, based on the information associated with the device on which the app was downloaded. Even turning off push notifications on your device doesn’t necessarily disable this feature, experts contend. […]

If finding new ways to catch pedophiles and terrorists doesn’t seem like the worst thing in the world, the Post article highlights the voices of critics who fear that this kind of mobile data could be used to track people who have not committed serious crimes — like political activists or women seeking abortions in states where the procedure has been restricted.


Re-Victimization From Police-Auctioned Cell Phones

An anonymous reader quotes a report from KrebsOnSecurity: Countless smartphones seized in arrests and searches by police forces across the United States are being auctioned online without first having the data on them erased, a practice that can lead to crime victims being re-victimized, a new study found (PDF). In response, the largest online marketplace for items seized in U.S. law enforcement investigations says it now ensures that all phones sold through its platform will be data-wiped prior to auction.

Researchers at the University of Maryland last year purchased 228 smartphones sold “as-is” from PropertyRoom.com, which bills itself as the largest auction house for police departments in the United States. Of the phones they won at auction (at an average of $18 per phone), the researchers found 49 had no PIN or passcode; they were able to guess an additional 11 of the PINs by using the top-40 most popular PINs or swipe patterns. Phones may end up in police custody for any number of reasons — such as their owner being involved in identity theft — and in these cases the phone itself was used as a tool to commit the crime. “We initially expected that police would never auction these phones, as they would enable the buyer to recommit the same crimes as the previous owner,” the researchers explained in a paper released this month. “Unfortunately, that expectation has proven false in practice.”

Beyond what you would expect from unwiped second-hand phones — every text message, picture, email, browser history, location history, etc. — the 61 phones they were able to access also contained significant amounts of data pertaining to crime — including victims’ data — the researchers found. […] Also, the researchers found that many of the phones clearly had personal information on them regarding previous or intended targets of crime: A dozen of the phones had photographs of government-issued IDs. Three of those were on phones that apparently belonged to sex workers; their phones contained communications with clients. “We informed [PropertyRoom] of our research in October 2022, and they responded that they would review our findings internally,” said Dave Levin, an assistant professor of computer science at the University of Maryland. “They stopped selling them for a while, but then it slowly came back, and then we made sure we won every auction. And all of the ones we got from that were indeed wiped, except there were four devices that had external SD [storage] cards in them that weren’t wiped.”


Millions of Mobile Phones Come Pre-Infected With Malware, Say Researchers

Trend Micro researchers at Black Hat Asia are warning that millions of Android devices worldwide come pre-infected with malicious firmware before the devices leave their factories. “This hardware is mainly cheapo Android mobile devices, though smartwatches, TVs, and other things are caught up in it,” reports The Register. From the report: This insertion of malware began as the price of mobile phone firmware dropped, we’re told. Competition between firmware distributors became so furious that eventually the providers could not charge money for their product. “But of course there’s no free stuff,” said [Trend Micro researcher Fyodor Yarochkin], who explained that, as a result of this cut-throat situation, firmware started to come with an undesirable feature — silent plugins. The team analyzed dozens of firmware images looking for malicious software. They found over 80 different plugins, although many of those were not widely distributed. The plugins that were the most impactful were those that had a business model built around them, were sold on the underground, and marketed in the open on places like Facebook, blogs, and YouTube.

The objective of the malware is to steal info or make money from information collected or delivered. The malware turns the devices into proxies that are used to steal and sell SMS messages, take over social media and online messaging accounts, and serve as monetization opportunities via adverts and click fraud. One type of plugin, the proxy plugin, allows the criminal to rent out devices for up to around five minutes at a time. For example, those renting control of the device could acquire data on keystrokes, geographical location, IP address and more. “The user of the proxy will be able to use someone else’s phone for a period of 1200 seconds as an exit node,” said Yarochkin. He also said the team found a Facebook cookie plugin that was used to harvest activity from the Facebook app.

Through telemetry data, the researchers estimated that at least millions of infected devices exist globally, but are centralized in Southeast Asia and Eastern Europe. A statistic self-reported by the criminals themselves, said the researchers, was around 8.9 million. As for where the threats are coming from, the duo wouldn’t say specifically, although the word “China” showed up multiple times in the presentation, including in an origin story related to the development of the dodgy firmware. Yarochkin said the audience should consider where most of the world’s OEMs are located and make their own deductions.

The team confirmed the malware was found in the phones of at least 10 vendors, but that possibly around 40 more were affected. Those seeking to avoid infected mobile phones could go some way toward protecting themselves by going high end. That is to say, you’ll find this sort of bad firmware at the cheaper end of the Android ecosystem, and sticking to bigger brands is a good idea, though not necessarily a guarantee of safety. “Big brands like Samsung, like Google took care of their supply chain security relatively well, but for threat actors, this is still a very lucrative market,” said Yarochkin.


Motorola Unveils Co-Branded Lenovo ‘ThinkPhone’

The Lenovo ThinkPhone by Motorola is being launched today in the U.S. for $699. It’s the first co-branded phone from Motorola, arriving nine years after Lenovo purchased the Motorola brand for $2.91 billion. According to The Verge, the smartphone offers “a suite of productivity features designed to work with ThinkPad laptops.” From the report: The ThinkPhone has a lot of the same stuff as a mainstream flagship phone, even though it’s priced just below the likes of the $799 Samsung Galaxy S23. It comes with a big 6.6-inch 1080p OLED with up to 144Hz refresh rate. Build quality is quite sturdy with an aluminum frame, Gorilla Glass on the front panel, and Lenovo’s signature textured aramid fiber back panel for a softer touch. The whole device is IP68 rated for strong dust and water resistance, and it’s also MIL-STD-810H compliant to protect against falls and more extreme conditions.

In addition to the ThinkPad-like look and feel, there’s a red key on the side of the phone in a nod to Lenovo’s classic keyboard nub. You can customize it to a degree: a double-press can be assigned one of the phone’s ThinkPad integration features, while a single-press can act as an app shortcut. Some apps will even let you launch certain features — mapping it to the “Pay” screen of the Starbucks app could save you a lot of embarrassing fumbling at the register, for example. The ThinkPhone is available first to enterprise customers, with general availability on April 28th via Motorola.com.


Lenovo’s Rollable Laptop and Smartphone Are a Compelling, Unfinished Pitch For the Future

At Mobile World Congress in Barcelona, Lenovo demoed a laptop and smartphone with rollable screens that “can gradually expand to offer more screen real-estate, rather than needing to be completely unfolded like books,” writes Jon Porter from The Verge. These are early proof-of-concept devices that don’t have any public release dates as of yet. From the report: Before we get into the concept laptop’s signature feature, it’s worth pointing out just how unassuming the device looks before its screen unrolls. Lenovo had the device sitting alongside its other laptops in a conference suite, and not a single one of the dozen-or-so journalists in attendance clocked that it was anything other than a standard ThinkPad. In its unextended form, it’s got a regular-looking 12.7-inch display with a 4:3 aspect ratio. That all changes with a flip of a small switch on the right of the chassis, at which point you can hear some motors whirring and the screen extends upwards. That switch causes a couple of motors in the laptop to spring into action, pulling the screen out from underneath the laptop’s keyboard to hoist it up more or less vertically in front of you. It’s an admittedly slow process on this concept device (from our footage it seems to take a little over ten seconds to fully extend), but eventually you’re left with an almost square 15.3-inch display with an 8:9 aspect ratio. The device brings to mind LG’s fancy (and eye-wateringly expensive) rollable TV that’s designed to roll away when you’re not using it. Only in Lenovo’s case the screen is rolling down into the laptop’s keyboard rather than a small box, and it also can’t roll away entirely. Once fully extended, Lenovo’s laptop screen has a small crease where its screen originally bent underneath the keyboard. But again — it’s a prototype.

Lenovo’s other rollable device it’s demoing at MWC is a Motorola smartphone. We’ve seen numerous companies including Samsung Display, Oppo, TCL, and even LG (RIP) show off rollable concept devices in various stages of development over the years, but we’re yet to see the technology break through in a consumer device. Like a foldable, the idea is that a rollable smartphone can be small when you need it to be portable, and big when you need more screen to get the job at hand done. Lenovo’s phone — which it’s calling the Motorola rollable smartphone concept — is all about taking a small square of a display and making it longer. It’s almost like a foldable flip phone, but without a secondary cover display because it’s the same screen the entire time. When all neatly rolled up, Lenovo’s Motorola rollable offers a 5-inch display with a 15:9 aspect ratio. Then, with a small double tap of a side button, the screen unfurls to give you a remarkably tall 6.5-inch display with a 22:9 aspect ratio. […] “In 2019, it seemed like foldable phones were about to become the next big thing in the world of smartphones,” writes Porter, in closing. “But four years later, it feels like we’re still waiting for this future to become a mainstream reality. Lenovo would be the first to admit that its rollable concept devices are far from ready for prime time, but they offer a compelling argument for an alternative, rollable future.”


Q4 2022 Was a Disaster For Smartphone Sales, Sees the Largest-Ever Drop

The International Data Corporation has the latest numbers for worldwide smartphone sales in Q4 2022, and it’s a disaster. Shipments declined 18.3 percent year-over-year, making for the largest-ever decline in a single quarter and dragging the year down to an 11.3 percent decline. With overall shipments of 1.21 billion phones for the year, the IDC says this is the lowest annual shipment total since 2013. Ars Technica reports: In the top five for Q4 2022 — in order, they were Apple, Samsung, Xiaomi, Oppo, and Vivo — Apple was, of course, the least affected, but not by much. Apple saw a year-over-year drop of 14.9 percent for Q4 2022, Samsung was down 15.6 percent, and the big loser, Xiaomi, dropped 26.5 percent. For the year, Samsung still took the No. 1 spot with 21.6 percent market share, Apple was No. 2 with 18.8 percent, and Xiaomi took third place at 12.7 percent.

The IDC also notes consumers are keeping smartphones longer than ever now, with “refresh rates,” or the time that passes before people buy a new phone, ‘climb[ing] past 40 months in most major markets.’ The report closes by saying: “2023 is set up to be a year of caution as vendors will rethink their portfolio of devices while channels will think twice before taking on excess inventory. However, on a positive note, consumers may find even more generous trade-in offers and promotions continuing well into 2023 as the market will think of new methods to drive upgrades and sell more devices, specifically high-end models.”


Do Screens Before Bedtime Actually Improve Your Sleep?

Having trouble falling asleep, a writer for Vulture pondered a study from February in the Journal of Sleep Research that “runs refreshingly counter to common sleep-and-screens wisdom.”

For years, science and conventional wisdom have stated unequivocally that looking at a device — like a smartphone, tablet, laptop, or television — before bed is akin to lighting years of your natural life on fire, then letting the flames consume your children, your community, and the very concept of human progress….

Specifically interested in the use of “entertainment media” (streaming services, video games, podcasts) before bed, [the new February study’s] researchers asked a group of 58 adults to keep a sleep diary and found that, if participants consumed entertainment media in the hour before bed, the habit was associated with an earlier bedtime as well as more sleep overall (though the benefits diminished if participants binged for longer than an hour or multitasked on their phones). Essentially, these researchers explored screen use before bed as a form of relaxation rather than a form of self-harm, which is exactly how I and probably 5 billion other people use it — as a way of distracting our minds from the onslaught of material reality just before we drift off to temporary oblivion.

Vulture’s writer interviews Dr. Morgan Ellithorpe, one of the authors of the Journal of Sleep Research study and an assistant professor in the Department of Communication at the University of Delaware who specializes in media psychology.

Dr. Ellithorpe is a proponent of intentional media use as a way to relieve stress, but she tells me that, in her research, she’s found that the worst types of media to absorb before bed are those that have no “stopping point” — Instagram, TikTok, shows designed to be binge-watched. If you intend to binge a show, that might be fine: “Making a plan and sticking to it seems to matter,” she says. We agree that humans are famously bad at that, and that’s where the problems begin. The solution, Dr. Ellithorpe says, is figuring out why we’re on our screens and if that reason is “meaningful.” Are we turning to a screen in order to recover from an eventful day? Because we want something to talk about with our friends? Because we’re seeking, as she puts it, a moment of “hedonic enjoyment”? The key is that you must be able to recognize when that need is fulfilled. Then “you’re likely to have a good experience, and you won’t need to force yourself to stop. But it takes practice.”

Dr. Ellithorpe cites several studies for me to review — on gratification, mood-management theory, selective exposure, and self-determination theory — all of which, to various extents, grapple with the notion that human beings can make decisions to use media for purposeful things. “There’s this push now to realize that people aren’t a monolith, and media uses that seem bad for some people can actually be really good for other people.” Although many researchers like Dr. Ellithorpe and her cohort are onboard with this push, she admits that “the movement has not filtered out to the public yet. So the public is still on this kick of ‘Oh, media’s bad.'”

And that’s a huge part of the issue. “We sabotage ourselves when it comes to benefiting from media because we’ve been taught in our society to feel guilty for spending leisure time with media,” Dr. Ellithorpe says. “The research in this area suggests that people who want to use media to recover from stress, if they then feel bad about doing so, they don’t actually get the benefit from the media use.”

But even Dr. Ellithorpe is prone to unintentional sleep moralizing, saying she is often “bad” and “on her phone two seconds before I turn off the light.” She recommends watching a “low-challenge show” before bed and, like Dr. Kennedy, cites Stranger Things specifically as a dangerous pre-bed content choice because “you have to keep track of all the characters, remember what happened three seasons ago, and it’s emotionally charged. It might be difficult afterward to come down from that and go to bed.” In the end, she suggests watching whatever you want as long as it doesn’t delay your bedtime.


Visitors of Qatar World Cup Need To Install Spyware On Their Phone

“Everyone visiting Qatar for the World Cup needs to install spyware on their phone,” writes security researcher Bruce Schneier. His comments are in response to an article from the Norwegian Broadcasting Corporation (NRK), reporting: Everyone traveling to Qatar during the football World Cup will be asked to download two apps called Ehteraz and Hayya. Briefly, Ehteraz is a covid-19 tracking app, while Hayya is an official World Cup app used to keep track of match tickets and to access the free Metro in Qatar. In particular, the covid-19 app Ehteraz asks for access to several rights on your mobile, like access to read, delete or change all content on the phone, as well as access to connect to WiFi and Bluetooth, override other apps and prevent the phone from switching off to sleep mode.

The Ehteraz app, which everyone over 18 coming to Qatar must download, also gets a number of other accesses such as an overview of your exact location, the ability to make direct calls via your phone and the ability to disable your screen lock. The Hayya app does not ask for as much, but also has a number of critical aspects. Among other things, the app asks for access to share your personal information with almost no restrictions. In addition, the Hayya app provides access to determine the phone’s exact location, prevent the device from going into sleep mode, and view the phone’s network connections. It remains to be seen whether Qatar will strictly enforce the installation of these apps. “I know people who visited Saudi Arabia when that country had a similarly sketchy app requirement,” says Schneier. “Some of them just didn’t bother downloading the apps, and were never asked about it at the border.”
