Tell HN: Your Android carrier can remotely turn settings on
(1) Were you aware that carriers can remotely override your settings like this? (2) Any strategies to keep something like this from happening besides rooting the device? (3) How do you feel about this type of remote control by a third party?
I must say I strongly dislike losing control over my own device. It feels dystopian to me.
I also couldn't find any mention of this particular power of carriers apart from one lonely Reddit post about someone trying to turn off Amber alerts [1].
---------------- EDIT: Additional info for clarity:
The settings I am referring to are under "Apps & notifications"/"Wireless emergency alerts". They are about controlling whether to and which alerts one wants to receive on their phone.
It's an unlocked Android One device. The carrier seems to be able to remotely change these settings (see the referenced Reddit post as well), which I would never expect. It seems to be because of the SIM the phone uses and the network it connects to. No user-controlled software change like updates.
----------------
[1] https://old.reddit.com/r/GooglePixel/comments/zebvs4/settings_changed_by_carrier/
298 comments
[ 3.9 ms ] story [ 278 ms ] threadSome of our bank accounts require using an Android (or iPhone) app, for example. Messengers like Signal don't work w/o a smartphone. COVID-related apps for traveling. I could continue.
Genuinely curious.
Choosing your bank according to the provision of acceptable services.
> messengers
You just need an OS somewhere (not necessarily a smartphone)
> travelling
Cannot really help: if some administration requested a smartphone, I would either try to avoid it or buy some provisional, temporary thing.
I feel like you are confusing local Android settings with carrier settings loaded from network. For instance carrier is not going to change setting of your default keyboard or ringtone without (carrier customized) system update.
The settings I am referring to are under "Apps & notifications"/"Wireless emergency alerts". They are about controlling whether to and which alerts one wants to receive on their phone.
This not only seems very user-facing to me, it's also something I definitely would want to have control over.
It's an unlocked Android One device. The carrier seems to be able to remotely change these settings (see the referenced Reddit post as well), which I would never expect. It seems to be because of the SIM the phone uses and the network it connects to. No user-controlled software change like updates.
Does my surprise make more sense now?
Your personal device is letting you know your carrier does not provide an option for this setting.
(2) All the ways I can think off are significantly harder than rooting, so essentially no.
(3) I don't really mind that much, I have Google services running on my phone and I am certain those can do far more than my carrier could ever dream off. I have begrudgingly accepted those, so it would be a bit hypocritical to complain about my carrier turning cell broadcast back on. Especially since "turning cell broadcast back on" is a use case that I can see the argument behind.
It you care about this then I suggest you look up the relevant standard documents, probably you will find this behavior documented there.
What standard are you referring to?
Carriers can't change regular settings like language, lock screen code or background. Just what cell towers you connect to and a short list of telephony related features. Please correct me if I'm wrong.
I've understood cell broadcasts are also used for advertisements/otherwise spammy stuff in eg. the US? Then I could understand you considering cell broadcast being turned on being unreasonable
For example, what politician could turn down the grieving parents of a kidnapped child, when they call for using the emergency alert system for missing children?
But if I work from home, and there aren't any kidnapped children in my home, then waking me up at 5am with a missing child alert just inconveniences for no benefit to anyone.
Everyone will be forced to see how much they care which proves how good they are, like it or not!
Stranger than waking people up from sleep for a custody disagreement, is when they'd broadcast those on TV... The purpose of those is not to find the kid, but to send a message to TV viewers, none of whom would be of any assistance in finding the kid.
You see this display of "care" with storm sirens being set off after the storm already passed the area.
Well guess what? The Quebec government sends every type of alert, even the regular test ones, with the presidential alert severity which makes all of these settings useless and does nothing but irritate the population with spammy messages. Recently, they sent out an AMBER alert that was supposed to be localized in some area and, instead, sent it everywhere in Quebec except for the affected area. This is exactly why people have the right to remain skeptical about alert systems like this one.
Err, no - emergency alerts aren’t used for advertising here.
Just wait when your neighbor repeats the packet at night, locally and undetected
https://en.m.wikipedia.org/wiki/Wireless_Emergency_Alerts#Se...
They already do that. Or, rather they don't need to "know" anything; a phone with no signal will scan through all the bands it has a radio for, and will find a network to connect to. If a network rejects the connection, it'll move on to another.
This is also something that traditionally has been configurable: you can tell your phone not to do this, if you want, and it will obey your command. But allowing the carrier to change settings on the phone after a connection is established is pretty intrusive, IMO.
(2) Changing to a device that doesn't have that feature. Which probably means no Android and no iOS. I would not be willing to do so, I'd change carrier instead if it was problematic enough to me.
(3) I don't mind when it's to set settings for a good reason. I assume some settings are configured that way for the phone to properly work on the carrier network. On the other hand, I hate it when it's to enforce a stupid thing or extract more money from a built-in feature.
You can attempt to disable it, but you need to be aware that in many places it's outright illegal for phone manufacturer and carrier to allow that.
My iOS settings and experience differ from this rather greatly - can you cite any such laws or regulations?
I have clear settings on my up to date ios device in the US, on a large American carrier that allow me to a)ignore emergency alerts, b) get them but silently if my phone is in silent mode, or c) allow them through at full blast.
See https://support.apple.com/en-us/HT202743 - note the little "3" note where it says that some broadcasts in some regions can't be disabled?
I believe these varies by country, since this was done for a limited set of countries my Company sas operating on
Just because its listed under "Apps & notifications"/"Wireless emergency alerts", it doesn't mean they are "user settings". Its not necessarily the local "carrier" that turned the settings on, its more that connecting to a cell tower in a particular jurisdiction can enforce receiving emergency alerts.
More on the EU alerts systems: https://en.wikipedia.org/wiki/EU-Alert
This absolutely is a user setting.
How far we've fallen from sharing the DeCSS flag, to arguing that users shouldn't have control over their devices, and governments and carriers should.
Hey, it's the law! You must comply, and for your convenience, your phone will do that automatically for you!
Good grief.
But of course, that wouldn't be convenient, and a lot of people would be confused, and that would generate costly support calls, so they'd rather just violate the sanctity of the things we apparently don't really own and put intrusive hooks into "our" hardware and software.
In the case of this particular requirement -- that wireless alerts be enabled -- I would almost certainly just enable them and go about my day. But reaching into my device and changing things without my consent crosses a line.
You just need to sign a service level agreement along with paying for them to develop that feature and deploy it on your phone.
The people who have the power to make the phones vs the people who have the power to make laws and prevent the makers from selling, vs a few individuals who actually care and a large majority who do not have the time to care.
I’d love to vote with my wallet, but I live in a country that 90%+ votes against me, so my vote is meaningless.
Companies will then be forced to make a decision based on the market size of your country. Or they will break the law, and you will have to deal with enforcement.
Most companies would like to do business in the EU.
And as we've seen time and time again, China can get away with a lot of bullshit with demands anywhere from tech to culture (e.g. MCU films that ended up censored). At least now, Apple has woken up and begun moving off production to Vietnam, and Marvel has decided to ignore Chinese demands after all.
If you suffer from panic attacks, for example, and these alerts trigger them, they do not help you, no matter how well intended.
If you suffer from (C)PTSD, and these alerts trigger flooding, they actually make everything worse.
If this were to happen while you are driving, you might even cause an accident.
The world is sadly too complex for simple solutions that assume something to be always good or helpful.
Which is why I believe it's important for the user to eventually control his device.
Of course, you can liberate yourself quite a bit from the draconian rule of the manufacturer by rooting the device, but then you're also able to disable cell broadcasts permanently...
We need to get rid of those in power who decide on things they have no fucking clue about it. The easiest way to do that is to not just go vote, but educate everyone else about who is running and why they are/are not a good choice. The harder way is also (at least for the US folks) showing up and engaging at primary votes and holding the primary candidates accountable, which takes a lot more effort but has the advantage that your vote is amplified in its effects.
Smartphones are already locked down in a million other ways compared to eg a desktop Linux install. Why is this different?
It's not, but it's bad that smartphones are locked down like that, so we should be pushing back on it at every opportunity.
Namely, that it's created by a party / parties also subject to (and abiding by) these laws?
I'm not sure what you plan to do with this information; certainly a law-abiding supplier is more likely to remain in business, so perhaps it's indicative of a better chance of receiving long-term support for the device...
The EU legislation allows "opt out" from level 2/level 3 notifications, but is based on the notion that messages are received "without the need for the public to have to opt-in".
So for compliance sake, you're opted in. Maybe this should only happen the first time you enter EU or a member state, and then either your phone or cell service provider should remember your preference (which is probably not worth the resources to implement for the cell service provider, but maybe your phone already does?).
I'd be interested to see if this already exists, i.e. do you only need to opt out in Germany once? Does that opt-out at EU level?
When your wife disabled notifications, she merely opted out of notifications in whatever jurisdiction she was in (presumably US?), but opting out of something in US doesn't mean you opted out of every other similar law from every other nation state.
The fact that it's so unclear leads me to wonder what other settings -- perhaps some related to my security or privacy -- the carrier can modify without my knowledge.
You can’t disable 911/112 just because you don’t like it either.
Nothing sadder/funnier than seeing politicians defend their broken system as it increasingly did broken things.
Buuuuut, these alerts are LTE/5G only, so I’ve set up an iPhone automation to switch my phone to 3G in the evening and back to whatever in the morning to avoid alerts at night. I’ll cry when 3G gets shutdown.
A lot of people in this thread are understandably okay with good carriers doing this for good reasons, but it's very easy to abuse if there aren't strong enough communication laws. From the amount of spam I got when I lived there, I'm surprised this is not happening in America.
With that implementation, it would not be possible for any random carrier in a foreign country to load random bloat onto my phone just by me crossing the border to that country.
You travel to other countries, you abide by their laws. This is no different.
Even with a rooted device where perhaps you personally coded up the ROM you are still missing a piece which is the binary blob that runs the baseband radio. That firmware is, afaik, not something which exists in any sort of open-source or rootable manner. It's a closed blob running proprietary software on your phone, and it runs at a lower level than the ROM/OS does. So, even if you go to great lengths to secure most of the software that runs on the device (a noble goal, it's your hardware after all!) then you still must contend with the uncertainty and perhaps risk (depending on your threat model) of that untrusted code running there. You can search around the web for articles covering baseband radio exploits that span the years...
Probably illegal and the firmware running the radio hardware is still proprietary.
> Not everything is open in this firmware. The baseband firmware, aka the RF bits known as ADSP firmware, remains closed and not yet reverse-engineered by anyone – you’re not gonna be running OpenBTS on this modem yet.
> The TrustZone kernel remains closed too – my understanding is that it’s signed by Qualcomm.
Some manufacturers likely still implement the "old" architecture, though.
Edit typo
The Amber alerts, OTOH, have been usually across the state and of debatable usefulness[0].
0: https://www.tandfonline.com/doi/abs/10.1080/0735648X.2014.10...
[1] https://en.wikipedia.org/wiki/2018_Hawaii_false_missile_aler...
[2] https://www.youtube.com/watch?v=sdmkTkWB40Q
[3] https://media.ccc.de/v/osmodevcon2019-107-production-grade-c...
[4] https://osmocom.org/projects/cellular-infrastructure/wiki/Se...
https://nymag.com/intelligencer/2013/07/ambert-alert-phone-4...
I remember group chats of people discussing how to turn it off and my friends and I telling our parents how to turn them off.
I think your example is a powerful reminder why folks turn off alerts. For most of us tho, it was the bazillionth urgent notice of a non-applicable event.
I googled the issue and it's affecting quite a lot of people. It's unclear whether the culprit is the provider or a long-standing bug in iOS (the first mention I found is a few years old). Some people suggested that you take out the SIM and the options would reappear. Didn't work in my case.
Which also reminds me how the NSA has intentionally crippled standards in the past so they could eavesdrop or inject code without having to go through the carrier. This means Johnny Scriptsalot can do it too.
10-20 years ago the FBI was regularly remotely programming firmware to listen in and record cell phone microphones to capture conversations of suspects. IIRC a mafia case hinged on data gathered in this way so it is not some abstract theoretical or crackpot theory (https://www.cnet.com/news/privacy/fbi-taps-cell-phone-mic-as...).
It's only gotten worse as phones have gotten more capable. You don't own squat about the device in your pocket at all times.
1) Prudent opsec against nation-state adversaries dictates that you assume 0 time for them to have a tap on a device.
2) In reality, it takes >0 time, because people processes aren't instantaneous.
3) Intelligence services sometimes break the letter of the law.
4) Intelligence services usually follow the law, because it's less hassle.
That's not really a problem when intelligence services can just "remind" any would-be annoying congress person that they have endless amounts of data showing exactly what they and their family members have been doing and could plant whatever they want into the data they already have.
One of the things that finally convinced Snowden to give up everything he had in order to tell the American people that the NSA was violating their constitutional rights was when he watched NSA director James Clapper outright lie right to the faces of congress. After the truth came to light, do you think Mr. Clapper faced any meaningful consequences for that? Nope. Can you guess why not?
Intelligence services are too powerful to be held accountable by anyone. They'll do whatever they want.
I think I got hacked for trying to run for Congress.
"If video games have taught me anything, it's that if you encounter enemies then you're going the right way." - Ali G
lol
This was also around the time remote meth labs were getting really common out in rural areas. Multiple agents were talking about how frustrated they were with getting access to burner phones since most of the companies were resellers. They said by the time they got a warrant to start recording the devices, they were already dead.
I guess the bad guys knew their burner phones were only good for about two to three months tops. That was usually the timeframe from when the FBI got a read on a line, saw a judge and got the warrant processed, to contacting the carrier and getting access.
Sounds like whatever was hampering them in the past has been fixed.
There are a tonne of reddit links on this one so I'll leave it to the Interested Reader.
In one of those conversations, I was asked to not publish details about the extensive cellular tracking data that had helped to make the case. According to the detective, despite the ubiquitousness of cellular tracking data in prosecutions, your everyday criminal is not doing anything remotely like ‘throwing mobile phones out of the car window after each call.’ Quite the opposite, they are posting pictures of themselves with contraband to Instagram, and using their phones to facilitate crime as if they were untouchable.
Perhaps drug lords are more careful than lower-level dealers, but I’m not so sure. Total conjecture here, but I suspect the money gets to their heads, which leads to a feeling of invincibility — with consequent opsec failures.
If you keep an eye on major arrests, criminals routinely get taken down in essentially the same ways as the criminals who were caught before them. Despite their belief that they had been taking precautions against those failure modes.
Also, public telephones are no longer an option.
At a certain level you stop buying burner phones and simply buy the whole phone company.
https://www.npr.org/2011/12/09/143442365/mexico-busts-drug-c...
Street level criminals are like Fast food employees - replaceable. The guys up the chain can be invisible indefinitely, but hooking up with the wrong girl, pissing off the wrong guy, being too impulsive or too deliberate with a decision etc can be the one mistake.
VPNs hide the content of connections, at least from MITM / eavesdroppers, but server-side data scrapes are quite effective at figuring out who you are (or what your phone is ... see below). Nothing really does a good job of hiding the fact that you are connected to a VPN except TOR, and where that connection originates (e.g., your wifi network, which is well Geo-located, remember?). And de-anonymization of VPN connections to identify downstream connections are possible, IIRC. Details about your phone are well recorded (MAC, SID, etc)
And always remember, your phone can be implicated based on location data, which will implicate you once it's discovered you own the phone. And that's as simple as looking up the SIM purchase / use.
When I am at home, I am WIFI only. When I am out, WIFI & bluetooth are off. This takes some discipline at first but then just becomes habit. I know the spot on my commute home where I switch my settings.
In theory it could protect location data from the carrier for locating you with a wild amount of opsec practice but I highly doubt you could pull that off for a daily driver.
Having wifi/bluetooth off in public isn't a terrible idea though as those are generally much easier attack surfaces and are leakier.
Suppose you wanted to find someone that aways turned on their phone on at ~8:15 AM and found someone that always turned their phone off at ~8:10 AM within 15 miles. How difficult would you say it was to make this connection?
All of these privacy focussed phone OSes tread lightly on the fact that there are a grand total of zero modern open source basebands in existence.
You need burner phones to cycle after each usage.
TBH, seems you cranked up the paranoia to 11. The VPN has to terminate somewhere, so if I was a state actor attacking you, I'd figure out where that is. WiFi+BT firmware isn't bullet proof, either, and hypothetically an exploit chain could be found to enter via WiFi and stealthy enable cellular. In practice XKCD #538 applies: https://xkcd.com/538/
For most of us the attacker is someone trying to make some money by scamming, stealing CC or installing a malicious app.
VPNs cannot break TLS, (unless you're dealing with the intelligence apparatus of a major power, which probably can break TLS) so they cannot introspect most of the content you send and receive anyways.
What they can do, however, is see the domain name of the HTTP requests you send when setting up TLS.
Chaining VPNs doesn't add security by any metric.
It's also possible GP is referencing GGPs arguably paranoid position on phones, relating it to similar paranoias held by Dwight (the character who delivers the monologue).
https://youtu.be/PlIzKaGBeHk
Do your family and friends do that?
Maybe it's better to blend in with the noise.
That's not how saved networks work, as far as I know. If you have a source saying otherwise, I would like to read it.
[0]: https://www.wi-fi.org/knowledge-center/faq/what-are-passive-... [1]: https://dot11ap.wordpress.com/active-scanning-probes/ [2]: https://stackoverflow.com/questions/36264440/phone-doesnt-se...
What does intelligence have to do with whether someone is a criminal? There are dumb criminals and smart criminals; I'm not sure what the correlation here is.
Honestly though they might as well just use the average IQ for the population. There's not a person alive who hasn't violated some law at some point. We're all criminals.
Treating this just like investments, over your lifetime, its a no brainer on which is the better path to take.
"Why do this risky exciting dangerous thing over there when you could come over here and be a flacid lifeless drone with me at Bezos' personal blowjob-drone company. Marry the first person you meet, have some kids, yay stability!"
It's the day you miss something that your effort was pointless. Even if your solution is always secure, it only takes one slip up to ruin everything
Any threat as large as youre trying to protect against, if interested in you, can just wait for you to make a mistake.
Anyhow, if one slip-up is enough, you're doing it wrong. Imagine you were a mad scientist testing out a jetpack- you are confident yes? But I imagine you would feel more confident with a bunch of nets, and a trampoline underneath that, and a lightning rod in case of a storm, and a requirement that you hold down multiple buttons at once to play with the controls, etc.
That is, if you are serious you will put in multiple safety nets at every layer of the stack so that "one slip" is not enough.
You like to talk to people, but you know that a long-term pseudonym is the gravest danger of them all.
You like virtualization, but you keep some crucial data and keys(treams) on a un-networked machine.
You like anonymizing networks, but you know the caveats of traffic tunneling and didn't connect from your home router.
You connect to a randomly-chosen wireless AP, but you know that just in case your MAC-spoofing fails or you get pwned or something, you are glad that you bought the device with cash and never tied its characteristics to your identity.
You are glad that the only transceiver connected to the device is an external wireless dongle so that when you are done, you don't accidentally connect with your device from home.
You are glad you waited for an overcast day so that you could thwart spy satellites that use visible/infrared light, and that you connected to the AP from afar to thwart cameras.
The list goes on. The guy whose face you see plastered in the news? Yeah, that guy thought his experimental jetpack was the shit. And it was- until it wasn't.
How do you pay for jmp.chat? Do you trust their code to be bug-free and without possible exploits? Do they do regular security audits and code reviews? Do they have enough users and maintainers to be able to quickly detect and address security issues? Are you sure Airplane Mode turns off the baseband and cuts off all cellular communication? It doesn't, you can still emergency receive alerts in Airplane Mode. Your phone can tell exactly where you are by comparing your wifi search results + RSSIs to known public databases without even having to use GPS. How much do you trust your VPN provider to keep no logs? How do you pay for VPN?
I use the word 'mitigate' not 'solve' since closed source baseband modems are a problem. Cellular traffic is off in airplane mode, but the baseband could be exploited if someone wanted to find me AND knew which IMEI to target. Because the IMEI has never been associated to me, that is a challenge.
I run my own VPN and share it with a few other people.
How confident are you in your VPN server configuration skills? Gaining access through mis-configured self-hosted boxes is the easiest attack vector usually as most people who self-host aren't experts in the software they are using leading to leaks. Besides that, do you keep a list of packages installed on your box, open ports, etc? How about security patches and regular updates as well as auditing access logs to ensure no one gained access to your box?
Squeaky wheels get the grease and squeaky nails get the hammer, but silence in a noisy forest is alarming.
The carrier definitely knows where you live if you take your phone to your house at night, even if it is off. The only way to prevent that is to put it in a faraday pouch at your “airplane mode” checkpoint.
Why do you think basically zero phones have trivially removable/changeable batteries? Any phone that clams to be security first and doesn’t at least have a switch (an actual switch) that disconnects the battery altogether is a joke.
I wish my cellphone would not have all those sensors for this reason...
Specifically can your whatsapp/signal audio calls be recorded by FBI remotely in this manner?
Hint, it's not the application you use but the microphone/speaker itself.
Yes, court records show the FBI has and continues to explicitly do this. Leaks from folks like Snowden show the NSA/CIA have done this too.
> Specifically can your whatsapp/signal audio calls be recorded by FBI remotely in this manner?
The baseband firmware is at a level 'below' the operating system of the phone. It can directly access peripherals and intercept them, so it could be reading your microphone and passing it along to the higher level OS at the same time. WhatsApp/Signal thinks it's secure, and if you look at its app signature or anything else it looks exactly like the normal app you expect. However your data is still getting intercepted at the lower level and recorded for a state/government actor.
Are you saying that the electrical signals from the microphone and to the speakers pass through the baseband chip before/after going to the main chip on the phone? Or that the baseband chip has separate access to the microphone and speakers?
Baseband firmware is the firmware for the modem. It has no relation to the SoC that runs the phone, unless there is some sort of exploit that allows it direct hardware/memory access. To listen to the mic or capture video, it has to interface with the ADC chip which is not directly connected to it.
There may have been phones in the past that allowed DMA to the SoC from the baseband chip which hypothetically would have allowed a properly crafted exploit on a per app basis, but its not longer the case, as pretty evident by the FBI asking Apple to unlock the phones (if they could access the memory from baseband, they would not need to)
People are discussing that in this thread:
https://news.ycombinator.com/item?id=33958252
It looks like the implementation isn't perfect yet but it's a start.