Entries Tagged "phones"

Page 7 of 18

Samsung Television Spies on Viewers

Earlier this week, we learned that Samsung televisions are eavesdropping on their owners. If you have one of their Internet-connected smart TVs, you can turn on a voice command feature that saves you the trouble of finding the remote, pushing buttons and scrolling through menus. But making that feature work requires the television to listen to everything you say. And what you say isn’t just processed by the television; it may be forwarded over the Internet for remote processing. It’s literally Orwellian.

This discovery surprised people, but it shouldn’t have. The things around us are increasingly computerized, and increasingly connected to the Internet. And most of them are listening.

Our smartphones and computers, of course, listen to us when we’re making audio and video calls. But the microphones are always there, and there are ways a hacker, government, or clever company can turn those microphones on without our knowledge. Sometimes we turn them on ourselves. If we have an iPhone, the voice-processing system Siri listens to us, but only when we push the iPhone’s button. Like Samsung, iPhones with the “Hey Siri” feature enabled listen all the time. So do Android devices with the “OK Google” feature enabled, and so does an Amazon voice-activated system called Echo. Facebook has the ability to turn your smartphone’s microphone on when you’re using the app.

Even if you don’t speak, our computers are paying attention. Gmail “listens” to everything you write, and shows you advertising based on it. It might feel as if you’re never alone. Facebook does the same with everything you write on that platform, and even listens to the things you type but don’t post. Skype doesn’t listen—we think—but as Der Spiegel notes, data from the service “has been accessible to the NSA’s snoops” since 2011.

So the NSA certainly listens. It listens directly, and it listens to all these companies listening to you. So do other countries like Russia and China, which we really don’t want listening so closely to their citizens.

It’s not just the devices that listen; most of this data is transmitted over the Internet. Samsung sends it to what was referred to as a “third party” in its policy statement. It later revealed that third party to be a company you’ve never heard of—Nuance—that turns the voice into text for it. Samsung promises that the data is erased immediately. Most of the other companies that are listening promise no such thing and, in fact, save your data for a long time. Governments, of course, save it, too.

This data is a treasure trove for criminals, as we are learning again and again as tens and hundreds of millions of customer records are repeatedly stolen. Last week, it was reported that hackers had accessed the personal records of some 80 million Anthem Health customers and others. Last year, it was Home Depot, JP Morgan, Sony and many others. Do we think Nuance’s security is better than any of these companies? I sure don’t.

At some level, we’re consenting to all this listening. A single sentence in Samsung’s 1,500-word privacy policy, the one most of us don’t read, stated: “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.” Other services could easily come with a similar warning: Be aware that your e-mail provider knows what you’re saying to your colleagues and friends and be aware that your cell phone knows where you sleep and whom you’re sleeping with—assuming that you both have smartphones, that is.

The Internet of Things is full of listeners. Newer cars contain computers that record speed, steering wheel position, pedal pressure, even tire pressure—and insurance companies want to listen. And, of course, your cell phone records your precise location at all times you have it on—and possibly even when you turn it off. If you have a smart thermostat, it records your house’s temperature, humidity, ambient light and any nearby movement. Any fitness tracker you’re wearing records your movements and some vital signs; so do many computerized medical devices. Add security cameras and recorders, drones and other surveillance airplanes, and we’re being watched, tracked, measured and listened to almost all the time.

It’s the age of ubiquitous surveillance, fueled by both Internet companies and governments. And because it’s largely happening in the background, we’re not really aware of it.

This has to change. We need to regulate the listening: both what is being collected and how it’s being used. But that won’t happen until we know the full extent of surveillance: who’s listening and what they’re doing with it. Samsung buried its listening details in its privacy policy—they have since amended it to be clearer—and we’re only having this discussion because a Daily Beast reporter stumbled upon it. We need more explicit conversation about the value of being able to speak freely in our living rooms without our televisions listening, or having e-mail conversations without Google or the government listening. Privacy is a prerequisite for free expression, and losing that would be an enormous blow to our society.

This essay previously appeared on CNN.com.

ETA (2/16): A German translation by Damian Weber.

Posted on February 13, 2015 at 7:01 AMView Comments

US Law Enforcement Also Conducting Mass Telephone Surveillance

Late last year, in a criminal case involving export violations, the US government disclosed a mysterious database of telephone call records that it had queried in the case.

The defendant argued that the database was the NSA’s, and that the query was unconditional and the evidence should be suppressed. The government said that the database was not the NSA’s. As part of the back and forth, the judge ordered the government to explain the call records database.

Someone from the Drug Enforcement Agency did that last week. Apparently, there’s another bulk telephone metadata collection program and a “federal law enforcement database” authorized as part of a federal drug trafficking statute:

This database [redacted] consisted of telecommunications metadata obtained from United Stated telecommunications service providers pursuant to administrative subpoenas served up on the service providers under the provisions of 21 U.S.C. 876. This metadata related to international telephone calls originating in the United States and calling [redacted] designated foreign countries, one of which was Iran, that were determined to have a demonstrated nexus to international drug trafficking and related criminal activities.

The program began in the 1990s and was “suspended” in September 2013.

News article. Slashdot thread. Hacker News thread.

EDITED TO ADD (1/19): Another article.

Posted on January 19, 2015 at 12:42 PMView Comments

Surveillance Detection for Android Phones

It’s called SnoopSnitch:

SnoopSnitch is an app for Android devices that analyses your mobile radio traffic to tell if someone is listening in on your phone conversations or tracking your location. Unlike standard antivirus apps, which are designed to combat software intrusions or steal personal info, SnoopSnitch picks up on things like fake mobile base stations or SS7 exploits. As such, it’s probably ideally suited to evading surveillance from local government agencies.

The app was written by German outfit Security Research Labs, and is available for free on the Play Store. Unfortunately, you’ll need a rooted Android device running a Qualcomm chipset to take advantage.

Download it here.

Posted on January 14, 2015 at 1:18 PMView Comments

SS7 Vulnerabilities

There are security vulnerabilities in the phone-call routing protocol called SS7.

The flaws discovered by the German researchers are actually functions built into SS7 for other purposes—such as keeping calls connected as users speed down highways, switching from cell tower to cell tower—that hackers can repurpose for surveillance because of the lax security on the network.

Those skilled at the myriad functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption. There also is potential to defraud users and cellular carriers by using SS7 functions, the researchers say.

Some details:

The German researchers found two distinct ways to eavesdrop on calls using SS7 technology. In the first, commands sent over SS7 could be used to hijack a cell phone’s “forwarding” function—a service offered by many carriers. Hackers would redirect calls to themselves, for listening or recording, and then onward to the intended recipient of a call. Once that system was in place, the hackers could eavesdrop on all incoming and outgoing calls indefinitely, from anywhere in the world.

The second technique requires physical proximity but could be deployed on a much wider scale. Hackers would use radio antennas to collect all the calls and texts passing through the airwaves in an area. For calls or texts transmitted using strong encryption, such as is commonly used for advanced 3G connections, hackers could request through SS7 that each caller’s carrier release a temporary encryption key to unlock the communication after it has been recorded.

We’ll learn more when the researchers present their results.

Posted on December 19, 2014 at 6:41 AMView Comments

Fake Cell Towers Found in Norway

In yet another example of what happens when you build an insecure communications infrastructure, fake cell phone towers have been found in Oslo. No one knows who has been using them to eavesdrop.

This is happening in the US, too. Remember the rule: we’re all using the same infrastructure, so we can either keep it insecure so we—and everyone else—can use it to spy, or we can secure it so that no one can use it to spy.

Posted on December 16, 2014 at 11:34 AMView Comments

Who Might Control Your Telephone Metadata

Remember last winter when President Obama called for an end to the NSA’s telephone metadata collection program? He didn’t actually call for an end to it; he just wanted it moved from an NSA database to some commercial database. (I still think this is a bad idea, and that having the companies store it is worse than having the government store it.)

Anyway, the Director of National Intelligence solicited companies who might be interested and capable of storing all this data. Here’s the list of companies that expressed interest. Note that Oracle is on the list—the only company I’ve heard of. Also note that many of these companies are just intermediaries that register for all sorts of things.

Posted on December 12, 2014 at 9:26 AMView Comments

Pre-Snowden Debate About NSA Call-Records Collection Program

AP is reporting that in 2009, several senior NSA officials objected to the NSA call-records collection program.

The now-retired NSA official, a longtime code-breaker who rose to top management, had just learned in 2009 about the top secret program that was created shortly after the Sept. 11, 2001, attacks. He says he argued to then-NSA Director Keith Alexander that storing the calling records of nearly every American fundamentally changed the character of the agency, which is supposed to eavesdrop on foreigners, not Americans.

Hacker News thread.

Posted on November 20, 2014 at 2:42 PMView Comments

1 5 6 7 8 9 18

Sidebar photo of Bruce Schneier by Joe MacInnis.