Smart phones and privacy

February 24, 2015

The World Today story “Alleged hack of world’s largest SIM card manufacturer Gemalto could affect Australian mobiles” highlights several currents running through the protection of data and privacy. The first is finding the best way to keep data secure. Technologically, encryption is increasingly a minimum requirement. Privacy guidelines make it clear that encryption of key data is good privacy practice. However, with the cost of encryption decreasing while its sophistication increases, the dilemma for some organs of the State is the inability to access data. Encryption works against surveillance, be it of a police or national security kind. The attitude one has to this development depends on where one stands on the political spectrum. This may explain, at least for one national security body, the hack on Gemalto.

The story provides:

ELEANOR HALL: Now to those warnings that the alleged cyber attack on the world’s largest SIM card manufacturer could allow overseas spy agencies to tap the mobile phones of Australians.

Documents supplied by Edward Snowden allege that US and British spies hacked into the Gemalto company to steal encryption keys that enable the monitoring of mobile communications.

Telstra, Vodafone and Optus have all confirmed that Gemalto has supplied their SIM cards.

Sarah Sedghi reports.

SARAH SEDGHI: The Snowden documents allege that spies from the American National Security Agency and the UK Government Communications Headquarters were involved in a large-scale hack affecting millions of SIM cards.

The documents allege the spies accessed servers and computers at the Netherlands-based company Gemalto, and took the encryption keys for mobile SIM cards.

Stilgherrian is a writer and commentator on internet, security and cybercrime.

STILGHERRIAN: This whole story centres around the SIM cards that we have in our phones and other mobile devices. The SIM cards not only identify you to the mobile carrier to make sure the call or the data is billed to the right place, they also contain the encryption keys that encode your conversations and your data transmissions, so they cannot be overheard or monitored by someone with a radio or someone intercepting the communications.

What’s happened here is that it’s alleged that the NSA, and Britain’s GCHQ, have infiltrated Gemalto, the world’s largest manufacturer of these SIM cards, and gotten hold of all of those individual encryption keys for a period of time that we are not yet sure about.

SARAH SEDGHI: What does this mean for Australian citizens who might have a SIM card originally supplied by Gemalto?

STILGHERRIAN: Effectively, it means if your SIM card is one of those that’s affected, that the intelligence agencies can impersonate you, use your device to send messages or use your account to send messages at least.

More importantly, your communications are completely open and transparent to those intelligence agencies. They can get them without a warrant, without talking to the telecommunications provider, and if they’ve previously recorded your communications, they can now go back and decrypt and listen to them.

It essentially allows them to do anything like that in relation to your mobile device or your mobile communications, without you knowing about, without the telco knowing about it.

SARAH SEDGHI: Telstra, Vodafone and Optus have all confirmed that Gemalto is among their SIM suppliers.

All three companies issued statements which said they are being updated about the alleged security breach by Gemalto, but which conveyed little additional information for customers, which for most people will be fine, according to Jim McGregor, the founder and principal analyst at Tirias Research, a technology research and advisory firm.

JIM MCGREGOR: It really depends on who has the data. Obviously, if this is a third-party bent on hacking and for financial gain, then there would be cause for concern. If it’s a government entity, you really have to think of, are you doing anything that identifies you as a threat?

If you aren’t, it’s highly unlikely that the US or any other government’s probably listening in or paying attention to your calls or your texts or your emails.

The average consumer has to stop and think of, you know, especially if it’s a government, do I really need to be concerned? Am I doing something illegal?

Government at that level, or the people at that level that would be going after these hacks, are really concerned about national security; they’re not concerned about whether or not you’re cheating on your wife or whether you were speeding home or whatever; they’re really concerned about, you know, information that would be highly illegal and a concern to national security.

SARAH SEDGHI: Mark Rumold is an attorney with the Electronic Frontier Foundation, a digital civil liberties organisation.

He says, if the alleged hack did take place, questions will be raised about how data is accessed.

MARK RUMOLD: In the law enforcement model, you obtain suspects first and then you go and you target those suspects. This is working in the reverse, right? This is assuming everyone’s a suspect, keeping all their data and then having the encryption key to decrypt your conversations once they do become of interest to you.

And, at least in the United States that turns, kind of, our constitutional principles and our legal principles on their head.

SARAH SEDGHI: Gemalto has said in a statement it’s investigating the alleged hack and will be holding a press conference tomorrow to report on its findings.

It says investigations so far show their products are secure.

The story was picked up with “Telcos face mass SIM card recall after spy agencies’ encryption hack revealed”.

But equally interesting, and concerning, is Wired’s article “Spies Can Track You Just by Watching Your Phone’s Power Use”. It reports on a paper published at Stanford University titled “PowerSpy: Location Tracking using Mobile Device Power Analysis”. The use of technology to measure usage, or “noise”, is another way of tracking without actually requiring access to data.

It provides:

Smartphone users might balk at letting a random app like Candy Crush or Shazam track their every move via GPS. But researchers have found that Android phones reveal information about your location to every app on your device through a different, unlikely data leak: the phone’s power consumption.

Researchers at Stanford University and Israel’s defense research group Rafael have created a technique they call PowerSpy, which they say can gather information about an Android phone’s geolocation merely by tracking its power use over time. That data, unlike GPS or Wi-Fi location tracking, is freely available to any installed app without a requirement to ask the user’s permission. That means it could represent a new method of stealthily determining a user’s movements with as much as 90 percent accuracy—though for now the method only really works when trying to differentiate between a certain number of pre-measured routes.

Spies might trick a surveillance target into downloading a specific app that uses the PowerSpy technique, or less malicious app makers could use its location tracking for advertising purposes, says Yan Michalevsky, one of the Stanford researchers. “You could install an application like Angry Birds that communicates over the network but doesn’t ask for any location permissions,” says Michalevsky. “It gathers information and sends it back to me to track you in real time, to understand what routes you’ve taken when you drove your car or to know exactly where you are on the route. And it does it all just by reading power consumption.”

PowerSpy takes advantage of the fact that a phone’s cellular transmissions use more power to reach a given cell tower the farther it travels from that tower, or when obstacles like buildings or mountains block its signal. That correlation between battery use and variables like environmental conditions and cell tower distance is strong enough that momentary power drains like a phone conversation or the use of another power-hungry app can be filtered out, Michalevsky says.

One of the machine-learning tricks the researchers used to detect that “noise” is a focus on longer-term trends in the phone’s power use rather than those that last just a few seconds or minutes. “A sufficiently long power measurement (several minutes) enables the learning algorithm to ‘see’ through the noise,” the researchers write. “We show that measuring the phone’s aggregate power consumption over time completely reveals the phone’s location and movement.”

Even so, PowerSpy has a major limitation: It requires that the snooper pre-measure how a phone’s power use behaves as it travels along defined routes. This means you can’t snoop on a place you or a cohort has never been, as you need to have actually walked or driven along the route your subject’s phone takes in order to draw any location conclusions. The Stanford and Israeli researchers collected power data from phones as they drove around California’s Bay Area and the Israeli city of Haifa. Then they compared their dataset with the power consumption of an LG Nexus 4 handset as it repeatedly traveled through one of those routes, using a different, unknown choice of route with each test. They found that among seven possible routes, they could identify the correct one with 90 percent accuracy.

“If you take the same ride a couple of times, you’ll see a very clear signal profile and power profile,” says Michalevsky. “We show that those similarities are enough to recognize among several possible routes that you’re taking this route or that one, that you drove from Uptown to Downtown, for instance, and not from Uptown to Queens.”

Michalevsky says the group hopes to improve its analysis to apply that same level of accuracy to tracking phones through many more possible paths and with a variety of phones—they already believe that a Nexus 5 would work just as well, for instance. The researchers also are working on detecting more precisely where in a known route a phone is at any given time. Currently the precision of that measurement varies from a few meters to hundreds of meters depending upon how long the phone has been traveling.

The researchers have attempted to detect phones’ locations even as they travel routes the snooper has never fully seen before. That extra feat is accomplished by piecing together their measurements of small portions of the routes whose power profiles have already been pre-measured. For a phone with just a few apps like Gmail, a corporate email inbox, and Google Calendar, the researchers were able to determine a device’s exact path about two out of three times. For phones with half a dozen additional apps that suck power unpredictably and add noise to the measurements, they could determine a portion of the path about 60 percent of the time, and the exact path just 20 percent of the time.

Even with its relative imprecision and the need for earlier measurements of power use along possible routes, Michalevsky argues that PowerSpy represents a privacy problem that Google hasn’t fully considered. Android makes power consumption data available to all apps for the purpose of debugging. But that means the data easily could have been restricted to developers, nixing any chance for it to become a backdoor method of pinpointing a user’s position.

Google didn’t respond to WIRED’s request for comment.

This isn’t the first time that Michalevsky and his colleagues have used unexpected phone components to determine a user’s sensitive information. Last year the same researchers’ group, led by renowned cryptographer Dan Boneh, found that they could exploit the gyroscopes in a phone as crude microphones. That “gyrophone” trick was able to pick up digits spoken aloud into the phone, or even to determine the speaker’s gender. “Whenever you grant anyone access to sensors on a device, you’re going to have unintended consequences,” Stanford professor Boneh told WIRED in August when that research was unveiled.

Stanford’s Michalevsky says that PowerSpy is another reminder of the danger of giving untrusted apps access to a sensor that picks up more information than it’s meant to. “We can abuse attack surfaces in unexpected ways,” he says, “to leak information in ways that it’s not supposed to leak.”
