SoylentNews is people

posted by n1 on Monday June 15 2015, @08:46AM
from the marketing-1-customer-0 dept.

Just bought a FirefoxOS Revolution Geeksphone in mid-May. I mean, sure, it's buggy and needs improvement, but it's an open source, community-driven project. That is how it was presented to consumers.

It has nowhere to go but up, right? Wrong. Without any kind of transparency or openness or communication, the Geeksphone crew let us know in a one-line comment that they were orphaning all of us.

Re: Firefox OS 2.2
« Reply #3 on: June 10, 2015, 05:34:08 PM »
No sorry, all FxOs development are finished by Geeksphone.

Thanks..... ;)

And that's all, folks. Apparently. To add injury to injury, they used a locked bootloader, according to another commenter. I didn't even check on that. It's an open source project, I thought.

I'm also mad as hell. Any other Soylentils in this mess? Anybody have any ideas on a useful way forward?


  • (Score: 2) by VortexCortex on Monday June 15 2015, @08:29PM

    by VortexCortex (4067) on Monday June 15 2015, @08:29PM (#196635)

    if you go to Menu->Settings->My Shortcuts, you can reconfigure the navigation and selection keys to do just about anything.

    Indeed, the devices typically run Java (Mobile Edition), which is incredibly moddable too, but for which you probably don't have the ability to flash with your own firmware image -- really how is that better in any way (besides battery life)?

    To those concerned about cracking a locked bootloader, and/or consider a non-smartphone: On all modern cell phones the mini-kernel that handles the baseband radio IO is insecure and has full read/write access to the entirety of the phone's memory. Even the "feature phones" or "dumb-phones" you have today are basically the same as smartphones just with less CPU power, (thus better battery life), and different input features (no fancy multi-touch screen). Point being: The security benefits of using a dumb phone are largely imaginary, as are the security benefits of having a phone with open source software/firmware.

    Let's say you do get open source audited firmware installed: Just like with a smart(er) phone an IMSI interceptor, like the Stingray systems cops are using, could easily inject malicious data that exploit any of the hundreds of unchecked bounds in the baseband kernel to perform a remote code execution vulnerability and take over the dumb(er) phone, install a rootkit that reports location information (tower signal strength for triangulation even if no GPS), exfiltrate all the data on the phone, and etc. Since the decommission of analog cellular so too went the uncrackable plain dumb cell phone with simple speed-dial memory - You could spy on these too (even with just a modified HAM radio), but at least they didn't have the capacity to have spyware installed to carry around with you. Some of this could be fixed with an open source baseband kernel instead of a blob, but then there are a few hardware level exploits that no amount of open source code can fix.

    I like FLOSS, and understand the principles behind using it exclusively, but I don't get why it's such a big deal today with so many exploits (mistakes) in the code and no way to verify the hardware it's running on isn't injecting spyware into all of your binaries. Ken Thompson's ACM acceptance speech covered this in the prophetic year of 1984. [bell-labs.com] Until we have open & verifiable hardware FLOSS is primarily to avoid vendor lock-in, IMO; It does little to ensure security. Complete Mobile VMs, when? It's a bit more complex to deliver exfiltration and tracking payloads on smarter phones because the dumber ones are less diverse in the firmware department, but state level hackers have the time and resources to build cracks for any/every phone model. Beware if your phone gets an over the air firmware update, then seems slightly off (typically missing a few vendor installed custom features) and requires you re-enter WIFI passphrases etc, then a reboot or two later returns to prior operating conditions: Rather than hack the phone in real time, sometimes a spoofed update cycle is used to send you a spyware infested firmware for your model then (re)update to the vendor's firmware after getting your data (this attack is often deployed during an actual update cycle) -- Don't get too paranoid as some vendor features disable normally until you accept terms and conditions required by some firmware updates.

    Ever since GSM's poor linear shift register encryption was hacked anyone with a bit of cash and some know-how can use a software defined radio and about a month of evenings figuring out how to overwrite their own phone's OS in real time (do so in a Faraday cage to avoid breach of FCC regs). Buh bie "bootloader" lock, just warm-boot over the air to a whole new OS. Bonus: Turn it off and on again, and it's an unmodified phone again... Besides price & battery life, I'm not really sure what the draw is for the dumber phone. They aren't any more secure than smart ones are, and they do less. Just be aware that anything you do and anywhere you go with any cell phone purchased today is potentially public information (as they ping the public airwaves just asking to get spied on or infected). One outcome will probably be that enough hobbyists like myself hacking on their own mobile hardware will bring the barrier to entry to cracking phones low enough such that common identity thieves will have plug-n-play point-n-click access to the same tech hackers do (just like with exploit toolkits on desktop / server machines). That way we'll be forced to take a proactive approach to security (as on desktop and servers); We probably won't ever get open hardware with end to end encryption default on our systems at the hardware level, but that's what we need. Until we can 3D print chips at home your best bet is an FPGA if you REALLY need to know the chipset isn't spying on you. Off the grid (clean power) computing in an EM shielded enclosure is another option -- it doesn't matter if the Intel Sandy Bridge chip's cellular modem is spying on me, or just waiting to get bricked, if it can't phone home.

    Invest in a Faraday bag if you want a bit of mobile privacy. Also, try leaving the mobiles at home every now and then. You may be pleasantly surprised at the results of less distracting information overload. For the more adventurous, create a phone pool and trade phones with friends (don't put anything important on them - get a little black book for your contacts), that way any tracking done is mostly useless. For the most adventurous, I don't recommend this as it's highly illegal, but you can sniff cellular traffic then clone a nearby phone's signature (even a dumb phone), and use the SDR to make innocuous looking phone calls (preferably at both ends, receiving end will have to jam the phone it cloned). Buh Bie usefulness of "meta data" collection. That's what some of the higher tech criminal elements do, which demonstrates why all the NSA spying can't stop terrorists (that's a smoke screen to manufacture consent to spy on "troublemaking" US citizens / activists who blow whistles on the powerful and corrupt).

    P.S. It's fun to see the complexity of good ol' Hayes-like modem commands still down in the guts of our cellular modems. It's a veritable cornucopia of exploitability -- almost like none of those command strings are even tested for overflow / unexpected input. I guess most hackers today don't get down to that level, but I expect they will as the Software Defined Radio becomes ever more available.

  • (Score: 2) by Gravis on Monday June 15 2015, @09:49PM

    by Gravis (4596) on Monday June 15 2015, @09:49PM (#196661)

    On all modern cell phones the mini-kernel that handles the baseband radio IO is insecure and has full read/write access to the entirety of the phone's memory.

    actually, you are wrong about this. the radios have their own little ARM chips that handle the I/O. the radio is an I/O peripheral to the CPU just as much as the keypad and LCD.

    Point being: The security benefits of using a dumb phone are largely imaginary,

    the primary threat to pocket computers is not their voice telephony capability, it's the other software that gets installed on it. the secondary threat is bugs in absurdly complex OSes and software. the smaller the OS, the better.

    as are the security benefits of having a phone with open source software/firmware.

    having a phone with open source software/firmware allows people to verify that they aren't being spied on by the phone manufacturer and that there are no (deliberate) backdoors. yes, they have been busted in the past for doing this.

    Invest in a Faraday bag if you want a bit of mobile privacy. Also, try leaving the mobiles at home every now and then. You may be pleasantly surprised at the results of less distracting information overload.

    do you really have that little willpower?

    as for all the rest of your post: ugh... you talk big but you really don't get the big picture.