[conspire] Cellphones and GSM privacy

Carl Myers cmyers at cmyers.org
Tue Jul 3 04:37:40 PDT 2012 

It is worth noting that (*very* sadly) CyanogenMod (which I use and am very
pleased with) is not a truly open option.  Such options *still* do not exist.

Cyanogenmod is built using several proprietary and presently unavoidable binary
blobs which might still do god knows what.  To build cyanogenmod from source,
besides taking a dependency on Sun's JDK (specifically, openjdk is not presently
supported) you must also run a script which scrapes a stock image and pulls the
various binary blobs you need for your specific hardware off of them.

Here is an example of the shell script to extract the blobs from the maguro
hardware (the new "open" galaxy nexus, google's official dev phone):

https://github.com/CyanogenMod/android_device_samsung_maguro/blob/0188fa978f88de56de9abd4be39c876f0f12cce4/extract-files.sh

Just a few obvious/recognizable modules include "bcm4330" which is obviously
broadcom firmware, and gps-related things and radio-related things that could
easily be stealing and transmitting your coordinates, whether gps "claims" to be
disabled or not *sad panda*.

The open-ness of android is unprecidented for a phone as widespread as most
android devices (And that qualifier is probably only required thanks to OpenMoko
*friendly nod*) but we still have a long way to go before we get the real
freedom we deserve, and if the hardware manufacturers have their way we'll never
get it.

-Carl

On Mon, Jun 25, 2012 at 06:06:38PM -0700, Rick Moen wrote:
> Date: Mon, 25 Jun 2012 18:06:38 -0700
> From: Rick Moen <rick at linuxmafia.com>
> To: conspire at linuxmafia.com
> Subject: [conspire] Cellphones and GSM privacy
> Organization: If you lived here, you'd be $HOME already.
> 
> ----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----
> 
> Date: Mon, 25 Jun 2012 18:02:25 -0700
> From: Rick Moen <rick at linuxmafia.com>
> To: skeptic at lists.johnshopkins.edu
> Subject: Re: Next, he'll know if you've been sleeping, know if you're awake...
> Organization: If you lived here, you'd be $HOME already.
> 
> Quoting Eleanor Schechter (eleanorskeptic at yahoo.com):
> 
> > 
> > --- On Mon, 6/25/12, greg bart <cyclopasaurus at gmail.com> wrote:
> > ...and he ain't Santa:
> > 
> > http://bits.blogs.nytimes.com/2012/06/21/google-maps-the-worker-bees/?src=twr
> > 
> > Ha. I shall forward this to my daughter who was complaining about new
> > enforcement at work of the rule that you can't bring a cell phone (or
> > any of a number of other devices) into the building. She should be
> > glad that they're not enforcing a rule that says you _must_ bring a
> > cell phone into the buillding.
> 
> Technically, of course, the boss in the cited article doesn't get data
> about where the _worker_ went, but rather about where the worker's
> _smartphone_ went -- during periods when the smartphone is both switched
> on and has the Google Maps Coordinate application is enabled and running
> during one of its scheduled reporting periods.
> 
> Gamesmanship involving having your company-issued smartphone going where
> you are not, and vice-versa, is left as an exercise for the reader.
> 
> One of these days, when either someone else is paying my cellular bill
> or the data charges become less heinous, I will pick of a smartphone
> to replace my dirt-cheap and privacy-friendly dumb cellular -- but will
> insist on it being one capable of running CyanogenMod, thus permitting
> me to solely determine what the device does, rather than some vendor.
> Among other things, running a completely open-source and independent
> Android rebuild (e.g., CyanogenMod) should permit disabling of all
> geolocation check-in functions including the Radio Resource Location
> services Protocol (RRLP) ones mandated by the USA FCC.  
> 
> Quoting Harald Welte:
> 
> 'Many modern smartphones with GPS receiver are rumoured to have support
> of the RRLP protocol. According to its specification, RRLP enables the
> network (or anyone claiming to be the network) to obtain the current GPS
> fix of the MS without any form of authentication.
> [...]
> Result: RRLP is not just a theoretical feature specified in the GSM/3GPP
> specs. It is implemented by numerous high-end smartphones. There is no
> authentication of the network. There is no notification of the user.
> There is no way for the user to disable this [mis]feature.  Impact:
> Public debate about this feature is needed. Operators probably need to
> consider working on some terms about how they use this feature in their
> privacy policy.'
> 
> http://openbsc.osmocom.org/trac/raw-attachment/wiki/FieldTests/HAR2009/har2009-gsm-report.pdf,
> page 8
> 
> ----- End forwarded message -----
> 
> _______________________________________________
> conspire mailing list
> conspire at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/conspire

-- 
Carl Myers 
PGP Key ID 3537595B
PGP Key fingerprint 9365 0FAF 721B 992A 0A20  1E0D C795 2955 3537 595B

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://linuxmafia.com/pipermail/conspire/attachments/20120703/e6a6bc35/attachment.pgp>

More information about the conspire mailing list