Stupid Smartphones and Their Lying Lies

[Apple iPhone 5s via]

[Apple iPhone 5c via]

If you value emptywheel’s insights, donate the equivalent of a couple beers—and thanks for your readership and support.

My Twitter timelines across multiple accounts are buzzing with Apple iPhone 5s announcement news. Pardon me if I can’t get excited about the marvel that is iPhone’s new fingerprint-based biometric security.

Let’s reset all the hype:

There is no smartphone security available on the market we can trust absolutely to keep out the National Security Agency. No password or biometric security can assure the encryption contained in today’s smartphones as long as they are built on current National Institute of Standards and Technology (NIST) standards and/or the Trusted Computing Platform. The NSA has compromised these standards and TCP in several ways, weakening their effectiveness and ultimately allowing a backdoor through them for NSA use, bypassing any superficial security system.

There is nothing keeping the NSA from sharing whatever information they are gleaning from smartphones with other government agencies. Citizens may believe that information gleaned by the NSA ostensibly for counterterrorism may not be legally shared with other government agencies, but legality/illegality of such sharing does not mean it hasn’t and isn’t done. (Remember fusion centers, where government agencies were supposed to be able to share antiterrorism information? Perhaps these are merely window dressing on much broader sharing.)

There is no exception across the best known mobile operating systems to the vulnerability of smartphones to NSA’s domestic spying. Although Der Spiegel’s recent article specifically calls out iOS, Android, and Blackberry smartphones, Windows mobile OS is just as exposed. Think about it: if your desktop, laptop, and your netbook are all running the same Windows OS versions needing patches every month to fix vulnerabilities, the smartphone is equally wide open as these devices all use the same underlying code, and hardware built to the same NIST standards. Additionally, all Windows OS will contain the same Microsoft CryptoAPI believed to be weakened by the NSA.

If any of the smartphone manufacturers selling into the U.S. market say they are secure against NSA domestic spying, ask them to prove it. Go ahead and demand it — though it’s sure to be an exercise in futility. These firms will likely offer some non-denial denials and sputtering in place of a firm, “Yes, here’s proof” with a validated demonstration.

Oh, and the Touch ID fingerprint biometrics Apple announced today? You might think it protects not against the NSA but the crook on the street. But until Apple demonstrates they pass a gummy bear hackability test, don’t believe them.

And watch for smartphone thieves carrying tin snips.

23 replies
  1. P J Evans says:

    I foresee a larger market share for dumb phones, without GPS or contact lists. (No, I keep my phone numbers on paper.)

  2. Rayne says:

    @P J Evans: That’s all I have, a dumb phone I can afford to lose.

    Think my contacts are limited to a dozen, the obvious ones a suburban mother would have at hand (as if I had anything else going on in my life besides shuttling teenagers around and buying groceries).

    EDIT — 7:49 PM EDT —
    This story cracked me up, in a funny-ha-ha-ouch sort of way. Published 1:36h after I posted here at emptywheel.

    Docs: Officials Misused US Surveillance Program – NPR

    “[N]early three years accessed data on thousands of domestic phone numbers” obtained by government, and they lied about it.

  3. Greg Bean (@GregLBean) says:

    And if anyone thinks for a moment that their fingerprint is not being forwarded to the NSA from any computer/phone that captures it, they’re really really naive.

  4. Rayne says:

    @Greg Bean (@GregLBean): I’m less concerned about fingerprints because they can be faked (see last link in my piece above).

    BUT…voiceprint? Hah. They’ve had you.

    The really big questions have yet to be asked. Here’s one: what’s the chances last year’s abysmal launch of Apple Maps in tandem with iPhone 5 was sabotaged — either to thwart Apple, which had backed out of a likely manipulated Trusted Computing Program, or to thwart the NSA’s tracking?

    Yeah. Kind of makes one wonder, in hindsight. Sure wish I had that $300/share I lost on my AAPL stock after that bit of fail.

  5. earlofhuntingdon says:

    Apple’s new phone’s fingerprint “security” device. Their claim that the biometric data will be retained on the phone and not on an “Apple server” is, shall we say, suspect. At best, it may be Clintonian; the data might simply be downloaded to and stored on someone else’s server: Booze Allen Hamilton’s, SAIC’s, NSA’s, FBI’s. The list is as lengthy as line items in the Pentagon’s budget.

  6. P J Evans says:

    I’ve run into stuff like that in novels, so it may actually be possible. And if you’re really bad, you might consider removing the relevant digit from your victim.

  7. Rayne says:

    @P J Evans: If you read the Gummy Bear Hackability paper at the last link in the article, you’ll see the researchers cite a severed user’s finger as a hack method. Hence my smartass comment about tin snips. Heh. Ouch.

    And voice recognition is a for real thing — has been.

    @Frank33: @Frank33: Nuts! I have a groovy graphic for I-Spy tucked away, should have thought of that sooner. Would have fit the iSpyPhone nicely. ;-)

  8. jerryy says:

    @P J Evans: You might want to take a look at this report, certainly read past the headline:,2817,2394177,00.asp

    (On some browsers it has a skippable advert showing up first.)

    Just as a side note, not keeping your contact list on your phone will inhibit applications hackers, if the NSA wants to know whome you are chatting with, they do not need to dos something so esoteric as hacking your phone when it is much easier to let the phone company hand them the list of numbers you call and / or call you — the phone company keeps that list for a long time…
    [Hey Rayne, that image you are using from TheVerge is the new iPhone 5C, not the new 5S. The 5C does not have the fingerprint sensor.]

  9. Frank33 says:

    There is a service, Captel. People with a hearing disability can read the other person’s conversation. The technology is amazing and certainly helpful. And it certainly can be abused by governments or corporations or individuals. We do have to learn to deal with this technology that can transcribe audio phone conversations.

  10. Rayne says:

    @Frank33: Does it ID the person calling? That’s the part we really need to think about as such technology positively IDs the person using a particular phone, creating specific metadata, at a specific GPS coordinate.

    @Story of O: They could, but the criminals we are dealing with don’t need that–that’s for the average street criminal. The corrupt oligarchs want something else altogether and they take it with out any physical contact save for selling you a vulnerability wrapped in a smartphone.

  11. lefty665 says:

    @Rayne: Short APPL it can get you most of your loss back. Their fall ain’t done yet.

    I also keep Repubs and others I generally don’t like very much on my contact list.

  12. Rayne says:

    @lefty665: I bought the stock at $37.50 a share. It has a long way to fall before I pull the plug. Not before Christmas, anyhow. Not before teenagers stop asking for Apple products. Until then the market won’t fully move out of AAPL and migrate to something else, and there isn’t any replacement for investments yet given flat energy prices and skepticism about long-term real estate values. (For anybody else reading this: I am not a broker, your mileage may vary.)

    And you actually have to call people before contact lists are useful to the watchers. A network is defined by actual relationships between nodes. Until you call them AND call other less savory nodes (whatever unsavory may mean to the watchers), unused contacts are worthless, like the Yellow Pages in hardcopy these days.

    [Hah. While I’m sitting here typing on my PC, my WiFi-enabled Android tablet sitting here at hand decided to reboot all by itself. Thanks, but I don’t need the demo, dudes.]

  13. lefty665 says:

    @Rayne: You haven’t actually lost or made anything until you sell.

    Don’t believe I’ve ever added anyone to a contact list if I didn’t have to call/txt them. Hardly a “contact” if you don’t reach out and touch someone.

  14. Story of O says:


    > They could, but the criminals we are dealing with don’t need that–
    > that’s for the average street criminal

    Not everyone on the street who is harassed by police state officers is a criminal.

  15. Rayne says:

    @Story of O: If we’re talking about folks who are just as likely to escalate by taking your finger with a pair of tin snips, we’re talking street criminals.

    Any police state officer forcing us to open our personal communications are criminals, too, just not the common street variety, less like to take a digit. The worst won’t harass you on the street; they’ve already got an inventory of everything you own and know where your children are right now.

  16. earlofhuntingdon says:

    @earlofhuntingdon: And that’s up to FIVE sets of fingerprints per phone, to make it easier on family and friends, dontchyaknow. Imagine what pattern analysis and X degrees of separation will make of that.

    The possible privatization of Blackberry, the principal alternative to Android and Apple, would have serious implications for privacy, not to mention further eroding competition. Such privatizations are normally about extracting more for less, solely for the rentier class. They are not frequently about improving services or introducing novel products.

    Fighting for customer privacy against a supine industry and aggressive government is expensive. It needs to be built around a fuller, customer-centric business model. That is not normally what takeovers by predatory capital entail.

  17. Rayne says:

    @earlofhuntingdon: I’ve been wondering about the spin-off of Symbian to Accenture, too. Why was it handled that way by Nokia (even under the assumption that CEO Elop was a MSFT mole pre-acquisition)?

    Are the 1% planning for their own privacy via walled off mobile OS?

Comments are closed.