(1) Were you aware that carriers can remotely override your settings like this? (2) Any strategies to keep something like this from happening besides rooting the device? (3) How do you feel about this type of remote control by a third party?
I must say I strongly dislike losing control over my own device. It feels dystopian to me.
I also couldn't find any mention of this particular power of carriers apart from one lonely Reddit post about someone trying to turn off Amber alerts [1].
---------------- EDIT: Additional info for clarity:
The settings I am referring to are under "Apps & notifications"/"Wireless emergency alerts". They are about controlling whether to and which alerts one wants to receive on their phone.
It's an unlocked Android One device. The carrier seems to be able to remotely change these settings (see the referenced Reddit post as well), which I would never expect. It seems to be because of the SIM the phone uses and the network it connects to. No user-controlled software change like updates.
----------------
[1] https://old.reddit.com/r/GooglePixel/comments/zebvs4/settings_changed_by_carrier/
10-20 years ago the FBI was regularly remotely programming firmware to listen in and record cell phone microphones to capture conversations of suspects. IIRC a mafia case hinged on data gathered in this way so it is not some abstract theoretical or crackpot theory (https://www.cnet.com/news/privacy/fbi-taps-cell-phone-mic-as...).
It's only gotten worse as phones have gotten more capable. You don't own squat about the device in your pocket at all times.
How do you pay for jmp.chat? Do you trust their code to be bug-free and without possible exploits? Do they do regular security audits and code reviews? Do they have enough users and maintainers to be able to quickly detect and address security issues? Are you sure Airplane Mode turns off the baseband and cuts off all cellular communication? It doesn't, you can still receive emergency alerts in Airplane Mode. Your phone can tell exactly where you are by comparing your wifi search results + RSSIs to known public databases without even having to use GPS. How much do you trust your VPN provider to keep no logs? How do you pay for VPN?
VPNs hide the content of connections, at least from MITM / eavesdroppers, but server-side data scrapes are quite effective at figuring out who you are (or what your phone is ... see below). Nothing really does a good job of hiding the fact that you are connected to a VPN except TOR, and where that connection originates (e.g., your wifi network, which is well Geo-located, remember?). And de-anonymization of VPN connections to identify downstream connections is possible, IIRC. Details about your phone are well recorded (MAC, SID, etc).
And always remember, your phone can be implicated based on location data, which will implicate you once it's discovered you own the phone. And that's as simple as looking up the SIM purchase / use.
The carrier definitely knows where you live if you take your phone to your house at night, even if it is off. The only way to prevent that is to put it in a faraday pouch at your “airplane mode” checkpoint.
Why do you think basically zero phones have trivially removable/changeable batteries? Any phone that claims to be security first and doesn’t at least have a switch (an actual switch) that disconnects the battery altogether is a joke.
You need burner phones to cycle after each usage.
TBH, seems you cranked up the paranoia to 11. The VPN has to terminate somewhere, so if I was a state actor attacking you, I'd figure out where that is. WiFi+BT firmware isn't bulletproof, either, and hypothetically an exploit chain could be found to enter via WiFi and stealthily enable cellular. In practice XKCD #538 applies: https://xkcd.com/538/
For most of us the attacker is someone trying to make some money by scamming, stealing CC or installing a malicious app.
It's the day you miss something that your effort was pointless. Even if your solution is always secure, it only takes one slip-up to ruin everything.
Any threat as large as you're trying to protect against, if interested in you, can just wait for you to make a mistake.
Do your family and friends do that?
Maybe it's better to blend in with the noise.
In one of those conversations, I was asked to not publish details about the extensive cellular tracking data that had helped to make the case. According to the detective, despite the ubiquitousness of cellular tracking data in prosecutions, your everyday criminal is not doing anything remotely like ‘throwing mobile phones out of the car window after each call.’ Quite the opposite, they are posting pictures of themselves with contraband to Instagram, and using their phones to facilitate crime as if they were untouchable.
Perhaps drug lords are more careful than lower-level dealers, but I’m not so sure. Total conjecture here, but I suspect the money gets to their heads, which leads to a feeling of invincibility — with consequent opsec failures.
If you keep an eye on major arrests, criminals routinely get taken down in essentially the same ways as the criminals who were caught before them. Despite their belief that they had been taking precautions against those failure modes.
Specifically can your whatsapp/signal audio calls be recorded by FBI remotely in this manner?
Yes, court records show the FBI has and continues to explicitly do this. Leaks from folks like Snowden show the NSA/CIA have done this too.
> Specifically can your whatsapp/signal audio calls be recorded by FBI remotely in this manner?
The baseband firmware is at a level 'below' the operating system of the phone. It can directly access peripherals and intercept them, so it could be reading your microphone and passing it along to the higher level OS at the same time. WhatsApp/Signal thinks it's secure, and if you look at its app signature or anything else it looks exactly like the normal app you expect. However your data is still getting intercepted at the lower level and recorded for a state/government actor.
Hint, it's not the application you use but the microphone/speaker itself.
I wish my cellphone would not have all those sensors for this reason...
Oh, it gets better. We also, by default, get alerts for severe/extreme weather. Nothing like getting an emergency alert because a tornado touched down on the other side of the state, or a flash-flood warning while you're at home, 300' above the nearest body of water.
They shouldn't be sending out Amber Alerts for something a couple hundred miles away, because as you said, that causes people to ignore them. In my area, we only get very localized Amber Alerts, which makes them pretty rare... 1-2 per year.
Nobody is going to know for sure if it's a false alarm, or if we'll wind up with a murdered child until after the fact, so why wait or ignore it?
As for the risk of a murdered child, well, if that argument works for you, then why stop there? Why should police have to wait for a search warrant...what if we end up with a murdered child? Why should police have to avoid using deadly force to stop a fleeing suspect...what if we end up with a murdered child? Of course, we already have a (rather large, vocal) group of people who believe exactly this, which is why CPS is called on parents who, for example, run into a bakery, with their minivan idling with 6 kids in it, and get arrested for child endangerment.
It's easier to take an extreme, confident position when you don't know anything about it.
The idea doesn't scale unless the events are actually quite selective, and a missing person that isn't even necessarily missing yet probably shouldn't qualify.
Even if you are sympathetic and care about that kid, it doesn't matter because it doesn't work anyway. Everyone just ignores the alert. It's just not a reasonable balance between how much some bad thing matters and how many people's attention are commandeered for it. Every single death even from peaceful old age after a rich full life is a tragedy, but the rest of the world can not care about it. Literally can not, because it doesn't scale. Those tragedies are happening at a constant rate of many new ones every second of every day at all times. Instead there are a much smaller set of people who care about or whose job is to care about each one, and that set is smaller than "everyone in a 400 mile circle". The fact that a person can drive 200 miles in any direction in a few hours doesn't change that.
It's probably a good thing for the system to exist, but if it's used the wrong way, its entire utility and reason for existing is sabotaged and nullified.
However the real point is not about the alert system but about a carrier's ability to control your device more than yourself, even if you own your device outright, that I do not say is a good thing that it exists. I accept that there's not much to do about it. I do have a rooted phone running LineageOS, which gives me a bit more control, but I don't kid myself that that really means much. But I don't think it's good or right.
If you don't, we'll end up with a murdered child, so why not?
Amber/Silver/Blue alerts should be more like a regular notification.
https://www.tandfonline.com/doi/abs/10.1080/0735648X.2014.10...
Just because it's listed under "Apps & notifications"/"Wireless emergency alerts", it doesn't mean they are "user settings". It's not necessarily the local "carrier" that turned the settings on, it's more that connecting to a cell tower in a particular jurisdiction can enforce receiving emergency alerts.
More on the EU alerts systems: https://en.wikipedia.org/wiki/EU-Alert
The fact that it's so unclear leads me to wonder what other settings -- perhaps some related to my security or privacy -- the carrier can modify without my knowledge.
You can’t disable 911/112 just because you don’t like it either.
Buuuuut, these alerts are LTE/5G only, so I’ve set up an iPhone automation to switch my phone to 3G in the evening and back to whatever in the morning to avoid alerts at night. I’ll cry when 3G gets shut down.
This absolutely is a user setting.
How far we've fallen from sharing the DeCSS flag, to arguing that users shouldn't have control over their devices, and governments and carriers should.
The EU legislation allows "opt out" from level 2/level 3 notifications, but is based on the notion that messages are received "without the need for the public to have to opt-in".
So for compliance sake, you're opted in. Maybe this should only happen the first time you enter EU or a member state, and then either your phone or cell service provider should remember your preference (which is probably not worth the resources to implement for the cell service provider, but maybe your phone already does?).
I'd be interested to see if this already exists, i.e. do you only need to opt out in Germany once? Does that opt-out at EU level?
When your wife disabled notifications, she merely opted out of notifications in whatever jurisdiction she was in (presumably US?), but opting out of something in US doesn't mean you opted out of every other similar law from every other nation state.
Even with a rooted device where perhaps you personally coded up the ROM you are still missing a piece which is the binary blob that runs the baseband radio. That firmware is, afaik, not something which exists in any sort of open-source or rootable manner. It's a closed blob running proprietary software on your phone, and it runs at a lower level than the ROM/OS does. So, even if you go to great lengths to secure most of the software that runs on the device (a noble goal, it's your hardware after all!) then you still must contend with the uncertainty and perhaps risk (depending on your threat model) of that untrusted code running there. You can search around the web for articles covering baseband radio exploits that span the years...
Probably illegal and the firmware running the radio hardware is still proprietary.
> Not everything is open in this firmware. The baseband firmware, aka the RF bits known as ADSP firmware, remains closed and not yet reverse-engineered by anyone – you’re not gonna be running OpenBTS on this modem yet.
> The TrustZone kernel remains closed too – my understanding is that it’s signed by Qualcomm.
Some manufacturers likely still implement the "old" architecture, though.
Edit typo
Carriers can't change regular settings like language, lock screen code or background. Just what cell towers you connect to and a short list of telephony related features. Please correct me if I'm wrong.
I've understood cell broadcasts are also used for advertisements/otherwise spammy stuff in eg. the US? Then I could understand you considering cell broadcast being turned on being unreasonable
They already do that. Or, rather they don't need to "know" anything; a phone with no signal will scan through all the bands it has a radio for, and will find a network to connect to. If a network rejects the connection, it'll move on to another.
This is also something that traditionally has been configurable: you can tell your phone not to do this, if you want, and it will obey your command. But allowing the carrier to change settings on the phone after a connection is established is pretty intrusive, IMO.
Some of our bank accounts require using an Android (or iPhone) app, for example. Messengers like Signal don't work w/o a smartphone. COVID-related apps for traveling. I could continue.
Genuinely curious.
Choosing your bank according to the provision of acceptable services.
> messengers
You just need an OS somewhere (not necessarily a smartphone)
> travelling
Cannot really help: if some administration requested a smartphone, I would either try to avoid it or buy some provisional, temporary thing.
- Android comes with a list of carriers and their required configurations; when the MNC and MCC provided by the SIM match a carrier on that list, Android uses the configuration from that list. This list updates with Android updates, and so SIMs don't have to be reprogrammed.
- Modern SIMs are just Java cards with a SIM app (especially if they offer IMS). The Java cards also have a secure storage element to hold subscriber keys and mitigate tampering to change these keys. They also contain signing public keys which are queried by Android whenever /Carrier Privileges/ are requested. That way, an app signed by a carrier can verify against the carrier's SIM in order to get access to this configuration.
- There are remote configuration protocols, so Android will have a bare configuration for carriers just to fetch the latest configuration from them (to then use it).
This has been happening for quite a while. If you use(d) a carrier app for voicemail or setting up the service for the first time, you've used this. Except nowadays it seems Android actually /informs/ you about it.
https://source.android.com/docs/core/connect/uicc
https://source.android.com/docs/core/connect/carrier
One could probably write a rooted Android ROM that filters / requests user permission / logs changes to carrier settings, and there's utility in that since it may be a vector for espionage / traffic redirection (provided stolen keys or an exploit of the SIM's certificate storage machinery). SIM cards are usually directly connected to the CPU, not to the baseband.
[0] https://opendevelopment.verizonwireless.com/content/dam/open...
[1] https://en.wikipedia.org/wiki/2018_Hawaii_false_missile_aler...
[2] https://www.youtube.com/watch?v=sdmkTkWB40Q
[3] https://media.ccc.de/v/osmodevcon2019-107-production-grade-c...
[4] https://osmocom.org/projects/cellular-infrastructure/wiki/Se...
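The SIM-driven mechanisms described in the carrier-configuration comment above (matching the SIM's MCC/MNC against a bundled carrier list, and granting carrier privileges to an app whose signing certificate matches a rule stored on the SIM), plus the change logging that comment suggests a custom ROM could do, as a simplified Python model. This is an added example, not Android's code or any commenter's; the configuration keys, the carrier entry, the package name and the certificate bytes are constructed, and the rule is modelled as a SHA-256 hash of the signing certificate with an optional package name.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class UiccRule:
    """One access rule read from the SIM: a cert hash, optionally tied to a package."""
    cert_sha256: bytes
    package: Optional[str] = None


def split_imsi(imsi: str, mnc_len: int) -> Tuple[str, str]:
    """Return (MCC, MNC). MCC is always 3 digits; MNC is 2 or 3, as recorded on the SIM."""
    if mnc_len not in (2, 3) or not imsi.isdigit() or len(imsi) < 3 + mnc_len:
        raise ValueError("malformed IMSI or MNC length")
    return imsi[:3], imsi[3:3 + mnc_len]


def select_config(imsi, mnc_len, carrier_list, defaults):
    """Overlay the bundled per-carrier entry (if any) on the device defaults."""
    merged = dict(defaults)
    merged.update(carrier_list.get(split_imsi(imsi, mnc_len), {}))
    return merged


def changed_keys(before, after):
    """Keys whose value differs after the overlay: what a logging ROM would report."""
    return sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))


def has_carrier_privileges(app_cert_der: bytes, package: str, rules) -> bool:
    """Grant only if the app's signing-cert hash (and package, if pinned) matches a SIM rule."""
    digest = hashlib.sha256(app_cert_der).digest()
    return any(r.cert_sha256 == digest and r.package in (None, package) for r in rules)


# Constructed sample data (001/01 is the test-network PLMN; key names are made up).
DEFAULTS = {"show_alert_toggle": True, "volte_enabled": False}
CARRIER_LIST = {("001", "01"): {"show_alert_toggle": False, "volte_enabled": True}}
CARRIER_CERT = b"constructed-carrier-signing-cert"
OTHER_CERT = b"constructed-third-party-cert"
SIM_RULES = [UiccRule(hashlib.sha256(CARRIER_CERT).digest(), "com.example.carrierapp")]

if __name__ == "__main__":
    cfg = select_config("001010123456789", 2, CARRIER_LIST, DEFAULTS)
    print("changed by SIM insert:", changed_keys(DEFAULTS, cfg))
    print("carrier app:", has_carrier_privileges(CARRIER_CERT, "com.example.carrierapp", SIM_RULES))
    print("other app:  ", has_carrier_privileges(OTHER_CERT, "com.example.carrierapp", SIM_RULES))
```

Reading the same IMSI with the wrong MNC length yields a different carrier key, which is why the length is taken from the SIM rather than guessed.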
I think your example is a powerful reminder why folks turn off alerts. For most of us tho, it was the bazillionth urgent notice of a non-applicable event.
With that implementation, it would not be possible for any random carrier in a foreign country to load random bloat onto my phone just by me crossing the border to that country.
A lot of people in this thread are understandably okay with good carriers doing this for good reasons, but it's very easy to abuse if there aren't strong enough communication laws. From the amount of spam I got when I lived there, I'm surprised this is not happening in America.
When setting up the device, I was asked to insert my SIM card. Usually, I'd have skipped past this screen, but I thought "Ok, let me swap out my SIM", since I was trading in an older device.
Worst mistake ever. Even on an unlocked phone, all the Verizon crapware was silently installed in the background. This doesn't happen when you put in the SIM after setting up the phone.
Such a backwards experience.
Is it reversible? As in: can you eject the sim, reset the phone to factory defaults and restart the setup process, now inserting the sim card later?
You can attempt to disable it, but you need to be aware that in many places it's outright illegal for phone manufacturer and carrier to allow that.
My iOS settings and experience differ from this rather greatly - can you cite any such laws or regulations?
I have clear settings on my up-to-date iOS device in the US, on a large American carrier that allow me to a) ignore emergency alerts, b) get them but silently if my phone is in silent mode, or c) allow them through at full blast.
See https://support.apple.com/en-us/HT202743 - note the little "3" note where it says that some broadcasts in some regions can't be disabled?
(2) All the ways I can think of are significantly harder than rooting, so essentially no.
(3) I don't really mind that much, I have Google services running on my phone and I am certain those can do far more than my carrier could ever dream of. I have begrudgingly accepted those, so it would be a bit hypocritical to complain about my carrier turning cell broadcast back on. Especially since "turning cell broadcast back on" is a use case that I can see the argument behind.
If you care about this then I suggest you look up the relevant standard documents, probably you will find this behavior documented there.
What standard are you referring to?
I feel like you are confusing local Android settings with carrier settings loaded from the network. For instance, a carrier is not going to change the setting of your default keyboard or ringtone without a (carrier customized) system update.
The settings I am referring to are under "Apps & notifications"/"Wireless emergency alerts". They are about controlling whether to and which alerts one wants to receive on their phone.
This not only seems very user-facing to me, it's also something I definitely would want to have control over.
It's an unlocked Android One device. The carrier seems to be able to remotely change these settings (see the referenced Reddit post as well), which I would never expect. It seems to be because of the SIM the phone uses and the network it connects to. No user-controlled software change like updates.
Does my surprise make more sense now?
You travel to other countries, you abide by their laws. This is no different.
I believe this varies by country, since this was done for a limited set of countries my company was operating in.
The Amber alerts, OTOH, have been usually across the state and of debatable usefulness[0].
0: https://www.tandfonline.com/doi/abs/10.1080/0735648X.2014.10...
I googled the issue and it's affecting quite a lot of people. It's unclear whether the culprit is the provider or a long-standing bug in iOS (the first mention I found is a few years old). Some people suggested that you take out the SIM and the options would reappear. Didn't work in my case.
https://www.etsi.org/deliver/etsi_ts/102900_102999/102900/01...
Check Security Considerations in 5.5.
Which also reminds me how the NSA has intentionally crippled standards in the past so they could eavesdrop or inject code without having to go through the carrier. This means Johnny Scriptsalot can do it too.
(2) Changing to a device that doesn't have that feature. Which probably means no Android and no iOS. I would not be willing to do so, I'd change carrier instead if it was problematic enough to me.
(3) I don't mind when it's to set settings for a good reason. I assume some settings are configured that way for the phone to properly work on the carrier network. On the other hand, I hate it when it's to enforce a stupid thing or extract more money from a built-in feature.
Is there strong crypto preventing anyone who's not a carrier or government from changing settings on device?