Alleged IOS backdoors

Bluelotus bluelotus at openmailbox.org
Wed Jul 23 08:10:18 PDT 2014 

Dpnt have to go back as far as 1990's. This month, I purchased a Palm Treo 705p, released in 2006. External antenna, superior voice quality and qwerty keyboard.  WebOS doesnt capture MAC addresses of nearby wifi devices like iphones, ipads, android and Windows do. No FM radio to hack air gapped computers.  For articles see my submit history on reddit.com under user nme BadBIOSvictim.

Verizon does not activate older phones. PagePlusCellular.com does.

My other phone is a Palm Pre2 for the above reasons. Released in 2011.

On July 23, 2014 10:04:13 AM EDT, Georgi Guninski <guninski at guninski.com> wrote:
>Are dumb phones sufficiently secure?
>Say something monochrome from the 90's?
>Heard rumors operators can update the
>firmware on a lot of models, not sure
>how true is this.
>
>On Tue, Jul 22, 2014 at 12:48:35PM -0700, coderman wrote:
>> On Tue, Jul 22, 2014 at 5:21 AM, Georgi Guninski
><guninski at guninski.com> wrote:
>> > Alleged IOS backdoors
>> >
>> >
>http://www.zdziarski.com/blog/wp-content/uploads/2014/07/iOS_Backdoors_Attack_Points_Surveillance_Mechanisms.pdf
>> >
>> > Identifying Back Doors, Attack
>> > Points, and Surveillance
>> > Mechanisms in iOS Devices
>> 
>> note that Google is no better. back in 2011 i reported the abuse of
>> Google Voice Search as easily accessible (no permissions required)
>and
>> excellent for eavesdropping (always on should not be possible).
>> 
>> the more things change, the more they stay the same ;)
>> 
>> best regards,
>> 
>> 
>> ---
>> 
>> '... nearly all Android devices equipped with Google Services
>> Framework can be affected by GVS-Attack'
>> 
>> 
>> http://arxiv.org/abs/1407.4923
>> """
>> Previous research about sensor based attacks on Android platform
>> focused mainly on accessing or controlling over sensitive device
>> components, such as camera, microphone and GPS. These approaches get
>> data from sensors directly and need corresponding sensor invoking
>> permissions.
>> 
>> This paper presents a novel approach (GVS-Attack) to launch
>permission
>> bypassing attacks from a zero permission Android application
>> (VoicEmployer) through the speaker. The idea of GVS-Attack utilizes
>an
>> Android system built-in voice assistant module -- Google Voice
>Search.
>> Through Android Intent mechanism, VoicEmployer triggers Google Voice
>> Search to the foreground, and then plays prepared audio files (like
>> "call number 1234 5678") in the background. Google Voice Search can
>> recognize this voice command and execute corresponding operations.
>> With ingenious designs, our GVS-Attack can forge SMS/Email, access
>> privacy information, transmit sensitive data and achieve remote
>> control without any permission.
>> 
>> Also we found a vulnerability of status checking in Google Search
>app,
>> which can be utilized by GVS-Attack to dial arbitrary numbers even
>> when the phone is securely locked with password. A prototype of
>> VoicEmployer has been implemented to demonstrate the feasibility of
>> GVS-Attack in real world. In theory, nearly all Android devices
>> equipped with Google Services Framework can be affected by
>GVS-Attack.
>> This study may inspire application developers and researchers rethink
>> that zero permission doesn't mean safety and the speaker can be
>> treated as a new attack surface.
>> """

More information about the cypherpunks mailing list