Slashdot Mirror
OxygenOS Telemetry Lets OnePlus Tie Phones To Individual Users (bleepingcomputer.com)
An anonymous reader quotes a report from Bleeping Computer: OxygenOS, a custom version of the Android operating system that comes installed on all OnePlus smartphones, is tracking users actions without anonymizing data, allowing OnePlus to connect each phone to its customer. A security researcher going by the pseudonym of Tux discovered the abusive tracking in July 2016, but his tweet went largely unnoticed in the daily sea of security tweets sent out each day. The data collection issue was brought up to everyone's attention again, today, after British security researcher Christopher Moore published the results of a recent study on his site.
Just like Tux, Moore discovered that OxygenOS was sending regular telemetry to OnePlus' servers. This is no issue of concern, as almost all applications these days collect telemetry data for market analytics and to identify and debug application flaws. The problem is that OnePlus is not anonymizing this information. The Shenzhen-based Chinese smartphone company is collecting a long list of details, such as: IMEI code, IMSI code, ESSID and BSSID wireless network identifiers, and more. The data collection process cannot be disabled from anywhere in the phone's settings. When Moore contacted OnePlus support, the company did not provide a suitable answer for his queries.
Just like Tux, Moore discovered that OxygenOS was sending regular telemetry to OnePlus' servers. This is no issue of concern, as almost all applications these days collect telemetry data for market analytics and to identify and debug application flaws. The problem is that OnePlus is not anonymizing this information. The Shenzhen-based Chinese smartphone company is collecting a long list of details, such as: IMEI code, IMSI code, ESSID and BSSID wireless network identifiers, and more. The data collection process cannot be disabled from anywhere in the phone's settings. When Moore contacted OnePlus support, the company did not provide a suitable answer for his queries.
It seems that regulations are required to ensure end users can readily gain root control of their phones to enable a full range of settings to be altered to ensure their digital right to privacy and control of their property. All phone manufacturers should be required to provide software to enable any customer to gain root control of their phone, else that phone can not be connected to networks in the country.
Chaos - everything, everywhere, everywhen
It has to be more secure than iOS since it is based on open source Android OS.
And your proof is where exactly?
Having written anonymizing algorithms, all I can do is cringe.
If you wan't privacy, don't opt in.
(At least google is giving an opt in)
Welcome to the Brave New World
OnePlus manufacture some dam nice phones, and OxygenOS was stock android with just the right amount of custom tweaks. I'm now happy i didn't pick up a OP5.
This is no issue of concern, as almost all applications these days collect telemetry data for market analytics and to identify and debug application flaws
The reason this is not a concern is because everyone else does it. Absolutely priceless reasoning.
If I had a penny for every instance of this nonsense uttered in my lifetime I would be a trillionaire.
Flash the Phone with Lineage OS. Thats what I do with my Phones.
> This is no issue of concern, as almost all applications these days collect telemetry data for market analytics and to identify and debug application flaws.
Umm... yes it is?
15 years ago, I worked for a well known company, and wrote an innovative set of privacy algorithms.
Didn't happen, long story; but sadly typical This is, to my mind, stupid. But the current generation doesn't seem to mind.
Need hearts and minds to effect change
I know someone with a one plus 3t and it seemed like the perfect device. I am not sure what effect disabling those applications might have, so ill wait a few days before advising her to do that. Hopefully this is big news, but sadly everyone is doing it.
If you are a smartphone user and you think google and apple don't have the complete picture of you as an individual you are dreaming! This is just the chinese not giving even the slightest fuck, while american companies still have to pretend to care about privacy somewhat.
Advertising, marketing and databases. Isn't it great what all this technology has become! A worthless extension of 20th century consumerism.
-
Only 30 comments so far, and over half of them are from painfully obvious anti-Linux shills. Which leaves me wondering - who exactly bankrolls this particular battalion of the 50 Cent Army?
Microsoft? No, can't be. I think they've given up on phones.
Apple? Now this one is fairly believable. Deep pockets, Silicon Valley ethics (read: no ethics at all), and mindless brainwashed cult followers... okay, sounds plausible. But it's so crass & crude & obvious. Doesn't really feel like an Apple-backed operation.
Russian/Chinese/Nork/USSA state-affiliated organizations? Well sure, they infest Slashdot like the regular vermin they are. But why would they give a fuck about an obscure cellphone?
Global dystopian-progressive NGOs backed by financial oligarchs? Well, they do hate freedom, so it stands to reason they would also hate Linux. The smarmy tone of the shill comments does match their supporters. Not sure why they'd care about a cellphone. But maybe their shills are on salary. They've already finished polluting the political articles, so they're just chilling out here. Shitting all over the place while trying to figure out how they can blame this on Trump colluding with the rooskies. I rate this possibility as plausible but lacking in evidence.
RMS? The shills both draw attention to the evil practice of commercial surveillance, as well as making anti-freedom proponents look like toxic fucktards. Subtle & brilliant. Alas, I don't think RMS has the funds to hire a troll army, so this one's not too plausible.
This is SlashDot. While that means that the most worthless crap can be posted, it also strangely means that intelligent people will read and comment about it. Of course it's a concern if your friends are jumping off of a cliff, not a reason to follow them. It's only an issue of no concern if the product isn't being marketed as needing to be as secure as possible. Threat surface is threat surface.
Oh, so this is a story about products sold by those under direct command of those who ordered the Tiananmen Square Massacre. Now I see why the story Really doesn't matter.
But is it very difficult for a competent computer programmer to inspect the open source software and add this feature? Oh, you say it's a mountain of fucking work that wouldn't matter because there are thousands of other equally unnecessary threat surfaces that are baked in, and no effort made to make product owners empowered enough to easily patch as many as they can and share those patches with the community of product owners resulting in a massively more useful, robust, and secure product. Now I understand why this story Really Really Doesn't Matter.
Moore didn't do his homework about where the post-Snowden state of cybersecurity is. Moore wasted his time. That's the moral of this story.
I don't care what OS is on the phone. It is both designed and manufactured in China by a Chinese company. The government has total control on what it does. They've obviously taken the opportunity to clandestinely track the location and usage data from everyone worldwide with a OnePlus phone. It is most certainly feeding into a government intelligence database for permanent storage.
This is no different than Kaspersky. As far back as 2000 a company I worked for considered Kaspersky and quickly rejected it due to the security implications of its connections with the Russian intelligence community.
China has a history of demanding assistance with data collection from those doing tech business in their country. You have to expect as a consumer of anything they make that has data collection potential, they've made their demands and the demands were granted. Otherwise, the company would not be in business.
I wrote some free software yesterday, as part of my paid job. Because it's easier, faster, and cheaper for us to use Free Software than to roll our own. And when we need to fix/improve something, we contribute it back. Not only because it's the morally right thing to do. But also because maintaining unsupported private forks is a security nightmare.
Oh, that's right, Android is Linux, and Linux can do no wrong. If this was was Windows or Mac OS, the outrage here would be massive.
Not only is privacy dead, but the demand for privacy is as well.
Social media addiction has created a world full of narcissists who will gladly share every detail of their lives, and not care at all about inherent risk or impact.
This has fuck-all to do with the OS.
Open Source can be a security nightmare too. The simple fact is it is much easier to find and fix but also to exploit bugs when you have the source code. You simply cannot argue that it's better because it's easier to find and fix bugs while ignoring the fact that it is equally easy to find and exploit them. Yes in a perfect world where all hackers are white hat hackers, everybody is vetting everybody else's code and there's nobody malicious then open source would unquestionably be the right choice but the problem is that the evangelists like to pretend they live in this ideal world and get all upset when people point out reality.
You can argue there's no security through obscurity and again in the idealized world where you say nothing is safe because some malicious state-sponsored actor with infinite resources can hack it that might be true but again we don't live in that idealized world, reality is simply not like that.
All this isn't to say Open Source is bad or to say that Open Source is worse the Closed Source but just to point out that Open Source is not all secure fairies farting rainbows like many Open Source evangelists pretend it to be.
The SoC has a Wifi MAC and maybe a PHY. However as the OP pointed out 'Generally, the wifi chips donâ(TM)t even have network stacks on them. They operate at layer 1/2, and just forward packets back and forth to the hostâ(TM)s network stack'. Spying needs to sit on top of the network stack.
So on an Android device you've got a Linux kernel with TCP/IP sending packets to a network device in the SoC. The spyware is probably running up in user mode where the GPL doesn't apply anymore. Google went to great lengths to avoid user mode code having to be written in Java byte code - they have their own VM - presumably to avoid paying royalties to Sun or Oracle or whoever owns Java.
https://en.wikipedia.org/wiki/...
And they alway went to great lengths to avoid user code being subject to the GPL - they use their own C library not GLIBC.
https://en.wikipedia.org/wiki/...
That means when OEMs write user mode code in C or Java they can keep it closed source and not pay for a Java licence from Sun/Oracle.
It would be tricky to implement spyware in an NIC driver because it runs at the MAC level. And since the Linux kernel is GPL you'd theoretically have to release the source code to said spyware which would lead to you being ridiculed. Doing it in user mode on top of the Linux TCP/IP stack is trivial and you can keep the code closed source.
tl;dr - don't worry about the SoC drivers, worry about all the crap the OEMs add to closed source user mode code.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
Stories like this and fscking Samsung ruining Galaxies by removing removable batteries, switching from Qualcomm to Exynos etc makes me wonder if there's a gap in the market for a new phone. It would be like this
1) Qualcomm reference design
2) Removable battery
3) SD card slot
4) Enough onboard flash and SDRAM that people won't complain
5) Headphone jack
6) IP67 or better
Incidentally all this was possible when Samsung build the Galaxy S5. And in fact the Galaxy's 1080p display is fine for most people. Though I suspect you'd go for IPS rather than OLED because more people sell decent IPS displays than sell decent OLED ones.
For software you'd aim for stock Android. Or this
http://www.androidauthority.co...
The idea is that rather than selling a mix of hardware and software like Apple, Samsung and OnePlus you're building hardware to run industry standard software, a bit like PC OEMs do.
Which means no spyware. And no bloated crap like TouchWiz. You'd have to make sure you made money on the hardware alone.
Actually there are lot of Chinese and Taiwanese OEMs selling devices like this cheaply. The problem is that they haven't made the leap from selling mix of hardware and software to being purely hardware OEMs and depending on open source software. Well that and most of them are terrible at software.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
minds exploding as all the people bashing windows 10 for sending loads of anonymous telemetry try to wrap their heads around an open source project getting away with something even worse...
If I make the battery non-removable, I can keep the radio on without you knowing it, so I can send packets of who-knows-what whenever I like.
If I lock it down, you won't be able to detect it, or shut it off.
Don't be distracted by the bloatware and ad notifications -- those are the result of corporate flacks that can't help themselves. Your privacy is really being eroded in the background.
Think about another phone you might have, with a non-removable battery, and a very walled garden.
--#
Have they never heard the saying "if everyone else jumps off a bridge are you going to do it too?"
I always wonder that when this type of reasoning is used. At one point a lot of people were smoking cigarettes, but that didn't make the health risk any lower. Plenty litter or make a lot of waste, that doesn't help us in the effort to sustain ourselves. The number of people doing something has no bearing on whether that is beneficial or not.
Twinstiq, game news
Yeah, because that's something that I'm going to expect my mother to do. And fandroids can't figure out why millions of people line up to buy iPhones.
Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
Can you? It's specifically talking about that OS and the phone hardware. Is the phone hardware rootable so that installing another OS image can be done? Is it a burdensome task to do, which a non-IT person could easily do?
"Just install another OS" is a great dismissal of a problem if it's actually something most normal people can figure out without bricking their phone or getting frustrated at having to type in multiple long commands. Most anyone around here already knows that you can root and install another OS, but most phone buyers would look at you like you asked them to crack the atom if you started talking about rooting.
That's why these problems are so insidious - not because it can't be solved, but because the technical barrier to solving it is high for a layman. It's about the same as if someone was complaining about a clunking sound coming from a wheel well when they go over small bumps in their car and I tell them "Oh, you just need to replace the worn sway bar end link." It's probably two bolts, but most people wouldn't have a fucking clue how to do that, or have the necessary tools. For anyone with a bit of mechanical experience and an impact gun, it's child's play.
Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
Everyone's already jumped in, but I'll also add that collecting telemetry data can sometimes slow things down to a crawl. I'm personally more worried about unnecessary use of computing resources than collecting metadata - it directly impacts my bottom line in buying more powerful hardware to compensate.
Not only is privacy dead, but the demand for privacy is as well.
Social media addiction has created a world full of narcissists who will gladly share every detail of their lives, and not care at all about inherent risk or impact.
This has fuck-all to do with the OS.
It's a goal of the 1984 blueprint.
The cesspool just got a check and balance.
Citation needed for the claim that security through obscurity works.
No citation needed, just common sense. It works, but only relatively better and not absolutely. If you can literally look at the code and find the bugs, it's easier to find an exploit bugs - without the code, you have to guess and check at where bugs might be.
We already know that it's because of environmental lock-in and Keeping Up With the Jones'. People seem to forget that iOS still has plenty of security issues and that Apple collects nearly as much data as Google does.
Not only is privacy dead, but the demand for privacy is as well.
Social media addiction has created a world full of narcissists who will gladly share every detail of their lives, and not care at all about inherent risk or impact.
This has fuck-all to do with the OS.
Some people don't care, but a lot of people do. And while the internet is an inherently non-private place, even the over-sharers are not expecting their credit card information to be exposed for the world to see. Or that bulk pack of dildos they ordered.
Regardless, these over-sharers were not created by social media, it merely gave them a fine outlet, and hey, who wouldn't be interested in your relative's new clit ring or ostomy bag? I have one relative on FB who approaches that level of oversharing. But I digress, and am creeping myself out here.
If privacy is utmost, we shouldn't be on the internet period. There is certainly a difference between knowing your data is shared, and finding out it isn't anonymized. Anonymization doesn't completely work either, but at least they have to work at it.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Can you? It's specifically talking about that OS and the phone hardware. Is the phone hardware rootable so that installing another OS image can be done?
Not that this takes away from the seriousness of the tracking issue, but on this one specific point not only can you root OnePlus phones, OnePlus provide information on how to do so.
Just turn on developer options, run ADB... adb start-server adb shell pm uninstall -k --user 0 net.oneplus.odm
I have never found a security bug in someone else's code by looking at code--everyone else is a better programmer than I.
A great many security researchers find their bugs by fuzzing. EternalBlue amazes some folks in the exploit development sphere but, even as a non-exploit-developer, it's pretty simple to me: the researchers looked at a thing they could make happen and, given other things that they could make happen, worked out what information they could derive from each part. Then they had tools which they could assemble into a complete machine. It wasn't built by digging a straight line from A to B; it was built by saying, "I can do X, but can't get further because I'm missing Y and Z; but here is a thing that reveals Y and Z, and with X ..."
I've written exploits. I had software I knew was vulnerable, cashed it, looked at it in a debugger, found where my unique string went (stack!), and then replaced that with a jump onto that part of the stack. Injected Metasploit-generated shell code and it worked. When your bug is strcpy(a[100], strUserInput), it's easy to look at source code; when it's a whole hell of a lot of complex operations which in some but not all cases allocate a[shortLength] and copy bigUserInput, the bug is non-obvious. Actually causing a crash and hunting it down is easier even than crashing it, looking at the source code, and working out why it crashes: if I'm reliably getting stuff on the stack, I can reliably inject a stack buffer overflow without understanding the complex logic that lets it happen.
This is why we have randomized XOR canaries, address space randomization, and non-executable data policies.
Support my political activism on Patreon.
From TFS:
Moore discovered that OxygenOS was sending regular telemetry to OnePlus' servers. This is no issue of concern, as almost all applications these days collect telemetry data for market analytics and to identify and debug application flaws.
I beg to differ. Collecting telemetry without notifying users or allowing a way to disable it is a matter of large concern to a lot of people.
That it's quite common means absolutely nothing.
Windows 10 telemetry... anonymized... oh, the horrors!
Android (Linux) telemetry... not anonymized... it's okay, we'll look the other way
Not even close. I object to telemetry you can't disable equally on all platforms. Android or Linux doesn't get a pass on this.
Good job completely missing the point.
Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
I just sent a complaint towards OnePlus, will not be recommending it anymore for anyone, and the OnePlus 3 will be my last OnePlus device.
It's not like I didn't think this could happen, I was hoping that it wouldn't because quite frankly, any business these days should be monitored for stuff like that.
But now, my relationship with this company is done. Very sad because the OnePlus 3 is a great device overall for the price. Up until now I was recommending it for people looking for high end capabilities with a fair price. Now, it's over. I will be recommending against it, just like I recommend against puchasing anything from Lenovo.
Even sadder is that privacy conscious people are getting curbed into a corner with fewer and fewer options to chose from.