Slashdot Mirror


OxygenOS Telemetry Lets OnePlus Tie Phones To Individual Users (bleepingcomputer.com)

An anonymous reader quotes a report from Bleeping Computer: OxygenOS, a custom version of the Android operating system that comes installed on all OnePlus smartphones, is tracking users actions without anonymizing data, allowing OnePlus to connect each phone to its customer. A security researcher going by the pseudonym of Tux discovered the abusive tracking in July 2016, but his tweet went largely unnoticed in the daily sea of security tweets sent out each day. The data collection issue was brought up to everyone's attention again, today, after British security researcher Christopher Moore published the results of a recent study on his site.

Just like Tux, Moore discovered that OxygenOS was sending regular telemetry to OnePlus' servers. This is no issue of concern, as almost all applications these days collect telemetry data for market analytics and to identify and debug application flaws. The problem is that OnePlus is not anonymizing this information. The Shenzhen-based Chinese smartphone company is collecting a long list of details, such as: IMEI code, IMSI code, ESSID and BSSID wireless network identifiers, and more. The data collection process cannot be disabled from anywhere in the phone's settings. When Moore contacted OnePlus support, the company did not provide a suitable answer for his queries.

14 of 164 comments

  1. Root Phone by rtb61 · · Score: 3, Interesting

    It seems that regulations are required to ensure end users can readily gain root control of their phones to enable a full range of settings to be altered to ensure their digital right to privacy and control of their property. All phone manufacturers should be required to provide software to enable any customer to gain root control of their phone, else that phone can not be connected to networks in the country.

    --
    Chaos - everything, everywhere, everywhen
  2. But it is open source by Anonymous Coward · · Score: 2, Funny

    It has to be more secure than iOS since it is based on open source Android OS.

  3. A shame by Lisandro · · Score: 2

    OnePlus manufacture some damn nice phones, and OxygenOS was stock Android with just the right amount of custom tweaks. I'm now happy I didn't pick up a OP5.

  4. Everyone else does it by WaffleMonster · · Score: 5, Insightful

    This is no issue of concern, as almost all applications these days collect telemetry data for market analytics and to identify and debug application flaws

    The reason this is not a concern is because everyone else does it. Absolutely priceless reasoning.

    If I had a penny for every instance of this nonsense uttered in my lifetime I would be a trillionaire.

  5. Flash Phone. Lineage OS. by Zombie+Ryushu · · Score: 4, Insightful

    Flash the phone with Lineage OS. That's what I do with my phones.

    1. Re:Flash Phone. Lineage OS. by Anonymous Coward · · Score: 2, Informative
  6. i'm concerned by Anonymous Coward · · Score: 3, Insightful

    > This is no issue of concern, as almost all applications these days collect telemetry data for market analytics and to identify and debug application flaws.

    Umm... yes it is?

  7. Guess I'm not going to buy a one plus phone by chromaexcursion · · Score: 2

    15 years ago, I worked for a well known company, and wrote an innovative set of privacy algorithms.
    Didn't happen, long story; but sadly typical. This is, to my mind, stupid. But the current generation doesn't seem to mind.
    Need hearts and minds to effect change.

  8. who pays the shills? by Reverend+Green · · Score: 3, Interesting

    Only 30 comments so far, and over half of them are from painfully obvious anti-Linux shills. Which leaves me wondering - who exactly bankrolls this particular battalion of the 50 Cent Army?

    Microsoft? No, can't be. I think they've given up on phones.

    Apple? Now this one is fairly believable. Deep pockets, Silicon Valley ethics (read: no ethics at all), and mindless brainwashed cult followers... okay, sounds plausible. But it's so crass & crude & obvious. Doesn't really feel like an Apple-backed operation.

    Russian/Chinese/Nork/USSA state-affiliated organizations? Well sure, they infest Slashdot like the regular vermin they are. But why would they give a fuck about an obscure cellphone?

    Global dystopian-progressive NGOs backed by financial oligarchs? Well, they do hate freedom, so it stands to reason they would also hate Linux. The smarmy tone of the shill comments does match their supporters. Not sure why they'd care about a cellphone. But maybe their shills are on salary. They've already finished polluting the political articles, so they're just chilling out here. Shitting all over the place while trying to figure out how they can blame this on Trump colluding with the rooskies. I rate this possibility as plausible but lacking in evidence.

    RMS? The shills both draw attention to the evil practice of commercial surveillance, as well as making anti-freedom proponents look like toxic fucktards. Subtle & brilliant. Alas, I don't think RMS has the funds to hire a troll army, so this one's not too plausible.

    1. Re: who pays the shills? by Anonymous Coward · · Score: 2, Insightful

      Criticism of Linux? Oh, no, must be shills! Mod to -1 troll!

      Criticism of Microsoft and Apple? Yay, +5 insightful!

      Got it.

    2. Re:who pays the shills? by rat_herder · · Score: 2

      Thanks for that moronic, delusional diatribe. OnePlus is the entity abusing Linux. Undermining the privacy of their users is the issue at hand, not some poorly reasoned conspiracy of corporate shills. I feel stupider having read that. This guy Chris Moore appears to have done some transparent, reproducible, legitimate and quite shocking analysis on sensitive data being sent from his home to this corporation. Yet somehow from this you find a way to make this Apple's fault. The only company that has actually shown they are interested in protecting the privacy of its users. Grade A+ stupidity.

  9. Re:The elephant in the room .... by Hal_Porter · · Score: 3, Informative

    The SoC has a Wifi MAC and maybe a PHY. However as the OP pointed out 'Generally, the wifi chips don't even have network stacks on them. They operate at layer 1/2, and just forward packets back and forth to the host's network stack'. Spying needs to sit on top of the network stack.

    So on an Android device you've got a Linux kernel with TCP/IP sending packets to a network device in the SoC. The spyware is probably running up in user mode where the GPL doesn't apply anymore. Google went to great lengths to avoid user mode code having to be written in Java byte code - they have their own VM - presumably to avoid paying royalties to Sun or Oracle or whoever owns Java.

    https://en.wikipedia.org/wiki/...

    And they always went to great lengths to avoid user code being subject to the GPL - they use their own C library not GLIBC.

    https://en.wikipedia.org/wiki/...

    That means when OEMs write user mode code in C or Java they can keep it closed source and not pay for a Java licence from Sun/Oracle.

    It would be tricky to implement spyware in an NIC driver because it runs at the MAC level. And since the Linux kernel is GPL you'd theoretically have to release the source code to said spyware which would lead to you being ridiculed. Doing it in user mode on top of the Linux TCP/IP stack is trivial and you can keep the code closed source.

    tl;dr - don't worry about the SoC drivers, worry about all the crap the OEMs add to closed source user mode code.

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  10. Re:Where's the outrage? by Ol+Olsoc · · Score: 2, Insightful

    Not only is privacy dead, but the demand for privacy is as well.

    Social media addiction has created a world full of narcissists who will gladly share every detail of their lives, and not care at all about inherent risk or impact.

    This has fuck-all to do with the OS.

    Some people don't care, but a lot of people do. And while the internet is an inherently non-private place, even the over-sharers are not expecting their credit card information to be exposed for the world to see. Or that bulk pack of dildos they ordered.

    Regardless, these over-sharers were not created by social media, it merely gave them a fine outlet, and hey, who wouldn't be interested in your relative's new clit ring or ostomy bag? I have one relative on FB who approaches that level of oversharing. But I digress, and am creeping myself out here.

    If privacy is utmost, we shouldn't be on the internet period. There is certainly a difference between knowing your data is shared, and finding out it isn't anonymized. Anonymization doesn't completely work either, but at least they have to work at it.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  11. As the article shows by p51d007 · · Score: 3, Informative

    Just turn on developer options, run ADB...

        adb start-server
        adb shell pm uninstall -k --user 0 net.oneplus.odm