Topic: Privacy at risk using mobile phones. Not only Bitcoin-related. - page 2. (Read 664 times)

legendary
Activity: 2520
Merit: 3038
Truth is, OpSec and smartphone is something that doesn't normally go together. Unless you have one of the rare (non Android) Linux phones, installed and secured by yourself, instead of the usual android/ios...

The Android ecosystem is very vulnerable and exploits have been occurring nonstop. It's almost as dangerous as running Windows on a PC, thanks to its closed proprietary software ecosystem, and "shortcuts" taken in its OS design.

Would be interesting to see if Huawei's OS fares any better. At least they promised to provide the source code...

Huawei software is a joke. Horrible bloat without a use, and you can't delete any of it. This could appear to be unrelated, but it's a prime sign of sloppy thinking. Besides, they are not giving out bootloader unlock codes, because "the user experience could be worsened by customizations". Yes, that's their official response. So you're in their hands - no alternative option.

I'll believe a software vendor cares about security when they slim the software down to reasonable sizes. Going full open source would be another green mark.
legendary
Activity: 2030
Merit: 1573
CLEAN non GPL infringing code made in Rust lang
I read this horror story in an Italian newspaper, so I looked for an English version:

Simjacker attack exploited in the wild to track users for at least two years

Quote
Security researchers have disclosed today an SMS-based attack method being abused in the real world by a surveillance vendor to track and monitor individuals.

"We are quite confident that this exploit has been developed by a specific private company that works with governments to monitor individuals," security researchers from AdaptiveMobile Security said in a report released today.

"We believe this vulnerability has been exploited for at least the last 2 years by a highly sophisticated threat actor in multiple countries, primarily for the purposes of surveillance."

More info here:
https://simjacker.com/


This reminds me of what can happen with a SIM swap attack:

 My SIM swap attack: How I almost lost $71K, and how to prevent it


Quote
I’m a security-conscious IT professional working in blockchain for 3 years, and was stunned by the ease of the attack and how my normal security precautions failed. While the attack was frustrating and embarrassing, I believe strongly that we must learn from failure — and we must socialize to do better in the future. So I am sharing what happened, what I learned and what we can do better to prevent this kind of fraud.

You can try to apply some precautions, but it's always too little, too late.

How to Protect Yourself Against a SIM Swap Attack

Quote
Perfect security hygiene won’t always keep someone from fooling your carrier, and in fact, they may not even have to; Flashpoint has found some indications that SIM hijackers recruit retail workers at mobile shops to gain access to protected accounts. A comprehensive SIM swap fix would require fundamentally rethinking the role of phone numbers in 2018. “Phone numbers were never intended to be a way to confirm someone’s identity,” says Nixon. “Phone companies were never in the business to sell identity documents. It was imposed on them.”

The good news is, you can take steps to limit the chances that a SIM swap attack will happen to you—and limit the fallout if it does.

This should be a wake-up alarm: we all think we are tech-savvy, prudent and operate with good OpSec.
Reality is: the bar not to be hacked is higher than we (Fillippone) thought.

EDIT: Apparently the exploit has long been known, but telcos never cared to fix it, or, even worse, knew about governments' plan about our data:
How I hacked SIM cards with a single text - and the networks DON'T CARE

Truth is, OpSec and smartphone is something that doesn't normally go together. Unless you have one of the rare (non Android) Linux phones, installed and secured by yourself, instead of the usual android/ios...

The Android ecosystem is very vulnerable and exploits have been occurring nonstop. It's almost as dangerous as running Windows on a PC, thanks to its closed proprietary software ecosystem, and "shortcuts" taken in its OS design.

Would be interesting to see if Huawei's OS fares any better. At least they promised to provide the source code...
legendary
Activity: 2912
Merit: 1068
When smartphones appeared our privacy disappeared, that is a well known fact.
Unfortunately many people are still very reckless and keep all sorts of data and applications on their phones unprotected. Sometimes they even download all sorts of apps from unknown sources and thus endanger their private and financial data.
Cryptocurrencies are very attractive for people with bad intentions and almost every one of us also has a mobile wallet. Make sure to protect it the best you can.
jr. member
Activity: 194
Merit: 8
There is almost no privacy in our days. SIMs have a lot of vulnerabilities (s7, for example), Android is one big security hole.
You can be safe only if you don't use smartphones.
legendary
Activity: 3038
Merit: 2162
Don't keep coins on exchanges, don't keep coins on phones

Imagine how Bitcoin's already low adoption would be crippled if everyone stopped keeping their coins on exchanges (lower liquidity) and didn't use mobile wallets (less real-world payments). The better advice is to take as many precautions as possible, and only store amounts that you can afford to lose in those unsecure environments. The rest of the coins should be stored in cold storage. But storing all your coins in cold storage is not very practical, as it hinders your ability to quickly make payments.
legendary
Activity: 2282
Merit: 1041
When your phone number is known, the risk is there.

Don't keep coins on exchanges, don't keep coins on phones and make sure your 2fa isn't sms based. It's an easy way to not take part in these. That and don't give your phone number out to everyone, they have to know who to target as well.

Possibly run a second burner phone with just sms and Google auth and other 2fa, nothing else.

Also don't repost anything related to crypto and brag about how many coins you got in your wallet on your social media account. This is why I don't join the Facebook campaigns besides the fact that I have no idea who of my friends are also into crypto. Sharing information can make you a target of a crime.
member
Activity: 272
Merit: 10
This is why I don't engage in random downloading of apps, I try to always go through the developer's web link just to be very sure I am not installing a phishing app. And friends should be encouraged too to follow the developer's web link and check ratings and developers.
sr. member
Activity: 1666
Merit: 276
Being in a digitized atmosphere is an advancement, but at the same time it has got the highest level of risk. Even a small error could lead to a breach and loss of entire funds. We've got various levels of security features, but those were also developed by humans.

There will be people who can break these barriers. So, we need to be careful handling all the funds whether through mobile or personal computers. When using mobile phones it is good to find a trusted application and use it. Most of the issues happen through untrusted application installation.
legendary
Activity: 3234
Merit: 5637
I'm not at all surprised that someone did something like this, we can say that spying is one big business today. Not only security agencies are involved in this, but also the private sector, which then sells the information to interested parties. There is one big obsession with total control over people, and the technology that exists today is ideal for precisely this kind of surveillance.

However, I think that most users who use smartphones today share their location in some way on a completely voluntary basis via Google services, Viber and similar apps. I see the biggest problem is the fact that this kind of attack can do much more than just locate users, and in this regard something like this can be potentially dangerous for those who use crypto wallets on their mobile phones, or any type of 2FA protection.

The company that discovered this says that they are blocking attacks, and that they are working with mobile providers and manufacturers of SIM cards to prevent this in the future.
hero member
Activity: 2268
Merit: 588
You own the pen
For 2 years? He has some kind of mental illness, like he won't stop until he gets what he wants.
This is a serious matter and one of the creepiest stories I've ever heard.
Luckily poor people like us are not prone to this kind of attacker; even if he tracks people like us he gets nothing in return.
hero member
Activity: 924
Merit: 520
I understand that no one is safe in this digital world and we should always be security conscious and practice utmost safeguards and precautions that will help lessen the possibility of our security and privacy being compromised! Much better if we lessen our digital footprints by using these mobile devices less frequently.
member
Activity: 532
Merit: 41
There will always be talented (and even genius) people who can use a technology for a different purpose than what we normal people know it for. This case for the mobile phone can be an alarming one, all because billions of people can be at risk here if that same hacking technology can be employed to track people without the consent of the individuals involved. In a world where privacy is endangered, this news is making me uneasy, but it is good that this was brought to light right now so we can be aware and solutions can be found against it.
legendary
Activity: 2380
Merit: 17063
Fully fledged Merit Cycler - Golden Feather 22-23
I read this horror story in an Italian newspaper, so I looked for an English version:

Simjacker attack exploited in the wild to track users for at least two years

Quote
Security researchers have disclosed today an SMS-based attack method being abused in the real world by a surveillance vendor to track and monitor individuals.

"We are quite confident that this exploit has been developed by a specific private company that works with governments to monitor individuals," security researchers from AdaptiveMobile Security said in a report released today.

"We believe this vulnerability has been exploited for at least the last 2 years by a highly sophisticated threat actor in multiple countries, primarily for the purposes of surveillance."

More info here:
https://simjacker.com/


This reminds me of what can happen with a SIM swap attack:

 My SIM swap attack: How I almost lost $71K, and how to prevent it


Quote
I’m a security-conscious IT professional working in blockchain for 3 years, and was stunned by the ease of the attack and how my normal security precautions failed. While the attack was frustrating and embarrassing, I believe strongly that we must learn from failure — and we must socialize to do better in the future. So I am sharing what happened, what I learned and what we can do better to prevent this kind of fraud.

You can try to apply some precautions, but it's always too little, too late.

How to Protect Yourself Against a SIM Swap Attack

Quote
Perfect security hygiene won’t always keep someone from fooling your carrier, and in fact, they may not even have to; Flashpoint has found some indications that SIM hijackers recruit retail workers at mobile shops to gain access to protected accounts. A comprehensive SIM swap fix would require fundamentally rethinking the role of phone numbers in 2018. “Phone numbers were never intended to be a way to confirm someone’s identity,” says Nixon. “Phone companies were never in the business to sell identity documents. It was imposed on them.”

The good news is, you can take steps to limit the chances that a SIM swap attack will happen to you—and limit the fallout if it does.

This should be a wake-up alarm: we all think we are tech-savvy, prudent and operate with good OpSec.
Reality is: the bar not to be hacked is higher than we (Fillippone) thought.

EDIT: Apparently the exploit has long been known, but telcos never cared to fix it, or, even worse, knew about governments' plan about our data:
How I hacked SIM cards with a single text - and the networks DON'T CARE