[HN Gopher] Android 14 introduces first-of-its-kind cellular con...
___________________________________________________________________

Android 14 introduces first-of-its-kind cellular connectivity security features

Author : akyuu
Score : 102 points
Date : 2023-08-08 21:07 UTC (1 hours ago)

(HTM) web link (security.googleblog.com)
(TXT) w3m dump (security.googleblog.com)

| b8 wrote:
| ATT already killed 3G devices, and there's Android apps that claim to detect stingray/fake towers. However, this is still a good move on Google's end.
| debatem1 wrote:
| There's been a setting for users to disable 2G for forever, so the new parts of this are null ciphers and enterprise control.
|
| Getting rid of null ciphers is good though. It would be nice to also refuse weak, export, etc ciphers.
| Narkov wrote:
| > There's been a setting for users to disable 2G for forever,
|
| I don't think this setting does what you think it does. The description under this option has a big caveat: "For emergency calls, 2G is always allowed". So even when disabled, the phone can still use 2G networks.
|
| It sounds like this new option is to actually disable _all_ 2G functionality.
| trehalose wrote:
| If a phone is already compromised to the point it can make emergency calls without the user intending it to, how helpful is it for the user to have disabled 2G?
| jchw wrote:
| > We look forward to discussing the future of telco network security with our ecosystem and industry partners and standardization bodies. We will also continue to partner with academic institutions to solve complex problems in network security. We see tremendous opportunities to curb FBS threats, and we are excited to work with the broader industry to solve them.
|
| I'll be honest.
| The stuff in this article is good, if a little underwhelming, but I feel a large amount of distrust for Google nowadays, to the point where what would've felt like unnecessary pessimism now feels only rational to me.
|
| Ever since Google dropped WEI into our lives, I feel like they should not be allowed to be a part of _any_ security efforts in any standards body or ecosystem. How long until carriers try to limit devices that don't support Google Play or Apple remote attestation of some kind?
|
| I don't know what to think or do anymore.
| magicalist wrote:
| > _Ever since Google dropped WEI into our lives, I feel like they should not be allowed to be a part of any security efforts in any standards body or ecosystem. How long until carriers try to limit devices that don't support Google Play or Apple remote attestation of some kind?_
|
| Wait, so no Google or Apple employees involved in any standards body security efforts. What about TPM? Better ban employees from Intel, AMD, Qualcomm, Microsoft...who's left?
|
| I mean, that's a take, but it seems like really the take away is that we should be skeptical of company motivations and security issues in standards bodies should be dealt with transparently, which all seems like a good take?
| notatoad wrote:
| The WEI discourse is just getting comical. it may be bad for the open internet, or for the browser ecosystem. but it's not a security flaw.
|
| to say you don't trust google to be part of any security efforts because they tried to put security in a place you don't want it is silly. you're arguing the slippery slope fallacy here, there's no reason to think that carriers would even _want_ any sort of device attestation, or be legally allowed to do that under the terms of their spectrum licenses.
| LightHugger wrote:
| Of course it's a security flaw, but it's a security flaw for the end user, not google.
| It's google's security, like them putting their own lock on your door that they can remotely activate on a whim. This is what most humans would call a security flaw, but it's a non traditional one for sure.
| summerlight wrote:
| > Ever since Google dropped WEI into our lives, I feel like they should not be allowed to be a part of any security efforts in any standards body or ecosystem.
|
| Excluding Apple and Google, the remaining bodies are MS, Amazon and Facebook whose presence is close to non-existent in the mobile OS market. Good luck with them?
| Kiro wrote:
| Out of all the bad things Google has done, WEI was what made you feel that? I don't even think WEI is unanimously bad.
| surajrmal wrote:
| It feels like folks reacting to WEI are just riding a wave of publicity and outlash. There are many reasons that WEI sounds like a good idea, but a reasonable debate can't even occur in the current climate. I would like the ability to improve websites' trust in me, and use services that are free of bots, but apparently giving me the ability to do that might somehow endanger folks' rights to not do that so I am not going to be allowed to? What's next, people will be outraged that I show my state issued id before entering age restricted stores?
| esafak wrote:
| Google is a large company. One part can do good while another part does bad. It's not as if anybody thinks Pichai is directing it all with any success :)
| coldtea wrote:
| Google is a profit-seeking machine who has long shed any "startup" stage principles ("don't be evil" and such) as luxuries.
|
| Even the parts that do good feed the parts that do bad.
| szundi wrote:
| Agreed
| surajrmal wrote:
| Companies have many incentives and they play out in different ways. It's possible to have that result in some things that you think are good and some which you don't.
| At a certain size, there is no longer a unified set of values holding everything together and inevitably, some values will clash with yours. Lumping everything into one pile is dramatic.
| supertrope wrote:
| It's the right trade off for most people as the only USA 2G nationwide network is T-Mobile's. They are going to turn it off on April 2 2024 (1).
|
| There's some regional carriers in rural areas that offer the only coverage available. Like Commnet Wireless (2). These are few and far between and usually they have deployed 3G to their whole footprint. The Big Three are building out native coverage to overlap with them. But by Murphy's Law someone with an Android 14 phone is going to discover that they can't call anything but 911. Ideally there would be a button prompt enabled in No Service situations to re-enable 2G. FCC rules mandate that cellphones must support fallback to null cipher if that's what's needed to connect an emergency call.
|
| (1) https://www.t-mobile.com/support/coverage/t-mobile-network-e...
|
| (2) https://www.cellularmaps.com/regional-carriers/commnet-wirel...
| xxpor wrote:
| Given you can get a relatively fast 4G connection in Deadhorse, AK (https://www.google.com/maps/place/Deadhorse,+Prudhoe+Bay,+AK...), it's pretty crazy that there's still places with 2G only connectivity anywhere in the US.
| rhuru wrote:
| I have been to Deadhorse AK, it is a pretty cool oil rig town probably producing billions of dollars' worth of oil each year, more than many US towns. So please don't compare it with rural areas.
|
| Deadhorse also has a fully functioning commercial airport with Alaska Air flights that are "free" for the workers there.
| evil-olive wrote:
| Deadhorse is remote geographically, but it's the hub of oil operations for the entire North Slope, so there's demand for corporate connectivity and not just personal cell phones. there's been a fiber line out to it since 2017 [0].
|
| the remote areas with less connectivity are probably places without deep-pocketed corporate customers that would justify the expense of running fiber. I suspect large swaths of the Alaskan interior fall under that description.
|
| 0: https://alaskapublic.org/2017/12/05/new-fiber-optic-cable-sy...
| PaulDavisThe1st wrote:
| It used to be that microwave links were the alternative for such places. Not sure what's up with that these days.
| hobs wrote:
| Plenty of places I still get no service at all in northern Minnesota.
| bombcar wrote:
| Wi-Fi calling has been a godsend in the rural Midwest, as you can at least make calls at home.
| rabbits_2002 wrote:
| Mountains block cell signal, cell service is available but is very spotty in mountainous areas. Deadhorse, Alaska is in a flat field.
| arcticbull wrote:
| True, but some of the LTE bands are the lowest licensed carrier frequency cellular service - they should be the most reliable. Like b71 (600MHz) and b12/13/14/17/28/29/67/85/103 (700MHz) blocks. [1] There's really no reason for 2G only connectivity anywhere in the US other than underinvestment in rural communities, no?
|
| [1] https://en.wikipedia.org/wiki/LTE_frequency_bands
| rabbits_2002 wrote:
| Absolutely, but there probably only needs to be a single cell tower in Deadhorse, where a rural mountainous region would need several to serve a smaller area if the signal is getting blocked, which would be more expensive.
| nimbius wrote:
| I think the biggest reveal I see in the article is that the lynchpin of stingray is basically an overpriced downgrade attack. Disabling 2g is arguably a potent way for ma bell to keep security companies like stingray from eating their already opulent lunch.
| We also dropped 2g because stingray's parlour trick also immediately outed itself as a national security threat
| secondcoming wrote:
| > In other words, the network decides whether traffic is encrypted and the user has no visibility into whether it is being encrypted.
|
| I'm pretty sure that it was intended that the OS UI would show you when your connection is unencrypted, but none of them do because that was undesired by state actors.
|
| Also, even if encryption is enabled it's only for the radio part of the data transmission, not handset -> handset. Otherwise you would not be able to make calls to landlines, so isn't it already trivial for Network Operators to decrypt your raw data? It would help for scenarios like an embassy mounting a fake base station to grab data about protestors outside it, I suppose.
|
| Also, how can they tell if the encryption key is weakened by setting lots of bits to zero, like was done in the original version of GSM?
| Scene_Cast2 wrote:
| I hope that they didn't make it any more difficult for me to MITM my own phone traffic. The latest Android releases have a couple of painfully annoying methods. The one I did (simplest, IMHO) requires rooting, installing a (somewhat obscure) Magisk module, and several more steps after. Not a fun experience, and I signed up for Android and not iOS because I want to be able to do stuff like that.
| smallnix wrote:
| Is this about more than letting my company disable 2G on my phone?
| [deleted]
| stonogo wrote:
| They dropped null ciphers as well, but that only got a brief mention in comparison.
| excusemyfrench wrote:
| Not true, disabling 2G is already present in iOS in Lockdown Mode.
| olyjohn wrote:
| Why shouldn't you be able to disable 2G in normal mode?
| mjg59 wrote:
| Disabling 2G has been supported in Android since 12 - this is talking about the additional features on top of that.
| smarx007 wrote:
| How? iOS 17 is not released yet.
| clysm wrote:
| Lockdown mode is iOS 16.
| smarx007 wrote:
| I think the Lockdown Mode will disable 2G only starting with iOS 17.
|
| The press release [1] doesn't mention 2G directly but only "safer wireless connectivity defaults" but FastCo [2] is more direct "with iOS 17, Apple is not only beefing up Lockdown Mode (by blocking the iPhone from connecting to 2G cellular networks and from auto-joining insecure wireless networks) but bringing Lockdown Mode to the Apple Watch".
|
| [1]: https://www.apple.com/newsroom/2023/06/apple-announces-power...
| [2]: https://www.fastcompany.com/90904197/apple-ios-17-craig-fede...
| bbarnett wrote:
| Look forward to samsung disabling this, just like they do for other android cellular settings.

___________________________________________________________________
(page generated 2023-08-08 23:00 UTC)