[HN Gopher] Android 14 introduces first-of-its-kind cellular con...
___________________________________________________________________
Android 14 introduces first-of-its-kind cellular connectivity
security features
Author : akyuu
Score : 102 points
Date : 2023-08-08 21:07 UTC (1 hours ago)
(HTM) web link (security.googleblog.com)
(TXT) w3m dump (security.googleblog.com)
| b8 wrote:
| ATT already killed 3G devices, and there's Android apps that
| claim to detect stingray/fake towers. However, this is still a
| good move on Google's end.
| debatem1 wrote:
| There's been a setting for users to disable 2G for forever, so
| the new parts of this are null ciphers and enterprise control.
|
| Getting rid of null ciphers is good though. It would be nice to
| also refuse weak, export, etc ciphers.
| Narkov wrote:
| > There's been a setting for users to disable 2G for forever,
|
| I don't think this setting does what you think it does. The
| description under this option has a big caveat: "For emergency
| calls, 2G is always allowed". So even when disabled, the phone
| can still use 2G networks.
|
| It sounds like this new option is to actually disable _all_ 2G
| functionality.
| trehalose wrote:
| If a phone is already compromised to the point it can make
| emergency calls without the user intending it to, how helpful
| is it for the user to have disabled 2G?
| jchw wrote:
| > We look forward to discussing the future of telco network
| security with our ecosystem and industry partners and
| standardization bodies. We will also continue to partner with
| academic institutions to solve complex problems in network
| security. We see tremendous opportunities to curb FBS threats,
| and we are excited to work with the broader industry to solve
| them.
|
| I'll be honest. The stuff in this article is good, if a little
| underwhelming, but I feel a large amount of distrust for Google
| nowadays, to the point where what would've felt like unnecessary
| pessimism now feels only rational to me.
|
| Ever since Google dropped WEI into our lives, I feel like they
| should not be allowed to be a part of _any_ security efforts in
| any standards body or ecosystem. How long until carriers try to
| limit devices that don 't support Google Play or Apple remote
| attestation of some kind?
|
| I don't know what to think or do anymore.
| magicalist wrote:
| > _Ever since Google dropped WEI into our lives, I feel like
| they should not be allowed to be a part of any security efforts
| in any standards body or ecosystem. How long until carriers try
| to limit devices that don 't support Google Play or Apple
| remote attestation of some kind?_
|
| Wait, so no Google or Apple employees involved in any standards
| body security efforts. What about TPM? Better ban employees
| from Intel, AMD, Qualcomm, Microsoft...who's left?
|
| I mean, that's a take, but it seems like really the take away
| is that we should be skeptical of company motivations and
| security issues in standards bodies should be dealt with
| transparently, which all seems like a good take?
| notatoad wrote:
| The WEI discourse is just getting comical. it may be bad for
| the open internet, or for the browser ecosystem. but it's not a
| security flaw.
|
| to say you don't trust google to be part of any security
| efforts because they tried to put security in a place you don't
| want it is silly. you're arguing the slippery slope fallacy
| here, there's no reason to think that carriers would even
| _want_ any sort of device attestation, or be legally allowed to
| do that under the terms of their spectrum licenses.
| LightHugger wrote:
| Of course it's a security flaw, but it's a security flaw for
| the end user, not google. It's google's security, like them
| putting their own lock on your door that they can a remotely
| activate on a whim. This is what most humans would call a
| security flaw, but it's a non traditional one for sure.
| summerlight wrote:
| > Ever since Google dropped WEI into our lives, I feel like
| they should not be allowed to be a part of any security efforts
| in any standards body or ecosystem.
|
| Excluding Apple and Google, the remaining bodies are MS, Amazon
| and Facebook which presence is close to non-existent in the
| mobile OS market. Good luck with them?
| Kiro wrote:
| Out of all the bad things Google has done, WEI was what made
| you feel that? I don't even think WEI is unanimously bad.
| surajrmal wrote:
| It feels like folks reacting to WEI are just riding a wave of
| publicity and outlash. There are many reasons that WEI sounds
| like a good idea, but a reasonable debate can't even occur in
| the current climate. I would like the ability to improve
| websites' trust in me, and use services that are free of
| bots, but apparently giving me the ability to do that might
| somehow endanger folks rights to not do that so I am not
| going to be allowed to? What's next, people will be outraged
| that I show my state issued id before entering age restricted
| stores?
| esafak wrote:
| Google is a large company. One part can do good while another
| part does bad. It's not as if anybody thinks Pichai is
| directing it all with any success :)
| coldtea wrote:
| Google is a profit-seeking machine who has long shed any
| "startup" stage principles ("don't be evil" and such) as
| luxuries.
|
| Even the parts that do good feed the parts that do bad.
| szundi wrote:
| Agreed
| surajrmal wrote:
| Companies have many incentives and they play out in
| different ways. It's possible to have that result in some
| things that you think are good and some which you don't. At
| a certain size, there is no longer a unified set of values
| holding everything together and inevitably, some values
| will clash with yours. Lumping everything into one pile is
| dramatic.
| supertrope wrote:
| It's the right trade off for most people as the only USA 2G
| nationwide network is T-Mobile's. They are going to turn it off
| in April 2 2024 (1).
|
| There's some regional carriers in rural areas that offer the only
| coverage available. Like Commnet Wireless (2). These are few and
| far between and usually they have deployed 3G to their whole
| footprint. The Big Three are building out native coverage to
| overlap with them. But by Murphy's Law someone with an Android 14
| phone is going to discover that they can't call anything but 911.
| Ideally there would be a button prompt enabled in No Service
| situations to re-enable 2G. FCC rules mandate that cellphones
| must support fallback to null cipher if that's what's needed to
| connect an emergency call.
|
| (1) https://www.t-mobile.com/support/coverage/t-mobile-
| network-e...
|
| (2) https://www.cellularmaps.com/regional-carriers/commnet-
| wirel...
| xxpor wrote:
| Given you can get a relatively fast 4G connection in Deadhorse,
| AK (https://www.google.com/maps/place/Deadhorse,+Prudhoe+Bay,+A
| K...), it's pretty crazy that there's still places with 2G only
| connectivity anywhere in the US.
| rhuru wrote:
| I have been to Deadhorse AK, it is a pretty cool oil rig town
| probably producing billions dollars worth of oil each year,
| more than many US towns. So Please dont compare it with rural
| areas.
|
| Deadhorse also has a fully functioning commercial airport
| with Alaska Air flights that are "free" for the workers
| there.
| evil-olive wrote:
| Deadhorse is remote geographically, but it's the hub of oil
| operations for the entire North Slope, so there's demand for
| corporate connectivity and not just personal cell phones.
| there's been a fiber line out to it since 2017 [0].
|
| the remote areas with less connectivity are probably places
| without deep-pocketed corporate customers that would justify
| the expense of running fiber. I suspect large swaths of the
| Alaskan interior fall under that description.
|
| 0: https://alaskapublic.org/2017/12/05/new-fiber-optic-cable-
| sy...
| PaulDavisThe1st wrote:
| It used to be that microwave links were the alternative for
| such places. Not sure what's up with that these days.
| hobs wrote:
| Plenty of places I still get no service at all in northern
| Minnesota.
| bombcar wrote:
| Wi-Fi calling has been a godsend in the rural Midwest, as
| you can at least make calls at home.
| rabbits_2002 wrote:
| Mountains block cell signal, cell service is available but is
| very spotty in mountainous areas. Deadhorse, Alaska is in a
| flat field.
| arcticbull wrote:
| True, but some of the LTE bands are the lowest licensed
| carrier frequency cellular service - they should be the
| most reliable. Like b71 (600MHz) and
| b12/13/14/17/28/29/67/85/103 (700MHz) blocks. [1] There's
| really no reason for 2G only connectivity anywhere in the
| US other than underinvestment in rural communities no?
|
| [1] https://en.wikipedia.org/wiki/LTE_frequency_bands
| rabbits_2002 wrote:
| Absolutely, but there probably only needs to be a single
| cell tower in Deadhorse, where a rural mountainous region
| would need several to serve a smaller area if the signal
| is getting blocked, which would be more expensive.
| nimbius wrote:
| I think the biggest reveal I see in the article is that the
| lynchpin of stingray is basically an overpriced downgrade attack.
| Disabling 2g is arguably a potent way for ma bell to keep
| security companies like stingray from eating their already
| opulent lunch. We also dropped 2g because stingrays parlour trick
| also immediately outed itself as a national security threat
| secondcoming wrote:
| > In other words, the network decides whether traffic is
| encrypted and the user has no visibility into whether it is being
| encrypted.
|
| I'm pretty sure that it was intended that the OS UI would show
| you when your connection is unencrypted, but none of them do
| because that was undesired by state actors.
|
| Also, even if encryption is enabled it's only for the radio part
| of the data transmission, not handset -> handset. Otherwise you
| would not be able to make calls to landlines, so isn't it already
| trivial for a Network Operators to decrypt your raw data? It
| would help for scenarios like an embassy mounting a fake base
| station to grab data about protestors outside it, I suppose.
|
| Also, how can they tell if the encryption key is weakened by
| setting lots of bits to zero, like was done in the original
| version of GSM?
| Scene_Cast2 wrote:
| I hope that they didn't make it any more difficult for me to MITM
| my own phone traffic. The latest Android releases have a couple
| of painfully annoying methods. The one I did (simplest, IMHO)
| requires rooting, installing a (somewhat obscure) Magisk module,
| and several more steps after. Not a fun experience, and I signed
| up for Android and not iOS because I want to be able to do stuff
| like that.
| smallnix wrote:
| Is this about more than letting my company disable 2G on my
| phone?
| [deleted]
| stonogo wrote:
| They dropped null ciphers as well, but that only got a brief
| mention in comparison.
| excusemyfrench wrote:
| Not true, disabling 2G is already present in iOS in Lockdown
| Mode.
| olyjohn wrote:
| Why shouldn't you be able to disable 2G in normal mode?
| mjg59 wrote:
| Disabling 2G has been supported in Android since 12 - this is
| talking about the additional features on top of that.
| smarx007 wrote:
| How? iOS 17 is not released yet.
| clysm wrote:
| Lockdown mode is iOS 16.
| smarx007 wrote:
| I think the Lockdown Mode will disable 2G only starting
| with iOS 17.
|
| The press release [1] doesn't mention 2G directly but only
| "safer wireless connectivity defaults" but FastCo [2] is
| more direct "with iOS 17, Apple is not only beefing up
| Lockdown Mode (by blocking the iPhone from connecting to 2G
| cellular networks and from auto-joining insecure wireless
| networks) but bringing Lockdown Mode to the Apple Watch".
|
| [1]: https://www.apple.com/newsroom/2023/06/apple-
| announces-power... [2]:
| https://www.fastcompany.com/90904197/apple-ios-17-craig-
| fede...
| bbarnett wrote:
| Look forward to samsung disabling this, just like they do for
| other android cellular settings.
___________________________________________________________________
(page generated 2023-08-08 23:00 UTC)