Monday, 2 November 2020

What phones can you trust?

Long term reader Tony A asks, “What phones can you trust?” Now, Tony is responding to the potential of Chinese made handsets spying on their owners. In reality, it goes several levels deeper than that.

The answer to ‘What phones can you trust?’ boils down to many issues.

  • Manufacturer
  • Country of manufacture
  • Hardware
  • Software
  • Software update policies
  • Apps loaded
  • App permissions
  • And updates – whether it will remain something you can trust over the 36 months or so you will use it.

What phones can you trust

Because of libel laws and journalist ethics, we can’t come out and say brand X is bad and brand Y is good. Tony, perhaps over a bottle or two of good red, you may get a better indication. But we can equip you with some insight to help those tin-hats out there to maintain a greater sense of security.

What mainstream Google Android brands do we have in Australia?

  • Alcatel (owned by TCL China)
  • Google Pixel (US-owned – handsets made in Vietnam and China)
  • LG (handsets made in South Korea and Vietnam)
  • Motorola (US company now owned by Lenovo – China)
  • Nokia (HMD is Finnish owned – made China)
  • OnePlus (BBK* – not officially here)
  • OPPO (BBK* – handsets made in China, India and Indonesia)
  • Realme (BBK* – same)
  • Samsung (handsets made in South Korean and outside China)
  • TCL – (China)
  • Vivo (BBK* – same)
  • Xiaomi – China
  • ZTE – China

* BBK is now collectively either the world’s largest or second-largest Android phone maker. It niche markets under several brands. As far as we can tell, it is not embroiled in the Huawei spying scandal as it does not make Telco infrastructure.

You will find most of these brands in major CE stores like JB Hi-Fi, Good Guys, Harvey Norman, Bing Lee, Officeworks etc. And some go via Myers, David Jones, Woolworths, Coles, Aldi etc. Telstra, Optus and Vodafone all sell selected ‘Made for Australia’ handsets.

Some sell to speciality markets or are relatively new entrants

  • Aspera (China)
  • Blackberry (no longer TCL made in China)
  • Cat (China)
  • HTC (Taiwan – not active here at the moment)
  • Kogan (China)
  • Mintt (Australian/Asia-Pac – China)
  • Razer (China)
  • Sony (no longer in Australia)
  • Opel (China)

Then there are the plethora of Chinese no-names that you find on Amazon, eBay or via the grey market/parallel importers. Names like UMIDIGI, YING TAI, Zopo etc.

Apple iPhones (US-owned) assemble in China. It is a closed garden with iOS – it could be subject to several vulnerabilities below.

Huawei is the only vendor that cannot use Google Android instead using its own EMUI/Android that is not available for scrutiny.

What are spies interested in?

You! If you are a person of interest or influence then as a recent massive data leak revealed, Australian politicians and their family members (among many others) are targets of concerted and lengthy spying by the Chinese Communist Party (CCP). If that sounds chilling read our article here that shows the types of people the CCP wants to gather information on. Are you one?

A smartphone in your pocket can provide

  • Phone data like IMEI, ID, Call logs
  • GPS/Wi-Fi/BT/Beacon Location
  • Call metadata
  • Voice to text translation and keyword identification
  • App use and internet access
  • Your contacts, mail, calendar, tasks, passwords and more
  • Surveillance via the microphone and camera

So, if you are not a person of interest, it is unlikely the CCP is spying. But suppose you are a bikie, gang member, drug dealer, terrorist, foreign diplomat, foreign spy, or miscreant. In that case, it is increasingly likely that law and intelligence agencies are using your smartphone to glean your innermost secrets.

Hardware

99% of the world’s smartphones are China assembled using a mix of Chinese made and globally sourced parts. We say ‘assembled’ that because the simplest way would be to poison the supply chain to insert hardware-based ‘backdoors’.  

If a phone were to have a backdoor it would be relatively easy to poison/subvert a chip (like memory, modem, eSIM) to gather, store and forward data. And it has happened before costing some companies millions of dollars to rip and replace affected hardware.

The potential threat of that happening to 5G core infrastructure is why Chinese companies, including Huawei and ZTE, are not welcome in Australia. Note, we are not suggesting that they are doing this. It is the Government’s prerogative to use suppliers it can innately trust.

Back to smartphones, it is highly unlikely that any major maker would risk the hardware approach. Besides its far simpler and cheaper to go the software route.

Software – operating system

It is far easier to subvert an operating system to use hardware (mic, camera, mobile data. Wi-Fi, BT, NFC) to spy. From that perspective, you should trust pure Google Android handsets without any user interfaces (UI) overlaid on them. Google Pixel, Nokia, and low-cost provider Mintt use pure Android.

Samsung, LG, BBK, Xiaomi and Motorola use fairly light UIs to add value to Google Android. I would not be concerned.

But I would be concerned at any phone that asks you to agree to a second set of T&Cs or privacy policies to use the phone.

For example, TCL 10 Pro requires you to accept its secondary privacy policy that gives its ‘Loader’ access to sensitive data on your device. It may be harmless, but it is not necessary.

Note that this does not refer to signing up to use a vendor cloud or account – not doing so does not affect your phones usage.

Where is the cloud?

Simply put, the manufacturers’ cloud is subject to the law of the country it is located in. For example, the Samsung cloud is in South Korea and subject to democratic rule and court access. Chinese clouds are subject to Chinese law – totally exposed to the CCP without the need to gain legal access.

More smartphone makers are moving their ‘international’ clouds from China. And many are looking to assemble international market devices in countries outside China.

What phones can you trust

But it is not just the manufacturer’s cloud, but the apps clouds you need to worry about.

Apps are the weakest link

The most pertinent and concise thing I can say is that under no circumstances allow an app to have permissions to access things it does not need.

For example, a weather app needs location only. Yet so many are data harvesters that can access your phone logs, contacts, data, photos etc. and exfiltrate this data to spy clouds.

The TCL/Alcatel spyware found 24 apps developed by Shenzhen Hawk (wholly owned by TCL) requested app permissions well beyond what is necessary to do the job. Of the 24 initially found (and there may be more in the pipeline) some unnecessarily:

  • Access the camera/mic
  • Place calls or sends SMS to premium paid-for services
  • Access call history, contacts and SMS/MMS
  • Access a user’s GPS location
  • Read and exfiltrate data from internal or external connected storage
  • Collect and exfiltrate details of a user’s phone, network and contacts
  • Record any audio on the device or its servers
  • Download and install further malware

Have a look under Settings, Apps and check each installed app. Ask yourself why it may need access to the calendar, camera, location, storage etc. At worst enable these only for when the app is in use.

And finally, a word on Apple.

People trust Apple. But that does not mean, it cannot get spyware or malware. Apple users live with a false sense of security as it perpetuates the myth that iPhones cant get malware. They can!

What phones can you trust

GadgetGuy’s take – What phones can you trust?

Reader Tony, the short answer is unless you are a person of interest or influence you can trust the major brands sold from authorised Australian retailers with the caveat that pure Google Android (Pixel, Nokia and Mintt) are most trustworthy.

We also trust the companies and UIs from LG, Samsung, BBK and Motorola. Why? Because using Norton 360, we have been able to track data exfiltration.

We especially trust those slated to get Android 11 and later operating system and at least quarterly security patches.

You can’t trust no-name Chop Suey brands sold online. Most of these are meant for China consumption and have non-removable spyware in them. Usually disguised as apps these track Hong Kong’ rebels’ and mainland dissidents and now you.

We recommend a paid antivirus/spyware solution from Norton or Kaspersky that offers a higher level of protection and peace of mind.

What phones can you trust? If you are really paranoid, don’t buy a smartphone. A featurephone is inherently safer.

The post What phones can you trust? appeared first on Gadget Guy Australia.


0 comments:

Post a Comment