209
submitted 1 month ago by gytrash@feddit.uk to c/degoogle@lemmy.ml

Google's latest flagship smartphone raises concerns about user privacy and security. It frequently transmits private user data to the tech giant before any app is installed. Moreover, the Cybernews research team has discovered that it potentially has remote management capabilities without user awareness or approval.

Cybernews researchers analyzed the new Pixel 9 Pro XL smartphone’s web traffic, focusing on what a new smartphone sends to Google.

“Every 15 minutes, Google Pixel 9 Pro XL sends a data packet to Google. The device shares location, email address, phone number, network status, and other telemetry. Even more concerning, the phone periodically attempts to download and run new code, potentially opening up security risks,” said Aras Nazarovas, a security researcher at Cybernews...

... “The amount of data transmitted and the potential for remote management casts doubt on who truly owns the device. Users may have paid for it, but the deep integration of surveillance systems in the ecosystem may leave users vulnerable to privacy violations,” Nazarovas said...

you are viewing a single comment's thread
view the rest of the comments
[-] Andromxda@lemmy.dbzer0.com 55 points 1 month ago

You can’t say no to Google’s surveillance

Yes you can: https://grapheneos.org/

[-] Buddahriffic@lemmy.world 5 points 1 month ago

I was just wondering earlier today if Google kept the bootloader open to allow custom OS installation only because they had other hardware on the phone that would send them their information anyways, possibly through covert side channels.

Like they could add listeners for cell signals that pick up data encoded in the lower bits of timestamps attached to packets, which would be very difficult to detect (like I'm having trouble thinking of a way to determine if that's happening even if you knew to look for it).

Or maybe there's a sleeper code that can be sent to "wake up" the phone's secret circuitry and send bulk data when Google decides they want something specific (since encoding in timestamps would be pretty low bandwidth), which would make detection by traffic analysis more difficult, since most of the time it isn't sending anything at all.

This is just speculation, but I've picked up on a pattern of speculating that something is technically possible, assuming there's no way they'd actually be doing that, and later finding out that it was actually underestimating what they were doing.

[-] Andromxda@lemmy.dbzer0.com 17 points 1 month ago* (last edited 1 month ago)

I don't mean to discredit your opinion, but it is pure speculation and falls in the category of conspiracy theories. There are plenty of compelling arguments, why this is likely completely wrong:

  • Google Pixels have less than 1% of the global smartphone market share, in fact, they are currently only sold in ~~12~~ (the Pixel 9 is sold in 32 countries, my bad, I had an outdated number in mind) countries around the world. Do you really think that Google would spend all the money in research, custom manufacturing, software development and maintenance to extract this tiny bit of data from a relatively small number of users? I'd say more than 90% of Pixel owners use the Stock OS anyways, so it really doesn't matter. And Google has access to all the user data on around 70% of all the smartphones in the world through their rootkits (Google Play services and framework, which are installed as system apps and granted special privileges), which lets them collect far more data than they ever could from Pixel users.
  • Keeping this a secret would also immensely difficult and require even more resources, making this even less profitable. Employees leave the company all the time, after which they might just leak the story to the press, or the company could get hacked and internal records published on the internet. Since this would also require hardware modifications, it's also likely that it would get discovered when taking apart and analyzing the device. PCB schematics also get leaked all the time, including popular devices like several generations of iPhones and MacBooks.
  • Lastly, the image damage would be insane, if this ever got leaked to the public. No one would ever buy any Google devices, if it was proven that they actually contain hardware backdoors that are used to exfiltrate data.
[-] Buddahriffic@lemmy.world 0 points 1 month ago

You're right that it's pure speculation just based on technical possibilities and I hope you're right to think it should be dismissed.

But with the way microchip design (it wouldn't be at the PCB level, it would be hidden inside the SoC) and manufacturing work, I think it's possible for a small number of people to make this happen, maybe even a single technical actor on the right team. Chips are typically designed with a lot of diagnostic circuitry that could be used to access arbitrary data on the chip, where the only secret part is, say, a bridge from the cell signal to that diagnostic bus. The rest would be designed and validated by teams thinking it's perfectly normal (and it is, other than leaving an open pathway to it).

Then if you have access to arbitrary registers or memory on the chip, you can use that to write arbitrary firmware for one of the many microprocessors on the SoC (which isn't just the main CPU cores someone might notice has woken up and is running code that came from nowhere), and then write to its program counter to make it run that code, which can then do whatever that MP is capable of.

I don't think it would be feasible for mass surveillance, because that would take infrastructure that would require a team that understands what's going on to build, run, and maintain.

But it could be used for smaller scale surveillance, like targeted at specific individuals.

But yeah, this is just speculation based on what's technically possible and the only reason I'm giving it serious thought is because I once thought that it was technically possible for apps to listen in on your mic, feed it into a text to speech algorithm, and send it back home, hidden among other normal packets, but they probably aren't doing it. But then I'd hear so many stories about uncanny ads that pop up about a discussion in the presence of the phone and more recently it came out that FB was doing that. So I wouldn't put it past them to actually do something like this.

[-] Andromxda@lemmy.dbzer0.com 6 points 1 month ago

But it could be used for smaller scale surveillance, like targeted at specific individuals

Why would this only be present in Pixels then? Google isn't interested in specific people. Intelligence agencies are. This would mean, that every phone in the world needs to be compromised using this sophisticated, stealthy technology, which is even more unlikely.

[-] Buddahriffic@lemmy.world 1 points 1 month ago

If it is present there, it doesn't imply it's only present there.

And we really have no idea how close of a relationship Google, or any other corp for that matter, has with various intelligence agencies. Same thing with infiltrations by intelligence agencies.

And no, it doesn't mean that every phone in the world is compromised with this, which wouldn't be that sophisticated, just stealthy. The sophisticated part would be part of the normal design process, it's called DFT or design for test if you want to read about it, used legitimately to determine what parts of the chip have manufacturing flaws for chip binning.

Most phones don't have an unlocked bootloader, and this post is about the data Google is pulling on factory pixels.

Why would they do all the work on the software side and then themselves offer a device that allows you to remove their software entirely? And if it's worth it just from the "make more money from people who only want unlocked phones", why isn't it more common?

Mind you, my next phone might still be a pixel. Even if this stuff is actually there, I wouldn't expect to be targeted. I can't help but wonder about it, though, like just how deep does the surveillance or surveillance potential go?

[-] Andromxda@lemmy.dbzer0.com 5 points 1 month ago

And we really have no idea how close of a relationship Google, or any other corp for that matter, has with various intelligence agencies

Ok let's assume this is true, and US intelligence agencies have actually backdoored all US phone manufacturers. What about foreign phones? If this was true, someone the NSA is interested in could just defend themselves by e.g. buying a Chinese phone. All this effort, just to be defeated by foreign phone manufacturers? It wouldn't be worth it, which is why it's so highly unlikely.

[-] helloworld55@lemm.ee 1 points 1 month ago* (last edited 1 month ago)

Well to this point (I don't 100% believe this flavor of state surveillance theory but) you cannot buy phones made my foreign manufacturers ~~and have them work in the US. For example, Oppo, Huawei, Xiaomi, all do not work on USA cell networks, and~~ you can't buy them unless you go through an import process. Just to name a few of the many. But granted, those are all Chinese manufacturers. EDIT** I was wrong, apparently with the right settings you can get most phones to work on US cell networks

[-] Andromxda@lemmy.dbzer0.com 2 points 1 month ago

Oppo, Huawei, Xiaomi, all do not work on USA cell networks

Wait what? Is that actually true? What if you are a foreigner visiting the US and bring your e.g. Oppo phone with you? You can't use it? Even with a foreign SIM?

[-] Buddahriffic@lemmy.world 1 points 1 month ago

This argument assumes that they'd only do something if they could get perfect coverage, which isn't very compelling for me. IMO the question should be "would it give enough access to more information to be worth it", not "it's only worth it if it gives access to all information".

And, as the other commenter mentioned, it is difficult to get some Chinese phones, though not impossible and if this whole line of thought plays into that, the reasoning is probably as much about cutting off their access to this kind of thing as it would be about making it harder to avoid western agencies doing this. They've said the first one out loud (they being politicians justifying blocking Huawei), and wouldn't have said the second part either way.

[-] Andromxda@lemmy.dbzer0.com 1 points 1 month ago

This argument assumes that they’d only do something if they could get perfect coverage

Doing this and not covering like half of the phones out there would be even dumber, and way too risky. It's not just about Chinese phones, the most popular smartphone vendor, Samsung, is from South Korea. Yeah, South Korea is a US ally, and the NSA might have some kind of crazy deal in place with them to backdoor their phones, but that would exponentially increase the risk, as not only would the NSA and all the US phone manufacturers have to keep this a secret, the South Korean government as well as Samsung, which is a massive corporation with hundreds of thousands of employees, would also have to make sure that none of this gets leaked to the public. This is way too unrealistic, and can easily be dismissed as a conspiracy theory.

[-] Buddahriffic@lemmy.world 1 points 1 month ago

I think you're greatly overestimating the number of people who would need to be involved. It could be done by one person in the right RTL design position. ASIC validation doesn't involve exhaustively searching for any backdoors that bridge between something accessible with low privileges to something that is supposed to require higher privileges.

And if someone else did notice that, there's a good chance it would just be a "thanks for reporting that, I'll fix it" without a root cause investigation about how it got there, especially if it gets reported to the one who put it there in the first place.

[-] MajorHavoc@programming.dev 2 points 1 month ago

This is just speculation, but I've picked up on a pattern of speculating that something is technically possible, assuming there's no way they'd actually be doing that, and later finding out that it was actually underestimating what they were doing.

As the saying goes, just because you're paranoid, doesn't mean you're wrong.

The answer that will put this question to bed is open source hardware. Thankfully we're close to having viable options, finally.

[-] averyminya@beehaw.org 2 points 1 month ago

I will never understand buying a google phone just to deGoogle it. why would you give them money.

I've seen the reasoning, I just ..

[-] tht@mstdn.social 4 points 1 month ago

@averyminya @Andromxda grapheneos is SOTA of android security, and it only supports pixels, thats why

[-] averyminya@beehaw.org 2 points 1 month ago

Right, like I said I've seen the reasoning. It just seems like giving money to the very company you're all trying to avoid, which in turn is just funding for Google to be more invasive.

[-] CCMan1701A@startrek.website 1 points 4 days ago

Playing them for hardware only is different from paying for hardware and then providing all your personal information 24/7 to them.

[-] tht@mstdn.social 3 points 1 month ago

@averyminya bought it secondhand, problem solved

[-] averyminya@beehaw.org 3 points 1 month ago

Certainly helps!

[-] Andromxda@lemmy.dbzer0.com 3 points 1 month ago* (last edited 1 month ago)

Because I want a secure phone with relatively good specs, relatively good design, battery life and camera quality. And because it is one of the very few devices with a user-unlockable and re-lockable bootloader.

this post was submitted on 03 Oct 2024
209 points (97.7% liked)

DeGoogle Yourself

7743 readers
3 users here now

A community for those that would like to get away from Google.

Here you may post anything related to DeGoogling, why we should do it or good software alternatives!

Rules

  1. Be respectful even in disagreement

  2. No advertising unless it is very relevent and justified. Do not do this excessively.

  3. No low value posts / memes. We or you need to learn, or discuss something.

Related communities

!privacyguides@lemmy.one !privacy@lemmy.ml !privatelife@lemmy.ml !linuxphones@lemmy.ml !fossdroid@social.fossware.space !fdroid@lemmy.ml

founded 4 years ago
MODERATORS