In today’s digital landscape, data privacy and security are top concerns for users, especially those relying on smartphones, as these devices may inadvertently record conversations and transmit data to remote servers.

If you’re worried about potential eavesdropping by your smartphone, security researchers at NordVPN have developed a simple experiment to help determine if your device might be monitoring your conversations.

Here’s how to test it: Choose a topic you’ve never searched for on your mobile phone—something entirely new to your device’s search and browsing history. Discuss this topic with a friend or family member while your phone is nearby, but ensure that you do not use any device to search for information about this topic beforehand.

After a day or two, check whether advertisements related to your conversation topic appear on your browsing apps or social media platforms. For example, if you mentioned something like travel plans to a specific destination, keep an eye out for ads promoting flights, hotels, or travel packages to that location.

If you start seeing ads related to a topic you only mentioned in conversation, it may indicate that your device, or an app on it, is “listening” to you. Treat the result as a hint rather than proof: ad networks also correlate people who share a location, Wi-Fi network or household, so an ad can appear because the person you spoke with later searched for the topic, or because it was predicted from your existing profile. To reduce these confounders, repeat the test more than once, pick genuinely obscure topics, and note which apps hold the microphone permission before you start.

Now, this raises an important question:

Is it legal for your smartphone to monitor your conversations?

In most regions, covertly recording conversations and using their content for advertising would violate data-privacy law and the platforms’ own app-store rules. However, if you use a virtual assistant like Apple’s Siri or Google’s Gemini on Android, you may have consented to a limited form of listening. Voice assistants keep the microphone open so that a small on-device model can watch for the wake word; that audio is normally processed locally and is sent to the vendor’s servers only once the wake word fires, including on false triggers. Depending on your settings, those recordings may be retained and reviewed to improve the service, so the assistant is a real exposure even though it does not stream everything it hears.

To reduce this exposure, consider disabling the assistant or its wake-word detection, deleting your stored voice history, and reviewing which apps hold the microphone permission (both iOS and Android list the permission per app and show an indicator while the microphone is in use). A virtual private network (VPN) hides your IP address from the sites and ad networks you visit, but it does not stop tracking that relies on your advertising ID or logged-in accounts, so it complements the steps above rather than replacing them. Finally, keep in mind that users have no direct way to verify how much data the vendors’ servers collect or how it is handled.

The post How to test if your smart phone is spying on you appeared first on Cybersecurity Insiders.

It seems that there is a deliberate backdoor in the twenty-year-old TErrestrial Trunked RAdio (TETRA) standard used by police forces around the world.

The European Telecommunications Standards Institute (ETSI), an organization that standardizes technologies across the industry, first created TETRA in 1995. Since then, TETRA has been used in products, including radios, sold by Motorola, Airbus, and more. Crucially, TETRA is not open-source. Instead, it relies on what the researchers describe in their presentation slides as “secret, proprietary cryptography,” meaning it is typically difficult for outside experts to verify how secure the standard really is.

The researchers said they worked around this limitation by purchasing a TETRA-powered radio from eBay. In order to then access the cryptographic component of the radio itself, Wetzels said the team found a vulnerability in an interface of the radio.

[…]

Most interesting are the researchers’ findings of what they describe as the backdoor in TEA1. Ordinarily, radios using TEA1 used an 80-bit key. But Wetzels said the team found a “secret reduction step” which dramatically lowers the amount of entropy the initial key offered. An attacker who followed this step would then be able to decrypt intercepted traffic with consumer-level hardware and a cheap software defined radio dongle.

Looks like the encryption algorithm was intentionally weakened by intelligence agencies to facilitate easy eavesdropping.

Specifically on the researchers’ claims of a backdoor in TEA1, Boyer added “At this time, we would like to point out that the research findings do not relate to any backdoors. The TETRA security standards have been specified together with national security agencies and are designed for and subject to export control regulations which determine the strength of the encryption.”

And I would like to point out that that’s the very definition of a backdoor.

Why aren’t we done with secret, proprietary cryptography? It’s just not a good idea.

Details of the security analysis. Another news article.
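The “secret reduction step” quoted above is the whole anatomy of a key-length backdoor: a cipher can accept an 80-bit key yet behave as only one of far fewer distinct ciphers, so an attacker searches the small space and never needs the original key. The Python below is an added toy to show that shape; it is not TEA1 and not the researchers’ code. A hypothetical reduce_key() collapses an 80-bit key to 16 bits, a counter-mode SHA-256 keystream stands in for the real cipher, and the attacker recovers an equivalent key by exhaustive search from a few bytes of known plaintext (radio framing is predictable). The published analysis puts TEA1’s effective key at 32 bits, which is what makes the real attack feasible on a desktop; the toy uses 16 bits so it finishes in well under a second.

```python
"""Toy model of a key-reduction backdoor (added example; not TEA1)."""
import hashlib
import os

NOMINAL_KEY_BITS = 80
EFFECTIVE_KEY_BITS = 16  # toy value; the published TEA1 figure is 32


def reduce_key(key: bytes) -> int:
    """Hypothetical 'secret reduction step' (assumption, not TEA1's real one).

    Any cipher whose first step is a many-to-one mapping like this has only
    2**EFFECTIVE_KEY_BITS distinct behaviours, whatever its nominal key size:
    2**80 becomes 2**16 here, and 2**32 in the real TEA1 case.
    """
    assert len(key) * 8 == NOMINAL_KEY_BITS, "expected an 80-bit key"
    digest = hashlib.sha256(b"reduce" + key).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << EFFECTIVE_KEY_BITS) - 1)


def keystream(effective_key: int, nbytes: int) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode, keyed only by the reduced key."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        block = hashlib.sha256(
            effective_key.to_bytes(4, "big") + counter.to_bytes(4, "big")
        ).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:nbytes])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Legitimate radio: derives the reduced key internally, XORs the keystream."""
    ks = keystream(reduce_key(key), len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def recover_effective_key(ciphertext: bytes, known_prefix: bytes):
    """Attacker: exhaustive search over the reduced space.

    Needs only a few bytes of known plaintext and a matching ciphertext. Returns
    an equivalent key that decrypts everything sent under the original 80-bit
    key, or None if the prefix is wrong.
    """
    for candidate in range(1 << EFFECTIVE_KEY_BITS):
        ks = keystream(candidate, len(known_prefix))
        if bytes(c ^ k for c, k in zip(ciphertext, ks)) == known_prefix:
            return candidate
    return None


def decrypt_with_effective_key(effective_key: int, ciphertext: bytes) -> bytes:
    ks = keystream(effective_key, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo() -> bool:
    """Intercept one frame, recover the equivalent key, read the whole message."""
    key = os.urandom(NOMINAL_KEY_BITS // 8)  # the attacker never sees this
    header = b"FRAME:"                       # constructed predictable framing
    message = header + b"unit 7 moving to checkpoint"  # constructed sample
    intercepted = encrypt(key, message)
    equivalent = recover_effective_key(intercepted, header)
    return equivalent is not None and decrypt_with_effective_key(equivalent, intercepted) == message


if __name__ == "__main__":
    print("recovered plaintext:", demo())
```

The point to take from the toy is structural, not cryptographic: the search cost is set by the size of the space the cipher actually keys from, and no amount of nominal key length repairs that. This is also why the defence is open review of the algorithm rather than a longer key.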

Yet another smartphone side-channel attack: “EarSpy: Spying Caller Speech and Identity through Tiny Vibrations of Smartphone Ear Speakers“:

Abstract: Eavesdropping from the user’s smartphone is a well-known threat to the user’s safety and privacy. Existing studies show that loudspeaker reverberation can inject speech into motion sensor readings, leading to speech eavesdropping, while more devastating attacks on ear speakers, which produce much smaller-scale vibrations, were believed impossible to carry out with zero-permission motion sensors. In this work, we revisit this important line of research. We explore recent trends in smartphone manufacturers that include extra/powerful speakers in place of small ear speakers, and demonstrate the feasibility of using motion sensors to capture such tiny speech vibrations. We investigate the impacts of these new ear speakers on built-in motion sensors and examine the potential to elicit private speech information from the minute vibrations. Our designed system EarSpy can successfully detect word regions, time, and frequency domain features and generate a spectrogram for each word region. We train and test the extracted data using classical machine learning algorithms and convolutional neural networks. We found up to 98.66% accuracy in gender detection, 92.6% detection in speaker detection, and 56.42% detection in digit detection (which is 5X more significant than the random selection (10%)). Our result unveils the potential threat of eavesdropping on phone conversations from ear speakers using motion sensors.

It’s not great, but it’s an impressive start.
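The front half of the pipeline in the abstract (find word regions, then pull time- and frequency-domain features from each) can be sketched with nothing but the standard library. The Python below is an added example, not EarSpy’s code: it constructs a synthetic accelerometer trace (a faint 100 Hz burst standing in for ear-speaker vibration, on top of slow hand movement), segments it by RMS energy against the median frame energy, and reports the dominant frequency of each region with a naive DFT. The 500 Hz sample rate, frame size and threshold factor are assumptions, and a real attack would still need the classifier stage the paper adds after this.

```python
"""Word-region detection and spectral feature on a constructed motion-sensor
trace (added example; not EarSpy's code)."""
import math

SAMPLE_RATE_HZ = 500  # assumed accelerometer rate


def constructed_trace(tone_hz=100.0, burst=(400, 650), length=1000,
                      amp=0.02, noise=0.002):
    """Constructed sample: a quiet baseline (slow 7 Hz hand movement) with a
    faint tone burst between the given sample indices."""
    samples = []
    for n in range(length):
        t = n / SAMPLE_RATE_HZ
        x = noise * math.sin(2 * math.pi * 7.0 * t)
        if burst[0] <= n < burst[1]:
            x += amp * math.sin(2 * math.pi * tone_hz * t)
        samples.append(x)
    return samples


def rms(frame):
    return math.sqrt(sum(v * v for v in frame) / len(frame))


def detect_regions(samples, frame=50, factor=3.0):
    """Flag frames whose RMS exceeds `factor` times the median frame RMS and
    merge runs of flagged frames. Returns (start, end) sample indices.

    Using the median as the noise floor keeps a short burst from raising
    the threshold against itself.
    """
    energies = [rms(samples[i:i + frame])
                for i in range(0, len(samples) - frame + 1, frame)]
    median = sorted(energies)[len(energies) // 2]
    active = [e > factor * median for e in energies]
    regions, start = [], None
    for idx, on in enumerate(active):
        if on and start is None:
            start = idx
        elif not on and start is not None:
            regions.append((start * frame, idx * frame))
            start = None
    if start is not None:
        regions.append((start * frame, len(energies) * frame))
    return regions


def dominant_frequency(samples, start, end):
    """Naive DFT over one region (mean removed); frequency of the strongest bin."""
    seg = samples[start:end]
    n = len(seg)
    mean = sum(seg) / n
    seg = [v - mean for v in seg]
    best_k, best_mag = 0, -1.0
    for k in range(1, n // 2):
        re = sum(seg[i] * math.cos(2 * math.pi * k * i / n) for i in range(n))
        im = sum(seg[i] * math.sin(2 * math.pi * k * i / n) for i in range(n))
        mag = re * re + im * im
        if mag > best_mag:
            best_k, best_mag = k, mag
    return best_k * SAMPLE_RATE_HZ / n


def extract_features(samples):
    """One (start_seconds, end_seconds, dominant_hz) tuple per detected region."""
    return [(s / SAMPLE_RATE_HZ, e / SAMPLE_RATE_HZ, dominant_frequency(samples, s, e))
            for s, e in detect_regions(samples)]


if __name__ == "__main__":
    for start_s, end_s, hz in extract_features(constructed_trace()):
        print(f"region {start_s:.2f}s-{end_s:.2f}s dominant {hz:.1f} Hz")
```

Two things carry over to the real setting: segmentation must be relative to the device’s own noise floor because the leaked signal is tiny, and the feature worth classifying is spectral shape per region rather than raw amplitude. Note that the accelerometer is a zero-permission sensor on both major platforms, which is what makes this channel interesting.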

Russian soldiers are using commercial phones, whose traffic goes through the Ukrainian telecom network:

“You still have a lot of soldiers bringing cellphones to the frontline who want to talk to their families and they are either being intercepted as they go through a Ukrainian telecommunications provider or intercepted over the air,” said Alperovitch. “That doesn’t pose too much difficulty for the Ukrainian security services.”

[…]

“Security has always been a mess, both in the army and among defence officials,” the source said. “For example, in 2013 they tried to get all the staff at the ministry of defence to replace our iPhones with Russian-made Yota smartphones.

“But everyone just kept using the iPhone as a second mobile because it was much better. We would just keep the iPhone in the car’s glove compartment for when we got back from work. In the end, the ministry gave up and stopped caring. If the top doesn’t take security very seriously, how can you expect any discipline in the regular army?”

This isn’t a new problem and it isn’t a Russian problem. Here’s a more general article on the problem from 2020.