Ask HN: How would French police locate suspects by tapping their devices?
103 points by ThalesX 11 months ago | hide | past | favorite | 87 comments
I just found a news article regarding a law that passed in France allowing police to remotely activate GPS, camera, microphone on a user's device [0]. This was posted before on HN [1], but without traction, but I am not all that much interested in the civil aspects of it, I am more interested in the technical aspects of it. I'm curious if there is someone with know how about how such a thing would be achieved.

Would they base it on exploits? Would they have to require manufacturers to add police APIs on the devices? Would a remotely activated camera / microphone / location get the active camera / microphone / location indicator?

55 minute edit: It seems like for simple stuff, like coarse location they can get it through the carrier; I assumed as much and it's relatively easy to get it done. For other stuff, rootkits and exploits are developed by some intelligence agencies which require manufacturing consent or physical interception. Then there's also groups that sell OS-level exploits such as the NSO group.

I'm guessing in the case of software exploits, the indicators would appear for camera / mic / gps. But maybe for hardware exploits they could bypass the circuitry? Seems like a lot of work for non-high-profile targets.

Later edit: Keyword "baseband" seems to be the most likely attack vector

[0] https://apnews.com/article/france-surveillance-digital-devic...

[1] https://news.ycombinator.com/item?id=36779568




Software implants (“RATs” or “rootkits”) or baseband access (“backdoors”).

The baseband is an embedded computer inside the phone that controls the device’s sensors and radios. It runs off of its own OS and is separate from the consumer-facing OS. The phone’s OS then talks to this embedded system.

All phones do this, even the iPhone whose baseband OS was some variant of L4 Linux, IIRC.

Various Intelligence Community people and documents have made statements that they can remotely activate the baseband to interact with a target device.


To expand on this, you should assume that basically any significant device or microprocessor you buy comes pre-compromised by one or more intelligence agencies, by the simple expedient of them asking manufacturers to put them in. Devices from US companies will be compromised by Five Eyes agencies, those from Chinese firms will have Ministry of State Security backdoors, etc.


The thing people always say about mandated backdoors is that they make devices less secure for everyone. Ie, if the government can get in, so can other bad actors.

If this is true (and I generally believe this is is), and if basebands do indeed have backdoors for the government, why hasn't anyone found them? Why haven't we seen CVEs on this?

Can anyone point to a published baseband CVE that smells like a government plant, rather than a well-intentioned accident?


That's simply because you haven't looked. There was literally a black hat talk on exploiting cellular networks this year. Every year there seems like there's a new exploit. Just because it doesn't make it to your particular side of the internet doesn't mean it's not happening.

Now, can anyone definitively prove that they are back doors and not mistakes or exploits? No. But that's thanks to the age old "Never ascribe to malice that which is adequately explained by incompetence."


>There was literally a black hat talk on exploiting cellular networks this year.

Talk at Black Hat != everyone's devices are de facto vulnerable. For as tech-savvy as this forum is, it's surprising how many people are not well read up on security.

The summary of vulnerability is this - if you use a cellular network, your baseband chip vulnerability is next to irrelevant. Your location can be triangulated from radio signals, and it's likely that there are messaging contacts and calls that are logged that use the respective cellular services.

Now for pure data transmission from a secure messaging app. Most of the communication for privacy is done using end-to-end encryption apps like Telegram. While those can be compromised, those require a direct targeted attack on the device, you can't just remotely do this over the internet.


> There was literally a black hat talk on exploiting cellular networks this year.

Is that talk recorded somewhere?


I assume GP is referring to

Title: "Over the Air, Under the Radar: Attacking and Securing the Pixel Modem"
Summary/Slides: https://www.blackhat.com/us-23/briefings/schedule/#over-the-...
YouTube (48 minute): https://www.youtube.com/watch?v=QrkB_enz2Pk


This article does a good job summing things up: https://www.devever.net/~hl/nosecuresmartphone

> Modern smartphones have a CPU chip, and a baseband chip which handles radio network communications (GSM/UMTS/LTE/etc.) This chip is connected to the CPU via DMA. Thus, unless an IOMMU is used, the baseband has full access to main memory, and can compromise it arbitrarily.

> It can be safely assumed that this baseband is highly insecure. It is closed source and probably not audited at all.

The problem is less that there are identified issues, and more that the variety of hardware and vulnerability of the implementation is suspicious.


Author of the above blogpost here.

To my knowledge the situation has changed nowadays and IOMMUs on smartphone SoCs are now common. Having said that I still don't rate the security of any smartphone and you should assume it will get compromised. There's a million reasons for this:

- Baseband is still radioactive and probably trivially compromised by any nation-state adversary so it's all down to the IOMMU.

- IOMMUs are hard to configure correctly and frequently misconfigured by drivers which don't use them correctly.

- Any host driver bugs in talking to the baseband might be exploitable.

- It's hard to verify an IOMMU is actually working correctly, so it's not like any of this is commonly audited.

- We're talking about SoCs here with the baseband usually integrated on the same chip, so there's always the risk of some undocumented channel between the baseband and the rest of the chip the vendor omitted to notice or tell anyone about.

The situation is at least better than it was but it's still 100% my assumption that no phone can be trusted in the face of an adversary who can put up a fake cellular network. There's simply far too much proprietary firmware, mysterious black boxes, etc. to be able to really trust these things.

Also I'm assuming here there's a desire to get access to the host processor and stored data, but you don't need to do that if you just want to get at the microphone or GPS or leak someone's location or so on. There's a million bad things someone could do getting access just to the baseband even if the IOMMU works right.


Article from 2016 in this area is irrelevant in 2023.


I tried to express a similar question / curiosity last year in a discussion about the Intel Management Engine (https://news.ycombinator.com/item?id=33345040#33346166) but you have expressed it better.

It's like what intelligent skeptics keep saying in the ongoing discussion of UFOs / UAPs and claims of extraterrestrial visits: With everyone having a camera in their pocket (or, more likely, in their hand) these days, shouldn't there be more compelling photographic evidence of extraordinary things at this point, if extraordinary things are really happening?

Edited to add: I guess I said it pretty well further down in that thread, "It does seem like some researcher or journalist should have blown the case open by now if this thing were systematically providing telemetry from everyone's "powered off" (but still plugged in) machines to an intelligence agency."


If you discover a zero day in a major operating system, you can sell it and become rich overnight.

Or you can play the public hero and end up best buddies with Snowden and exiled from every Western country. The governments don't particularly like whistle blowers.

And if you found a backdoor, you probably wouldn't want to use it on every device all at once and reveal its existence. Somebody somewhere will log it. But if you carefully pick and choose your targets, just a few in a million (or several billion), it might not be detected for a long time.

White hat groups like Project Zero routinely find these exploits. That doesn't necessarily mean they're planted, it just means that it's definitely possible to hide them from common view, and it takes a lot of skill and dedication to uncover that, then also a strong enough corporate shield to protect you from any possible fallout.

Unlike taking pictures of UFOs, it's not just being in the right place at the right time. It takes a very high level of skill that the general population doesn't have.


Normally these agencies “discover” these back doors through admitted confession by those bad actors. Tell us how you did it and we’ll reduce the sentence, kind of thing. Sometimes it’s of their own accord if they are high up enough (NSA) but the majority of law enforcement relies on vendors who use the same exploits as the nefarious bad actors. Only “for good”… the bad actors are always a step ahead and continue to give talks on how badly insecure our pocket computers really are.


But "we" have found them for MediaTek chipsets. There is even an APK shared in almost all Telegram channels related to hacking, which includes even uploading your implant for future use as a "demonstration".

Also check Mexico incidents of deactivated devices, Samsung, Oppo, Motorola and others have rootkits, too.


If we believe governments can convince hardware makers to add backdoors, why do we not believe governments can convince CVEs from being removed or not allowed?


Because a lot of security research is done by individuals or small firms, and the NSA doesn't generally review disclosures. I find it hard to believe this wouldn't leak, at least in the western world.


And? I don't know the CVE process, so I'm honestly asking while you're not actually answering. Who controls the release of CVEs? Sure, individuals can report something as a vuln, but does the report automatically create a CVE? Or do the reports get verified and then "promoted" to CVE? If the latter, then there's absolutely a part in the process that can be subverted


CVEs have absolutely nothing to do with finding out whether our devices are backdoored.

CVEs come out of Mitre, but lots of countries have equivalent systems or tracking codes. Further, large companies are pre-allocated blocks of CVEs to use.

But it’s irrelevant. The original position was that if govt are putting obvious remote access into devices, why has nobody ever seen and blogged or tweeted about it?


Open source / homebrew hardware will be the only way out of this.


Would it not be easier to find the backdoor and use it to patch itself?

Basically rooting the phone but on a firmware level?


And tinfoil.


There are better materials to make a Faraday cage out of, but foil is cheap, I'll concede that.


It's pretty hard with tinfoil. Try it with an am radio. It takes several layers, no small gaps to kill the signal.


TIL.


On a technical level, sure. In the bigger picture, I'm concerned that that is simply too esoteric an interest for it to have any significant impact.


Almost any innovation starts like this.


I certainly would _like_ to believe that...I'm gonna have to think about this some.


Is it even possible to homebrew a modern computer chip?


Precursor (https://www.crowdsupply.com/sutajio-kosagi/precursor) is interesting with its use of an FPGA.


That is pretty interesting, thank you!


by modern do you mean just the capabilities of or include the size of as a requirement? If you accept that a DIY processor can be the size of a room and not be portable, then maybe???? Expecting a DIY to be miniaturized, then hellz to the naw


I wanna say I read about some high schooler recently making _a_ microprocessor in his garage, but I'm guessing it's a very simple one, not what we would consider a modern design.

Also I could be thinking of something else entirely so, before repeating this, you'll probably want to google it.


Nope, even an EUV light source would be close to impossible.


no. and even if it were, there are people whose job is to make sure it never really takes off.

why? because power.

what to do about it? get power. how to do that? dunno. If I told you then my own purported (and protracted) attempts would diminish. at least we don't get assassinated to death anymore..... ahahahaha (just our characters, and/or career prospects, etc)


Airplane mode does work. I can put an emf meter up to my Android phone and nothing comes out of it. Same with the device off.

But is it still recording for later transmission? Perhaps!


If you're willing to believe anything can be put in passive mode, you'll absolutely drive yourself mad. There's no way to prove that a device is not listening passively, so of course people will say it is.


Modern microphones need input clock to operate, and are physically incapable of listening when the clock is absent.

This gives a trivial way to detect if the device is listening passively, at least on the workbench.


I don't even know what the "mic needs a clock" means. I've never used a microphone that needed a clock. Making a mic that needs a clock just seems like a "WTF were they thinking" kind of thing. Can you elaborate on this concept of requiring a clock for a mic?


The keyword to search for is "digital MEMS", and of course we are talking individual parts to place on a PCB, not the consumer device. Here is one random example: [0]. Somewhat expensive at $1 ea, but that's what you pay for a US manufacturer.

These microphones take a 2.4 MHz clock and return a PDM (pulse density modulation) signal. Doesn't seem very convenient for old-school analog electronic circuits, but it's pretty trivial to interface with any micro with pulse counter hardware.

And presumably the audio won't have any hum or interference from nearby radio transmitters, which is especially useful in cell phones.

[0] https://www.digikey.com/en/products/detail/cui-devices/CMM-4...
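As an added example (not from the thread or from any microphone vendor's datasheet), here is what "clock in, PDM out" means in code: a first-order sigma-delta modulator that emits exactly one bit per clock edge, and the pulse-counting decoder a microcontroller would use to turn the density of ones back into PCM. The sine input is constructed; the 2.4 MHz clock rate and the 48x decimation (giving 50 kHz PCM) are assumptions chosen for illustration. With no clock edges there are no bits to count, which is the whole point of the comment above.

```python
import math

# Assumed clock, as in the comment above; the real value is set by the host.
PDM_CLOCK_HZ = 2_400_000
# Assumed decimation: 2.4 MHz / 48 = 50 kHz PCM output.
DECIMATION = 48


def pdm_encode(samples):
    """First-order sigma-delta modulator: one output bit per clock edge.

    samples: sequence of floats in [-1, 1]. Returns a list of 0/1 bits whose
    local density of ones tracks the input amplitude.
    """
    acc, feedback, bits = 0.0, 0.0, []
    for x in samples:
        acc += x - feedback          # integrate the error between input and last output
        bit = 1 if acc >= 0 else 0
        feedback = 1.0 if bit else -1.0
        bits.append(bit)
    return bits


def pdm_decode(bits, decimation=DECIMATION):
    """Pulse-counter style decoder: count ones per window, map to [-1, 1].

    This is what a micro with a pulse counter (or a boxcar/CIC stage) does.
    An empty bit stream (no clock) decodes to nothing.
    """
    out = []
    for i in range(0, len(bits) - decimation + 1, decimation):
        ones = sum(bits[i:i + decimation])
        out.append(2.0 * ones / decimation - 1.0)
    return out


def sine(freq_hz, n, fs=PDM_CLOCK_HZ, amplitude=0.8):
    """Constructed test signal sampled at the PDM clock rate."""
    return [amplitude * math.sin(2 * math.pi * freq_hz * k / fs) for k in range(n)]


def reconstruction_error(freq_hz=1000.0, n=4800):
    """Worst-case difference between decoded PCM and the input at each window centre."""
    src = sine(freq_hz, n)
    pcm = pdm_decode(pdm_encode(src))
    worst = 0.0
    for i, value in enumerate(pcm):
        centre = src[i * DECIMATION + DECIMATION // 2]
        worst = max(worst, abs(value - centre))
    return worst


if __name__ == "__main__":
    print("worst-case reconstruction error for a 1 kHz tone: %.3f" % reconstruction_error())
    print("decoded samples from an unclocked mic:", pdm_decode([]))
```

The decoder is deliberately the crudest one (a plain boxcar average); real front ends use a CIC or FIR decimator, but the counting step is the same, and a stopped clock still yields an empty stream.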


Anything with an integrated circuit can be proven to be not operating based on power consumption or switching noise of the transistors in the device.


My phone has hardware kill switches for modem, wifi/Bluetooth and mic/camera.


Do those meters work across all frequencies?


This. Unless you flashed it yourself from code you compiled and analyzed yourself, or have a verified signature/hash, assume that it’s pre-compromised and the “agencies” have access to it. For 99.999% of us, this doesn’t matter outside of civil liberties or whatnot. For the 0.001%, you’re their target audience. Smile for your camera. Ask Kaspersky.


> For 99.999% of us, this doesn’t matter outside of civil liberties

Civil liberties matter to everyone at some point.


I said outside of. Of course civil liberties matter to all.


Here's a good article about a backdoor built into Samsung's Galaxy baseband processor, discovered in 2014: https://www.fsf.org/blogs/community/replicant-developers-fin...


This isn’t a backdoor in the baseband.

It’s code in the kernel which allows the baseband to effectively execute code in said kernel.

Definitely not ideal, but (especially without seeing baseband code) not something you can call a backdoor.

That said, I’d never use a Samsung. But that’s a whole other story.


I’m not going to say this is a backdoor but what I will say is that the best backdoor is the one with plausible deniability.


Intel ME and AMD PSP are the computer equivalents of this.

https://libreboot.org/faq.html#intel

https://libreboot.org/faq.html#amd


One of the interesting aspects of the Librem 5 is putting the cellular component on USB rather than something like PCI, substantially limiting the baseband's reach. Part of why the Librem 5 is such a big heavy and chunky device is it's assembled more like an OG ThinkPad with discrete peripherals, in smartphone form.

Most (all?) modern smartphones commingle the baseband and application processors to the extent that the baseband has direct access to the application processor's memory. You can logically envision your smartphone's GUI/application environment as the baseband's guest. You are not in charge, despite owning the device.


I worked at a commercial L4 microkernel company ten-ish years ago. My memory of it was that AMSS ran on OKL4, but without a linux on top


so right-to-repair promoting easily removable batteries would be of help here :D

unless the com chips have a purely passive mode ..


It takes a surprisingly small amount of power to intermittently ping cell towers at longer intervals.


All that hinges on a functioning antenna.


Side note, France's approach to technology is so weird.

Here's the DGSE (or not): https://www.google.com/maps/@48.8743323,2.4081584,16z/data=!...

In contrast, here's the US CIA: https://www.google.com/maps/@38.952807,-77.1456773,16z/data=...

Stumbled across that while traveling in Paris and thought "Who masks public satellite imagery in 2023?"


I was reading about the arsenal at Toulon earlier today and looked it up on Google maps to see if it was obvious where the old Darse Vauban was - only to be faced with chunky pixels across the entire port!

Yandex maps, of course, no such compulsion. Ridiculous stuff.


Mhm, Yandex has the only satellite imagery I've found that does not pixelate this

https://yandex.com/maps/10502/paris/house/ZlcCdgBpTkUbWFZ0a3...



It definitely looks blurred in satellite view for me, in browser and on the app, but the roads are still visible over the top, just like Google's


The CIA building needs 3 times the space for parking as for the building.


Safer than underground parking.


Interesting! It's like the difference between security through obscurity and security by design.


They've been doing it for years.

It's rootkits/RATs, just malware developed by intelligence services and/or some technical branches of police, although they sometime hire external contractors for this.

They use exploits or physical access.

AFAIK there is no manufacturer giving backdoors to the French government (but the US and China definitely have some, I wouldn't be surprised if the US shared some access for major cases)


Some capabilities are available through the carrier. For example, a cell carrier has access to subscribers' coarse location information, since they can tell which cell tower(s) the subscriber is connected to, and the physics involved provides coarse direction and distance.

Other capabilities require access to the device, either through an exploit or spyware.
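An added illustration (not part of the comment above) of how coarse a tower-based fix is: each serving or neighbouring tower knows a timing advance for the handset, i.e. a quantised round-trip delay, and a position can be fitted to those range bins. The three-tower layout and handset position below are constructed; the 553.5 m GSM timing-advance step is the standard value; the least-squares fit is a textbook Gauss-Newton and is not a claim about what any carrier actually runs.

```python
import math

# GSM timing advance (TA) is quantised in steps of one bit period of round-trip
# delay, about 553.5 m of range per step; LTE uses finer steps of about 78.1 m.
# Standard values, used here only to size the example.
GSM_TA_METRES = 553.5
LTE_TA_METRES = 78.12


def ta_from_distance(distance_m, step=GSM_TA_METRES):
    """TA value a tower would report for a handset at this distance."""
    return int(distance_m // step)


def ta_to_range(ta, step=GSM_TA_METRES):
    """Midpoint of the range bin a TA value denotes."""
    return (ta + 0.5) * step


def estimate_position(towers, ranges, iterations=50):
    """Gauss-Newton least-squares fit of (x, y) to range measurements.

    towers: list of (x, y) tower positions in metres on a local plane
    ranges: matching list of range estimates in metres
    """
    x = sum(t[0] for t in towers) / len(towers)   # start at the tower centroid
    y = sum(t[1] for t in towers) / len(towers)
    for _ in range(iterations):
        a11 = a12 = a22 = b1 = b2 = 0.0
        for (tx, ty), r in zip(towers, ranges):
            dx, dy = x - tx, y - ty
            d = math.hypot(dx, dy) or 1e-9
            residual = d - r
            jx, jy = dx / d, dy / d                # d(distance)/dx, d(distance)/dy
            a11 += jx * jx
            a12 += jx * jy
            a22 += jy * jy
            b1 += jx * residual
            b2 += jy * residual
        det = a11 * a22 - a12 * a12
        if abs(det) < 1e-12:
            break                                  # degenerate geometry (collinear towers)
        step_x = (a22 * b1 - a12 * b2) / det       # solve (J^T J) step = J^T residual
        step_y = (a11 * b2 - a12 * b1) / det
        x -= step_x
        y -= step_y
        if math.hypot(step_x, step_y) < 1e-3:
            break
    return x, y


def locate_from_ta(towers, ta_values, step=GSM_TA_METRES):
    return estimate_position(towers, [ta_to_range(ta, step) for ta in ta_values])


# Constructed scenario: three towers on a local grid, handset at (1000, 1500).
TOWERS = [(0.0, 0.0), (3000.0, 0.0), (0.0, 4000.0)]
TRUE_POSITION = (1000.0, 1500.0)
OBSERVED_TA = [ta_from_distance(math.hypot(tx - TRUE_POSITION[0], ty - TRUE_POSITION[1]))
               for tx, ty in TOWERS]


def position_error(towers=TOWERS, ta_values=OBSERVED_TA, true_pos=TRUE_POSITION):
    """Metres between the TA-based estimate and the true (constructed) position."""
    ex, ey = locate_from_ta(towers, ta_values)
    return math.hypot(ex - true_pos[0], ey - true_pos[1])


if __name__ == "__main__":
    print("TA values seen by the towers:", OBSERVED_TA)
    print("estimate (m):", locate_from_ta(TOWERS, OBSERVED_TA))
    print("error (m): %.0f" % position_error())
```

The residual error of a few hundred metres is the quantisation of the TA bins, not a bug: this is why the comment calls carrier location "coarse", and why anything finer needs the handset's own GNSS fix, which in turn needs code running on the device.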


Baseband attacks are possible, but the French government would have to compel the (likely foreign) producer of baseband equipment to insert a backdoor, or do significant vulnerability research on closed source hardware/software to find vulnerabilities across common baseband processors.

OS level attacks seem more likely. The lazy option for a police agency would just be to purchase or develop a couple mobile browser exploits, and then serve warrants to French telcos requiring them to MitM targeted traffic. When the target tries to load something via http, redirect them to the exploit server, deliver the payload, and dump everything from their device and collect location, camera, and audio going forward.

Edit: Most people also seem to be overlooking the low-tech solution - get a warrant to break into the target's house or seize their phone during a "random" traffic stop, and use physical access to the device to do whatever.


> [...] The lazy option for a police agency would just be to purchase or develop a couple mobile browser exploits, and then serve warrants to French telcos requiring them to MitM targeted traffic. [...]

This seems highly unlikely to not alert someone as the camera / video / GPS icons would show up as being in use.

> Most people also seem to be overlooking the low-tech solution - get a warrant to break into the target's house or seize their phone during a "random" traffic stop, and use physical access to the device to do whatever.

I think people are not really overlooking, but the question is related to the remote enabling of GPS / Video / Audio interception. This kinda excludes random traffic stops or breaking into someone's house.

As such, "do significant vulnerability research on closed source hardware/software to find vulnerabilities across common baseband processors" seems like a way to achieve this.


> This seems highly unlikely to not alert someone as the camera / video / GPS icons would show up as being in use.

You would need a privesc to dump the data from other apps due to app sandboxing anyways. And once you have root, you can disable the GPS/video/camera indicators, since they are controlled by the OS.

> I think people are not really overlooking, but the question is related to the remote enabling of GPS / Video / Audio interception. This kinda excludes random traffic stops or breaking into someone's house.

Initial physical access is the poor man's way of enabling long-term remote access.

> As such, "do significant vulnerability research on closed source hardware/software to find vulnerabilities across common baseband processors" seems like a way to achieve this.

Go present a set of options to a government bureaucrat, and tell them:

A. you can build a vulnerability research program for 7-8 figures, pray that your best researchers don't get poached by Google after you train them, and maybe get something useful in five years.

B. you can buy a couple of existing browser exploits and privescs for 6-7 figures, enabling remote access.

C. you can use your legal powers to break into the suspect's home/office and load monitoring software on their phone with physical access.

They are going to pick B or C.


USIM toolkit.

https://en.wikipedia.org/wiki/SIM_Application_Toolkit

It's under the control of the mobile operator which knows the secrets keys to send commands to the phone OTA.
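Added example, not from the thread: a parser for the proactive-command TLVs a UICC hands the terminal (the BER-TLV layout of ETSI TS 102 223 / 3GPP TS 31.111), used to flag the command types that make the handset reach out to the network, such as LAUNCH BROWSER. The two sample commands are constructed by hand; the URL, the alpha identifier text and the carrier wording in them are invented, and the command table covers only a subset of the spec.

```python
# Tags from ETSI TS 102 223 / 3GPP TS 31.111. Bit 8 of a simple-TLV tag is the
# "comprehension required" flag and is masked off when matching.
PROACTIVE_COMMAND_TAG = 0xD0
TAG_COMMAND_DETAILS = 0x01
TAG_DEVICE_IDENTITIES = 0x02
TAG_ALPHA_IDENTIFIER = 0x05
TAG_TEXT_STRING = 0x0D
TAG_URL = 0x31

DEVICE_NAMES = {0x01: "keypad", 0x02: "display", 0x03: "earpiece",
                0x81: "UICC", 0x82: "terminal", 0x83: "network"}

# Subset of "type of command" values; the spec defines many more.
TYPE_OF_COMMAND = {
    0x13: "SEND SHORT MESSAGE",
    0x15: "LAUNCH BROWSER",
    0x21: "DISPLAY TEXT",
    0x26: "PROVIDE LOCAL INFORMATION",
    0x40: "OPEN CHANNEL",
    0x41: "CLOSE CHANNEL",
    0x43: "SEND DATA",
}
# Command types that make the handset send traffic or fetch content.
NETWORK_REACHING = {0x13, 0x15, 0x40, 0x43}


def _read_length(buf, pos):
    """BER length: one byte if < 0x80, else 0x81 followed by one length byte."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    if first == 0x81:
        return buf[pos + 1], pos + 2
    raise ValueError("unsupported length encoding 0x%02x" % first)


def _encode_length(n):
    return bytes([n]) if n < 0x80 else bytes([0x81, n])


def tlv(tag, value):
    """Build one TLV; used here only to construct the sample commands."""
    return bytes([tag]) + _encode_length(len(value)) + value


def parse_tlvs(buf):
    """Split a run of simple TLVs into (tag without CR bit, value) pairs."""
    pos, out = 0, []
    while pos < len(buf):
        tag = buf[pos]
        length, pos = _read_length(buf, pos + 1)
        out.append((tag & 0x7F, buf[pos:pos + length]))
        pos += length
    return out


def parse_proactive_command(data):
    """Decode one proactive command (tag D0) into a dict of its known elements."""
    if data[0] != PROACTIVE_COMMAND_TAG:
        raise ValueError("not a proactive command")
    length, pos = _read_length(data, 1)
    elements = parse_tlvs(data[pos:pos + length])
    cmd = {"elements": elements}
    for tag, value in elements:
        if tag == TAG_COMMAND_DETAILS:
            cmd["number"], cmd["type"], cmd["qualifier"] = value[0], value[1], value[2]
            cmd["type_name"] = TYPE_OF_COMMAND.get(value[1], "0x%02x" % value[1])
        elif tag == TAG_DEVICE_IDENTITIES:
            cmd["source"] = DEVICE_NAMES.get(value[0], hex(value[0]))
            cmd["destination"] = DEVICE_NAMES.get(value[1], hex(value[1]))
        elif tag == TAG_ALPHA_IDENTIFIER:
            cmd["alpha_id"] = value.decode("ascii", "replace")
        elif tag == TAG_URL:
            cmd["url"] = value.decode("ascii", "replace")
        elif tag == TAG_TEXT_STRING:
            cmd["text"] = value[1:].decode("ascii", "replace")   # first byte is the DCS
    return cmd


def reaches_network(cmd):
    return cmd.get("type") in NETWORK_REACHING


# Constructed samples, not captured traffic. Strings are ASCII for readability.
LAUNCH_BROWSER_SAMPLE = tlv(PROACTIVE_COMMAND_TAG,
    tlv(0x81, bytes([0x01, 0x15, 0x00]))          # command details: #1, LAUNCH BROWSER
    + tlv(0x82, bytes([0x81, 0x82]))              # device identities: UICC -> terminal
    + tlv(0x05, b"Carrier update")                # alpha identifier shown to the user
    + tlv(0xB1, b"http://example.com/update"))    # URL, comprehension required

DISPLAY_TEXT_SAMPLE = tlv(PROACTIVE_COMMAND_TAG,
    tlv(0x81, bytes([0x02, 0x21, 0x01]))          # command details: #2, DISPLAY TEXT
    + tlv(0x82, bytes([0x81, 0x02]))              # device identities: UICC -> display
    + tlv(0x8D, bytes([0x04]) + b"Hello"))        # text string, DCS 0x04 = 8-bit data


if __name__ == "__main__":
    for sample in (LAUNCH_BROWSER_SAMPLE, DISPLAY_TEXT_SAMPLE):
        cmd = parse_proactive_command(sample)
        print(cmd["type_name"], "->", cmd.get("url", cmd.get("text")),
              "| reaches network:", reaches_network(cmd))
```

A terminal that logs the TERMINAL PROFILE it advertises, and every proactive command it receives, gives you the audit trail the thread is asking about: an unexpected LAUNCH BROWSER or OPEN CHANNEL from the card is visible at this layer even when the browser page it opens looks benign.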


Interesting! I'm assuming this should have limited access to what requests it sends to the phone. I'm also assuming this limited access would be implemented by the manufacturer.

So my question, based on those assumptions, is: this application toolkit, as well as OS level calls would require an exploit by the intelligence agency to be able to give commands such as start the camera and stream it? I guess the barrier between the OS and the SIM holding hardware would have to be broken so that the camera could be made to stream to some random endpoint.


About camera I don't know but controlling the browser and multimedia is possible:

https://www.etsi.org/deliver/etsi_ts/131100_131199/131111/17...


From the specification it looks it can open a browser... combine that with an exploit for the browser...


If I were some sort of criminal and my phone's browser would open up after which I'd see the video / audio / gps icons light up, I'd be very suspicious.


Definitely. But I guess that it might be more subtle. The web page can show some benign message (let's say something related to your cell provider) and deliver an exploit to install a spyware like Pegasus. There would be no immediate sign of infection or suspicious activity besides the unexpected browser opening.


They will have to install an exploit on the target device. The law merely allows that practice.


A few months ago, France did emergency broadcast tests on some users.

I was one of them and my phone (Android, Samsung, operator is Orange) suddenly was taken over. It started to root a sound I never heard (loudly), vibrate like crazy and the screen was locked to an emergency message that covered everything else. I had to click on the message to make it go.

This test shows that the administration already has some level of control, through the network provider's OS layer.


> This test shows that the administration already has some level of control, through the network provider's OS layer.

I don’t think it shows that. This likely is cell broadcast (https://en.wikipedia.org/wiki/Cell_Broadcast)

Many phones allow you to disable it (according to that Apple page not always: “In some countries or regions, you may not be able to disable Government Alerts”). See https://support.apple.com/en-us/102516, https://www.quora.com/How-can-you-block-or-disable-cell-broa...)


Ah, you must be right then. I think it indeed looked very much like Alert-FR (https://fr.wikipedia.org/wiki/FR-Alert)


It's most likely some contracts with NSO group or some other Israeli firm.

Only for high value targets of course, otherwise they'll just go with a simpler and cheaper route.


France recently had its own Pegasus scandal, a French firm sold a software called "Predator" to dubious countries (see https://www.amnesty.org/en/documents/act10/7245/2023/en/)


There’s a recent Darknet Diaries episode about Predator for anyone interested:

https://podcasts.apple.com/au/podcast/darknet-diaries/id1296...


There is always a $5 wrench solution to pretty much any problem. You either have to be willing to use it, or just creative enough to find it.


Yeah definitely, those expensive and rare exploits won't be used for the drug dealer around the street, that's for sure.


OMA DM, or something like that.

https://en.wikipedia.org/wiki/OMA_Device_Management

Send special SMS, which makes the phone contact download instructions on what to do from a given URL. All in the background.

Even Pinephone's modem has a few FOTA binaries that handle remote instructions from different operators. I guess the binaries of the OMA DM processing programs are provided by the mobile operators, or co-developed with the modem manufacturer. It can't turn on the camera or whatever, and is disabled by default, but that's just because the modem is not integrated into the main SoC.

https://megous.com/dl/tmp/f498105e651c5935.png


obscurity seems to be a major part of securing baseband.

https://www.extremetech.com/computing/170874-the-secret-seco...

https://www.androidauthority.com/smartphones-have-a-second-o...

events.ccc.de/congress/2011/Fahrplan/attachments/2022_11-ccc-qcombbdbg.pdf[PDF]


For smartphones, assume an always-on wiretap situation. But for laptops, it may be harder depending on how hardened your setup is, and how tight your opsec is. There is the possibility that if you're a high value target and you bought your laptop online that it could be bugged, but you would have to be someone like a drug trafficker or a journalist or some other high profile person.


I remember when someone at CCC (I think) coined the synonymous “Ortungswanze” <> smartphone - and it got way worse since that.

https://translate.google.com/?sl=auto&tl=en&text=ortungswanz...


Oh wow, I'm really interested to know how that's even possible.



