29 votes

The NSA Has Inserted Its Code Into Android OS, Or Three Quarters Of All Smartphones

http://www.zerohedge.com/news/2013-07-09/nsa-has-inserted-it...

Over a decade ago, it was discovered that the NSA embedded backdoor access into Windows 95, and likely into virtually all other subsequent internet connected, desktop-based operating systems. However, with the passage of time, more and more people went "mobile", and as a result the NSA had to adapt. And adapt they have: as Bloomberg reports, "The NSA is quietly writing code for Google’s Android OS."

Is it ironic that the same "don't be evil" Google which went to such great lengths in the aftermath of the Snowden scandal to wash its hands of snooping on its customers and even filed a request with the secretive FISA court asking permission to disclose more information about the government’s data requests, is embedding NSA code into its mobile operating system, which according to IDC runs on three-quarters of all smartphones shipped in the first quarter? Yes, yes it is.

Google spokeswoman Gina Scigliano confirms that the company has already inserted some of the NSA’s programming in Android OS. "All Android code and contributors are publicly available for review at source.android.com." Scigliano says, declining to comment further.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Lets be realistic here shall

Lets be realistic here shall we? The NSA probably has their code in Iphone, blackberries, and certainly windows phones as well. If the story is to be believed its a recent thing anyway so older versions of android aee unaffected(dont believe its a recent thing..its been there since smartphones got popular I am sure). All these corporations are faceless fascist enablers. If they have more than a hundred employees I am sure they are in bed with government in some way shape or form.

Time to go plant a garden, go

Time to go plant a garden, go hunting, fishing, skiing, to the park, to the beach, to the mountains, etc....and get the hell off the internet and cell phones.

(of course, I say this as I'm posting on a website).

“Let it not be said that no one cared, that no one objected once it’s realized that our liberties and wealth are in jeopardy.”
― Ron Paul

Open Source does Not Mean No Backdoors

For my fellow geek friends I would mention this...

Comparing Open Source Android on a phone to Linux on anything else is a false comparison.

The Hardware brings so many libraries into the runtime that you have a private closed source build for all practical purposes.

A better analogy is that your Android smart phone is like a Linux PC with a proprietary NIC that has direct memory access to your microphone and speaker and all other pars of your phone. Also there is not only a traditional NIC (WiFi) stack but also a proprietary radio that supports multiple protocols with some of those protocols completely inaccessible from the OS. The hardware is always listening to commands from the cell towers about when to wake up and perform a task (like "ring" for incoming calls). These tasks include remote bios hardware updates and kill commands including the passive "turn mic on" command.

The amount of interaction between the hardware and the phone network is probably where the NSA code is, the NSA code never needs to touch the OS.

You got it

Just wait until the internet wakes up to the new Intel stuff.

There's a whole new CPU with access to main memory. At some point after system initialization, but prior to booting the OS, memory below some address is walled off from the main CPU. The main CPU cannot even access this memory in ring zero. In this memory the code and data for the other CPU is loaded. The other CPU runs in parallel and has unfettered access to all of your memory and peripherals. It can handle interrupts from your network interface before your kernel can, so it can intercept or transmit traffic while remaining completely invisible to your OS.

This stuff survives OS reinstalls. The only way to even access it is cold boot memory dumps. It's for anti-theft. Of course, it's all modular so it can be extended to do God knows what.

robot999's picture

Guess I'll be getting an iPhone...

oh wait, damn.

"Government is the entertainment division of the military-industrial complex". - Frank Zappa

Lookout for yourself: Source.Android.com/Source/

"Barring the natural expression of villainy which we all have, the man looked honest enough." - A Mysterious Visit, bu Mark Twain, 1875

The Android Source Code

Android is an open-source software stack created for a wide array of devices with different form factors. The primary purpose of Android is to create an open software platform available for carriers, OEMs, and developers to make their innovative ideas a reality and to create a successful, real-world product that improves the mobile experience for end users. We also wanted to make sure that there was no central point of failure, where one industry player could restrict or control the innovations of any other. The result is a full, production-quality consumer product whose source is open for customization and porting.

Governance Philosophy
Android was originated by a group of companies known as the Open Handset Alliance, led by Google. ... The companies that have invested in Android ... believe that an open platform is necessary. Android is intentionally and explicitly an open-source -- as opposed to free software -- effort: a group of organizations with shared needs has pooled resources to collaborate on a single implementation of a shared product. ... The objective is a shared product that each contributor can tailor and customize.

Uncontrolled customization can, of course, lead to incompatible implementations. To prevent this, the Android Open Source Project also maintains the Android Compatibility Program, which spells out what it means to be "Android compatible", and what is required of device builders to achieve that status. Anyone can (and will!) use the Android source code for any purpose, and we welcome all such uses. However, in order to take part in the shared ecosystem of applications that we are building around Android, device builders must participate in the Android Compatibility Program.

The Android Open Source Project is led by Google, who maintains and further develops Android. Although Android consists of multiple subprojects, this is strictly a project management technique. We view and manage Android as a single, holistic software product, not a "distribution", specification, or collection of replaceable parts. Our intent is that device builders port Android to a device; they don't implement a specification or create a distribution.

Disclaimer: Mark Twain (1835-1910-To be continued) is unlicensed. His river pilot's license went delinquent in 1862. Caution advised. Daily Paul

In order to have any real

In order to have any real trust it in you need to review the source and then compile it yourself. Even then, there's the trusting trust problem, but leaving that aside, hardly any of us builds our own stuff from source.

We have no clue what our software is actually doing.

Why do you think

they are called smart?

Cyril's picture

+1 For wit :)

+1 For wit :)

"Cyril" pronounced "see real". I code stuff.

http://Laissez-Faire.Me/Liberty

"To study and not think is a waste. To think and not study is dangerous." -- Confucius

Alternatives for Android and much more...

A must-have bookmark, it is constantly updated:

https://prism-break.org/

If men are good, you don't need government; if men are evil or ambivalent, you don't dare have one.

And even more interesting

Is the discussion of what's in or out:

https://github.com/nylira/prism-break/issues

I was thinking of getting a

I was thinking of getting a Galaxy S4. Now I'm sticking with my simple flip phone. It'll stay at home most of the time like it usually does.

HELLOOO, NSA, i'd just like

HELLOOO, NSA, i'd just like to tell you, you know, directly......your a dick

Cyril's picture

LOL :D

LOL :D

"Cyril" pronounced "see real". I code stuff.

http://Laissez-Faire.Me/Liberty

"To study and not think is a waste. To think and not study is dangerous." -- Confucius

Android has an active dev

Android has an active dev community, if this is not one thing they attempt to "remedy" i think ill be looking into other avenues for a phone, or if google realise what kind of shit storm their kicking up, and voluntarily and verifiably destroy, obliterate nsa code, like to know what the code does first

It wasnt ok for carrier IQ scandel, sure as hell not okay because you are a government "agency", who do they think they are, tyrants?!

The NSA contributed SELinux.

The NSA contributed SELinux. Not everything they do harmful.

If you're worried about mobile security: http://www.cyanogenmod.org/blog/this-week-in-cm-july-5-2013

Good point

Navy is also looking to develop security improvement for Android:

http://www.navysbir.com/n13_2/N132-115.htm

I'm glad you posted this;

I was about to bring this up myself.

I've been using Red Hat Linux (then Fedora and CentOS after Red Hat discontinued its desktop OS) since 1996-97. Not exclusively; I dual-boot with Windows (I recommend all Windows users give dual-booting some consideration. It's very easy.) because I have too many friends and family members using Windows-specific software. Anyway, many U.S. agencies (other governments' agencies, as well) have been using Red Hat Linux for sensitive data (and for spying, I'm sure, since Linux is far more advanced and versatile than Windows or Mac) for many years, the NSA among them. I remember when I heard that the Linux kernel developers and Red Hat had incorporated NSA code into Linux proper and the Red Hat and Fedora distributions, and I recall being very suspicious. See, I decided to run Linux on my PC not only for the challenge (it wasn't always as easy to install and/or use as it is these days) but also because I suspected Windows of having back-doors from the beginning. But the suspicion of SELinux only lasted a moment and here's why.

Free/open-source software (Linux being the largest open-source software project ever and still) is wide open. The professional and volunteer developer communities are very large and very talented and the code is examined, debugged if necessary, and approved/rejected before being officially released to the public. That's one of the greatest benefits of free/open-source software. Because so many people see the code and compile and run the code on so many disparate architectures and pieces of hardware, bugs and security flaws are spotted, reported and fixed or removed very quickly; sometimes in a matter of hours. The NSA could never slip a back-door into something like, say, the Linux kernel, even through the SELinux code that they developed (but do not maintain). I don't even think they'd try. It wouldn't take a month (probably much sooner) for the back-door (or whatever) to be discovered and removed.

Anyway, because Android is a Linux-based OS I thought I'd make sure Linux as a whole doesn't become suspect.

You beat me to it but I thought I'd elaborate a bit more.

Work for pay, pay for freedom
Fuck 'em all, we don't need 'em

uh huh

What is your take on these?

What is your take on these?

http://arstechnica.com/security/2013/12/we-cannot-trust-inte...

http://www.theregister.co.uk/2013/12/09/freebsd_abandoning_h...

Our constitution was made only for a moral and religious people. It is wholly inadequate to the government of any other.

John Adams

Good move

Using blackbox AES is ok because the output is deterministic. Timing can be an issue but that can be mitigated. The RNG cannot be tested in any meaningful way, so I don't blame them for being suspicious of it. It might give faithfully random output when providing enough output for a statistically significant analysis, but then hand out one of a couple hundred million predetermined keys when asked for a mere 32 bytes.

In other recent news OpenSSH added a new ChaCha20-Poly1305 cipher-mac suite.

Note that the NSA has two

Note that the NSA has two missions:
1) To spy on foreigners
2) To secure the information infrastructure of US entities (government, business, and individuals).

Yes those two missions are at odds with each other. But sometimes they do things for the second mission despite its negative effect on the first. A couple examples:

- Some strange regularities in the "S-Box" tables of the NSA-designed DES cypher, which many security researchers thought were a sign of a back door for NSA, turned out to make the cypher much more robust against an attack discovered by the public cryptology community decades later.

- They have released a hardened (and open) version of Linux, with fixes that have been vetted and incorporated by the open source community since that time.

So it's POSSIBLE that this code is more hardening, rather than more wiretapping back doors.

Is it likely? IMHO "fat chance". But let's not automatically assume EVERYTHING they do IS spying, rather than defending.

We need to look at the code and try to figure out what it's up to.

= = = =
"Obama’s Economists: ‘Stimulus’ Has Cost $278,000 per Job."

That means: For each job "created or saved" about five were destroyed.

Any Open Source alternative to Android''s OS ?

Not all Desktop Operating Systems have the NSA embedded into them.
Linux does not.

Linux is Open Source, anyone can inspect the code, and many people constantly do.

____

"Take hold of the future or the future will take hold of you." -- Patrick Dixon

Replicant is open source, but not a real alternative

Replicant aims to open up all software on Android phones:

http://redmine.replicant.us/projects/replicant/wiki/Replican...

If you read the status on supported devices, however, you will see that the modem, WIFI, Bluetooth, NFC and GPS firmwares are all proprietary. You can install a 100% free an open source Replicant system on your phone, but you won't be able to make phone calls, access the internet, use GPS, Bluetooth, or NFC. Until there are open source alternatives to the firmware, the phone can never be made 100% open source. With closed source firmware, you have no idea what the firmware can and cannot do, and have no control over the phone.

We all want progress, but if you're on the wrong road, progress means doing an about-turn and walking back to the right road; in that case, the man who turns back soonest is the most progressive.

-C. S. Lewis

Android is linux and yes you can inspect

the source. Read the article. A Google rep confirms there is NSA code and it sounds like she is begging people to go find it at source.android.com

Cyril's picture

Get some LSD

Anyway. Intended or not, announced or not, software security has always been, still is, and will remain for long... largely a joke.

Back in the days, just 11 or so years ago, I was already enjoying to dig and verify by myself the hacks that guys like The Last Stage of Delirium would find possible to do, if only with this boring Windoze (which was already sold as "more secure" by MS... "lololol"):

http://lsd-pl.net/

The "exploit" (arbitrary command execution) is at the end, in the chapter 4's case study; linky for the curious' convenience:

http://dotxml.brinkster.net/2003/winasm-1.0.1.pdf

These techniques and many others are still current. Nothing new under the sun. Only the versions and the vendors' marketing rhetoric get their new makeup each year. Open source is slightly better only because you can see the design or realization flaws earlier, that's all.

The computer, like any machine, is the dumbest, most inert thing ever. So, the true weakest link remains the human, anywhere, anyhow, always. And that still includes both the users and the engineers, btw. In what they overlook or feel overconfident about. Including the NSA's "geniuses" (who, maybe, believe they can outsmart everybody with whatever they've hidden in X, Y or Z, if anything).

But! Hardware (like guns, and their size, and who has a physical custody of what, when, where) is a whole different story.

"Cyril" pronounced "see real". I code stuff.

http://Laissez-Faire.Me/Liberty

"To study and not think is a waste. To think and not study is dangerous." -- Confucius

Yeah

Remember when 0day sploits were routinely posted to bugtraq and everyone was on IRC?

Now it's all for money, cloak and dagger. Researchers are threatened. What was once the antisec is now anonymous.

Cyril's picture

Lol. Memories...

I remember downloading the Linux kernel 0.97(something) from Finland's FTPs (in 93 I think) on a dozen chunks of as many 3.5" floppy disks, to build it afterwards on a 8Mb RAM Taiwanish compatible PC...

Then, I could run the C compilo over the source of a version of Tetris in text mode.

For me, girls were more difficult to understand at the time...

;)

"Cyril" pronounced "see real". I code stuff.

http://Laissez-Faire.Me/Liberty

"To study and not think is a waste. To think and not study is dangerous." -- Confucius

There are Linux Kernel Modules that can defeat all that

but windows remains forever vulnerable.

____

"Take hold of the future or the future will take hold of you." -- Patrick Dixon

No, Windows now has better

No, Windows now has better process hardening than Linux does.