Web Concepts

Archive for the ‘Mobile’ Category

Be prepared to be scared about your cell phone privacy. Two security researchers showed today how they can track down cell phone numbers, identify the person who owns the phone, and then track the whereabouts of that person. And they can do it with technology available to ordinary civilians.

That last part is the shocking part. Government investigators and police can do this. But Don Bailey and Nick DePetrillo (pictured) showed they were able to do it by collecting bits of information and then amassing them into a powerful tool that can invade your privacy. They showed off working code and other proof from Project Carmen Sandiego (named after a computer game where you tracked somebody down as part of a geography lesson) at the Black Hat security conference today in Las Vegas.

“This is intelligence gathering for civilians,” said Bailey, speaking to a roomful of security researchers and hackers. “We can find out where you are, who you talk to, where you are most vulnerable.”

Bailey and DePetrillo joked that they could get actress Megan Fox’s cell phone number and sell it to the highest bidder. But they said the point of doing this isn’t to get the cell phone numbers of celebrities or executives like Apple’s Steve Jobs. They wanted to show how security should be stepped up for cell phones and how shockingly easy it is to do. If they could do it, they reasoned, then the bad guys with evil intent have probably already figured out how to do it. In effect, Bailey and DePetrillo said that they have enough information to put together a White Pages for cell phones, with home numbers for everybody’s cell phone.

Governments can pretty much afford the technology to do this now. But ordinary civilians can’t. One of the tools they exploit is a central database called a Home Location Register, which records the phone number of every SIM (subscriber identity module) authorized to use the cell phone network based on the GSM (Global System for Mobile communications) standard, which is the standard used in about 80 percent of the world’s phones. You can access HLR data through various third-party resources, Bailey said. You can cross reference that with Mobile Switching Center information that determines where you are, generally.

That data tells the researchers what city the user is in. They reverse engineered this data to get more information. In other countries, the MSC data has zip code data embedded in it, making it much easier to find someone’s location. U.S. data isn’t that easy to figure out. But the researchers say that can take a given MSC number and find out its location and its cell phone provider.

“That information should be privileged, but it isn’t,” Bailey said. “I shouldn’t know that you switched from AT&T to T-Mobile.”

You can buy CallerID information from companies such as Targus, which gets data from Verizon and other carriers. They add your name to the CallerID database with phone number data. If you buy a cell phone in the U.S., your name will wind up in a CallerID database. With this data, the researchers were able to reverse engineer the data to create a White Pages for mobile phones, which means they can put a name to a cell phone number. With the name and phone number together, the researchers can assemble other information.

“It’s extremely easy to build your own database,” DePetrillo said.

The databases are more expensive if you want to get the most current data, but older data is cheaper, costing only 0.0024 cents per name looked up. One of the things they can do with names is piece together who your co-workers are, because they will be using company-purchased phones with similar phone numbers.

Some of the techniques they use to glean information include backspoofing. But if you don’t want to do that, you can buy databases from Bulkcname.com for around $100 per 1,000 name lookups. The researchers say they can get 10,000 names identified for just $30. You can verify the data by cross referencing it with HLR data, which tells which carrier is associated with certain phone numbers.

During the talk, the researchers showed slides of text that showed phone numbers, names, locations and company affiliations. They can even make educated guesses about which banks of phone numbers are assigned to prepaid phones, which are phones bought at stores and can generally disguise their owners. The researchers say they can pinpoint people 99 percent of the time. With Google, Facebook and other tools, you can often then put a face to the name. You can find out if there are multiple phone numbers associated with one person.

“Our intent is to get people thinking about their actions and their vulnerabilities,” Bailey said. “You can target people. You can locate private individuals. You can locate groups of individuals. You can track where people are traveling. That’s a lot of information. It can be scary.”

Added DePetrillo, “This is simple stuff to understand. I have information I shouldn’t have. I didn’t do any crazy, insane hacker tricks. It requires very little intelligence.”

Tags: BlackHat, Carmen Sandiego Project, security

People: Don Bailey, Nick DePetrillo

Google today announced on its Mobile Ads blog that it has launched location-aware display advertisements for mobile phones. Through Google’s “location extension” feature, advertisers can now include their location and phone numbers to appear in display ads on iPhone and Android mobile websites.

The feature, previously available only on search ads, will appear as banner text advertising and will pinpoint business locations on a small map as well as a “click-to-call” phone number. Consumers will also have the option for generate directions if needed.

Giving consumers the option of viewing businesses in their area increases Google’s chance that the consumer will call the business or click to its website, which are the two ways Google makes money on the service. The move shows Google’s increased investment in mobile and display advertising, two areas that have traditionally played second-fiddle to regular search advertising.

The location aware advertisements might be just what local businesses need as well. According to TechCrunch, “Google says that mobile ads that offer a location generally see an average 8 percent increase in click-through rates over plain-vanilla mobile ads, and click-to-call mobile ads see a 6 percent increase in clicks.”

Advertisers have to opt-in to the Google Ad Network and make sure they check the “Display Network” option. From there, the advertiser includes its number and address as well as the option to upload a logo. The last step is to check the box for iPhones and other mobile devices will full Internet browsers.

Tags: geo-targeting, location aware, mobile advertising

Companies: Google

Carriers are often the gatekeepers when it comes to deploying new services to mobile networks and devices. They can bring scale businesses in the mobile community in a sudden and dramatic way. And they are where the money is — the collection point of monthly subscription revenue from customers. Carriers will take the stage at TC3 to talk about their innovation strategies, programs, and about what solutions they are looking for from innovators and entrepreneurs.

If you’re an innovator or entrepreneur in mobile, the annual Telecom Council Carrier Connections summit, TC3, connects you with the people and ideas that are directing the innovation activities inside many global carriers. You will get an inside look at how carriers around the world are planning and executing their innovation efforts and how they seek to partner with entrepreneurs and work with new companies.

The Telecom Council of Silicon Valley is “where telecom meets innovation.” And the TC3 conference is the seminal venue for carriers around the world to bring attention to their innovative sides – to market their innovation activities throughout the ecosystem, to attract entrepreneurs and developers, and to promote innovation inside and outside their labs. This is a 1-day conference with a very senior audience from across the ecosystem – from fixed and wireless to content, apps, and infrastructure – where the speakers are the same executives responsible for the innovation strategies and activities of their respective carriers.

TC3 also has limited opportunities for other companies to get their message out to the community of telecom innovators. When you register, you will notice additional options for a demo package to display product in the showcase area, an option to buy space in the event program, and the option to join our speakers for dinner later that evening. Agenda, speaker bios, registration and marketing opportunities are available here. Join your telecom colleagues at TC3 to connect, communicate and collaborate.

The components that make up HTC’s Droid Incredible Android smartphone cost about $163.35, according to a teardown estimate by market research firm iSuppli.

Most touchscreen smartphones today can usually be broken down into $150-$190 worth of components, so the teardown number isn’t a huge surprise. The Droid Incredible retails for $199 with a two-year contract on Verizon.

The phone shares many components with Google’s Nexus One (also built by HTC), so it’s no surprise that it’s similar to the Nexus One’s $174.15 material cost. Both phones share the same Samsung 3.7-inch AMOLED (Active Matrix Organic Light Emitting Display) screen, 1 gigahertz Qualcomm Snapdragon processor, and 512MB of RAM.

All three of those components also ended up being among the most expensive in the Incredible: The processor cost $31.40, the display $31.20, and the RAM (together with the phone’s 8GB of flash storage) cost $29.80.

The biggest difference between the two phones is the Incredible’s support for the CDMA cellular standard. The Nexus One was originally released for T-Mobile’s GSM network, while the Incredible runs on Verizon’s CDMA network.

Compared to the iPhone 4, which contains around $188 worth of parts according to iSuppli, HTC ended up spending far more on the Incredible’s processor. The iPhone 4’s A4 chip — which was designed by Apple engineers and produced by Samsung — only cost the company around $10.75. Of course, that doesn’t take into account the extensive research and development costs to design the chip — which is also used in Apple’s iPad.

Check out iSuppli’s full Droid Incredible component breakdown below:

Tags: Android, Droid Incredible, iPhone

Companies: HTC, Isuppli

The problem with being private is that it increasingly means that you have to choose to drop out of society. You would never let the government put a tracking device on you, but you may be carrying a cell phone that tracks your location. You don’t want the government monitoring your internet usage, but Google collects data on you.

Since most people find they can’t live without a cell phone or Google, they grudgingly accept that they will lose their privacy and become trackable. That doesn’t sit well with Moxie Marlinspike, a security hacker with the Institute for Disruptive Studies. He is a common speaker at security events, and he spoke at the Black Hat security conference in Las Vegas today about how to give users more choices by allowing them to hide from both Google and cell phone carriers without losing access to their services.

Marlinspike (pictured) has set up two experimental services that allow you to stay anonymous and still use the internet. One service circumvent’s Google’s data collection methods. Google itself “anonymizes” search engine data after nine months by deleting the last eight digits of Internet Protocol address data. But Google gathers a lot of data on you through Gmail, Google Analytics, Google Checkout, and Google Health. You have to be logged in to use Gmail, and so that gives Google the ability to track you for advertising purposes.

“Make no mistake,” Marlinspike said. “They are a surveillance business. Their intent is not the same as the government eavesdroppers. The effect is the same. Who knows more about citizens in their own country, North Korean leader Kim Jong-il, or Google? Why is Google not scary? Because we choose to use it.”

To create anonymous access to Google, Marlinspike created an add-on for the Firefox web browser with a custom proxy server, which redirects you when you are using a Google application. If Marlinspike’s software detects a request for a Google service that does not require a login, it sends the request to the Google Sharing proxy server. That server anonymizes your identity and assigns a cookie to you that will work with the Google service. The link from you to the proxy server is encrypted using SSL technology.

You can then use the Google service without being tracked. It has been available for about six months and about 80,000 people are using it. Meanwhile, Marlinspike has also set up a way to do voice-over-internet-protocol VOIP calls on cell phones without being identified. The system, dubbed Whisper Systems, lets you make calls (via RedPhone) or send text messages (TextSecure) without being tracked. RedPhone creates encrypted phone calls so no one can listen into your conversation. TextSecure also encrypts your text messages.

The Whisper Systems service has been available for two months and has about 2,000 users. It is interesting and noble that Marlinspike wants to create a third path, which lets you participate in society without being tracked. But the sad truth is that many people probably won’t care enough to use these services.

Tags: Black Hat, Whisper Systems

People: Moxie Marlinspike

A questionable Android mobile wallpaper app that collects your personal data and sends it to a mysterious site in China, has been downloaded millions of times, according to data unearthed by mobile security firm Lookout.

That means that apps that seem good but are really stealing your personal information are a big risk at a time when mobile apps are exploding on smartphones, said John Hering, chief executive, and Kevin MaHaffey, chief technology officer at Lookout, in their talk at the Black Hat security conference in Las Vegas today.

“Even good apps can be modified to turn bad after a lot of people download it,” MaHaffey said. “Users absolutely have to pay attention to what they download. And developers have to be responsible about the data that they collect and how they use it.”

The app in question came from Jackeey Wallpaper, and it was uploaded to the Android Market, where users can download it and use it to decorate their phones that run the Google Android operating system. It includes branded wallpapers from My Little Pony and Star Wars, to name just a couple.

Update: Lookout notes it does not capture browsing history and text messages. It collects your browsing history, text messages, your phone number, subscriber identification, and even your voicemail password, as long as it is programmed automatically into your phone. It sends the data to a web site, www.imnet.us. That site is evidently owned by someone in Shenzhen, China. The app has been downloaded anywhere from 1.1 million to 4.6 million times. The exact number isn’t known because the Android Market doesn’t offer precise data. The search through the data showed that Jackeey Wallpaper and another developer known as iceskysl@1sters! (which could possibly be the same developer, as they use similar code) were collecting personal data. The wallpaper app asks for permission to access your “phone calls,” but that isn’t necessarily a clear warning. While suspicious, Lookout says there isn’t evidence of malicious behavior.

The Lookout executives found the questionable app as part of their App Genome Project. Lookout is a mobile security firm, and it logged data from more than 100,000 free Android and iPhone apps as part of the project to analyze how apps behave. It found that the apps access your personal data quite often. On Android, each user is asked if they give their permission to access an app, but on the iPhone, where Apple approves apps, no permission is needed.

Roughly 47 percent of Android apps access some kind of third-party code, while 23 percent of iPhone apps do. The executives also found that many apps use third-party software programs to do things such as feed ads into an app. Often, developers unquestioningly use the software development kits of those third parties in their apps, even if they don’t know what they do. In many cases, there is a good reason for the use of personal information. Ads, for instance, can be better targeted if the app knows a user’s location.

Hering said in a press conference afterward that he believes both Google and Apple are on top of policing their app stores, particularly when there are known malware problems with apps. But it’s unclear what happens when apps behave as the wallpaper apps do, where it’s not clear why they are doing what they are doing. [Update: Google has said it has suspended the wallpaper app while it investigates the matter].

Tags: Android, iPhone

Companies: Apple, Google, Lookout

People: John Hering, Kevin MaHaffey

eWise, an online payments and financial management solutions company, has secured $12.1M in funding, it announced today.

The round was led by prominent European tech investor Balderton Capital, and included Total Technology Ventures, Patagorang, and Allen & Co.’s Roger Allen and Stanley S. Shuman.

Founded by Alexander Grinberg, who also heads the company, eWise is headquartered in the United Kingdom, and has expanded its market services to the United States, Australia, and China. Utilizing its new funds, eWise hopes to realize the widespread use of Secure Vault Payments (SVP) in the US.

eWise’s chief concern is to assure security — it says customers should make payments safely and confidently, either through its person to person solution, eWise Pay Anyone, or their its banking e-payments solution, eWise Pay By Account.

eWise’s new board member, Balderton partner Dharmash Mistry, said “In SVP, the compelling yet simple proposition of allowing customers to pay for online purchases through their own bank accounts, we believe that eWise has developed an innovative game-changing payments solution.”

Tags: epayments

Companies: Allen & Co, balderton, ewise, total technology ventures

People: alexander grinberg, dharmash mistry