FBI Smartphone Surveillance Tool Details Revealed in Court (wired.com)
112 points by choult on April 9, 2013 | hide | past | favorite | 49 comments



It seems like it would be faster to make a list of things verizon won't accept an administrative subpoena for in lieu of a warrant as opposed to the other way around.

On an unrelated note, if you have verizon FIOS they can push a new firmware package to your router and reboot it easily, without you ever knowing. And they log in every day and confirm the hash of the firmware you're running - if it's not on the approved list (which is generally just the current one they have you set for) it automatically reflashes. A properly written firmware could monitor not just all traffic that was internet bound, but also everything on the local lan and wireless net.

At least in the router I have, there are a significant number of dark radios on the board. There's a second (unused) 802.11n radio that in other editions is used as a second n stream but easily could be used to do full site surveys or packet capture or as an evil twin, a DECT (cordless phone) compatible PHY that could impersonate a cordless base station, and if I read the spec sheet right a Bluetooth and powerline PHY.

The Verizon STB for their converged QAM/IPTV also downloads a portion of its firmware from the management servers and verifies hashes and operational state TCG style - if they aren't connected to the network they will never actually finish booting.

Details are limited about what the CISCO built STB contains on the inside, but it at least has a light sensor (ir remote) and a vibration / accelerometer (for sudden drop hd head park) that they have been touting as a feature that allows them to measure ad exposure based on floor vibrations that suggest you walked away during a commercial.

They've also been recently touting a 99% effectiveness rate at uniquely identifying the viewer in multi person households based on statistical modeling of the order and speed buttons are pressed on the remote, though I'm unsure if that's with the current cisco gear or the new motorola (google) gear that they are just rolling out.


You can replace their router with one of your own. On my ONT there are two ways of connecting to the Verizon service:

1) Ethernet. If you connect this way then running your own router is trivial, but by using Ethernet you lose some services related to TV.

2) Coax. This is a bit more complicated. You'll still have to power the Verizon router, but everything behind, and including, your router still will be under your control. You need a Coax to Ethernet adapter like this one:

http://www.netgear.com/service-provider/products/powerline-a...

I don't remember all the specific steps I had to take to enable this offhand. I need to go back and write a howto. In any case, the final setup will look like this:

  Verizon ONT --[Coax]--> Moca Adapter --[Ethernet]--> Your router.
                          Moca Adapter --[Coax]--> Verizon router.
One important point is that you must release your DHCP IP on the Verizon router before your router can obtain one.

I think you can dispense with the Coax connection to the Verizon router if you don't care about TV capabilities, but if you don't you might as well switch the ONT to use Ethernet instead and avoid this mess.

My main motivation for doing this was that the wireless capabilities of the Verizon-supplied router were terrible, but it has the added bonus of keeping Verizon's prying eyes out of my home network.


Yeah, I've taken a similar approach - my comments were more just to raise awareness about how much verizon is theoretically able to do in light of what a low bar they have for doing them for LEO.

You can get it set up so all your IPTV services work with the ONT using the Ethernet port BTW - that is the default install configuration these days for people on the faster service tiers, as MoCA caps somewhere north of 100mb. In that setup the Actiontec is connected both via coax and Ethernet to the ONT, and it serves as an Ethernet <-> MoCA bridge internally to support the IP features of the STBs.

Running the STBs without any MoCA is basically unusable: no EPG, no DVR, no VOD etc. And it's worth noting that even though my Actiontec is physically separated from my home net through a tweaky setup, they could still theoretically do full stream wireless packet capturing of whatever the radio could hear, or become an active node on your other 802.11 network. Brute forcing a WPA2 secret is a common enough practice that they have purpose-built luggable SFF PCs with 4 Tesla cards inside for field work.

You can actually remove 100% of the Verizon CPE and still get good TV if you're willing to pay for it. Once I found out all the stuff the STBs are doing I started the process of replacing them with a TiVo with a CableCARD and a TiVo Mini (basically a slave). Even slightly cheaper per month than the multiroom DVR, though the upfront is $$$.


Could you give an example of the WPA intercept system you speak of (SFF / Tesla)?

There are some interesting things on the Harris site, but seemingly no open source info on such systems they may have.


I think I was abusing terms when I said SFF, I guess I was thinking more like "in comparison to" an HPC rack.

Similar to the intermediate CA black box providers, they seem to have much larger presences at trade shows than on the web, but this is pretty close to what I'm talking about:

https://www.nor-tech.com/clusters/cs-darpa.htm

but this is a little closer to the look: http://www.captec-group.com/wp-content/uploads/captec_dsei_2...

But the one I was thinking of was more along the line of a comically oversized air travel case for a projector or so.


> touting as a feature that allows them to measure ad exposure based on floor vibrations that suggest you walked away during a commercial.

Ok, now that's creepy. Time to get a Jack Russell Terrier & a tennis ball.


I'm pretty sure the generations in development have video cameras and microphones (to allow you to cough wave your hands or speak to change channels, of course). That same platform also has ISM radios in monitoring mode so that they can see what devices are present and obtain rough positioning data. So they'll know when you get home based on your phone mac appearing, and how many people are on the couch and who they are.

here is the video recognition stb patent application that includes a number of eye openers:

http://www.freepatentsonline.com/20130042270.pdf


> And they log in every day and confirm the hash of the firmware you're running

If you can modify the firmware you can change it to respond to their query with the "correct" firmware signature, so this doesn't seem useful to me. Source?

Also, is the 802.11n radio connected to an antenna? If not, can't really do any surveys with it. Sounds like a fun box to play with for evil maid attacks, though!


You can only load Verizon/Actiontec signed firmware via the UI. I suppose you probably could reflash it directly if you connected leads to the SMT chip on the board, that is assuming it's not on the SoC and assuming the stage 1 loader doesn't verify the signature. It's mostly to prevent rollback attacks where a known vulnerable firmware is flashed to take advantage of a flaw.

discussion of the firmware enforcement process: http://www.dslreports.com/forum/r27282376-Actiontec-Rev-I-fi...

Technically it's implemented by an automatic process that Verizon runs that logs in via their TR-069 carrier management port and then does various (unlogged) things, including enforcing that you're on approved firmware.

Yeah, the box has two antennas, each one attached to one of the radios. Almost all of the other Actiontec customers use it as a 2nd channel to get 300mbit, but for whatever reason Verizon's is set to only use 1.

https://www.actiontec.com/products/datasheets/AEI%20MI424WR%...

datasheet for the product, verizons feature set is slightly different but it's just firmware differences.


If their stage 1 is verifying the signature it's going to be pretty hard to hack the firmware (since you need to crack the key or find some other hole to get your firmware to run), so at that point they couldn't care less about logging in to double-check the key wasn't cracked. In that case the integrity check is more likely just making sure the firmware isn't corrupt, or just checking the version to see if it needs an upgrade in general. If on the other hand they are just verifying which firmware is applied, the stage 1 probably isn't verifying the signature, so in that case we really could fake out the check.

Flashing the chip directly is probably significantly easier than attacking the UI's signature verifying feature. Once you learn how it's pretty fun to examine random devices' firmware directly ^_^
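The distinction drawn in the comment above (a remote "what hash are you running?" query versus a stage-1 loader that hashes flash itself) is easy to show in code. The following is an added example, not code from the thread or from Verizon/Actiontec: the firmware images, the approved list and the device classes are all constructed for the demo. It also covers the rollback case mentioned earlier in the thread, where a signed-but-old image is kept off the approved list.

```python
"""Added example (not from the thread, not Verizon/Actiontec code): a
carrier-side "report your firmware hash" check compared with a stage-1
bootloader that hashes the flash image itself. All images and names are
constructed for this demo."""
import hashlib

# Constructed stand-ins for real flash contents.
FW_CURRENT = b"MI424WR firmware 40.21.10 (constructed)"
FW_OLD_VULN = b"MI424WR firmware 20.19.8 (constructed, known vulnerable)"
FW_MODIFIED = FW_CURRENT + b"\n# attacker-added LAN/wireless capture module"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Approved list as the thread describes it: normally just the current image.
# Leaving the old image off the list is what blocks a rollback to it.
APPROVED = {sha256(FW_CURRENT)}


class Device:
    """CPE whose flash holds an image and whose firmware answers management queries."""

    def __init__(self, flash: bytes):
        self.flash = flash

    def report_hash(self) -> str:
        # Honest firmware reports the hash of what is really in flash.
        return sha256(self.flash)


class CompromisedDevice(Device):
    """Same hardware, modified firmware: answers the query with the approved hash."""

    def report_hash(self) -> str:
        # The lie: hash of the approved image, not of what is running.
        return sha256(FW_CURRENT)


def remote_check(dev: Device) -> bool:
    """Carrier-side process: ask the device for its hash and trust the answer.
    Only as trustworthy as the firmware that answers."""
    return dev.report_hash() in APPROVED


def stage1_boot(flash: bytes) -> bool:
    """Immutable stage-1 loader: hashes the image itself before jumping to it.
    Modified firmware cannot influence this result because it never runs."""
    return sha256(flash) in APPROVED


def evaluate(dev: Device) -> dict:
    """Outcome of both checks for one device."""
    return {"remote_check": remote_check(dev), "stage1_boot": stage1_boot(dev.flash)}


if __name__ == "__main__":
    for label, dev in [
        ("current image", Device(FW_CURRENT)),
        ("rollback to old image", Device(FW_OLD_VULN)),
        ("modified image, lying firmware", CompromisedDevice(FW_MODIFIED)),
    ]:
        print(f"{label:32s} {evaluate(dev)}")
```

The modified image passes the remote check (the firmware simply answers with the approved hash) and fails only the stage-1 check, which is the point of the comment above: if the loader does verify before executing, the daily remote query adds nothing against a tampered image and is really just a version or corruption check; if it does not, the remote query is all there is, and it can be faked. In the real product the loader would check a signature rather than a hash allowlist, which is the same idea with key management in place of list updates.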


Yeah, glancing at the specs it looks like you're almost surely correct, that it's just checking a version string that's returned.

I got a little carried away, but really my point wasn't that it's impossible to avoid the risks, just that undoubtedly 99%+ of their customer base could be subjected to this and I'm sure most don't realize it. I thought my concerns with it were pretty tin foil hat until reading this story about the exact company doing something very, very similar.


> they can push a new firmware package to your router and reboot it easily, without you ever knowing. And they log in every day and confirm the hash of the firmware you're running - if it's not on the approved list (which is generally just the current one they have you set for) it automatically reflashes.

This is pretty standard practice for cable providers. The cable company I work for does this to cable modems.


Oh yeah, it's not an issue when you're talking about the typical WAN side CPE that only sees outbound traffic and isn't loaded with radios. After all, they can see or do whatever they want to your traffic anywhere in the path. It's a slightly different story when it also has the potential to see all your LAN side traffic and anything in the 2.4GHz band it can hear.


The cable modems my company provides have built-in 2.4GHz, and the company has full admin rights to the modem's local admin interface (the customer does not)...


yeah, so that's another good example of the future of administrative subpoena surveillance. I knew that the converged ap and modem was pretty common with dsl providers, but at least the ones i had seen allowed the customer to control what firmware was running.


My cable provider does this too, and I don't trust them in the slightest, so I just use my own router: cable --> provider's modem/router --> my router --> network

I would disable its routing ability and use it as a bridge, but it provides an easy way to share wifi with guests/neighbours.


One should never use the router given to you by your telco.


I guess if they have a specific warrant with oversight for using it, I don't have a problem with this.

Now if the agent with the hardware can decide to use it on their girlfriend or brother-in-law or something like that without anyone else knowing, well we've got a big problem.

And apparently, we've got a big problem:

Rigmaiden and the American Civil Liberties Union and Electronic Frontier Foundation have argued that the government did not obtain a legitimate warrant to conduct the intrusive surveillance through the stingray. They say it’s indicative of how the government has used stingrays in other cases without proper disclosure to judges about how they work, and have asked the court to suppress evidence gathered through the use of the device.


Oversight?

Y'all know the FBI has no direct oversight from Congress, right?

That the oversight happens (theoretically) through the promulgation and enforcement of guidelines from the attorney general?

There are public ones: http://www.justice.gov/ag/readingroom/guidelines.pdf

and there are also secret ones that are not published.

Occasionally the FBI goes to congress out of the goodness of their heart and gives them an update, to avoid congress getting uppity.

The last 3-4 times this has happened, it's usually been to say "whoops, we've been completely and totally violating our internal guidelines"


When it comes to protecting the people they represent from unconstitutional monitoring, Congress has failed epically. I suspect that it is because the people and groups who care about this subject don't line their pockets.


Well, as long as they have a warrant. Oh...

"The government has long asserted that it doesn’t need to obtain a probable-cause warrant to use the devices because they don’t collect the content of phone calls and text messages and operate like pen-registers and trap-and-traces, collecting the equivalent of header information."

Fuck you.


Indeed.

Personally, I've always wondered how pen-registers could be legally used without the permission of the registered. It just seems like snooping. Yes, I realize Courts Have Decided, and The Legal Issues Are All Tidily Wrapped Up, but really, how un-American is a pen-register?

On a related note, do US federal law enforcement agencies suffer a significant personnel turnover because people finally have pangs of conscience over what they're required to do?


With a 99% conviction rate in federal court....

"They only find the bad people. What's there to be ashamed of that?"


> the wireless provider reached out remotely to reprogram an air card

It's almost like people don't own their own bought property after sale. The person who thought he owned the device after buying it basically got fooled - it was only rented for an unlimited time.

Going from there to warrantless tracking is easy. If Verizon permits the reprogramming and tracking of "their" device, then it's legally allowed. They might need to add something to the 35-page EULA, in case some states dislike warrantless tracking of the person using the device, but it can be phrased as "improving the experience".


I had one of these a number of years ago, and it wouldn't surprise me if something like this was in Verizon's terms of service (I remember giving the device back after canceling the contract).

However, going from there to accepting the hardware as a personal surveillance device is something else entirely.



There are certainly grave concerns about oversight, abuse, privacy, etc, here. However, I find it interesting that the FBI had to have the card reprogrammed to conduct their surveillance. Similar to Google and others revealing government requests for data, these incidents imply that the government at least doesn't quite have complete unfettered access to all of our online communications, as I often hear some claiming (NSA super data center!!). Not that it's still not prudent to assume otherwise and work towards greater privacy and all that. But sometimes I find it a useful perspective to keep in mind even as we seem to slide further toward such a state.


They don't need complete unfettered access themselves. As this case shows, corporations are all too eager to give them anything they want. Why spend time building it themselves when others give it for free, just by getting "Bob"[1] down the hall to sign a piece of paper.

1. The magistrates and the police work very closely together. By nature of the relationship alone, they are likely to be inclusive of requests. When information about what is being done, as is alleged in this case, it effectively opens the police to access to anything.


I wouldn't be that optimistic. The FBI investigates and prosecutes crime, which makes it a much more public organization than the NSA.

Even assuming the agencies talk to one another, and for all the FBI's law-bending, they still have to present their evidence in court, and 'your honor, we got this off an NSA dragnet' isn't gonna cut it.

Heh, well, give it a few more years.


Confidential Source Protection 101:

1) Obtain information about a crime via method you don't want made public (classic example is ongoing undercover work or ongoing wiretap)

2) Have someone tell a CI, then have CI report it back

3) use report to follow up and obtain sufficient justification for warrant

4) actual source of the tip is never disclosed in court.

Not saying that's what happened here, because the NSA doesn't give two shits about some guy that filled out a few fraudulent tax returns, just pointing out that that shit never shows up in court. That's also why very few espionage cases are brought to trial.



The NSA has nothing to do with the FBI.


NSA is development, FBI is production ;)


I doubt that. The NSA is extremely secretive even within the government, and in general the different members of the intelligence community (which disturbingly includes the FBI and the DEA) are barely able to cooperate.


I was joking.


It's hard to tell online!


Agreed. I added a smiley face to the end... maybe that will help others see the humor.


That was actually one of the most interesting articles I've read today. I'm fairly familiar with the technology discussed but the specifics of how far it has come in practical use is quite interesting.

Relevant: https://www.youtube.com/watch?v=wjYAAmHvt-g


An aside, tower information is/was available via the Android frameworks.

When I was on Android, I wrote a little widget that displayed the tower ID and other information of the tower I was currently connected to.

In short order, I had the few tower IDs that I used as I roamed around the metro memorized.

After reading the article, which was great and had many details, I think this would be a viable strategy for activists worried about governmental abuse, harassment, and surveillance. Spoofing tower IDs would probably present some operational issues amongst customers. Of course, I wouldn't rely on this if my life or freedom depended on it -- and I'd certainly use a community-based ROM, such as Cyanogenmod.

http://developer.android.com/reference/android/telephony/cdm...

http://developer.android.com/reference/android/telephony/cdm...

http://developer.android.com/reference/android/telephony/gsm...
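The strategy in the comment above (memorise the handful of cell IDs you normally see and notice when a new one appears) can be turned into a small baseline-and-alert check. The following is an added example and not code from the thread: the observation log is constructed, the place labels are made up, and the field names (LAC, cell ID) only mirror what the Android CellLocation classes linked above expose. It extends the comment's idea in one way: an unknown cell that is also much stronger than anything previously seen at that place is flagged as the more suspicious case, since the comment's own caveat applies and legitimate new cells do turn up now and then.

```python
"""Added example (not from the thread): baseline the (LAC, cell ID) pairs seen
at each familiar place, then alert on cells that were never seen there.
Observations below are constructed; places are made-up labels."""
from collections import defaultdict

# Constructed baseline log: (place, LAC, cell ID, signal in dBm)
OBSERVATIONS = [
    ("home",   101, 20001, -85),
    ("home",   101, 20002, -90),
    ("office", 101, 20310, -80),
    ("home",   101, 20001, -84),
    ("office", 101, 20310, -79),
    ("home",   101, 20002, -88),
]

# Constructed later log: a never-seen cell at home with an unusually strong signal.
LATER = [
    ("home",   101, 20001, -86),
    ("home",   101, 65535, -55),
    ("office", 101, 20310, -81),
]


def build_baseline(obs):
    """Map place -> set of (lac, cid) seen there, and the strongest dBm seen per cell."""
    cells = defaultdict(set)
    strongest = {}
    for place, lac, cid, dbm in obs:
        cells[place].add((lac, cid))
        strongest[(lac, cid)] = max(dbm, strongest.get((lac, cid), -200))
    return cells, strongest


def check(obs, baseline, margin_db=20):
    """Return one alert per observation whose cell is not in the baseline for that place.

    A new legitimate cell does appear occasionally, so an alert is a prompt to
    look, not proof of anything. An unknown cell that is also at least
    margin_db stronger than any cell previously seen at that place is marked
    much_stronger, which is the case worth paying attention to."""
    cells, strongest = baseline
    alerts = []
    for place, lac, cid, dbm in obs:
        known = cells.get(place, set())
        if (lac, cid) in known:
            continue
        best_known = max((strongest[c] for c in known), default=-200)
        alerts.append({
            "place": place, "lac": lac, "cid": cid, "dbm": dbm,
            "much_stronger": dbm >= best_known + margin_db,
        })
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(OBSERVATIONS)
    for alert in check(LATER, baseline):
        print(alert)
```

Running it prints a single alert for cell 65535 at home with much_stronger set. In a real widget the place label would come from coarse location or just from the user tapping "I'm at home", and the baseline would be persisted across reboots; the check itself does not change.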


Cellphones are tracking devices. Plain and simple. The fact that the trackees/victims are paying 70 to 100 bucks each month to build and support the tracking infrastructure is the amazing part.


Ever tried working in BigCo since they've been a part of the world for any extended period of time?

I only know one person that successfully lived without a cell phone in the modern world for a while.


I live in the South Bay. I do not have a cell phone. I'm a full stack engineer at a startup that's raised series A--not some grumpy "Get off of my lawn!" grandpa.

What urgency is there to need a cellphone for, in most routine days? Sure, it would suck if something horrible happened to a member of my family and I couldn't be contacted until I got home, oh maybe 4 hours later. Short of some such edge case scenarios, "it can wait".


My car broke down earlier today and I had to call AAA. Glad I didn't have to get out of my car to contact somebody.

This would have been a routine day if I hadn't broken down.

Bet you don't own a TV either.


Carry a 2M HT and hit the local repeater when you break down. Give them your position and they'll call a tow truck for you.


This is why I come here, for the practical solutions to problems.


Could you elaborate on this a bit more? What's a local repeater? How do I 'hit it', so to speak, etc?


I don't drive :).

I do not own a TV proper. I own a Sony HMZ-T1 instead.


I'm a software engineer in a company with 500 employees, and I have not had a cell phone for > 7 years.

Granted, I live in a town of only 40k people, though I previously lived in a city of 1.5Mil, and before that 3Mil, both without a cell.

It's extremely liberating.


Even in an active DF system you don't need to flash the phone's programming (not exactly firmware, more like settings, the short list of instructions the phone regularly receives from cellular networks that `hack` it to work within its operating environment).



