Huawei Spying  

Page 2 / 3
trewmte
(@trewmte)
Community Legend

And there we got involved. Employees are free by BYOD and running OWA for UCC. The device in question was a Huawei P20 Pro.

TinyBrain, some observations, but not criticism. If you use acronyms, best you state what you say the acronym means.

And there we got involved. Employees are free by BYOD and running OWA for UCC. The device in question was a Huawei P20 Pro.

OK, leaving aside the keys with the IT guys. Do you have this phone and/or what examination and analysis has been undertaken? Has the examiner applied any of the suggestion raised by UnallocatedClusters?

Mysteriously as she was in P.R.C. during night times her device did not charge properly. So long so good she thought about a broken charger, but was not broken.

How did she know it was broken? Did she buy a new charger? Test the charger on another identical Huawei P20 Pro? Why did this woman not buy a new battery and swap out with the one over-heating?

This woman is blessed by sleeping well but the third night she woke unexpected at 0200h local time and recognised that her device was very hot.

This sounds like those that fed this part of the story to you TinyBrain have used artistic licence. They may as well have started the story with "It was a dark night. An owl's hoot was heard coming from the direction of the cops. …."

What is the significance of the time this woman awoke?

What woke her up - Burning smell, crackling noise coming from phone, what???

and recognised that her device was very hot. She had a T-Mobile SIM card in roaming state with unlimited data plan. In P.R.C she was connected to China Mobile in roaming state. And this SIM is in our lab.

Again, the battery? the charger?

Did anyone test for spyware app (put there by IT guys) on the BYOD device? Spyware is known to cause battery temperature to rise.

Where is the evidence of the T-Mobile data plan traffic usage?

What did the phone's internal data usage reveal?

Still don't see the need for Huawei if, and only if, they were spying to reveal their hand with such a stupid approach. After all TinyBrain you did mention in your earlier post

As in the past chip-based backdoors were in vogue but no more. The new kid in town's name is Software-Defined Networking e.g. SD-WAN and NFV.

So why would the battery or the charger circuitry be overheating when 'comms' can be (hidden) monitored in the network away from exposure?

TinyBrain, good buddy, sorry if I have got this wrong and I understand this is not your fault for the story you have been fed but can we have the forensic aspects of this case and not the speculation. You have identified NO evidence that Huawei has done anything in spying terms other than their make/model of phone 'might' have had a dodgy battery.

Posted : 09/02/2019 10:12 am
jaclaz
(@jaclaz)
Community Legend

They may as well have started the story with "It was a dark night. An owl's hoot was heard coming from the direction of the cops. …."

Damn.
I was thinking more like "Suddenly she woke up. Clad in her flimsy nightgown, her tall slender figure silhouetted against the moonlight entering from the curtainless window, she felt a cold shiver running down her spine. Something was not right, she felt observed, … " wink

jaclaz

Posted : 09/02/2019 12:46 pm
passcodeunlock
(@passcodeunlock)
Senior Member

If done well, "calling home" should be done at hardware level, without any trails or logs. If you ask me, I would build this as part of the CPU or the chipset - or both )

Did anybody dissect any Kirin CPU or Hisilicon chip and check if there isn't any built-in backdoor shipped with them ?!

I'd start looking for any kind of Reserved ranges of the Hisilicon chip.

Posted : 09/02/2019 1:05 pm
trewmte
(@trewmte)
Community Legend

They may as well have started the story with "It was a dark night. An owl's hoot was heard coming from the direction of the cops. …."

Damn.
I was thinking more like "Suddenly she woke up. Clad in her flimsy nightgown, her tall slender figure silhouetted against the moonlight entering from the curtainless window, she felt a cold shiver running down her spine. Something was not right, she felt observed, … " wink

jaclaz

lol

Posted : 09/02/2019 10:12 pm
xandstorm
(@xandstorm)
Member

To assume your client was singled out by the PRC, without any supporting evidence, is a bit weak, in my opinion.

That, I think, is TinyBrain's challenge and why he is posting here.

Rg,
Lex

Posted : 10/02/2019 1:44 am
UnallocatedClusters
(@unallocatedclusters)
Senior Member

TinyBrain - please explain the importance of "roaming state IR.21 highest possible bandwidth" and cryptography and data potentially originating from and arriving to a smartphone?

I could not Google IR.21 and find a relevant hit.

It sounds like the executive who went to the PRC is trying to deflect blame for actions she took herself.

There are logically only three possibilities

1. She lied

2. She is the victim of an automated exfiltration

3. She is the victim of an active adversary action

Number two seems likely and I believe the NSA does as well in the US domestic market.

I theorize that PRC's version of the US's NSA ingests and runs key word and analytic filters in a tool like Nuix. I would guess that world VIPs' names are on the key word list.

I am very interested to know what different or overlapping artifacts are left on a phone in above situation 2 or 3.

Posted : 10/02/2019 2:19 am
UnallocatedClusters
(@unallocatedclusters)
Senior Member

This is what is hurting my tiny brain

Can a system on a chip embedded in a smartphone strictly siphon or redirect data passing through it like DNS hijacking, or does there have to, de facto, be interaction with Android OS or iOS in order for data exfiltration to occur from a smartphone? Forensic analysis will work on the latter.

Posted : 10/02/2019 2:35 am
UnallocatedClusters
(@unallocatedclusters)
Senior Member

If smartphone makers could embed a system on a chip (“SOC”) on a given smartphone’s motherboard, and the SOC, if triggered to, would run the equivalent of command line FTK Imager to generate a physical forensic image of a smartphone’s data and then upload the physical image to a predetermined IP address, then forensic analysis of a Cellebrite extraction would not detect such SOC physical imaging activities.

Posted : 11/02/2019 12:34 am
TinyBrain
(@tinybrain)
Active Member

The clear forensic case is the mobile, the UICC (unfortunately I got pushed into this tech domain by the Iranian case) and the datacenter of this R&D institute. Another team is looking deep into the mobile and all aspects of infection, rooting and SoC spying. No information received about hardware espionage in the mobile. The datacenter as evidence domain is the R&D's own responsibility.

The UICC and the framework of roaming. It's a T-Mobile UICC all flat. Normally the scientist works in Switzerland and is roaming over Swisscom. At home in Germany T-Mobile and in P.R.C. in roaming by China Mobile. My initial question about what bandwidth is possible over IR.21 (International Roaming 21 GSMA standard) focussed on how fast it is possible to transit data from home over roaming. OWA Outlook Web Access and UCC Unified Communication and Collaboration by BYOD Bring Your Own Device was in use to access data from the datacenter. IAM Identity and Access Mgmt.

I have to cryptographically investigate these questions.

#1 - How could China Mobile hack into the T-Mobile UICC?
#1a - Were they able to hack the SE Secure Element in the UICC (Mobile ID tokens inside for IAM, OWA and UCC)?
#2 - What legitimate data can a roaming partner write on a foreign UICC?
#3 - SoC TrustZone to UICC secure communication, what logs Android 9.0 (Pie) out?

The R&D institute has no badges. They have strictly! biometric mobiles and an R&D app for access to all physical and digital domains with the Mobile ID tokens (hard and soft).

If the SE got hacked it was possible to get legitimate access to the datacenter.

In the eyes of the R&D institute it looked like "Our employee needs access to data from outside, all credentials fine."
In reality: unknown nightly remote data request and retransmission to unknown destination.

Posted : 11/02/2019 2:26 am
TinyBrain
(@tinybrain)
Active Member

@UnallocatedClusters, did not forget you. Your aspects are here work-in-progress. Thank you! The scientist is clean in every aspect and all sources say she has nothing to hide. Full trust of the R&D institute towards this person. They say she is a jewel in her scientific domain.

Please all consider this. I depend on what given information is forwarded to me. The nightly details I only mentioned for better understanding of the case. All information on this planet can be wrong, misunderstood and on purpose falsified. I am just human.

The case is complex and 4 teams involved. My crypto team looks into the layer of identification and authorization of data flows. The piece I still don't really deeply understand and feel at home in is the UICC. Thanks to trewmte I learned a lot out of the Iranian case. But I miss a reliable overview or database of UICCs of the world, their security and crypto parameters.

Questions like 'What data integrity encryption runs China Mobile on their LTE network' I don't know how to find out.

Posted : 11/02/2019 9:43 am
TinyBrain
(@tinybrain)
Active Member

Only a trial, see on this link my state of thinking. You can refer to the numbered entities or AVxs.

Order from top for sec reasons link removed

Posted : 11/02/2019 10:37 am
TinyBrain
(@tinybrain)
Active Member

See upd board, what do you think? Do we miss something?

Posted : 15/02/2019 4:00 am
xandstorm
(@xandstorm)
Member

See upd board, what do you think? Do we miss something?

Gents, with all respect, but I think that in order to answer at least some of the questions at hand, one would need to recruit an informant within the "hostile" telco or, as a second best option, a telco operating within the partner network of the telco in question.

There are too many variables to be able to answer any of the primary information requirements of TinyBrain. At this point in time there are too many assumptions to ever be able to craft a forensically sound answer.

A personal favorite is to "just ask" the telco in question.
You might be surprised what you get when you ask nicely.

In short, the only viable option I currently see is HUMINT.

Saludos,
Lex

Posted : 15/02/2019 3:01 pm
TinyBrain
(@tinybrain)
Active Member

Lex, we took your advice up from your very first post. The T-Mobile insider we already have.

When I ask I also listen.

Posted : 16/02/2019 8:28 am
UnallocatedClusters
(@unallocatedclusters)
Senior Member

Here is a very interesting potential test vector for you

https://kushaldas.in/posts/tracking-my-phone-s-silent-connections.html#

Posted : 16/02/2019 4:26 pm
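The "silent connections" test vector above, and trewmte's earlier questions about where the T-Mobile data plan traffic usage evidence is, both come down to the same defender's check: capture the phone's outbound connections over a few days and look at who it talks to, when, and how much. The script below is an added example written for this page, not code from the thread or from the linked post. It works over a constructed connection log (local-time timestamp, destination, bytes sent; the IP addresses are from the RFC 5737 documentation ranges and the "known destination" set is an assumed corporate OWA hostname), splits each destination's volume into daytime and night-time buckets, and flags destinations that are both unknown and move a large volume during the night window that the story describes.

```python
"""Off-hours outbound-traffic triage over a phone's connection log.

Added example for this thread. All records below are constructed sample data;
203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges, and the
"known destination" list is an assumption standing in for the employer's OWA/UCC
endpoints. The log format (timestamp, destination, bytes_out) is also assumed;
a real capture (tcpdump, a router's NetFlow export, or the phone's own per-app
data counters) would be normalised into this shape first.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log: "YYYY-MM-DD HH:MM:SS destination bytes_out", local time.
SAMPLE_LOG = """\
2019-02-05 09:12:03 outlook.office365.com 18304
2019-02-05 13:40:11 outlook.office365.com 9120
2019-02-05 22:05:44 203.0.113.7 512
2019-02-06 01:58:20 203.0.113.7 48234112
2019-02-06 02:14:51 203.0.113.7 61327400
2019-02-06 02:30:09 198.51.100.23 1024
2019-02-06 08:03:27 outlook.office365.com 22010
"""

# Assumption: the endpoints the employee is expected to reach (corporate OWA here).
KNOWN_DESTINATIONS = {"outlook.office365.com"}

# Night window: 23:00 up to (not including) 06:00 local time.
NIGHT_START = time(23, 0)
NIGHT_END = time(6, 0)


def parse_log(text):
    """Parse the constructed log format into (datetime, destination, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date_part, time_part, dst, nbytes = line.split()
        ts = datetime.strptime(f"{date_part} {time_part}", "%Y-%m-%d %H:%M:%S")
        records.append((ts, dst, int(nbytes)))
    return records


def is_night(ts):
    """True if ts falls inside the night window, which wraps past midnight."""
    t = ts.time()
    return t >= NIGHT_START or t < NIGHT_END


def summarize(records):
    """Per-destination byte totals, split into day and night buckets."""
    totals = defaultdict(lambda: {"day": 0, "night": 0, "known": False})
    for ts, dst, nbytes in records:
        bucket = "night" if is_night(ts) else "day"
        totals[dst][bucket] += nbytes
        totals[dst]["known"] = dst in KNOWN_DESTINATIONS
    return dict(totals)


def flag_suspicious(summary, night_threshold=10 * 1024 * 1024):
    """Destinations that are unknown AND moved >= night_threshold bytes at night.

    Small night-time chatter (push notifications, NTP, app check-ins) stays
    below the threshold; a multi-megabyte night-time transfer to an unknown
    host is what warrants pulling the device's own data counters and the
    carrier's usage records for the same window.
    """
    return sorted(
        dst for dst, s in summary.items()
        if not s["known"] and s["night"] >= night_threshold
    )


def report(text=SAMPLE_LOG):
    """Print a short per-destination table and return the flagged destinations."""
    summary = summarize(parse_log(text))
    for dst, s in sorted(summary.items()):
        tag = "known" if s["known"] else "unknown"
        print(f"{dst:24s} day={s['day']:>12,d}  night={s['night']:>12,d}  {tag}")
    flagged = flag_suspicious(summary)
    print("flagged:", flagged)
    return flagged


if __name__ == "__main__":
    report()
```

The 22:05 connection is deliberately just outside the night window, so the same destination is credited with a few hundred daytime bytes and about 100 MB of night-time traffic; the threshold is a tuning knob, and in a real case the flagged window is what you then reconcile against the roaming partner's usage records rather than a conclusion in itself.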