The U.S. Army has started a pilot program on June 6th to test the effectiveness of equipping troops with tablets and phones in combat, CNN recently reported. The idea is to provide troops with the ability to send text messages and geotagged images that alert others about their current surroundings. Similarly, the infantry could use the devices to file regular reports and easily view maps, CNN said. So far, the troops have been testing the iPhone and phones powered by Windows Phone and Android, and soldiers have particularly liked the iPhone and Android-powered devices. In addition to smartphones, the Army is also testing the iPad and tablets from Dell and HP. The results of the tests have been so positive that the Army could begin deploying a small amount of troops equipped with smartphones later this year. “Today, we don’t have the level of encryption that we would need to take [a smartphone] overseas and fully integrate it into our mission-command systems,” said Ed Mazzanti, an Army director working on the program. “There could be some limited deployments even this year, tied to tactical radios that supply the encryption that’s needed.”

Read

A lawsuit has been filed against Apple, Pandora, and The Weather Channel in the U.S. District Court of Puerto Rico that alleges Apple “intentionally [intercepts] personally identifying information.” The plaintiff, Lymaris M. Rivera Diaz, is charging Apple with unfair trade practices, abuse and fraud, and he believes that Apple shares the iPhone’s unique ID, as well as personal location information, with third party developers such as The Weather Channel and Pandora. Apple’s vice president of software technology, Bud Tribble, testified before the Senate Judiciary Subcommittee on Privacy, Technology, and the Law on Tuesday, and said “Apple does not track users’ locations,” and that the Cupertino-based company has no plans to do so. This is the second lawsuit filed against Apple in regards to the location tracking scandal; The first was filed in Tampa, Florida late last month.

Read

Google and Apple testified before the Senate on Tuesday, where both firms were grilled on collecting location information from mobile phones. During the hearing, Senator Al Franken was particularly vocal on the issue. “My wireless companies, Apple and Google, and my apps, all get my location or something very close to it,” Senator Franken said. “We need to address this issue now, as mobile devices are only going to get more popular.” We covered Apple’s response on Tuesday, during which Apple’s vice president of software technology, Bud Tribble, said that “Apple does not track users’ locations,” and that the firm never plans to do so. However, Franken was also concerned that Apple and Google have done little to police third-party applications that are collecting and transmitting location data, and suggested that both companies require developers to alert users of their specific privacy policies. Trimble said Apple already does this, but it has never tossed an application for violating that rule. Google’s director of public policy, Alan Davidson, said Google would consider adding the option. According to The Wall Street Journal, Jessica Rich, the deputy director of the Federal Trade Commission’s consumer-protection bureau said that, despite both firms saying they don’t collect user data, “there’s a lot [the FTC] can do… to challenge,” those claims.

Read

While testifying before the U.S. Congress today, Apple’s vice president of software technology, Bud Tribble, tried to clarify concerns that Apple had been tracking owners of its iPhone and iPad Wi-Fi + 3G. Apple has said in the past that it does not track its users and it also recently issued iOS 4.3.3, which reduces and encrypts the crowd-sourced location database cache, but Tribble explained the story in a bit more detail:

We do not share customer information with third parties without our customers’ explicit consent. Apple does not track users’ locations. Apple has never done so and has no plans to do so. An Apple device does not send to Apply any specific information associated with a user. The purpose of the cache is to allow the device to more quickly and reliably respond to location requests. Apple was never tracking an individual user’s location. The data seen on the iPhone was not the location past or present of the iPhone, but the location of cell towers surrounding the phone. Although the cache was not encrypted, it was protected from other apps on the phone.

According to 9to5 Mac, Tribble also explained to the U.S. Congress that, as we know, the iPhone and 3G iPad are able to determine a user’s location using triangulation between nearby Wi-Fi hotspots or cell phone towers.

Read

Apple has finally broken its week-long silence over the location-tracking database scandal surrounding iPhones and 3G iPads running iOS 4 and higher. The company states that it never has, and never plans to, track users’ iDevices, and that the purpose of the database file in question — consolidated.db — is to “help your iPhone rapidly and accurately calculate its location when requested.” The company noted that a software update will limit the size of the location file and be available in the next few weeks — the next major iOS release will add a layer of encryption to the file. Apple’s full statement is after the break. Have a look and let us know what you think.

Apple Q&A on Location Data

CUPERTINO, Calif.–(BUSINESS WIRE)–Apple would like to respond to the questions we have recently received about the gathering and use of location information by our devices.

1. Why is Apple tracking the location of my iPhone?
Apple is not tracking the location of your iPhone. Apple has never done so and has no plans to ever do so.

2. Then why is everyone so concerned about this?
Providing mobile users with fast and accurate location information while preserving their security and privacy has raised some very complex technical issues which are hard to communicate in a soundbite. Users are confused, partly because the creators of this new technology (including Apple) have not provided enough education about these issues to date.

3. Why is my iPhone logging my location?
The iPhone is not logging your location. Rather, it’s maintaining a database of Wi-Fi hotspots and cell towers around your current location, some of which may be located more than one hundred miles away from your iPhone, to help your iPhone rapidly and accurately calculate its location when requested. Calculating a phone’s location using just GPS satellite data can take up to several minutes. iPhone can reduce this time to just a few seconds by using Wi-Fi hotspot and cell tower data to quickly find GPS satellites, and even triangulate its location using just Wi-Fi hotspot and cell tower data when GPS is not available (such as indoors or in basements). These calculations are performed live on the iPhone using a crowd-sourced database of Wi-Fi hotspot and cell tower data that is generated by tens of millions of iPhones sending the geo-tagged locations of nearby Wi-Fi hotspots and cell towers in an anonymous and encrypted form to Apple.

4. Is this crowd-sourced database stored on the iPhone?
The entire crowd-sourced database is too big to store on an iPhone, so we download an appropriate subset (cache) onto each iPhone. This cache is protected but not encrypted, and is backed up in iTunes whenever you back up your iPhone. The backup is encrypted or not, depending on the user settings in iTunes. The location data that researchers are seeing on the iPhone is not the past or present location of the iPhone, but rather the locations of Wi-Fi hotspots and cell towers surrounding the iPhone’s location, which can be more than one hundred miles away from the iPhone. We plan to cease backing up this cache in a software update coming soon (see Software Update section below).

5. Can Apple locate me based on my geo-tagged Wi-Fi hotspot and cell tower data?
No. This data is sent to Apple in an anonymous and encrypted form. Apple cannot identify the source of this data.

6. People have identified up to a year’s worth of location data being stored on the iPhone. Why does my iPhone need so much data in order to assist it in finding my location today?
This data is not the iPhone’s location data-it is a subset (cache) of the crowd-sourced Wi-Fi hotspot and cell tower database which is downloaded from Apple into the iPhone to assist the iPhone in rapidly and accurately calculating location. The reason the iPhone stores so much data is a bug we uncovered and plan to fix shortly (see Software Update section below). We don’t think the iPhone needs to store more than seven days of this data.

7. When I turn off Location Services, why does my iPhone sometimes continue updating its Wi-Fi and cell tower data from Apple’s crowd-sourced database?
It shouldn’t. This is a bug, which we plan to fix shortly (see Software Update section below).

8. What other location data is Apple collecting from the iPhone besides crowd-sourced Wi-Fi hotspot and cell tower data?
Apple is now collecting anonymous traffic data to build a crowd-sourced traffic database with the goal of providing iPhone users an improved traffic service in the next couple of years.

9. Does Apple currently provide any data collected from iPhones to third parties?
We provide anonymous crash logs from users that have opted in to third-party developers to help them debug their apps. Our iAds advertising system can use location as a factor in targeting ads. Location is not shared with any third party or ad unless the user explicitly approves giving the current location to the current ad (for example, to request the ad locate the Target store nearest them).

10. Does Apple believe that personal information security and privacy are important?
Yes, we strongly do. For example, iPhone was the first to ask users to give their permission for each and every app that wanted to use location. Apple will continue to be one of the leaders in strengthening personal information security and privacy.

Software Update

Sometime in the next few weeks Apple will release a free iOS software update that:

• reduces the size of the crowd-sourced Wi-Fi hotspot and cell tower database cached on the iPhone,
• ceases backing up this cache, and
• deletes this cache entirely when Location Services is turned off.

In the next major iOS software release the cache will also be encrypted on the iPhone.

Read

It looks as though software developer James Laird has opened Pandora’s box for Apple’s AirPlay music streaming system. Frustrated by the fact that an AirPort Express emulator did not exist, Laird began to look for a solution that would allow him to stream iTunes music without the use of AirPlay. “I was disappointed to find that Apple used a public-key crypto scheme, and there’s a private key hiding inside the ApEx [Airport Extreme],” wrote Laird. “So I took it apart (I still have scars from opening the glued case!), dumped the ROM, and reverse engineered the keys out of it.” Laird has published the private key in an open source software project dubbed ShairPort (clever). The software, which is built in Perl and C, will allow users to stream iTunes content to hardware and software designed to talk to ShairPort. Apple has opened up its AirPlay system to third-parties in recent months, but this blows the doors wide open for all those looking to circumvent that red tape-filled process.

[Via MacRumors]

Read

In a recent blog post, Twitter announced a new measure aimed at keeping its users data a bit more secure as it travels over the wire. Via the “Settings” preference pane, users can now force Twitter communications to always travel over a secure, HTTPS connection. “This will improve the security of your account and better protect your information if you’re using Twitter over an unsecured Internet connection,” writes Twitter. “In the future, we hope to make HTTPS the default setting.” Enabling the feature also secures traffic traveling to and from the official Twitter applications for both the iPhone and iPad — it will not, however, automatically enable HTTPS on the mobile Twitter website. Unless you have a specific reason not to enable the feature, we highly recommend it.

Read

Today, AT&T announced AT&T Encrypted Mobile Voice; “the first carrier-provided two factor encryption service for calls on the AT&T network.” The service, which will be available for BlackBerry and Windows Mobile devices, combines KoolSpan’s TrustChip and SRA International’s One Vault Voice. As the press release explains:

TrustChip is a fully hardened, self-contained crypto engine inserted into the smartphone’s microSD slot. Embedded with AT&T TrustGroup, the KoolSpan TrustChip offers the strength of additional hardware authentication, enables encrypted calling interoperability with a defined group of other AT&T TrustGroup users and can be managed over-the-air. [...] SRA’s One Vault Voice integrates the security functions of the TrustChip with a feature rich application that provides an intuitive user interface. This powerful combination allows users to easily place and receive encrypted calls by integrating with the mobile phone’s standard operation and address book to provide a user friendly and seamless security option.

Probably not something you are going to be using, but pretty cool nonetheless. Hit the read link for the full press release.

Read

In accordance with government wishes, Saudi Arabia’s three mobile wireless companies have shut down BlackBerry messaging services to their users. The Saudi Communications and Information Technology Commission cited security concerns when it announced on August 3rd that: “the manufacturer of the devices [RIM] couldn’t meet the regulatory requirements of the commission and it is not in accordance with the regulations and conditions of licenses issued to service providers, at its present state.”  The AFP reports that any wireless company that does not turn off the encrypted messaging service could face up to a $1.3 million fine. The BlackBerry devices are still able to make and receive phone calls. Services are due to be suspended in the United Arab Emirates beginning on October 11th. 

Read

The Wall Street Journal is reporting that BlackBerry maker Research In Motion has issued a statement to its customers letting them know just how secure their data is. The handset maker reminded everyone that “no one, including RIM” could access BlackBerry user data as it is encrypted without a master key, and that it would “be unable to accommodate any request” for access to the data. RIM continued, the system is designed “to exclude the capability for RIM or any third party to read encrypted information under any circumstances.” The statement comes on the heels of this weekend’s decision by the United Arab Emirates to suspend BlackBerry data services in the country due to reasons related to national security. RIM has not released an official statement regarding talks with the UAE citing the confidentiality of discussions at the government level.

Read

Chatter on the forums suggests that the latest update hitting the DROID X has not fixed the WiFi connectivity problem many users were reporting. Affected DROID X owners report that their handsets have difficulty connecting to a WiFi router and poor network performance once a connection has been established. Several users report that changing the encryption from AES to TKIP has alleviated the problem, while others note that changing your router to 802.11g instead of 802.11n has decreased the number of network disconnects. Anyone with a DROID X currently experiencing this problem?

Thanks, Goreja!

Read

A major security flaw has been uncovered in the Apple iPhone 3GS this week after two security experts discovered it was possible to bypass the device’s security and gain nearly full read access using Ubuntu Lucid Lynx. Perhaps even more frightening is the fact that the two believe they’re nearing the ability to write data as well. Said Bernd Marienfeldt, one of the two gentleman responsible for uncovering the flaw:

I uncovered a data protection vulnerability, which I could reproduce on 3 other non jail broken 3GS iPhones (MC 131B, MC132B) with different iPhone OS versions installed (3.1.3-7E18 modem firmware 05.12.01 and version 3.1.2 -7D11, modem 05.11.07), all PIN code protected which means the vulnerability bypasses authentication for various data where people most likely rely on data protection through encryption and do not expect that authentication is not in place. [...] This data protection flaw exposes music, photos, videos, podcasts, voice recordings, Google safe browsing database, game contents… by [sic] in my opinion the quickest compromising read/write access discovered so far, without leaving any track record by the attacker. It’s about to imagine how many enterprises (e.g. Fortune 100) actually do rely on the expectation that their iPhone 3GS’s whole content is protected by encryption with an PIN code based authentication in place to unlock it.

Marienfeldt and his partner Jim Herbeck notified Apple of the flaw, and according to then, “Apple could reproduce the described serious issue and believes to understand why this can happen but cannot provide timing or further details on the release of a fix.” Let’s hope the new data protection feature in iPhone OS 4.0 does the trick.

[Via Engadget]

Read

Remember all of the hoopla surrounding RIM’s hostile takeover of Certicom? Well the Ontario Securities Commission sure does, as it’s alleging that former RIM VP Paul Donald personally profited from the deal thanks to some insider trading. The OSC claims that back in August of 2008, Donald was attending a RIM function where RIM top brass informed him that they were actively trying to acquire the software encryption specialists Certicom — a company whose technology is used in every single BlackBerry smartphone. Although Donald was told that Certicom was resisting the takeover, he quickly purchased 200,000 shares in the company after learning it was “dramatically undervalued,” and shortly thereafter RIM announced its intentions to purchase. That announcement also had RIM run afoul of the OSC, as Certicom’s board asked the commission to block the buyout on the grounds that Certicom investors would get a raw deal. Despite this, the aquisition eventually went through which saw Donald net $295,000 in profit. Donald, who the OSC said acted, “with knowledge of material facts about Certicom that had not been generally disclosed,” and whose purchase of the shares were, “contrary to the public interest,” will be front and center as the OSC holds a hearing on June 7th.

Read

A five-month old ITC patent dispute between Research In Motion and Omaha-based Prism Technologies has been settled. Back in December of 2009, Prism had asked the ITC to block the importation of BlackBerry smartphones, servers and sofrware into the U.S. on the grounds that RIM was violating one of Prism’s patents. At the heart of the dispute was a Prism patent described as providing an “innovative way of controlling access to protected electronically stored data and information requested by a device using an Internet Protocol network.” The terms of the settlement were not disclosed, but documents filed with the ITC reveal that the companies have entered into a “license and settlement agreement.”

Read

In a move to shed light on the vulnerability of GSM wireless networks, encryption expert Karsten Nohl, with the aid of 24 fellow hackers, was able to compile the multitude of algorithms behind the twenty one year old, 64-bit encryption scheme used to encrypt 80% of the world’s cellular GSM phone calls. The algorithm’s code book, comprising 2TB worth of data, has been published by Nohl and is now available on the Internet through BitTorrent. This is not the first time GSM was “cracked”. In 2003, the method by which GSM’s encryption code could be cracked was uncovered by a team of Israeli researchers and in 2008, David Hulton and Steve Muller presented at Black Hat a technique for the successful interception and decryption of a GSM stream using $1,000 of hardware and a half hour of time. Now in 2009, we have the binary code log that could potentially make GSM decryption faster and easier than ever. Before everybody panics, it is important to point out that the GSM algorithm that was cracked was the older and less secure 64-bit A5/1 algorithm, not the newer 128-bit A5/3 algorithm. Unfortunately, GSM carriers have been slow to adopt this new 128-bit encryption standard but Nohl’s disclosure may be the kick in the butt these lazy carriers need to beef up their security.

Read