from Hacker News

Tell HN: Your Android carrier can remotely turn settings on

by brainchild-adam on 12/12/22, 1:47 PM with 290 comments

• by qbasic_forever on 12/12/22, 5:27 PM

  Wait until your learn what a country or local government/police can do remotely to the baseband firmware of your phone with a court order...

  10-20 years ago the FBI was regularly remotely programming firmware to listen in and record cell phone microphones to capture conversations of suspects. IIRC a mafia case hinged on data gathered in this way so it is not some abstract theoretical or crackpot theory (https://www.cnet.com/news/privacy/fbi-taps-cell-phone-mic-as...).

  It's only gotten worse as phones have gotten more capable. You don't own squat about the device in your pocket at all times.

• by msingh_5 on 12/12/22, 3:49 PM

  These are emergency broadcast alerts. Different countries have different laws on these - and in some countries you might not even be able to disable them.

  Just because its listed under "Apps & notifications"/"Wireless emergency alerts", it doesn't mean they are "user settings". Its not necessarily the local "carrier" that turned the settings on, its more that connecting to a cell tower in a particular jurisdiction can enforce receiving emergency alerts.

  More on the EU alerts systems: https://en.wikipedia.org/wiki/EU-Alert

• by willyt on 12/12/22, 6:11 PM

  I can totally understand why Americans would want to silence these. I'm from the UK and I was in Central Park with my wife and kids when we got an 'Amber Alert' which said something like 'Black Ford SUV reg XYZ123' or something equally cryptic. It was not long after the terrorist attack in Nice where a guy drove a truck thorough a crowd of people walking beside the beach. Everyone's phones started going at the same time and we assumed it was some kind of disaster warning (the second worst level of disaster after a Red Alert?) as did many other tourists in the park! It went off again on the subway on the way back to the apartment and all the New Yorkers were totally unfazed by it. I asked the woman next to me what it was, she just said ignore it. I googled it later and it turned out an ex boyfriend had not showed up from picking their daughter up from school in a small town at the other end of New York state a couple of hundred miles away. Talk about crying wolf, I hope they have a different sound for when there actually is an inbound rogue North Korean nuke, otherwise 20 million people are going to think 'fuck's sake' and silence their phones without looking...

• by N_A_T_E on 12/12/22, 3:13 PM

  IMHO, carrier settings are a small portion and not super impactful part of the phone configuration you see in the settings list. This is actually a somewhat cool feature. Imagine going to another country, jumping on another network and your phone automatically knows what cell bands and towers to connect to.

  Carriers can't change regular settings like language, lock screen code or background. Just what cell towers you connect to and a short list of telephony related features. Please correct me if I'm wrong.

• by Kiboneu on 12/12/22, 5:41 PM

  Absolutely, they can change this setting, in lots of different ways. Originally emergency services were set up by fields offered by the SIM. Occasionally these settings change, so an update mechanism had to be established.

    - Android comes with a list of carriers and their required configurations; when the MNC and MMC provided by the SIM match a carrier on that list, Android uses the configuration from that list. This list updates with Android updates, and so SIM don't have to be reprogrammed. 
  
    - Modern SIMs just Java cards with a SIM app (especially if they offer IMS). The Java cards also have a secure storage element to hold subscriber keys and mitigate tampering to change these keys. They also contain signing public keys which is queried by Android whenever /Carrier Privileges/ are requested. That way, an app signed by a carrier can very against the carrier's SIM in order to get access to this configuration.
  
    - There are remote configuration protocols, so Android will have a bare configuration for carriers just to fetch the latest configuration from them (to then use it).
  

  This has been happening for quite a while. If you use(d) a carrier app for voicemail or setting up the service for the first time, you've used this. Except nowadays it seems Android actually /informs/ you about it.

  https://source.android.com/docs/core/connect/uicc

  https://source.android.com/docs/core/connect/carrier

  One could probably write a rooted Android ROM that filters / requests user permission / logs changes to carrier settings, and there's utility in that since it may be a vector for espionage / traffic redirection (provided stolen keys or an exploit of the SIM's certificate storage machinery). SIM cards are usually directly connected to the CPU, not to the baseband.

• by mFixman on 12/12/22, 3:51 PM

  Back in the day my phone carrier in Argentina would send me ultra-high-priority alerts with ads several times a day.

  A lot of people in this thread are understandably okay with good carriers doing this for good reasons, but it's very easy to abuse if there aren't strong enough communication laws. From the amount of spam I got when I lived there, I'm surprised this is not happening in America.

• by nicholasjarnold on 12/12/22, 4:17 PM

  > I must say I strongly dislike losing control over my own device. It feels dystopian to me.

  Even with a rooted device where perhaps you personally coded up the ROM you are still missing a piece which is the binary blob that runs the baseband radio. That firmware is, afaik, not something which exists in any sort of open-source or rootable manner. It's a closed blob running proprietary software on your phone, and it runs at a lower level than the ROM/OS does. So, even if you go to great lengths to secure most of the software that runs on the device (a noble goal, it's your hardware after all!) then you still must contend with the uncertainty and perhaps risk (depending on your threat model) of that untrusted code running there. You can search around the web for articles covering baseband radio exploits that span the years...

• by tehCorner on 12/12/22, 3:36 PM

  I used to work for a carrier and yes, there are some settings that can be changed. If your phone is locked to a carrier it can even hot-replace applications without you noticing (useful for embedded carrier applications that donwload a full APK when you open the one installed in the device by default)

  I believe these varies by country, since this was done for a limited set of countries my Company sas operating on

• by jmole on 12/12/22, 6:22 PM

  I bought a Pixel 7 recently.

  When setting up the device, I was asked to insert my SIM card. Usually, I'd have skipped past this screen, but I thought "Ok, let me swap out my SIM", since I was trading in an older device.

  Worst mistake ever. Even on an unlocked phone, all the verizon crapware was silently installed in the background. This doesn't happen when you put in the SIM after setting up the phone.

  Such a backwards experience.

• by izacus on 12/12/22, 3:23 PM

  Yes, Cell Broadcasts are controllable by carriers and that's even mandated in some countries (e.g in USA the carrier can send out a broadcast that will ignore all "silent phone" settings and scream loudly no matter what you've set and where). This will happen on all phones allowed to be used in those regions - whether Apple, Google, Samsung, Nokia or even Huawei.

  You can attempt to disable it, but you need to be aware that in many places it's outright illegal for phone manufacturer and carrier to allow that.

• by 255kb on 12/12/22, 3:03 PM

  1) yes, but only got the warning once. 2) I think you need to root and disable OTA updates, but never tried. 3) Hate it, but I think it's a drop in an ocean of control, and probably way more harmless than depending on Google for everything (at least in my case). Not an Apple user, but apparently this is also a thing on Apple devices: https://www.vox.com/2015/2/12/11558938/what-is-this-carrier-...

• by 7steps2much on 12/12/22, 3:10 PM

  (1) I wasn't aware of it, but I am not surprised that something like this was written into the standard (presumably. I doubt carriers rolled their own thing)

  (2) All the ways I can think off are significantly harder than rooting, so essentially no.

  (3) I don't really mind that much, I have Google services running on my phone and I am certain those can do far more than my carrier could ever dream off. I have begrudgingly accepted those, so it would be a bit hypocritical to complain about my carrier turning cell broadcast back on. Especially since "turning cell broadcast back on" is a use case that I can see the argument behind.

  It you care about this then I suggest you look up the relevant standard documents, probably you will find this behavior documented there.

• by petodo on 12/12/22, 2:59 PM

  Yes, I am aware carrier can control carrier/network settings since those are loaded from network anyway, you can try to override them, but obviously if it's something like Cell Broadcast, call forwarding/barring or caller ID and others, carrier can decide to use different settingh from yours.

  I feel like you are confusing local Android settings with carrier settings loaded from network. For instance carrier is not going to change setting of your default keyboard or ringtone without (carrier customized) system update.

• by ddtaylor on 12/12/22, 5:16 PM

  Carriers can actually send arbitrary AT commands which are more or less arbitrary modem commands. Depending on how deep you think the integration between the broadband controller and the CPU are they could potentially also do much more. I wouldn't trust much on any phone.

• by jamal-kumar on 12/12/22, 4:31 PM

  In Germany people may not be as used to natural disasters and the like, but where I've travelled where the weather is way more extreme, these are like life saving emergency alerts so you don't get sucked into a tornado like a cow or die in a flood or tsunami. I love how jarring the alerts are, there was an incident in the USA recently where some way too close menu entry got hit at an emergency alert center for a nuclear bomb and people ended up taking cover thinking they were going to get nuked in Hawaii [1]. The USA system you can understand the technical workings of here [2] while this seems to cover more of the technical workings of the EU systems [3] - These are simply service area broadcasts [4]

  [1] https://en.wikipedia.org/wiki/2018_Hawaii_false_missile_aler...

  [2] https://www.youtube.com/watch?v=sdmkTkWB40Q

  [3] https://media.ccc.de/v/osmodevcon2019-107-production-grade-c...

  [4] https://osmocom.org/projects/cellular-infrastructure/wiki/Se...

• by yourusername on 12/12/22, 4:18 PM

  I've disabled them on my phone because it's always either a test or some nonsense "it's too busy in <town> 10km away, stay away". Alerts they would never turn on the sirens for. I'd be very annoyed if my carrier re-enabled alerts.

• by burritas on 12/12/22, 4:56 PM

  A little tangential, but carriers and hackers can execute arbitrary code on your device through OTA updates with the baseband modem. It's even been done on 5G.

  Which also reminds me how the NSA has intentionally crippled standards in the past so they could eavesdrop or inject code without having to go through the carrier. This means Johnny Scriptsalot can do it too.

• by Fradow on 12/12/22, 3:17 PM

  (1) Yeah, though I definitely forgot. In my country, it used to be really hard to find a plan with mobile hotspot, which used to be a x€/month (don't remember the number) option that would just hide the setting. That was a very long time ago since I saw on but I think some plans still have those restrictions and use that method to enforce it.

  (2) Changing to a device that doesn't have that feature. Which probably means no Android and no iOS. I would not be willing to do so, I'd change carrier instead if it was problematic enough to me.

  (3) I don't mind when it's to set settings for a good reason. I assume some settings are configured that way for the phone to properly work on the carrier network. On the other hand, I hate it when it's to enforce a stupid thing or extract more money from a built-in feature.

• by ppcdeveloper on 12/12/22, 3:55 PM

  Absolutely they can. Carriers have access to the system partition aka We do what we want (hopefully they do what makes sense). This is how bloatware is installed (the things you can't get ride of).

• by exabrial on 12/12/22, 6:01 PM

  If you don't have root access to your phone (or baseband), you have no control over it. That's Google and Apple's plan. In Apple's own words "It's their platform"

• by hnarn on 12/12/22, 10:17 PM

  It’s very difficult for me, in all honesty, to even understand why the act of emergency alerts being re-enabled by a carrier leads to this kind of reaction.

• by supermatou on 12/12/22, 4:33 PM

  I'm experiencing the opposite; my wife and I have the same iPhone model (13), with the OS up to date. When we bought the phones, 18 months ago, I customized them to have identical settings; while doing that, I also disabled the Amber Alerts. Still, a few weeks ago, our phones started to emit an unheard (til then) sound in the middle of the night: it was an Amber Alert. WTH? did any of the OS updates enable the AA? I looked at the phones and - hey, where did that setting go? the alerts are no longer visible in Notifications. What's weird, is the fact that you can type "Govern" (for Government Alerts) in the Search field, and Notifications comes up - but, when you go into Notifications, there's nothing there.

  I googled the issue and it's affecting quite a lot of people. It's unclear whether the culprit is the provider or a long-standing bug in iOS (the first mention I found is a few years old). Some people suggested that you take out the SIM and the options would reappear. Didn't work in my case.

• by pfoof on 12/12/22, 6:18 PM

  Related, specification from 2019.

  https://www.etsi.org/deliver/etsi_ts/102900_102999/102900/01...

  Check Security Considerstions in 5.5.

• by MiddleEndian on 12/12/22, 7:35 PM

  Doesn't surprise me, Android lets carriers and manufacturers install all sorts of garbage you can't remove. It's a pretty terrible operating system. I just disable amber alerts when I get a new phone, never gotten any other type of alert in the US, haven't ever gotten an alert in another country. I also hear that Canada sends out amber alerts with an unblockable "presidential" priority, so if I were ever to move to Canada, I would figure out how to disable that type of alert as well.

• by precommunicator on 12/12/22, 6:29 PM

  Similar thing is with call recording, as one of my SIM card is from Germany my phone doesn't allow me to enable call recording, but, as I don't live in Germany, and it's legal to do so here, I have a manufacturer-specific app (3rd party, ofc) that basically runs in background and periodically and on boot, re-enables this setting. Wonder if something similar could be made, or exists for your phone.

• by BanjoBass on 12/12/22, 3:59 PM

  Pretty sure they're "required" in Germany and cannot be disabled by the user.

  You travel to other countries, you abide by their laws. This is no different.

• by jjgreen on 12/12/22, 2:04 PM

  (1) No, but not surprised, (2) don't have a phone, (3) I don't like it, that's why I don't have a phone.

• by lotux on 12/12/22, 3:55 PM

  I think carriers can inject apps via sim card too https://www.reddit.com/r/GalaxyNote8/comments/71of1t/carrier...

• by kornhole on 12/12/22, 6:17 PM

  If you are using the Android OS originally installed on the phone, you can deactivate many of these at the OS level (not baseband) using ADB. This does not require rooting. An easy way to find and deactivate these codes is to use the UAD (Universal Android Debloater) found on Github.

• by ddalex on 12/12/22, 3:08 PM

  It's part of the mandated law in certain countries so it's normal to be implemented there.

• by remram on 12/12/22, 6:35 PM

  Leaving the evil carrier issue aside, how much security is there? I know GSM security is not very good, as older protocols are kept around for decades.

  Is there strong crypto preventing anyone who's not a carrier or government from changing settings on device?

• by lizardactivist on 12/12/22, 5:50 PM

  Not sure if it's related or just Apple's data-greed and malice, but on a previous iPhone, iMessage and FaceTime would turn on by itself every time the phone was restarted, again 24 hrs later, and one final time 48 hrs after that.

• by gershy on 12/13/22, 2:36 AM

  I didn't read the full legal contract that came with my phone, but I assume it enumerates (in soporific detail) many of the ways in which I don't control my device. The price of convenience is a real doozy!

• by Doorstep2077 on 12/12/22, 6:46 PM

  Doesn't surprise me tbh, although I'm curious if different countries have different policies regarding this. E.G. in privacy-centric countries like Iceland, are there stricter rules / regulations?

• by _trampeltier on 12/12/22, 6:39 PM

  Is there a full list, what carriers can do and change in your phone?

• by TEP_Kim_Il_Sung on 12/12/22, 3:01 PM

  iPhone too, not just Android. At least in Germany, and Israel.

• by EastSmith on 12/12/22, 8:23 PM

  We need Linux phone.

• by theCrowing on 12/12/22, 2:14 PM

  It's a carrier side setting...lol.

• by vanillax on 12/12/22, 8:40 PM

  What if you remove the sim card? What can they do?

• by diffeomorphism on 12/12/22, 4:02 PM

  1) seems pretty obvious. 2) you don't. 3) perfectly fine.

• by wintogreen74 on 12/12/22, 9:23 PM

  what the?