from Hacker News

NitroKey disappoints me

by cunidev on 4/25/23, 9:11 PM with 66 comments

  • by wepple on 4/25/23, 9:46 PM

    Maybe NitroKey are surfacing something useful and potentially concerning, but they way they do it is so cheap that it completely turns me off their brand. It’s a bunch of negativity-hype with a “so buy our phone” tacked on.

    If you handed a Nitrophone to any competent security researcher, I bet they’d find a ton of issues. Same with the NitroKey; that feature list is far too extensive to not have issues.

  • by dang on 4/25/23, 10:03 PM

    Related ongoing thread:

    Smartphones with Qualcomm chip secretly send personal data to Qualcomm - https://news.ycombinator.com/item?id=35698547 - April 2023 (263 comments)

  • by s1k3s on 4/25/23, 10:14 PM

    I've criticized the original article for lack of information here: https://news.ycombinator.com/item?id=35698547#35703662

    However, this blog post takes it too far:

    > It proceeds to not show the contents of this HTTP request because it would show that it's not at all interesting. It does not contain any private data.

    You don't know that, nor do you take any steps to actually prove your claim. This blog post is just as bad as the original post for not providing any evidence to your claims.

    To add to that: OP seems to summarize the HN comments section without even citing it.

    I'm double disappointed :)

  • by kotaKat on 4/25/23, 9:56 PM

    Also to mention... A-GPS is extremely crucial to the underpinnings of the e911 system. Having rapid fixes means quicker positioning data being sent over the wire to the 911 center.

  • by dchest on 4/25/23, 9:48 PM

    The author didn't address the list of things the devices allegedly sent when downloading A-GPS files, from the original article:

    1. Unique ID

    2. Chipset name

    3. Chipset serial number

    5. XTRA software version

    6. Mobile country code

    7. Mobile network code (allowing identification of country and wireless operator)

    8. Type of operating system and version

    9. Device make and model

    10. Time since the last boot of the application processor and modem

    11. List of the software on the device

    12. IP address

  • by WirelessGigabit on 4/26/23, 12:14 AM

    Well, a device can get the time via GPS only.

    If for whatever reason the system's time is just SO wrong then there's a change the HTTPS connection might fail because of certificate not valid yet / expired.

    For this I think it's OK for it to be served over HTTP.

  • by yellowapple on 4/26/23, 12:27 AM

    Reminds me of your typical "Windows support" impersonator telling people to look at all the spooky errors and warnings in Event Viewer and "all I need is for you to install this remote access tool and I can fix all your problems for you".

  • by magicalhippo on 4/25/23, 9:57 PM

    Was just looking at NitroKey after realizing my SoloKey v2[1] won't come for yet another few months.

    Given that they use similar firmware, the headline scared me a bit. However the article is about their marketing of an entirely different device, not their new Yubikey replacement.

    The wait continues... not super-surprised though, crowd funding hardware is super-risky and I knew that.

    [1]: https://solokeys.com/

  • by lifeisstillgood on 4/26/23, 5:08 AM

    So, presumably if I bought one of their phones and turned it on, I would wait ten minutes to get a GPS fix instead of it using a almanac and working out the lat and long of three cell towers at certain signal strength?

    Does anyone know if it's possible to get at this info from user side ? Some API access? sounds fun

  • by snvzz on 4/25/23, 9:42 PM

    IP packets should not be sent or received behind our backs, and certainly firmware should not be bypassing the operating system to do this.

    Whether it is useful for A-GPS does not matter. It must be done on top of the operating system or not done at all.

  • by biomcgary on 4/25/23, 9:38 PM

    Are A-GPS files tied to location or the same for everyone? Hopefully, the latter.

  • by prince707 on 4/26/23, 4:34 PM

  • by dmbche on 4/25/23, 10:03 PM

    Straight, concise, clear and to the point.

    Thanks!

  • by fredgrott on 4/26/23, 12:12 AM

    Not to mention that AGPS is decades old by now. How many of you fell for the original article's narrative?