Maybe NitroKey are surfacing something useful and potentially concerning, but the way they do it is so cheap that it completely turns me off their brand. It’s a bunch of negativity-hype with a “so buy our phone” tacked on.
I remember seeing a pen-test that was done way back in the mid aughts that identified a bunch of vulnerabilities. It was so long ago, I wonder if they were mitigated or just given lip service.
Also to mention... A-GPS is extremely crucial to the underpinnings of the e911 system. Having rapid fixes means quicker positioning data being sent over the wire to the 911 center.
Also people want GPS to work seamlessly in locations where GPS is unreliable. Dense urban canyons, inside big buildings and a myriad of other locations. AGPS is absolutely necessary for this.
The author claims that none of the above information is actually sent, other than the IP address which is unavoidable to download a static file. I don't know who is right because I haven't seen the actual intercepted HTTP traffic.
Reminds me of your typical "Windows support" impersonator telling people to look at all the spooky errors and warnings in Event Viewer and "all I need is for you to install this remote access tool and I can fix all your problems for you".
Was just looking at NitroKey after realizing my SoloKey v2[1] won't come for yet another few months.
I was very disappointed in that Kickstarter. Yubikey ran a 54% off discount May 4th last year and not knowing when I would get my v2 SoloKeys, I purchased two. I had them within the week and have since integrated them into all my accounts.
So, presumably if I bought one of their phones and turned it on, I would wait ten minutes to get a GPS fix instead of it using an almanac and working out the lat and long of three cell towers at certain signal strength?
You don't even need the cell towers. You need _very_ good gps reception though, so outside without tall structures nearby. Then you have the issue that you need to keep the GPS active enough to keep the almanac updated. Which is usually not happening due to power management.
> IP packets should not be sent or received behind our backs
Static data for the entire system. A-GPS files are just a digital ephemeris[1], a form of trajectory tables for the satellites over (upcoming) time, so it knows when to expect certain satellites (and thus certain transponder frequencies to pick first in its search for signals to lock onto and triangulate from).
A-GPS provides a current almanac, showing where all the satellites actually are. Without it, a cold start requires hunting for signals across a much wider range. As I understand it, older GPS receivers rely on finding a single satellite and waiting to acquire a full almanac from it while smartphones have enough compute to probably get a lock on multiple satellites without a complete dataset. The satellites will eventually broadcast the complete almanac and ephemerides, so a warm start shouldn't take as long.
wepple | 2 years ago
If you handed a Nitrophone to any competent security researcher, I bet they’d find a ton of issues. Same with the NitroKey; that feature list is far too extensive to not have issues.
_rdvw | 2 years ago
IZAT NLP concerns have been known for many years now, my DivestOS hasn't included it for 6+ years: https://gitlab.com/divested-mobile/divestos-build/-/commit/a...
flangola7 | 2 years ago
at-fates-hands | 2 years ago
EDIT: I found it. Pretty interesting read: https://cure53.de/pentest-report_nitrokey.pdf
This penetration test against the Nitrokey Storage firmware, as well as the Nitrokey desktop app, was performed by a team of three penetration-testers and took eleven days in total to complete. The test is part of a larger series of security assessments. In later phases, security-focused assignments will include tests against the hardware itself, alongside a detailed look into other models of the Nitrokey and its accompanying applications and tools.
DANmode | 2 years ago
ksec | 2 years ago
dang | 2 years ago
Smartphones with Qualcomm chip secretly send personal data to Qualcomm - https://news.ycombinator.com/item?id=35698547 - April 2023 (263 comments)
s1k3s | 2 years ago
However, this blog post takes it too far:
> It proceeds to not show the contents of this HTTP request because it would show that it's not at all interesting. It does not contain any private data.
You don't know that, nor do you take any steps to actually prove your claim. This blog post is just as bad as the original post for not providing any evidence to your claims.
To add to that: OP seems to summarize the HN comments section without even citing it.
I'm double disappointed :)
MartijnBraam | 2 years ago
kotaKat | 2 years ago
joecool1029 | 2 years ago
- https://www.mpirical.com/glossary/lmu-location-measurement-u...
- https://www.etsi.org/deliver/etsi_ts/136100_136199/136111/11...
stingrae | 2 years ago
Without this, people will wonder why the phone's "GPS" is bad (it takes a long time to get position and it is inaccurate in many cases).
dchest | 2 years ago
1. Unique ID
2. Chipset name
3. Chipset serial number
5. XTRA software version
6. Mobile country code
7. Mobile network code (allowing identification of country and wireless operator)
8. Type of operating system and version
9. Device make and model
10. Time since the last boot of the application processor and modem
11. List of the software on the device
12. IP address
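The thread disputes what the almanac download request actually carries, and the only way to settle that is to capture the request and read it. As an added illustration (not code from the thread, nor from Qualcomm or Nitrokey), here is a small Python tool that parses a raw HTTP/1.1 request and inventories every field the server receives, including the client address it cannot avoid seeing, and flags long hexadecimal values that look like device or session identifiers. The sample request, its host name, its header names and the token values are constructed placeholders, not a real captured XTRA request; a practitioner would feed it a request captured from their own device instead.

```python
"""Inventory what a captured plaintext HTTP request reveals to the server.

Added example; not code from the thread or from any vendor. The request
below is constructed for illustration (placeholder host and made-up values).
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample request. Nothing here is a real A-GPS endpoint or token.
SAMPLE_REQUEST = (
    b"GET /almanac/data.bin?v=3&id=0123456789abcdef0123456789abcdef HTTP/1.1\r\n"
    b"Host: agps.example.invalid\r\n"
    b"User-Agent: ExampleAgent/1.0 (Linux; Android 13; PlaceholderModel)\r\n"
    b"Accept: */*\r\n"
    b"X-Example-Token: deadbeefcafef00d\r\n"
    b"\r\n"
)

# Heuristic: a bare hex string of 16+ characters usually is an identifier.
HEX_TOKEN = re.compile(r"^[0-9a-fA-F]{16,}$")


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, path, query, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {
        "method": method,
        "path": parts.path,
        "query": dict(parse_qsl(parts.query, keep_blank_values=True)),
        "headers": headers,
        "body": body,
    }


def identifier_like(value: str) -> bool:
    return bool(HEX_TOKEN.match(value))


def inventory(raw: bytes, client_ip: str) -> dict:
    """Everything the server learns from one request, plus the fields whose
    values look like identifiers and therefore deserve a closer look."""
    req = parse_request(raw)
    # The source address is visible for any download, HTTP or HTTPS alike.
    fields = {"client_ip": client_ip}
    for key, value in req["query"].items():
        fields[f"query:{key}"] = value
    for key, value in req["headers"].items():
        fields[f"header:{key}"] = value
    if req["body"]:
        fields["body"] = req["body"].decode("latin-1", "replace")
    suspects = sorted(k for k, v in fields.items()
                      if k != "client_ip" and identifier_like(v))
    return {"fields": fields, "identifier_like": suspects}


if __name__ == "__main__":
    report = inventory(SAMPLE_REQUEST, "198.51.100.7")  # constructed client address
    for key, value in report["fields"].items():
        print(f"{key}: {value}")
    print("identifier-like values:", report["identifier_like"])
```

Run it against a request captured with a local intercepting proxy or a packet capture from your own device; the identifier heuristic is deliberately simple, so treat the flagged list as a starting point for reading the request, not as a verdict.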
not2b | 2 years ago
MartijnBraam | 2 years ago
unknown | 2 years ago
[deleted]
WirelessGigabit | 2 years ago
If for whatever reason the system's time is just SO wrong then there's a chance the HTTPS connection might fail because the certificate is not valid yet / expired.
For this I think it's OK for it to be served over HTTP.
smileybarry | 2 years ago
yellowapple | 2 years ago
magicalhippo | 2 years ago
Given that they use similar firmware, the headline scared me a bit. However the article is about their marketing of an entirely different device, not their new Yubikey replacement.
The wait continues... not super-surprised though, crowd funding hardware is super-risky and I knew that.
[1]: https://solokeys.com/
atoponce | 2 years ago
I debated backing out of the Kickstarter as the Yubikeys were working so well for me, but decided to stick with it and see what the SoloKey experience would be like. Yeah, disappointing. I ordered USB-A and USB-C keys. The USB-A key doesn't make a good connection with the USB port. It needs to be carefully held to register with the OS, otherwise it doesn't get power.
fsflover | 2 years ago
ibotty | 2 years ago
toastal | 2 years ago
lifeisstillgood | 2 years ago
Does anyone know if it's possible to get at this info from the user side? Some API access? Sounds fun.
MartijnBraam | 2 years ago
snvzz | 2 years ago
Whether it is useful for A-GPS does not matter. It must be done on top of the operating system or not done at all.
wepple | 2 years ago
I like this idea in principle, but I have bad news for you if you ever want to own literally any modern device - phone, laptop, tablet, car, TV, rice cooker etc
The only solution is some kind of network-level allowlisting which would be impossible to maintain, and stop working the second you’re outside a known network (i.e. LTE)
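To make the allowlisting idea and its caveat concrete, here is an added Python example of a per-app egress policy evaluator; it is not code from the thread. The app names, host names, ports and connection records are all constructed placeholders. Rules can only be enforced on networks whose router the device owner controls (modelled here by ENFORCED_NETWORKS), so a flow seen on LTE is reported as unenforced rather than silently treated as blocked, and the unexpected() list is what would have to be reviewed each time the policy needs maintaining.

```python
"""Per-app egress allowlist evaluator with an 'unknown network' caveat.

Added example, not code from the thread. Apps, hosts, ports and the
connection records below are constructed placeholders.
"""
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Flow:
    ts: str          # when the connection was seen (constructed timestamp)
    app: str         # process or app that opened the connection
    dest_host: str   # destination host name (placeholder)
    dest_port: int
    network: str     # network the device was attached to at the time


# Constructed policy: which (host glob, port) pairs each app may reach.
ALLOWLIST = {
    "gnss-daemon": [("agps.example.invalid", 80)],
    "ntpd": [("*.pool.ntp.example", 123)],
}

# Networks where we control the router and can actually enforce the policy.
ENFORCED_NETWORKS = {"home-wifi"}


def is_allowlisted(flow: Flow) -> bool:
    return any(fnmatch(flow.dest_host, host) and flow.dest_port == port
               for host, port in ALLOWLIST.get(flow.app, []))


def verdict(flow: Flow) -> str:
    """'allowed', 'blocked', or 'unenforced': outside the policy but seen on a
    network where nothing of ours could have blocked it (e.g. LTE)."""
    if is_allowlisted(flow):
        return "allowed"
    return "blocked" if flow.network in ENFORCED_NETWORKS else "unenforced"


def summarize(flows) -> dict:
    counts = {}
    for flow in flows:
        v = verdict(flow)
        counts[v] = counts.get(v, 0) + 1
    return counts


def unexpected(flows) -> list:
    """Unique (app, host) pairs outside the policy, whatever the network.
    This is the review queue that makes the allowlist costly to maintain."""
    return sorted({(f.app, f.dest_host) for f in flows if not is_allowlisted(f)})


# Constructed sample: three flows on the home network, one on LTE.
SAMPLE_FLOWS = [
    Flow("2023-04-26T08:00:01Z", "gnss-daemon", "agps.example.invalid", 80, "home-wifi"),
    Flow("2023-04-26T08:00:02Z", "ntpd", "0.pool.ntp.example", 123, "home-wifi"),
    Flow("2023-04-26T08:00:03Z", "gnss-daemon", "telemetry.example.invalid", 443, "home-wifi"),
    Flow("2023-04-26T09:15:00Z", "gnss-daemon", "telemetry.example.invalid", 443, "lte"),
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(f"{flow.ts} {flow.app} -> {flow.dest_host}:{flow.dest_port} "
              f"[{flow.network}] {verdict(flow)}")
    print("summary:", summarize(SAMPLE_FLOWS))
    print("needs review:", unexpected(SAMPLE_FLOWS))
```

The split between "blocked" and "unenforced" is the point: a policy that lives in a home router gives no protection once the device is on a carrier network, so the same destination appears with two different outcomes depending only on where the device happened to be.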
MartijnBraam | 2 years ago
charcircuit | 2 years ago
biomcgary | 2 years ago
kotaKat | 2 years ago
[1] https://en.wikipedia.org/wiki/Ephemeris
MartijnBraam | 2 years ago
andrewaylett | 2 years ago
D-GPS uses the known location and current readings from a nearby fixed receiver to increase the accuracy of your receiver, and does rely on knowing that you're in the vicinity, but it's not a feature of consumer phones.
VWWHFSfQ | 2 years ago
prince707 | 2 years ago
dmbche | 2 years ago
Thanks!
fredgrott | 2 years ago