It's the right trade off for most people as the only USA 2G nationwide network is T-Mobile's. They are going to turn it off in April 2 2024 (1).
There's some regional carriers in rural areas that offer the only coverage available. Like Commnet Wireless (2). These are few and far between and usually they have deployed 3G to their whole footprint. The Big Three are building out native coverage to overlap with them. But by Murphy's Law someone with an Android 14 phone is going to discover that they can't call anything but 911. Ideally there would be a button prompt enabled in No Service situations to re-enable 2G. FCC rules mandate that cellphones must support fallback to null cipher if that's what's needed to connect an emergency call.
> It's the right trade off for most people as the only USA 2G nationwide network is T-Mobile's. They are going to turn it off in April 2 2024 (1).
A US-only analysis of this seems not especially useful, since Android is used worldwide. If anything it is more popular outside of the US than inside of the US, making US-based analysis even less illuminating.
I am curious what rural areas have 2G only. I've driven all over the contiguous US and hit plenty of "No Service" and 3G, but never 2G (T-Mobile Samsung S22).
This is a T-Mobile rant about them turning off non-LTE 4G service. T-Mobile is still providing non-LTE 4G, but they will not let you activate a new non-LTE 4G device on their network. Last year I tried to do this. Before I did anything, I called them and asked if I could activate a new non-LTE 4G device. They told me it would not be a problem. Activation went fine, but after a few days, the device stopped working. I spent hours with Tech Support trying to solve it, but we couldn't, so they had me go to the store and get a new SIM. The new SIM worked fine for a few days, but then the device stopped working. Troubleshooting on my own, I swapped the SIM with a different non-LTE 4G T-Mobile device on the same account (iPad Pro). Both devices began working! After swapping the SIMs back, they both continued to work, but the new one stopped working after a few days. I called T-Mobile Tech Support again and confronted them with this proof that the SIMs and devices were fine, but service on the new device would fail after working for a few days. After hours more, they found some Tech Bulletin they were unaware of that explained it this way; Any device activated after (some day I forgot in 2022) will cease to function unless it registers 4G LTE service with a tower every 24 hours. T-Mobile would have to have written a script to implement this, and they clearly did it only for marketing purposes. My non-LTE 4G iPad Pro (2016) still works great, but I had to replace the other non-LTE 4G device with something newer. Note: I had used that same device on the T-Mobile network for several years before temporarily deactivating it for six months and then trying to re-activate it. If I had re-activated it a month earlier, it would have worked fine.
TLDR; Cellular providers make money by selling you new equipment, and they will claim a device is unsupported even when it's not true.
Which is interesting, because earlier this year in the UK, I was getting repeated nagging texts from my mobile provider that they were switching off 3G, and that 2G would be the fallback.
I think the biggest reveal I see in the article is that the lynchpin of stingray is basically an overpriced downgrade attack. Disabling 2g is arguably a potent way for ma bell to keep security companies like stingray from eating their already opulent lunch. We also dropped 2g because stingrays parlour trick also immediately outed itself as a national security threat
My Samsung S21 running the latest Android (13) doesn't offer the option to disable 2G while keeping 4G/5G. The list is literally: 2G/3G/4G/5G, 2G/3G/4G, 2G/3G, 3G only, or 2G only. If you want to keep 4G and/or 5G you're SOL. Personally, I would prefer 4G/5G (as the 2G/3G fallback on my network next to useless outside the 4G/5G coverage footprint). Hopefully when Android 14 comes to the S21 it comes at least the option to disable 2G as described in the article.
> There's been a setting for users to disable 2G for forever,
I don't think this setting does what you think it does. The description under this option has a big caveat: "For emergency calls, 2G is always allowed". So even when disabled, the phone can still use 2G networks.
It sounds like this new option is to actually disable all 2G functionality.
> In other words, the network decides whether traffic is encrypted and the user has no visibility into whether it is being encrypted.
I'm pretty sure that it was intended that the OS UI would show you when your connection is unencrypted, but none of them do because that was undesired by state actors.
Also, even if encryption is enabled it's only for the radio part of the data transmission, not handset -> handset. Otherwise you would not be able to make calls to landlines, so isn't it already trivial for a Network Operators to decrypt your raw data? It would help for scenarios like an embassy mounting a fake base station to grab data about protestors outside it, I suppose.
Also, how can they tell if the encryption key is weakened by setting lots of bits to zero, like was done in the original version of GSM?
Yes, they just ask companies for direct access. With a bit of arm twisting, they mostly get what they need because they have the law on their side and cooperation is not optional. No need for back doors if you can just come in via the front door.
Google helping with your security is similar to when those nice mafia guys knock on your door offering protection. Don't forget that Google is apotheosis of evil corporation trying to take over all your data. This is the very company that turned "don't do evil" into "do things".
It's almost like a giant company like Google have ~100,000 employees, with a complex incentive structure at different levels that are encouraged to do different goals. While I have almost completely de-googled my life a few years ago, it is just stupid to attribute malice to anything they touch -- they have plenty of good contributions, certain parts of AOSP being an example.
I would be happy to have that on a GrapheneOS phone for example, if I hadn't went with Apple.
Yes? The world is nowhere near perfect, but those mafia guys are probably actually going to protect "their" money from other gangs, and Google's obsession with your data means they have even more incentive to protect said data from other actors. In addition, of course, to the more general incentive to build features that can make more people (or in this case, organizations) choose Android.
Credit where credit's due. Google moves against our best interests very often but this is not one of those times. Let's accept this improvement graciously. Other Android-based operating systems like LineageOS and GrapheneOS will also benefit.
GrapheneOS implements a similar feature which limits to 4G cellular networks.
This is great if the phone decides 3G or 2G connectivity is better, but I know the 4G network is faster (still slow). A downside is that if the 4G network is completely overwhelmed (e.g. on a festival), the phone might not receive phone calls or sms it'd receive if it could switch to 2G (happened to me. The phone had 4G connectivity, but SMS didn't work without allowing 2G).
I may have to get rid of my Samsung phone because of this. There is no way to turn off 5G or 5G UW. I often find myself in an area where the phone will cling on to 1 bar of 5G UW and it's unusable with websites refusing to load. On an iPhone you can just turn off 5g and fall back to LTE. On this Samsung phone my only option is to physically move to another location which is unacceptable.
It's hard to imagine how they going to achieve this given that ultimately it's controlled by the closed source baseband code that's not written by Google.
There are only so many partners for cellular basebands in Android phones realistically. Qualcomm, MediaTek, and Samsung make up the vast majority of that market. Google already cooperates with them for other work I'm sure. No reason they wouldn't want to implement this.
I hope that they didn't make it any more difficult for me to MITM my own phone traffic. The latest Android releases have a couple of painfully annoying methods. The one I did (simplest, IMHO) requires rooting, installing a (somewhat obscure) Magisk module, and several more steps after. Not a fun experience, and I signed up for Android and not iOS because I want to be able to do stuff like that.
You might be able to MITM some packets meant for the cellular network, but fundamentally you're not gonna be able to MITM any cellular packets without running your own base station (i.e. a device outside your phone). Whatever mechanism you used for redirecting cellular traffic to your MITM apparatus could always be bypassed by simply sending that traffic over the actual cellular network.
Seeing all the comments, I think the best option could have been 2G default off (perhaps with a popup when nothing but 2G is available saying that "fallback to 2G temporarily? It is not encrypted" kind of alert, with the exception of emergency calls always available over 2G regardless of user prefs.
> We look forward to discussing the future of telco network security with our ecosystem and industry partners and standardization bodies. We will also continue to partner with academic institutions to solve complex problems in network security. We see tremendous opportunities to curb FBS threats, and we are excited to work with the broader industry to solve them.
I'll be honest. The stuff in this article is good, if a little underwhelming, but I feel a large amount of distrust for Google nowadays, to the point where what would've felt like unnecessary pessimism now feels only rational to me.
Ever since Google dropped WEI into our lives, I feel like they should not be allowed to be a part of any security efforts in any standards body or ecosystem. How long until carriers try to limit devices that don't support Google Play or Apple remote attestation of some kind?
> Ever since Google dropped WEI into our lives, I feel like they should not be allowed to be a part of any security efforts in any standards body or ecosystem. How long until carriers try to limit devices that don't support Google Play or Apple remote attestation of some kind?
Wait, so no Google or Apple employees involved in any standards body security efforts. What about TPM? Better ban employees from Intel, AMD, Qualcomm, Microsoft...who's left?
I mean, that's a take, but it seems like really the take away is that we should be skeptical of company motivations and security issues in standards bodies should be dealt with transparently, which all seems like a good take?
The WEI discourse is just getting comical. it may be bad for the open internet, or for the browser ecosystem. but it's not a security flaw.
to say you don't trust google to be part of any security efforts because they tried to put security in a place you don't want it is silly. you're arguing the slippery slope fallacy here, there's no reason to think that carriers would even want any sort of device attestation, or be legally allowed to do that under the terms of their spectrum licenses.
Google is a large company. One part can do good while another part does bad. It's not as if anybody thinks Pichai is directing it all with any success :)
I don't think the stuff in the article is really that great. Google is basically shoring up a few possible avenues of man in the middle attacks.
Meanwhile, the mobile ecosystem is still rife with many other avenues - your MVNO, fractured Ma Bell, Play Services still has outsized privileges on standard Android, most apps aren't E2EE (despite the article's bastardized use of the term), etc. It's just this boring corporate security narrative where we're supposed to continue ignoring the 800lb gorillas selling our personal information into countless surveillance databases and focus on how they're closing down possible independent attackers.
What would be newsworthy is if they were even talking about real security - libre baseband, mitigating protocol identifiers (eg IMEI) that allow for pervasive location tracking, etc.
> Ever since Google dropped WEI into our lives, I feel like they should not be allowed to be a part of any security efforts in any standards body or ecosystem.
Excluding Apple and Google, the remaining bodies are MS, Amazon and Facebook which presence is close to non-existent in the mobile OS market. Good luck with them?
[+] [-] supertrope|2 years ago|reply
There's some regional carriers in rural areas that offer the only coverage available. Like Commnet Wireless (2). These are few and far between and usually they have deployed 3G to their whole footprint. The Big Three are building out native coverage to overlap with them. But by Murphy's Law someone with an Android 14 phone is going to discover that they can't call anything but 911. Ideally there would be a button prompt enabled in No Service situations to re-enable 2G. FCC rules mandate that cellphones must support fallback to null cipher if that's what's needed to connect an emergency call.
(1) https://www.t-mobile.com/support/coverage/t-mobile-network-e...
(2) https://www.cellularmaps.com/regional-carriers/commnet-wirel...
[+] [-] freddie_mercury|2 years ago|reply
A US-only analysis of this seems not especially useful, since Android is used worldwide. If anything it is more popular outside of the US than inside of the US, making US-based analysis even less illuminating.
[+] [-] xxpor|2 years ago|reply
[+] [-] PaulHoule|2 years ago|reply
[+] [-] kmacdough|2 years ago|reply
[+] [-] anonymousiam|2 years ago|reply
TLDR; Cellular providers make money by selling you new equipment, and they will claim a device is unsupported even when it's not true.
[+] [-] mnw21cam|2 years ago|reply
[+] [-] nimbius|2 years ago|reply
[+] [-] debatem1|2 years ago|reply
Getting rid of null ciphers is good though. It would be nice to also refuse weak, export, etc ciphers.
[+] [-] kiwijamo|2 years ago|reply
[+] [-] Narkov|2 years ago|reply
I don't think this setting does what you think it does. The description under this option has a big caveat: "For emergency calls, 2G is always allowed". So even when disabled, the phone can still use 2G networks.
It sounds like this new option is to actually disable all 2G functionality.
[+] [-] secondcoming|2 years ago|reply
I'm pretty sure that it was intended that the OS UI would show you when your connection is unencrypted, but none of them do because that was undesired by state actors.
Also, even if encryption is enabled it's only for the radio part of the data transmission, not handset -> handset. Otherwise you would not be able to make calls to landlines, so isn't it already trivial for a Network Operators to decrypt your raw data? It would help for scenarios like an embassy mounting a fake base station to grab data about protestors outside it, I suppose.
Also, how can they tell if the encryption key is weakened by setting lots of bits to zero, like was done in the original version of GSM?
[+] [-] fodkodrasz|2 years ago|reply
[+] [-] jillesvangurp|2 years ago|reply
[+] [-] major4x|2 years ago|reply
[+] [-] kaba0|2 years ago|reply
I would be happy to have that on a GrapheneOS phone for example, if I hadn't went with Apple.
[+] [-] Angostura|2 years ago|reply
[+] [-] Dah00n|2 years ago|reply
[+] [-] mda|2 years ago|reply
[+] [-] owl57|2 years ago|reply
[+] [-] matheusmoreira|2 years ago|reply
[+] [-] goodpoint|2 years ago|reply
Fix the issue now that GSM calls are rare...
[+] [-] b8|2 years ago|reply
[+] [-] nani8ot|2 years ago|reply
This is great if the phone decides 3G or 2G connectivity is better, but I know the 4G network is faster (still slow). A downside is that if the 4G network is completely overwhelmed (e.g. on a festival), the phone might not receive phone calls or sms it'd receive if it could switch to 2G (happened to me. The phone had 4G connectivity, but SMS didn't work without allowing 2G).
[+] [-] hnburnsy|2 years ago|reply
https://issuetracker.google.com/issues/250529027
[+] [-] Ms-J|2 years ago|reply
[deleted]
[+] [-] smallnix|2 years ago|reply
[+] [-] stonogo|2 years ago|reply
[+] [-] b112|2 years ago|reply
[+] [-] hermitdev|2 years ago|reply
[+] [-] windowsrookie|2 years ago|reply
[+] [-] TheRealPomax|2 years ago|reply
[+] [-] zerof1l|2 years ago|reply
[+] [-] xvilka|2 years ago|reply
[+] [-] 310260|2 years ago|reply
[+] [-] Scene_Cast2|2 years ago|reply
[+] [-] TechBro8615|2 years ago|reply
[+] [-] can16358p|2 years ago|reply
[+] [-] acd|2 years ago|reply
[+] [-] jaimex2|2 years ago|reply
2G is long dead.
[+] [-] jchw|2 years ago|reply
I'll be honest. The stuff in this article is good, if a little underwhelming, but I feel a large amount of distrust for Google nowadays, to the point where what would've felt like unnecessary pessimism now feels only rational to me.
Ever since Google dropped WEI into our lives, I feel like they should not be allowed to be a part of any security efforts in any standards body or ecosystem. How long until carriers try to limit devices that don't support Google Play or Apple remote attestation of some kind?
I don't know what to think or do anymore.
[+] [-] magicalist|2 years ago|reply
Wait, so no Google or Apple employees involved in any standards body security efforts. What about TPM? Better ban employees from Intel, AMD, Qualcomm, Microsoft...who's left?
I mean, that's a take, but it seems like really the take away is that we should be skeptical of company motivations and security issues in standards bodies should be dealt with transparently, which all seems like a good take?
[+] [-] notatoad|2 years ago|reply
to say you don't trust google to be part of any security efforts because they tried to put security in a place you don't want it is silly. you're arguing the slippery slope fallacy here, there's no reason to think that carriers would even want any sort of device attestation, or be legally allowed to do that under the terms of their spectrum licenses.
[+] [-] esafak|2 years ago|reply
[+] [-] mindslight|2 years ago|reply
Meanwhile, the mobile ecosystem is still rife with many other avenues - your MVNO, fractured Ma Bell, Play Services still has outsized privileges on standard Android, most apps aren't E2EE (despite the article's bastardized use of the term), etc. It's just this boring corporate security narrative where we're supposed to continue ignoring the 800lb gorillas selling our personal information into countless surveillance databases and focus on how they're closing down possible independent attackers.
What would be newsworthy is if they were even talking about real security - libre baseband, mitigating protocol identifiers (eg IMEI) that allow for pervasive location tracking, etc.
[+] [-] summerlight|2 years ago|reply
Excluding Apple and Google, the remaining bodies are MS, Amazon and Facebook which presence is close to non-existent in the mobile OS market. Good luck with them?
[+] [-] Kiro|2 years ago|reply
[+] [-] ldehaan|2 years ago|reply
[deleted]
[+] [-] mistercheph|2 years ago|reply
[deleted]
[+] [-] exabrial|2 years ago|reply
[deleted]