189

Fairphone 4 is making hundreds of unwanted connections per day, to the same addresses. (lemmy.world)

submitted 10 months ago by Cossty@lemmy.world to c/privacy@lemmy.ml

59 comments fedilink hide all child comments

So I got Fairphone 4, with /e/ os, a couple of days ago. When I connected it to my NextDNS I saw that it was trying to connect to some weird addresses, like every 5-10 minutes. I searched Internet a bit and found out that it was something with snapdragon cpu and location services. I travel a lot and use Organic Maps for navigation, so location was enabled almost all day on the phone. I turned off location services and connections stopped, and everything was fine for a couple of days.

Today I came home, checked logs in NextDNS and saw that phone started doing the same connections almost constantly even with location turned off.

Can I do something about this, other than allowing these connections? These connections are probably so numerous because they are getting blocked. If I allowed them, phone would maybe call home once in a couple of hours. I would rather not allow them, but I don't want 20% of battery to be eaten by this.

top 50 comments

sorted by: hot top controversial new old

[-] MigratingtoLemmy@lemmy.world 126 points 10 months ago* (last edited 10 months ago)

I found a few links summarising this:

https://old.reddit.com/r/nextdns/comments/14919dp/randomly_pathnxtracloudnet_is_stopped_getting/jo5n5va/
- It's Qualcomm's URL for downloading assisted GPS almanac days
https://teddit.net/r/privacy/comments/12yii9u/comment/jhojlr7/
Graphene OS' relevant documentation: https://grapheneos.org/faq#default-connections

On 4th and 5th generation Pixels (which use a Qualcomm baseband providing cellular, Wi-Fi, Bluetooth and GNSS in separate sandboxes), almanacs are downloaded from https://qualcomm.psds.grapheneos.org/xtra3Mgrbeji.bin which is a cache of Qualcomm's data. Alternatively, the standard servers can be enabled in the Settings app which will use https://path1.xtracloud.net/xtra3Mgrbeji.bin, https://path2.xtracloud.net/xtra3Mgrbeji.bin and https://path3.xtracloud.net/xtra3Mgrbeji.bin. GrapheneOS improves the privacy of Qualcomm PSDS (XTRA) by removing the User-Agent header normally containing an SoC serial number (unique hardware identifier), random ID and information on the phone including manufacturer, brand and model. We also always fetch the most complete XTRA database variant (xtra3Mgrbeji.bin) instead of model/carrier/region dependent variants to avoid leaking a small amount of information based on the database variant.

Note sure if e/OS/ has taken as much care as Graphene has to make the requests more private. Then again, they don't claim to be the most private OS, just De-Googled.

Edit: this is also a good read for further attempts to make your device more private: https://grapheneos.org/faq#other-connections

[-] Cossty@lemmy.world 10 points 10 months ago

Android is so troublesome, I am tempted to just install Ubuntu Touch and be done with this.

[-] Deckweiss@lemmy.world 45 points 10 months ago

I have a linux phone on the shelf, because in real life I need apps that are only available on android ...

load more comments (8 replies)

[-] MigratingtoLemmy@lemmy.world 17 points 10 months ago

Ah, it's just a quirk of e/OS/. Nothing much - and you can run a DNS filter on your mobile to get rid of this problem (Bonus: won't take too much of battery since it'll not be operating a VPN since you're root)!

I haven't heard much about Ubuntu Touch - does it work well?

[-] Cossty@lemmy.world 2 points 10 months ago

I am kind of new to all these privacy things. So what do you exactly mean by getting rid of this problem? I have DNS which blocks these connections but phone is still making them. How can I make the phone stop doing that?

Ubuntu Touch is just a linux distro for your phone. I actually haven't used it yet, but according to their website, the Fairphone 4 has really good support. So I might try it.

[-] MigratingtoLemmy@lemmy.world 7 points 10 months ago* (last edited 10 months ago)

Ah, I didn't manage to recollect your mention of NextDNS in your post. There's no need to change anything regarding your DNS settings in such a case; it won't take much of your battery.

Here's a related discussion on the /e/OS forum: https://community.e.foundation/t/qualcomm-chipsets-data-collection-linked-to-the-a-gps-service-in-e-os/48982. Note that the domain mentioned in the discussion is izatcloud.net, however, for your purposes you can consider it the same as the domains you're seeing.

What can /e/OS do?

The SUPL-A/GPS case is well-know for a long time. Though it’s probably a low impact case in term of user’s privacy, we are evaluating how to prevent or mitigate it in /e/OS.

Options we have today:

Block SUPL requests using /e/OS’ Advanced Privacy tracker control. But that would probably kill the A/GPS service, making the GPS location service very, very slow.

Proxy SUPL requests to anonymize their originr. That’s an option but it can be blocked if we send too much traffic to the SUPL servers. This would likely happen because /e/OS has a lot of users, and would have an impact in term of service continuity.

Figure out how /e/OS users can use Advanced Privacy IP scrambling features to fake SUPL calls origin IP address.

…?

You might want to try option 1 and check. Please revert back to this comment after attempting to do so, so that others can benefit from this idea.

XTRA uploads the following data types: a randomly generated unique ID, the chipset name and serial number, XTRA software version, the mobile country code and network code (allowing identification of country and wireless operator), the type of operating system and version, device make and model, the time since the last boot of the application processor and modem, and a list of our software on the device

They just forgot to mention that this data is sent with no encryption (except in the xtra3grc.bin format, hope that they’re exclusively using that now…). Of course it should be blocked. But it’s necessary to allow one of those 3 domains in order to make the GPS work properly.

And here's the Wikipedia article on what is it that the Qualcomm chip is trying to gather: https://en.wikipedia.org/wiki/Assisted_GNSS

[-] Cossty@lemmy.world 4 points 10 months ago

Thx for very detailed reply. I was trying to do the option 1, but I couldnt find how to do that. I am guesing that because dns is blocking the requests they dont show in the app. That would mean the app and dns are doing the same thing, so it doesnt really help.

I might just allow them, because I need the gps to work properly.

[-] MigratingtoLemmy@lemmy.world 2 points 10 months ago

I don't have experience with e/OS/, I can only really say what I gather from their documentation.

Note that:

when I activate fake location in AP but keep location turned off in system settings the app organic maps does not show my fake location but asks me to enable location. Therefore I presume: Yes, location off in system settings means no location for any app.

The thing about modern android and location settings is that when it is turned off that also means the GPS. So probably correct, no location for any app.

Link to discussion: https://community.e.foundation/t/advance-privacy-fake-location-with-location-turned-off/50052

I would suggest utilising the Fake my location toggle for when you would not like apps to access your location, however, I am not sure if it will work against requests from low-level firmware such as directly from a Qualcomm chip. That's a question for the developers.

Another point that is mentioned in this post is the fact that tracker detection and blocking (which is now native to e/OS/) can't work with DoT providers like NextDNS. Indeed, the app and the DNS filters you're using with your DNS provider attempt to do the same thing here.

Note that the “tracker manager” of Advanced Privacy can’t work with DNS over TLS (DoT).

load more comments (1 replies)

[-] lemann@lemmy.one 47 points 10 months ago

The Qualcomm chipset is making these requests, most likely for GPS almanac data (satellite positioning).

Older chipsets send these almanac requests to izatcloud.net, unencrypted, containing your IMEI. No idea if newer chipsets have improved things though.

[-] SpaceNoodle@lemmy.world 5 points 10 months ago

Chipsets don't make network requests. More likely some closed-source platform service does.

[-] noride@lemm.ee 14 points 10 months ago

That really isn't entirely true anymore since the TPM ecosystem came into existence. I can remotely wipe any pc at my company even if it's stolen and reformatted because a hardware chip will phone home the second a compatible os is installed and internet access is available.

[-] skullgiver@popplesburger.hilciferous.nl 16 points 10 months ago* (last edited 9 months ago)

[This comment has been deleted by an automated system]

[-] MigratingtoLemmy@lemmy.world 4 points 10 months ago

I think unless the HAP bit is specifically set to 1, Intel ME is still active on consumer boards, just without an interface for the OS to interact with it. Not sure if someone has hacked an OEM UEFI/BIOS to interact with it, but I have seen a different MAC address from my PC on my network before, and this is without any virtual adapters. This is the only explanation I can come up with.

[-] skullgiver@popplesburger.hilciferous.nl 2 points 10 months ago* (last edited 9 months ago)

[This comment has been deleted by an automated system]

[-] MigratingtoLemmy@lemmy.world 2 points 10 months ago* (last edited 10 months ago)

Thanks for your comment, much appreciated! Could you provide a source for someone who has reverse-engineered a recent version of ME and has found not much incriminating behaviour for consumer motherboards?

Unfortunately, me_cleaner doesn't seem to work too well with newer chips. Fortunately for me, I'm planning to purchase older computers, but for people who aren't, this doesn't help much (as far as I can see).

Thank you for the idea of extracting the BIOS to enable the HAP bit. Won't it require some serious reverse-engineering chops to find the HAP bit and enable it inside of such a binary blob? I'm not really used to Ghidra yet haha.

If I remember correctly, ME uses its own MAC address, but the same IP address of the host. Or maybe this is no longer the case. How would it extract packets though? Won't that require serious compute power? Or does it look for packets with specific labels identifying them?

Thanks for letting me know about MEinfoWIN. I'll try and find it!

[-] skullgiver@popplesburger.hilciferous.nl 3 points 10 months ago* (last edited 9 months ago)

[This comment has been deleted by an automated system]

[-] MigratingtoLemmy@lemmy.world 2 points 10 months ago

Thank you, that clears it up. I'm not as informed on this matter as I used to be in the past, apologies for any assumptions I might have made.

Thanks for the link and the link to the PR, I might try this with a PC or two in time. Do I need Intel Audio for Pipewire to work? I didn't quite grasp the ramifications of certain parts of the firmware not working such as Audio and Sleep; would I need to find a software solution for Sleep? Also, will this affect C-states by any chance?

That makes a lot of sense. Maybe I was looking at something different in my network at that point. Thanks again!

[-] PipedLinkBot@feddit.rocks 1 points 10 months ago

Here is an alternative Piped link(s):

deep dives like these

Piped is a privacy-respecting open-source alternative frontend to YouTube.

I'm open-source; check me out at GitHub.

[-] noride@lemm.ee 1 points 10 months ago

For what it's worth, I did specifically say ecosystem because the TPM is just one component, which is required to authenticate the remote wipe. Also the drivers are installed automatically with most modern operating systems, it's not like you install your own south bridge driver, for example. Linux of course notwithstanding.

I've seen it used successfully numerous times. Someone steals one of our laptops, rips the drive out, installs vanilla windows, and boom it reboots and performs a wipe.

Regardless, system-on-a-chip are just that, systems; they can absolutely make remote calls without user interaction, just as intimated by the comment you originally replied to.

[-] skullgiver@popplesburger.hilciferous.nl 1 points 10 months ago* (last edited 9 months ago)

[This comment has been deleted by an automated system]

[-] Cossty@lemmy.world 4 points 10 months ago

How do you deal with this? Or are you using iPhone or something else?

[-] lemann@lemmy.one 6 points 10 months ago* (last edited 10 months ago)

I don't ☹️

There is a hidden LocationServices system app from Qualcomm that proxies the communication on some devices - however removing this causes a bootloop from what I've read, and would prevent Android from being able to identify your location even if it didn't cause a bootloop.

I use a Fairphone 3 though with a bunch of Google services in the stock OS disabled, so I've settled for just keeping my location data out of Google's hands

Edit: add info

[-] SpaceNoodle@lemmy.world 3 points 10 months ago

Just decompile Qualcomm's platform service and stub out the right system calls!

[-] kionite231@lemmy.ca 5 points 10 months ago

"Just"

[-] SpaceNoodle@lemmy.world 1 points 10 months ago

You get pretty good at it after you do a couple. I also came up with a way to manually start a platform service with strace and a custom SELinux context, but that was a few years ago and I left all of that work with my previous employer.

[-] Cossty@lemmy.world 2 points 10 months ago

I actually wanted to get a Fairphone 3 because of headphone jack but I got really good deal on a Fairphone 4 so I took it instead.

[-] MigratingtoLemmy@lemmy.world 2 points 10 months ago

however removing this causes a bootloop from what I’ve read

Is this document for every Qualcomm device? I'd be interested to remove such calls from my system if possible, but I'm no systems expert, and unlike the other commenter I don't think I'll be able to decompile Qualcomm's platform service just to remove a few system calls.

[-] simonmicro@programming.dev 20 points 10 months ago

Well, sounds like blocking them is bad: https://gitlab.com/CalyxOS/calyxos/-/issues/370

[-] 0x2d@lemmy.ml 9 points 10 months ago

you can get calyx os for it (graphene isn't supported)

[-] schnapspraline@lemmy.world 4 points 10 months ago

Apparently calyx wouldn't help. https://gitlab.com/CalyxOS/calyxos/-/issues/370

load more comments

this post was submitted on 27 Oct 2023

189 points (95.7% liked)

Privacy

31172 readers

389 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

Chat rooms

[Matrix/Element]Dead
Discord

much thanks to @gary_host_laptop for the logo design :)

founded 4 years ago

MODERATORS