The NSA Has Inserted Its Code Into Android OS, Or Three Quarters Of All Smartphones

Tyler Durden's picture

Over a decade ago, it was discovered that the NSA embedded backdoor access into Windows 95, and likely into virtually all other subsequent internet connected, desktop-based operating systems. However, with the passage of time, more and more people went "mobile", and as a result the NSA had to adapt. And adapt they have: as Bloomberg reports, "The NSA is quietly writing code for Google’s Android OS."

Is it ironic that the same "don't be evil" Google which went to such great lengths in the aftermath of the Snowden scandal to wash its hands of snooping on its customers and even filed a request with the secretive FISA court asking permission to disclose more information about the government’s data requests, is embedding NSA code into its mobile operating system, which according to IDC runs on three-quarters of all smartphones shipped in the first quarter? Yes, yes it is.

Google spokeswoman Gina Scigliano confirms that the company has already inserted some of the NSA’s programming in Android OS. "All Android code and contributors are publicly available for review at source.android.com," Scigliano says, declining to comment further.

From Bloomberg:

Through its open-source Android project, Google has agreed to incorporate code, first developed by the agency in 2011, into future versions of its mobile operating system, which according to market researcher IDC runs on three-quarters of the smartphones shipped globally in the first quarter. NSA officials say their code, known as Security Enhancements for Android, isolates apps to prevent hackers and marketers from gaining access to personal or corporate data stored on a device. Eventually all new phones, tablets, televisions, cars, and other devices that rely on Android will include NSA code, agency spokeswoman Vanee’ Vines said in an e-mailed statement. NSA researcher Stephen Smalley, who works on the program, says, “Our goal is to raise the bar in the security of commodity mobile devices.”

See, there's no need to worry: the reason the NSA is generously providing the source code for every Google-based smartphone is for your own security. Oh but it's open-sourced, so someone else will intercept any and all attempts at malice. We forgot.

The story continues:

In a 2011 presentation obtained by Bloomberg Businessweek, Smalley listed among the benefits of the program that it’s “normally invisible to users.” The program’s top goal, according to that presentation: “Improve our understanding of Android security.”

Well, one wouldn't want their bug to be visible to users now, would one...

Vines wouldn’t say whether the agency’s work on Android and other software is part of or helps with Prism. “The source code is publicly available for anyone to use, and that includes the ability to review the code line by line,” she said in her statement. Most of the NSA’s suggested additions to the operating system can already be found buried in Google’s latest release—on newer devices including Sony’s Xperia Z, HTC’s One, and Samsung Electronics’ Galaxy S4. Although the features are not turned on by default, according to agency documentation, future versions will be. In May the Pentagon approved the use of smartphones and tablets that run Samsung’s mobile enterprise software, Knox, which also includes NSA programming, the company wrote in a June white paper. Sony, HTC, and Samsung declined to comment.

Apple appears to be immune from this unprecedented breach of customer loyalty, if only for now, although open-sourced Linux may not be as lucky:

“Apple (AAPL) does not accept source code from any government agencies for any of our operating systems or other products,” says Kristin Huguet, a spokeswoman for the company. It’s not known if any other proprietary operating systems are using NSA code. SE for Android is an offshoot of a long-running NSA project called Security-Enhanced Linux. That code was integrated a decade ago into the main version of the open-source operating system, the server platform of choice for Internet leaders including Google, Facebook (FB), and Yahoo! (YHOO). Jeff Zemlin, the executive director of the Linux Foundation, says the NSA didn’t add any obvious means of eavesdropping. “This code was peer-reviewed by a lot of people,” he says.

But that's not all:

The NSA developed a separate Android project because Google’s mobile OS required markedly different programming, according to Smalley’s 2011 presentation. Brian Honan, an information technology consultant in Dublin, says his clients in European governments and multinational corporations are worried about how vulnerable their data are when dealing with U.S. companies. The information security world had been preoccupied with Chinese hacking until recently, Honan says. “With Prism, the same accusations can be laid against the U.S. government.”

In short: the (big brother supervised) fun never stops in Stasi 2.0 world. Just buy your 100 P/E stocks, eat your burgers, watch your Dancing With The Stars, pay your taxes, and engage in as much internet contact with other internet-addicted organisms as possible and all shall be well.

Oh, and from this...

To this (courtesy of @paradism_)


CPL's picture

Wipe the rom and roll your own.

http://www.tabletroms.com/

Some good stuff in there. Couple wickedly extend battery life.

wintermute's picture

"Security-Enhanced"

21st Century Orwellian double-speak for "Enhanced Spyware" which is used on the sheeple.

Pladizow's picture

Can you hear me now?

A rhetorical question that Verizon originally asked the NSA!

Raymond K Hessel's picture

The original IP tech was designed to be used over the AM radio frequency.  Anyone know if this is true?

philipat's picture

Paraphrased quote Obozo: "You can talk about Big Brother and all. If there are concerns about privacy then that's a debate we should have"

Um....When?

"But if you don't trust your Government, The Courts and the Congress, then we are going to have some problems"

Roger that. And stop calling me Shirley.

IndicaTive's picture

Stop being so paranoid. Google lets you go "incognito mode." Safe AND anonymous. Right?

Ban KKiller's picture

"Fingerprint File" Rolling Stones...It's only Rock 'n' Roll. They knew!

The Thunder Child's picture

I understand the Amish a little bit more everyday....

Zer0head's picture

if it saves just one life or protects us from insider threat behavior

it is all worth it

akak's picture

Banning all air and automobile travel would save far more than one life, so it is necessary and logical to do so, yes?

Zer0head's picture

that appears to be the logic used by the majority of Americans of course that majority would have a difficult time understanding said logic

Just giv'em thar TeeVee to watch sports on and a bowl full of doritos and all is right with the world

King_of_simpletons's picture

SELinux, SE Android has got nothing to do with snooping and exposing one's privacy. NSA developed SELinux initially in conjunction with open-source community and is now only in an advisory role to companies like www.tresys.com & Red Hat that develop policies on a full time basis.

SELinux, as I know it in its current form, is only used for securing individual systems from vulnerabilities post penetration attack.

Think for yourself's picture

Hacker wisdom, not so "tin-foil" anymore:
Can't trust the OS unless if you coded it
Can't trust the code unless if you compiled it
Can't trust the executable unless if you coded the compiler
Can't trust the compiler unless if you wrote the architecture
Can't trust the architecture unless if you fabbed the chip

How far down the rabbit hole do you want to go? I know very little about serious crypto, but enough to understand this. And if I do, I don't want to know what the NSA can do. At this point, I just use vanilla google os, assume I'm treading enemy territory and that for some reason they're letting me tread it out of the "kindness of their own heart"... there's no other way about it.

Skateboarder's picture

You can build a computer entirely out of NAND/NOR gates, NOT gates, and D Flip-Flops. Of course, it will be the size of a car.

FEDbuster's picture

or you could just pull the plug (see Amish reference above).

flacon's picture

"which according to IDC runs on three-quarters of all smartphones shipped in the first quarter?"

So that's why AAPL stock is down. 

limit_less's picture

flacon - Because they are not co-operating?

GetZeeGold's picture

I don't have a smart phone....cause I'm smart.

All my cell phone can do is take phone calls....that and it's got a calculator.....but I never use that.

TerminalDebt's picture

If it saves one overpaid underworked government job it's all worth it

swiss chick's picture

+1

For some reason I can't up arrow you...

lewy14's picture

slightly realistic option for the dedicated:

- use an FPGA - plenty big enough. Get an eval board with plenty of flash, or a USB connector for a flash drive. And an Ethernet port. No need to fab a chip, or a board for that matter.

- use an open source, synthesizable CPU core from OpenCores. There are GCC ports for it. Bonus (if you know what you're doing): randomize the instruction set encoding some. It only affects a few header files.

- cross-compile yourself some little network stack - ssh, true crypt, proxy server, email server, ftp, etc - from open source.

The resulting machine will be pretty weak (32 bit, will run a few hundred MHz tops; a few GB of flash) but sufficient to run a little net stack.

Build it into a tiny enclosure, plug into a router where you can hide it (you can probably rig it to be powered from the ethernet connection - don't bother with WiFi) and you will have something that will be quite a challenge to hack. It would be big enough to host some primitive BBS software for a few dozen people to collaborate.

I was seriously thinking of doing this as a hobby project a few years ago; I figured it was just stupid and nobody would care... now it seems like it might be interesting...

kralizec's picture

For the Tech-impaired...what's all that mean?

Oh, forget it.  I can either choose to keep my smartphone and torment the listeners...or just smash it to bits.

akak's picture

Or, you can do what the sanest among us have always done, and continue to do: live without a fucking cell phone.

Somehow, life did manage to go on before the advent of cell phones, and I feel absolutely no hole in my life for never having had one --- quite the opposite in fact.

aerojet's picture

You can maybe stop at the OS--the hardware isn't going to do something you don't tell it to do. Then again, there could be microcode embedded in there to snoop, but it wouldn't necessarily work if you put a new, unrecognized OS on top of it. All network hardware is designed with snooping in mind now--it's been known for at least a decade or more that Cisco switches and all telecom equipment have to be bug-able by law.

Suisse's picture

SELinux is generally disabled as it interferes with tons of stuff. I almost never leave it on as it's a nightmare to allow applications to function with it on.

malikai's picture

Correct. SE is not a threat, but it is a good counter-threat for post-breach control. This article either stems from a clear lack of understanding towards what SE is or it is an attempt to divert anger to places where it can be easily discredited.

Pay attention TD.

Max_Power's picture

Agreed.  I do love ZH but, every once in a while the paranoia spins out of control.

It is, in fact, open source.  Anybody can look at the code that NSA wrote to verify its innocence or insidiousness.  That it's meant to be transparent to users does not mean that they're hiding something.  In the computer world, this means it's an improvement that does not impact the user/usability of the end product.  

Just because the NSA has done bad things does not mean that everything they do is bad.  It's a bit McCarthyist to believe that EVERYTHING the NSA does is evil.

freet0pian's picture

Like "Think for yourself" pointed out it's not that simple, so you might want to refrain posting on matters you don't understand.

Are the drivers open source? Are google apps that come with it open source? Can you compile the OS for Galaxy S1-4 etc. yourself?

There is plenty of space the NSA back doors can be hiding. You can even introduce some hard to detect coding "flaw" in plain view in the truly open source portion of the system that makes the phone susceptible for attacks.

So let's recap the dark waters of code NSA might be lurking in:

1. Drivers

2. Google's own closed apps

3. OEM changes to the OS

4. OEM apps

5. Other closed bloatware

6. The cross compiler

7. CPU or other chip microcode (not that likely)

8. Ethernet, Wifi, cellular or other peripheral flash, rom or eeprom

9. The guy or company compiling the OS or apps for you

10. A hard to detect flaw in the open source code

Me thinks the boat got some holes.

Ranger4564's picture

You might think you're being sarcastic, but part of the feudal structure is restricted travel... there is a reason roadways were private and you had to pay toll. Some people, colloquially referred to as slaves, were prohibited from travel. So the logic flows, but you haven't yet accepted the depths of this cesspool.

I wrote about 3 years ago, that the roads will be transferred to the banks as collateral confiscated when the states cannot pay their debts. In Greece, the banks intended to confiscate shipping, train, and mass transit, to cripple movement. It's not even a stretch to imagine that the bankers will one day restrict mobility... DHS is ready.

aerojet's picture

Restricting travel would be the hill DHS dies on.

macholatte's picture

I believe it has already been well documented that EVERYTHING affiliated with Google is bugged by Google as well as anything they can get their hands on (see Google Earth street view spying and data mining). The NSA, and others, have learned quite a lot from Google. All of it done under the pretext of "market samples for advertising" and "providing the user with an enhanced experience" and other such crap.

Has any government official in any jurisdiction in any country, city, state or province ever tried to pass a law that privacy is inherent and that one should have to "opt-in" instead of having to "opt-out"?

"A few agents of the thought Police moved always among them, spreading false rumours and marking down and eliminating the few individuals who were judged capable of becoming dangerous..."

-- Orwell 1984

FreedomGuy's picture

Yes, yes, but it is all good for us. You give up an insignificant amount of freedom and the NSA will only use all your private information for your good to protect you from those invisible bad guys out there.

Now, if you happen to run against your local incumbent your sexting and private photos will magically and accidentally appear during the campaign. You will definitely get an apology and a promise to "fully investigate" the matter at some nebulous time in the future.

whotookmyalias's picture

(You guys kill me, it is next to impossible to get anything on the front page of comments)

It appears that this may not be a new issue:

http://www.wired.com/politics/security/commentary/securitymatters/2006/05/70886

OK, tin foil hat back on for now.

/sarc

matrix2012's picture

European Politicians Are Realizing – Blackmail is the Game

A revelation is dawning that the excuse of the NSA looking for terrorists but taking absolutely everything, is at last causing a light to go off. European politicians realize that they are targets and the name of the game is to blackmail anyone that the NSA simply does not like.

They realize that the New York Attorney General Eliot Spitzer was targeted when he tried to go after the Wall Street Investment Bankers everyone today calls the UNTOUCHABLES. After he got rid of Hank Greenberg at AIG for Wall Street not realizing he was doing them a service, when he turned on them that was his serious mistake. They suddenly discovered checks to a hooker and his hotel in Washington was bugged when he met with her. Since then, no one has dared to investigate Wall Street.

"This is not about terrurizts. This is about monitoring society and blackmailing politicians to do as the unelected bureaucracy demands."

Behind the Curtain politicians are targets NOT TERRURIZTS and the agenda is to blackmail them to direct the political changes the UNELECTED bureaucracy demands. This is the real object of collecting absolutely everything.
* * * * *

See also "US Spying on EU – A Big Charade?"

The documents, seen by the Observer, show that – in addition to the UK – Denmark, the Netherlands, France, Germany, Spain, and Italy have all had formal agreements to provide communications data to the US. They state that the EU countries have had “second and third-party status” under decades-old signal intelligence (Sigint) agreements that compel them to hand over data which, in later years, experts believe, has come to include mobile phone and internet data.

Under the international intelligence agreements, nations are categorised by the US according to their trust level. The US is defined as ‘first party’ while the Anglo-Saxon sphere: UK, Canada, Australia and New Zealand enjoy ‘second party’ trusted relationships. Countries such as Germany and France have ‘third party’, or less trusted, relationships.

How to identify a limited hangout op? By Dr. Webster Griffin Tarpley

The operations of agencies aiming at the manipulation of public opinion generally involve a combination of cynical deception with the pathetic gullibility of the targeted populations.

Additional info and analysis about 'Elvis' recent highlighted shows are also available at Gordon Duff's collection of articles at Veterans Today.

aerojet's picture

The problem with the whole "looking for terrorists" theme is that there aren't enough terrorists out there. If you consider that a database error rate runs 5-15% best case, and if the percentage of the population that is a terrorist is a micro-fraction of 1%, say, 0.0001%, you kind of see the problem here--it is impossible to detect a terrorist from random noise. No amount of sophisticated technology and behavior recognition is going to help. The best you can do is maybe do a longitudinal study of specific individuals. Our government doesn't do that, however. They are trying to mass surveil while baiting suspects with entrapment schemes. It's all a crock of shit.

Dick Buttkiss's picture

So let's delve a little deeper into Orwell's thought via the so-called "book within the book" — http://en.wikipedia.org/wiki/The_Theory_and_Practice_of_Oligarchical_Col... — wherein he lays out the "controlled insanity" by which The Party exercises absolute dominion over everyone, quite literally in thought, word, and deed:

With the development of television, and the technical advance which made it possible to receive and transmit simultaneously on the same instrument, private life came to an end. Every citizen, or at least every citizen important enough to be worth watching, could be kept for twenty-four hours a day under the eyes of the police and in the sound of official propaganda, with all other channels of communication closed. The possibility of enforcing not only complete obedience to the will of the State, but complete uniformity of opinion on all subjects, now existed for the first time. 

. . .

[The Party] systematically undermines the solidarity of the family, and it calls its leader by a name which is a direct appeal to the sentiment of family loyalty. Even the names of the four Ministries by which we are governed exhibit a sort of impudence in their deliberate reversal of the facts. The Ministry of Peace concerns itself with war, the Ministry of Truth with lies, the Ministry of Love with torture and the Ministry of Plenty with starvation. These contradictions are not accidental, nor do they result from ordinary hypocrisy; they are deliberate exercises in doublethink. For it is only by reconciling contradictions that power can be retained indefinitely. In no other way could the ancient cycle be broken. If human equality is to be for ever averted — if the High, as we have called them, are to keep their places permanently — then the prevailing mental condition must be controlled insanity.

 . . .

On the other hand [the individual's] actions are not regulated by law or by any clearly formulated code of behaviour. In Oceania there is no law. Thoughts and actions which, when detected, mean certain death are not formally forbidden, and the endless purges, arrests, tortures, imprisonments, and vaporizations are not inflicted as punishment for crimes which have actually been committed, but are merely the wiping-out of persons who might perhaps commit a crime at some time in the future.

. . .

War is now a purely internal affair. In the past, the ruling groups of all countries, although they might recognize their common interest and therefore limit the destructiveness of war, did fight against one another, and the victor always plundered the vanquished. In our own day they are not fighting against one another at all. The war is waged by each ruling group against its own subjects, and the object of the war is not to make or prevent conquests of territory, but to keep the structure of society intact. The very word 'war', therefore, has become misleading. It would probably be accurate to say that by becoming continuous war has ceased to exist. The peculiar pressure that it exerted on human beings between the Neolithic Age and the early twentieth century has disappeared and been replaced by something quite different. The effect would be much the same if the three super-states [the equivalent of the U.S., China, and Russia, as well as their satellites], instead of fighting one another, should agree to live in perpetual peace, each inviolate within its own boundaries. For in that case each would still be a self-contained universe, freed for ever from the sobering influence of external danger. A peace that was truly permanent would be the same as a permanent war. This — although the vast majority of Party members understand it only in a shallower sense — is the inner meaning of the Party slogan: War is Peace.

The fiendish irony, of course, is that by "everyone," Orwell does in fact mean everyone. All are under the domination of Big Brother, and thus everyone is at war with everyone else, such that Hobbes' thesis that Leviathan is necessary to preclude a "war of all against all" is precisely what Leviathan descends into.

Thus is the U.S. Surveillance State merely fulfilling Orwell's prophecy, as it daily plunges the world deeper into the ordered chaos of abject sociopathy.

macholatte's picture

The genius of Orwell (Eric Arthur Blair (25 June 1903 – 21 January 1950), known by his pen name George Orwell) was that he pretty much had it figured out long before TV. But so did the Founding Fathers long before Orwell and Sun Tzu long before them, as well as many others. So what does that tell you.... human nature does not change. The behaviour of dictators & tyrants is the same since the beginning of time to Caesar to Mao to Barry. The behaviour of the sheeple is also well documented.

prains's picture

and every so often a cleansing tonic starts the whole process over again

aerojet's picture

Most discussions of 1984 come to the conclusion that Orwell was writing about his time--he experienced all of it during WWII.  It was not that genius, in other words.

BLOTTO's picture

01001110 01101111 01110100 01101000 01101001 01101110 01100111 00100000 01001110 01100101 01110111 00100000 01010101 01101110 01100100 01100101 01110010 00100000 01110100 01101000 01100101 00100000 01010011 01110101 01101110 00001101 00001010 01001000 01101001 01110011 01110100 01101111 01110010 01111001 00100000 01101001 01110011 00100000 01110010 01100101 01110000 01100101 01100001 01110100 01101001 01101110 01100111 00100000 01101001 01110100 01110011 01100101 01101100 01100110

Bearwagon's picture

01000001 01101100 01101100 00100000 01111001 01101111 01110101 01110010 00100000 01100010 01101001 01101110 01100001 01110010 01101001 01100101 01110011 00100000 01100001 01110010 01100101 00100000 01100010 01100101 01101100 01101111 01101110 01100111 00100000 01110100 01101111 00100000 01110101 01110011 00100001

clones2's picture

01001001 00100000 01110100 01101111 01110100 01100001 01101100 01101100 01111001 00100000 01101000 01100001 01100100 00100000 01110100 01101111 00100000 01100111 01101111 01101111 01100111 01101100 01100101 00100000 01110100 01101000 01101001 01110011

BLOTTO's picture

01100100 01101111 01110101 01100010 01101100 01100101 00100000 01110000 01101111 01110011 01110100

HardAssets's picture

Thanks for the link. It's great to have all the pages in The Book in one place. 1984 is the work of a genius.

Thankfully, in addition to my third party erasable Kindle edition, - - -I have several copies in good, old fashioned paper.

Kiwi Pete's picture

Is that why they called it the Patriot Act? Big brother must think you're stupid.

matrix2012's picture

George Orwell - Complete works, Biography, Quotes, Essays

http://www.george-orwell.org/
cynicalskeptic's picture

'Stop being so paranoid. Google lets you go "incognito mode." Safe AND anonymous. Right?'

I thought 'incognito' was a signal to start recording ALL activity so they'd have easier access to all the stuff needed to blackmail you..... and you thought your obsession with big-boobed dwarfs and farm animals was a secret.......

by the way - that 'live chat/private show' you had with shortnsexxxxy38g is STILL near the top of the NSA's 'all time favorites' list