Category Archives: Cyber War

Hey Android Users, How about that Bundled Permission Thing

Posted on by

A few members of congress did ask Mark Zuckerberg about bundled permissions and Zuckerberg played dumb on the question. Remember that thing when your phone asks for permission to post to Facebook? Well it goes across all your synchronized  devices. What? uh huh…read on.

  This screen in the Messenger application offers to conveniently track all your calls and messages. But Facebook was already doing this surreptitiously on some Android devices until October 2017, exploiting the way an older Android API handled permissions.

Better check and ask some harder questions…..

[Update, March 25, 2018, 20:24 Eastern Time]: Facebook has responded to this and other reports regarding the collection of call and SMS data with a blog post that denies Facebook collected call data surreptitiously. The company also writes that it never sells the data and that users are in control of the data uploaded to Facebook. This “fact check” contradicts several details Ars found in analysis of Facebook data downloads and testimony from users who provided the data. More on the Facebook response is appended to the end of the original article below.

This past week, a New Zealand man was looking through the data Facebook had collected from him in an archive he had pulled down from the social networking site. While scanning the information Facebook had stored about his contacts, Dylan McKay discovered something distressing: Facebook also had about two years’ worth of phone call metadata from his Android phone, including names, phone numbers, and the length of each call made or received.

This experience has been shared by a number of other Facebook users who spoke with Ars, as well as independently by us—my own Facebook data archive, I found, contained call-log data for a certain Android device I used in 2015 and 2016, along with SMS and MMS message metadata.

In response to an email inquiry by Ars about this data gathering, a Facebook spokesperson replied, “The most important part of apps and services that help you make connections is to make it easy to find the people you want to connect with. So, the first time you sign in on your phone to a messaging or social app, it’s a widely used practice to begin by uploading your phone contacts.”

The spokesperson pointed out that contact uploading is optional and installation of the application explicitly requests permission to access contacts. And users can delete contact data from their profiles using a tool accessible via Web browser.

Facebook uses phone-contact data as part of its friend recommendation algorithm. And in recent versions of the Messenger application for Android and Facebook Lite devices, a more explicit request is made to users for access to call logs and SMS logs on Android and Facebook Lite devices. But even if users didn’t give that permission to Messenger, they may have given it inadvertently for years through Facebook’s mobile apps—because of the way Android has handled permissions for accessing call logs in the past. (For Facebook’s instructions on turning off continuous contact uploading, go here. )

If you granted permission to read contacts during Facebook’s installation on Android a few versions ago—specifically before Android 4.1 (Jelly Bean)—that permission also granted Facebook access to call and message logs by default. The permission structure was changed in the Android API in version 16. From Android 4.1 on, a single request from those applications would trigger two separate permission requests.

But until the “Marshmallow” version of Android, even with split permissions, all permissions could still be presented all at once, without users getting the option to decline them individually. So Facebook and other applications could continue to gain access to call and SMS data with a single request by specifying an earlier Android SDK version. Starting with Marshmallow, users could toggle these permissions separately themselves. But as many as half of Android users worldwide remain on older versions of the operating system because of carrier restrictions on updates or other issues.

Apple iOS has never allowed access to call log data by third-party apps, overt or silently, so this sort of data acquisition was never possible.

Facebook provides a way for users to purge collected contact data from their accounts, but it’s not clear if this deletes just contacts or if it also purges call and SMS metadata. After purging my contact data, my contacts and calls were still in the archive I downloaded the next day—likely because the archive was not regenerated for my new request. (Update: The cached archive was generated once and not updated on the second request. However, two days after a request to delete all contact data, the contacts were still listed by the contact management tool.)

As always, if you’re really concerned about privacy, you should not share address book and call-log data with any mobile application. And you may want to examine the rest of what can be found in the downloadable Facebook archive, as it includes all the advertisers that Facebook has shared your contact information with, among other things.

Update, March 25, 2018, continued:

Facebook responded to reports that it collected phone and SMS data without users’ knowledge in a “fact check” blog post on Sunday. In the response, a Facebook spokesperson stated:

Call and text history logging is part of an opt-in feature for people using Messenger or Facebook Lite on Android. This helps you find and stay connected with the people you care about, and provide you with a better experience across Facebook. People have to expressly agree to use this feature. If, at any time, they no longer wish to use this feature they can turn it off in settings, or here for Facebook Lite users, and all previously shared call and text history shared via that app is deleted. While we receive certain permissions from Android, uploading this information has always been opt-in only.

This contradicts the experience of several users who shared their data with Ars. Dylan McKay told Ars that he installed Messenger in 2015, but only allowed the app the permissions in the Android manifest that were required for installation. He says he removed and reinistalled the app several times over the course of the next few years, but never explicitly gave the app permission to read his SMS records and call history. McKay’s call and SMS data runs through July of 2017.

In my case, a review of my Google Play data confirms that Messenger was never installed on the Android devices I used. Facebook was  installed on a Nexus tablet I used and on the Blackphone 2 in 2015, and there was never an explicit message requesting access to phone call and SMS data. Yet there is call data from the end of 2015 until late 2016, when I reinstalled the operating system on the Blackphone 2 and wiped all applications.

While data collection was technically “opt-in,” in both these cases the opt-in was the default installation mode for Facebook’s application, not a separate notification of data collection. Facebook never explicitly revealed that the data was being collected, and it was only discovered as part of a review of the data associated with the accounts. The users we talked to only performed such reviews after the recent revelations about Cambridge Analytica’s use of Facebook data.

Facebook began explicitly asking permission from users of Messenger and Facebook Lite to access SMS and call data to “help friends find each other” after being publicly shamed in 2016 over the way it handled the “opt-in” for SMS services. That message mentioned nothing about retaining SMS and call data, but instead it offered an “OK” button to approve “keeping all of your SMS messages in one place.”

Facebook says that the company keeps the data secure and does not sell it to third parties. But the post doesn’t address why it would be necessary to retain not just the numbers of contacts from phone calls and SMS messages, but the date, time, and length of those calls for years. Sean Gallagher Sean is Ars Technica’s IT and National Security Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.

Russia’s Response to the West, Cyber War

Posted on by

The Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI), and the United Kingdom’s (UK) National Cyber Security Centre (NCSC) released a joint Technical Alert (TA) about malicious cyber activity carried out by the Russian Government. The U.S. Government refers to malicious cyber activity by the Russian government as GRIZZLY STEPPE.

NCCIC encourages users and administrators to review the GRIZZLY STEPPE – Russian Malicious Cyber Activity page, which links to TA18-106A – Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices, for more information.

*** GRIZZLY STEPPE – Russian Malicious Cyber Activity ... photo

Senator Tom Cotton: Our nation’s communications networks benefit us in ways unimaginable at the start of the digital age.  But a potential danger lurks: hidden “backdoors” in network equipment.  A hostile foreign power could use these backdoors to spy on Americans or attack our critical infrastructure by injecting viruses or launching denial-of-service attacks.  These backdoors can be designed into routers, switches, and virtually any other type of telecommunications equipment that, together, make up our networks.

This highlights the importance of our networks’ supply chain—that is, the process by which telecommunications equipment is manufactured, sold, distributed, and installed.  Whether the threat involves hacking into our nation’s communications networks or conducting industrial or political espionage at the behest of a foreign government, the integrity of the supply chain has worried U.S. government officials for years.

In 2012, the House Permanent Select Committee on Intelligence released a bipartisan report on the national security threats posed by certain foreign manufacturers.  This past year, Congress barred the Department of Defense from buying certain equipment and services from Chinese companies Huawei and ZTE on account of concerns about those companies’ connections to that country’s government.  And Congress recently banned all federal agencies from using products or services made by Kaspersky Lab, a company with alleged ties to the Russian government.

We’re committed to protecting our national security, and this proposal is a prudent step to accomplish that goal.

But the supply-chain threat persists.  Just this February, FBI Director Christopher Wray testified about “the risks of allowing any company or entity that is beholden to foreign governments that don’t share our values to gain positions of power inside our telecommunications networks.”  These risks include the ability to “maliciously modify or steal information” and “conduct undetected espionage.”  As the supply chain for our networks increasingly stretches beyond U.S. borders, this danger has become all too real.

Given the national security risks, we believe it’s time for more concerted federal action.  Among other things, that means making sure that our government doesn’t make the problem worse by spending the American people’s money on products and services from any company that poses a national security threat to our communications networks.

The Federal Communications Commission is a good place to start.  It regulates America’s communications networks.  And it administers the Universal Service Fund, an almost $9 billion-per-year program designed to ensure that all Americans have access to phone and broadband services.  The money in the Fund comes from fees paid by the American people on their phone bills.  About $4.7 billion annually is spent expanding high-speed Internet access in rural communities; $2.7 billion helps connect schools and libraries to the Internet; $1.3 billion assists in making phone and broadband services more affordable to low-income Americans; and about $300 million supports communications services for rural health-care facilities.  These are important programs.  But there’s no reason one dime of this funding should go to suppliers that raise national security concerns.  There are plenty of other providers we can use to help bridge the digital divide.

That’s why the FCC will vote on April 17 on Chairman Pai’s recent proposal to bar the use of universal service funding to buy equipment or services from any company that poses a national security threat to the integrity of our communications networks or the communications supply chain.  If approved, the proposal would also seek public input on how we should identify suspect firms and which types of telecommunications equipment or services should fall within the prohibition.  Everyone concerned about this issue will have a chance to weigh in.

Bottom line:  We’re committed to protecting our national security, and this proposal is a prudent step to accomplish that goal.  The FCC, Congress, and all government agencies must work together to safeguard the integrity of our communications supply chain.  We strongly urge the full Commission to approve this proposal and for other agencies to follow the lead.

What the Heck? Dept of Interior has Rookie IT People or What?

Posted on by

Is this a joke? Those computers had/have malware installed that was never detected even after that major OPM hack that forced the mainframes to communicate with Russia…..yes RUSSIA. So, here comes that Inspector General audit report. We are bleeding data, even classified data….So we have tech companies and social media operations that are not protecting or safeguarding our data, now for sure we have government that cant do it either…..

There was a hearing though…..ahem

Federal Data Breach Reveals Weaknesses Of U.S ... photo

 

In part from the audit report: This memorandum transmits the findings of our evaluation of the U.S . Department
of the Interior’ s incident response program. We found that the Office of the Chief
Information Officer had not fully implemented the capabilities recommended by
National Institute for Standards and Technology (NIST) in its incident detection
and response program.
We make 23 recommendations to help the Department improve its incident response
program , so it can promptly detect and full y contain cyber threats to maintain the
availability, confidentiality, and integrity of Department and bureau computer
systems and data.
In response to our draft report, the Department concurred with all recommendations
and provided target dates and officials responsible for implementation.
We consider all 23 recommendations resolved but not implemented.
We will forward the recommendations to the Office of Policy, Management and
Budget for tracking and implementation. We understand that some of these recommendations may require significant investment in cyber security infrastructure
as well as the recruitment of additional staff, but the intended timeframe to implement
these recommendations remains a concern.
Five recommendations will not be addressed for more than 5 years, and four recommendations will not be addressed for more than 3 years.
In the interim, the Department should consider additional temporary or partial solutions.
Specifically, we found that the Department:
• Was not fully prepared to respond to incidents
• Did not promptly detect or fully analyze security incidents
• Did not fully contain or completely eradicate active cyber threats
• Did not continuously improve its incident response capabilities by
learning from prior incidents

Three years after Chinese hackers stole security clearance files and other sensitive personal information of some 22 million U.S. federal employees, cyber-defenses at the Department of Interior, which hosted White House Office of Personnel Management (OPM) servers targeted in the theft, were still unable to detect “some of the most basic threats” inside Interior’s computer networks — including malware actively trying to make contact with Russia.

In a 16-month examination of Interior’s ability to detect and respond to cyber-threats, evaluators from the department’s Office of Inspector General (OIG) also discovered that Interior’s technicians simply did not implement a sweeping array of mandatory, government-wide defensive measures ordered up after the disastrous OPM hack, didn’t investigate blocked intrusion attempts, and left “multiple” compromised computers on their network “for months at a time,” according to a redacted OIG report issued in March.

Ultra-sensitive security clearance files have since been moved to the Defense Department, but, among other things, the OIG report noted that:

● sensitive data at Interior could be taken out of the department’s networks “without detection.”

● network logs showed that a computer at the U.S. Geological Survey, an Interior bureau, was regularly trying to communicate with computers in Russia. The messages were blocked, but “the USGS facilities staff did not analyze the alerts.”

● dangerous or inappropriate behavior by network users — including  the downloading of pornography and watching pirated videos on Russian and Ukrainian websites — was not investigated.

● computers discovered to be infected with malware were scrubbed as soon as possible and put back into use—meaning little or no effort went into examining the scope and nature of any such threats to the broader network. This happened, the OIG team noted, with one intruder they discovered themselves.

● simulated intrusions or ransomware attacks created by the examiners were carried out with increasing blatancy without a response—in the case of ransomware, for nearly a month

● After the devastating OPM hack, which was discovered in April 2015, the department didn’t even publish a lessons-learned plan for its staffers based on the disaster. The OIG inspectors reported that Interior started to draft an “incident response plan” that month to deal with future intrusions, but “did not publish it until August 2017”— two months after the OIG team had finished their lengthy fieldwork.

● Distressingly, the report also notes that the department’s cybersecurity operations team was not privy to a list of Interior’s so-called “high-value IT assets” prepared by the Chief Information Officer, “due to its sensitive nature.” More here.

Go Facebook Go and Take Android with You

Posted on by

Primer: Amendment IV

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. Does this only apply to the Federal government or State government?

Humm read on….

The Mark Zuckerberg apology tour continues. There was the 87 million compromised accounts where privacy was ignored. Then there was the fact that Facebook employees track communications in the private message feature. But why would Facebook contact hospitals asking for patient information? Sheesh, really?

Facebook asked hospitals for anonymized data about their patients for a proposed research project, CNBC reported on Thursday.

The social media platform reportedly intended to compare the data, which included prescription information and illnesses, with its own data that it collected from users, in order to flag users that may need hospital care.

The proposal was paused after Facebook revealed that Cambridge Analytica improperly took data from 50 million of its users’ profiles, and reportedly never made it beyond initial planning stages.

“This work has not progressed past the planning phase, and we have not received, shared, or analyzed anyone’s data,” a Facebook spokesperson told CNBC.

The social media company discussed its plan with organizations including Stanford Medical School and American College of Cardiology.

The data the company would have collected would have been completely anonymous and only available for medical research, according to the report.

Cathleen Gates, the interim CEO of the American College of Cardiology, said in a statement provided to CNBC that Facebook’s proposed data project could help medical research.

“As part of its mission to transform cardiovascular care and improve heart health, the American College of Cardiology has been engaged in discussions with Facebook around the use of anonymized Facebook data, coupled with anonymized ACC data, to further scientific research on the ways social media can aid in the prevention and treatment of heart disease—the #1 cause of death in the world,” she said.

News of the proposed medical data collection comes amid scrutiny over how a British research firm hired by the Trump campaign, Cambridge Analytica, improperly took user data through Facebook.

Controversy over matter has sparked an outcry about Facebook’s data collection and privacy practices.

Lawmakers have been particularly vocal on the issue. Facebook CEO Mark Zuckerberg is set to testify before them on Capitol Hill in hearing on Tuesday and Wednesday during Senate and House hearings about data privacy.

*** Gonna be some interesting hearings on The Hill right? Perhaps Android should be included….

A software developer — who didn’t want to be identified — told News.com.au the social media giant should be the least of our worries, saying Android apps available on Google Play are often “saturated by spyware.”

“Google has given apps a wide open ‘side-door’ to collect personal info to all apps if users simply download and accept the listed permissions,” he said. “Of course, if you notice, the permissions are actually hard to find and Google downplays what they can do.”

He pointed to third-party keyboards as an example.

“Third-party keyboards not only have access to all dangerous permissions, but they also have access to all keystrokes — including account names and passwords,” he said.

We’ve already seen evidence of this blowing up in recent months.

In December, the popular virtual keyboard app AI.type leaked the personal data of over 31 million customers online.

Security researchers at the Kromtech Security Center said the server wasn’t password-protected, allowing anyone to access the company’s massive database.

The app stated that any text entered on its keyboard stays “encrypted and private.”

But researchers found users must allow “Full Access” to all of their data stored on the iPhone, including all keyboard data.

This meant the app would theoretically have access to all your secure usernames and passwords.

Top 10 Shooter Games For Android | Idea photo

“If you look at all the top Android keyboards and look at their requested permissions, it is alarming,” the developer said. “They often can run at start-up, prevent the device from sleeping, and have access to an extensive amount of a user’s personal data.

“They can send encrypted data anywhere in the world without scrutiny.”

A ZDNet investigation into AI.type found the company kept complete records on the device’s IMSI and IMEI number, the device’s make and model, its screen resolution, and the device’s specific Android version.

It also included the user’s phone number, the name of their mobile phone provider, and in some cases their IP address and internet provider.

As the app developer said, third-party keyboards can access the highest level of Android permissions, including personal data like passwords and credit card numbers.

According to ZDNet, one table contained more than 8.6 million entries of text that had been entered using the keyboard, which included phone numbers, email addresses and corresponding passwords, and web search terms.

It found that — for apps that contained a paid and free version, the latter was more concerning; a free version would be more likely to collect data than the paid, which the company would use to monetize with advertising.

“Other keyboards have also been found to have been collecting unsettling data, while none have been removed from Google Play,” he said.

Both the free and paid versions of AI.type are still available on Google Play.

“What is most disturbing to me is that Google apparently blindly ignores this problem, and has built in this open ‘side door’ to facilitate their won apps that collect lots of data on us. If they shut this down, they would shut down their own intrusive apps.”

‘Trading privacy for profits’

Cybersecurity expert, professor Nigel Phair, from the University of Canberra in Australia, shared several of these concerns.

He said it’s surprisingly difficult to log out of a Google service, which explains how they can store your data consecutively over many years.

“What concerns me most is that we’re not making informed decisions,” he told News.com.au. “We get free email, free apps, free directions … but people aren’t consciously making informed consent. It’s not just Google. Apple [does] the same thing.”

But he said Android users were particularly at risk. “If you go into the Facebook app on your Android device and look at the permissions, it’s broader than that of Apple devices, and can include text messages and phone calls. Android is a completely uncurated, open-sourced platform.”

This explains why Android phones were the subject of Facebook’s recent phone-scraping scandal.

So how is it that apps logging your keyboard entries and other data haven’t been shut down yet?

Phair stressed that it comes down to the open permissions laid out in the terms and conditions — which, let’s face it, very few people read. The sheer impracticality of doing so may well be the apps’ strategy.

“There’s nothing illegal about collecting data,” said Phair. “Take Facebook. By signing up, you’re basically agreeing to the terms and conditions, which are basically ‘we can do whatever we want with your data.’ That’s the get-out-of-jail-free card. If you’re going to use our servers, we’re going to collect and sell your data to third-party affiliates.”

In a recent interview, Facebook chief executive Mark Zuckerberg said Facebook’s current problems were partly because the company was so focused on connecting people during its first decade and that it didn’t pay enough attention to potential consequences around privacy.

Last week, technical consultant and web developer Dylan Curran posted a thread on Google and Facebook’s data storing that quickly went viral.

Curran posted photos of the personal data collected by Google (which users are able to download). The file was 5.5 gigabytes — the equivalent of about three million Word documents.

He said it included “every email I’ve ever sent, that’s been sent to me, including the ones I deleted or were categorized as spam.”

“Every image I’ve ever searched for and saved, every location I’ve searched for or clicked on, every news article I’ve ever searched for or read, and EVERY SINGLE Google search I’ve made since 2009.”

He found Google was storing his location every time he turned on his phone, his search history (even if he deleted this), every app and extension he used, his YouTube history, calendar, hangout sessions and the music he listened to.

Spooky stuff.

INDEED!

Foreign Espionage Spying on Cell Phones in Washington DC

Posted on by

There was an investigation and the report is complete…but who has it, where is it? Between the FBI, Secret Service, DHS, Capitol Police as well as other agencies…why the suspense? Why is it still going on?

Mysterious unidentified spying cell towers found across ...

In related reading, this site published in November of 2017: Surveillance: China’s Big Brother, America’s Also?

U.S. Suspects Cellphone Spying Devices in Washington

THE ASSOCIATED PRESS (FRANK BAJAK)

(AP) — For the first time, the U.S. government has publicly acknowledged the existence in Washington of what appear to be rogue devices that foreign spies and criminals could be using to track individual cellphones and intercept calls and messages.

The use of what are known as cellphone-site simulators by foreign powers has long been a concern, but American intelligence and law enforcement agencies — which use such eavesdropping equipment themselves — have been silent on the issue until now.

In a March 26 letter to Oregon Sen. Ron Wyden, the Department of Homeland Security acknowledged that last year it identified suspected unauthorized cell-site simulators in the nation’s capital. The agency said it had not determined the type of devices in use or who might have been operating them. Nor did it say how many it detected or where.

The agency’s response, obtained by The Associated Press from Wyden’s office, suggests little has been done about such equipment, known popularly as Stingrays after a brand common among U.S. police departments. The Federal Communications Commission, which regulates the nation’s airwaves, formed a task force on the subject four years ago, but it never produced a report and no longer meets regularly.

The devices work by tricking mobile devices into locking onto them instead of legitimate cell towers, revealing the exact location of a particular cellphone. More sophisticated versions can eavesdrop on calls by forcing phones to step down to older, unencrypted 2G wireless technology. Some attempt to plant malware.

They can cost anywhere from $1,000 to about $200,000. They are commonly the size of a briefcase; some are as small as a cellphone. They can be placed in a car next to a government building. The most powerful can be deployed in low-flying aircraft.

Thousands of members of the military, the NSA, the CIA, the FBI and the rest of the national-security apparatus live and work in the Washington area. The surveillance-savvy among them encrypt their phone and data communications and employ electronic countermeasures. But unsuspecting citizens could fall prey.

Wyden, a Democrat, wrote DHS in November requesting information about unauthorized use of the cell-site simulators.

The reply from DHS official Christopher Krebs noted that DHS had observed “anomalous activity” consistent with Stingrays in the Washington area. A DHS official who spoke on condition of anonymity because the letter has not been publicly released added that the devices were detected in a 90-day trial that began in January 2017 with equipment from a Las Vegas-based DHS contractor, ESD America .

Krebs, the top official in the department’s National Protection and Programs Directorate, noted in the letter that DHS lacks the equipment and funding to detect Stingrays even though their use by foreign governments “may threaten U.S. national and economic security.” The department did report its findings to “federal partners” Krebs did not name. That presumably includes the FBI.

The CEO of ESD America, Les Goldsmith, said his company has a relationship with DHS but would not comment further.

Legislators have been raising alarms about the use of Stingrays in the capital since at least 2014, when Goldsmith and other security-company researchers conducted public sweeps that located suspected unauthorized devices near the White House, the Supreme Court, the Commerce Department and the Pentagon, among other locations.

The executive branch, however, has shied away from even discussing the subject.

Aaron Turner, president of the mobile security consultancy Integricell, was among the experts who conducted the 2014 sweeps, in part to try to drum up business. Little has changed since, he said.

Like other major world capitals, he said, Washington is awash in unauthorized interception devices. Foreign embassies have free rein because they are on sovereign soil.

Every embassy “worth their salt” has a cell tower simulator installed, Turner said. They use them “to track interesting people that come toward their embassies.” The Russians’ equipment is so powerful it can track targets a mile away, he said.

Shutting down rogue Stingrays is an expensive proposition that would require wireless network upgrades the industry has been loath to pay for, security experts say. It could also lead to conflict with U.S. intelligence and law enforcement.

In addition to federal agencies, police departments use them in at least 25 states and the District of Columbia, according to the American Civil Liberties Union.

Wyden said in a statement Tuesday that “leaving security to the phone companies has proven to be disastrous.” He added that the FCC has refused to hold the industry accountable “despite repeated warnings and clear evidence that our phone networks are being exploited by foreign governments and hackers.”

After the 2014 news reports about Stingrays in Washington, Rep. Alan Grayson, D-Fla, wrote the FCC in alarm. In a reply, then-FCC chairman Tom Wheeler said the agency had created a task force to combat illicit and unauthorized use of the devices. In that letter, the FCC did not say it had identified such use itself, but cited media reports of the security sweeps.

That task force appears to have accomplished little. A former adviser to Wheeler, Gigi Sohn, said there was no political will to tackle the issue against opposition from the intelligence community and local police forces that were using the devices “willy-nilly.”

“To the extent that there is a major problem here, it’s largely due to the FCC not doing its job,” said Laura Moy of the Center on Privacy and Technology at Georgetown University. The agency, she said, should be requiring wireless carriers to protect their networks from such security threats and “ensuring that anyone transmitting over licensed spectrum actually has a license to do it.”

FCC spokesman Neil Grace, however, said the agency’s only role is “certifying” such devices to ensure they don’t interfere with other wireless communications, much the way it does with phones and Wi-Fi routers.

___

Links:

DHS letter to Sen. Ron Wyden: http://apne.ws/eJ7JipM

DHS enclosure in letter to Sen. Ron Wyden: http://apne.ws/dBMPqWw