Maybe NitroKey are surfacing something useful and potentially concerning, but they way they do it is so cheap that it completely turns me off their brand. It’s a bunch of negativity-hype with a “so buy our phone” tacked on.<p>If you handed a Nitrophone to any competent security researcher, I bet they’d find a ton of issues. Same with the NitroKey; that feature list is far too extensive to not have issues.
Related ongoing thread:<p><i>Smartphones with Qualcomm chip secretly send personal data to Qualcomm</i> - <a href="https://news.ycombinator.com/item?id=35698547" rel="nofollow">https://news.ycombinator.com/item?id=35698547</a> - April 2023 (263 comments)
I've criticized the original article for lack of information here: <a href="https://news.ycombinator.com/item?id=35698547#35703662" rel="nofollow">https://news.ycombinator.com/item?id=35698547#35703662</a><p>However, this blog post takes it too far:<p>> It proceeds to not show the contents of this HTTP request because it would show that it's not at all interesting. It does not contain any private data.<p>You don't know that, nor do you take any steps to actually prove your claim. This blog post is just as bad as the original post for not providing any evidence to your claims.<p>To add to that: OP seems to summarize the HN comments section without even citing it.<p>I'm double disappointed :)
Also to mention... A-GPS is <i>extremely</i> crucial to the underpinnings of the e911 system. Having rapid fixes means quicker positioning data being sent over the wire to the 911 center.
The author didn't address the list of things the devices allegedly sent when downloading A-GPS files, from the original article:<p>1. Unique ID<p>2. Chipset name<p>3. Chipset serial number<p>5. XTRA software version<p>6. Mobile country code<p>7. Mobile network code (allowing identification of country and wireless operator)<p>8. Type of operating system and version<p>9. Device make and model<p>10. Time since the last boot of the application processor and modem<p>11. List of the software on the device<p>12. IP address
Well, a device can get the time via GPS only.<p>If for whatever reason the system's time is just SO wrong then there's a change the HTTPS connection might fail because of certificate not valid yet / expired.<p>For this I think it's OK for it to be served over HTTP.
Reminds me of your typical "Windows support" impersonator telling people to look at all the spooky errors and warnings in Event Viewer and "all I need is for you to install this remote access tool and I can fix all your problems for you".
Was just looking at NitroKey after realizing my SoloKey v2[1] won't come for yet another few months.<p>Given that they use similar firmware, the headline scared me a bit. However the article is about their marketing of an entirely different device, not their new Yubikey replacement.<p>The wait continues... not super-surprised though, crowd funding hardware is super-risky and I knew that.<p>[1]: <a href="https://solokeys.com/" rel="nofollow">https://solokeys.com/</a>
So, presumably if I bought one of their phones and turned it on, I would wait ten minutes to get a GPS fix instead of it using a almanac and working out the lat and long of three cell towers at certain signal strength?<p>Does anyone know if it's possible to get at this info from user side ? Some API access? sounds fun
IP packets should not be sent or received behind our backs, and certainly firmware should not be bypassing the operating system to do this.<p>Whether it is useful for A-GPS does not matter. It must be done on top of the operating system or not done at all.
/e/OS answered at /e/OS answered at <a href="https://community.e.foundation/t/qualcomm-chipsets-data-collection-linked-to-the-a-gps-service-in-e-os/48982" rel="nofollow">https://community.e.foundation/t/qualcomm-chipsets-data-coll...</a>