OESF Portables Forum
Model Specific Forums => Cosmo Communicator => Cosmo Communicator - Android => Topic started by: Daniel W on January 05, 2020, 06:11:56 pm
-
Glancing at this Gemini related post (index.php?showtopic=36010) about some outgoing IP connections that turned out to belong to the firmware updater, I found the web site of Ash Wolf (Ninji here at OESF), on which these two blog articles:
https://wuffs.org/blog/pulling-apart-the-cosmos-systemfota-updater
https://wuffs.org/blog/digitime-tech-fota-backdoors
pick apart the Cosmo Over-The-Air firmware updater, and find, well, questionable content.
A firmware updater, reasonably, must have basically every permission, so we're kind of forced to trust whichever firmware distributor Planet Computers chooses. While I do trust Planet Computers not to be malevolent, they seem, to me, somewhat clueless at times, and, it seems, they've picked a firmware distributor whose other business, apparently, is to, via their own updater, distribute malware. Ouch.
Maybe they're only doing that as a paid service, say, on behalf of dirt cheap phone makers, who might want to make up for their low prices by exploiting their customers in any profitable way they can come up with. I'm quite certain Planet Computers isn't involved in or, as it seems, were even aware of, any such capabilities.
Yet, the way this is implemented on the Cosmo, it seems ANY app can silently get ANY Android permission, by knowing how to ask one of the updater interfaces. While nobody might specifically target such an uncommon device type as the Cosmo, probing for that interface would, to me, seem like something any competent malware author would do, in case their code happens to be on any phone where this interface is available.
As far as I understand, that can't happen unless I install a malware-laden app first, but as those, according to the media, once in a while do make it onto Google Play, no matter how reasonable I'm trying to be, this feels a bit too crazy for comfort. I'm at a bit of a loss right now. After waiting over a year for my Cosmo, intending to use it as my only phone, I suddenly don't know if I could, at all, trust this device, once it arrives. Thoughts, anyone?
-
These are quite serious accusations that probably do justify a level of paranoia leading to at least postponing using one's device as a primary phone. Until there will be public reaction from PC to shed some light on the issue.
For me the Cosmo is already my primary device. The only mitigation I can see for myself is installing a firewall and monitoring for any suspicious networking activity. The NoRoot firewall used successfully in the victim's post referenced in the blog is itself of questionable reputation. Thus far I was only able to find a single open source firewall application that does not require rooting - NetGuard. I am going to try to live with that.
Having a rooted device would open more possibilities for mitigation. I myself am not prepared to fiddle with rooting my device due to the risk of bricking it. I now look forward anxiously to a rooting solution from PC just because of this development.
-
I saw that on Twitter ( https://mobile.twitter.com/_Ninji ), and PC has been contacted by this brilliant guy on Dec 02 about that issue. He also ported TWRP for Cosmo. My Cosmo is in its box waiting for dual boot firmware, so I can boot something else, custom if possible, far away from PC, Google and Shenzhen OTA servers... Dogs are friends of mine.
PS: @Daniel W, you are missing r in the end of the first link
-
Hmm, my last reply didn't seem to post. Maybe they don't allow links... Anyway, there is a discussion about this in the Gemini thread and over on the Facebook group. Ninji (the guy who found the issue) seems to come here frequently too.
In the Facebook group, James Liddle helpfully added:
As this is a system app it is not easy to disable without root but you can do it through ADB:
adb shell pm disable-user --user 0 com.dtinfo.tools
and then
adb shell pm enable com.dtinfo.tools
to re-enable it if you want to do a wireless update
If you're concerned, you could do this without rooting your phone, then apply the updates manually when OC release them.
-
PS: @Daniel W, you are missing r in the end of the first link
Oops. Usually I test every link after posting. Apparently I missed one. Fixed. Thanks for spotting it.
-
In the Facebook group, James Liddle helpfully added:
As this is a system app it is not easy to disable without root but you can do it through ADB:
adb shell pm disable-user --user 0 com.dtinfo.tools
and then
adb shell pm enable com.dtinfo.tools
to re-enable it if you want to do a wireless update
If you're concerned, you could do this without rooting your phone, then apply the updates manually when OC release them.
Are you able to disable it without rooting? I was under the impression that doing this via adb still required root - but I couldn't confirm since I was already rooted... I do have some code I could clean up and release which uses the backdoor to disable the FOTA app, although this will only work on Cosmo and not on the Gemini as the Gemini doesn't have that backdoor.
-
I was hesitant to post about this stuff too much because I was trying to give Planet (and originally Digitime) the benefit of the doubt, but my patience is running thin over time. I don't use my Cosmo as a main phone - my trusty jailbroken iPhone 8+ gets that, as it's usable with one hand and has a camera that isn't a joke.
But even as a side device the Cosmo still manages to disappoint - the stock firmware is buggier than most of the slapdash unofficial backported Android ROMs I've used on other devices, and performance is dire (I was simply chatting on Telegram yesterday and every few messages I would have to retype a word as the device lagged out and one keypress turned into 5-6 repeated keypresses).
What a poor way to honour the legacy of the Psion and its highly-optimised software.
I'm still amazed at the outright brazenness involved in Digitime using their OTA service as a malware distribution platform, and the fact that somehow nobody had discovered this and connected the dots before I did. Hopefully with some more attention we can get some kind of statement out of PC on this, although I am not highly optimistic.
It is also worth noting that PC and Digitime are not the only folk involved in this game - there is also EastAeon, the ODM that built the Gemini and Cosmo. Although PC downplays their involvement in most of the Indiegogo updates by referring to them as "the factory" - with the exception of the Week 19 update, where they say this: "We also discussed how we are splitting the work between the factory and our UK/European team. Our in-house team is taking ownership of most of the high level functions such as look and feel, whilst the lower level firmware elements will be implemented by our factory partner. We agreed the exact split of work on the external screen during our visit." ...it is obvious from firmware analysis that they are responsible for most of the Android code and not just for manufacturing as PC would like to have you think. Even elements like the clamshell/keyboard shortcuts (which I analysed in this thread (https://www.oesf.org/forum/index.php?showtopic=35943)) appear to have been implemented by EastAeon judging by names and debug log messages in the responsible code.
I hope that the Cosmo will be redeemed for me once we get the ability to run Linux on it. The hardware has immense potential but it's held back by EastAeon/PC's inability to deliver a decent OS.
-
Are you able to disable it without rooting? I was under the impression that doing this via adb still required root - but I couldn't confirm since I was already rooted...
Yes, worked on my unrooted device:
$ adb shell pm disable-user --user 0 com.dtinfo.tools
Package com.dtinfo.tools new state: disabled-user
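The `pm disable-user` / `pm enable` procedure quoted from the Facebook group above, and confirmed on an unrooted device in this post, wrapped in a small script so the state change can be verified rather than eyeballed. This is an added example, not code from the thread; it assumes `adb` is on PATH with one device authorised for USB debugging, and that the package name is `com.dtinfo.tools` as quoted. Note the thread's later point that disabling this package only stops the updater app: it does not remove the `fo_service` interface that Ninji describes as living in the Android services framework.

```python
"""Disable or re-enable the Digitime SystemFota package for user 0 via adb
and verify the result by parsing `pm` output (added example, not from the thread)."""
import re
import subprocess
from typing import Optional, Set, Tuple

FOTA_PKG = "com.dtinfo.tools"  # package name as quoted in the thread

# Matches e.g. "Package com.dtinfo.tools new state: disabled-user"
STATE_RE = re.compile(r"Package (\S+) new state: (\S+)")


def adb(*args: str) -> str:
    """Run one adb command and return its stdout; raises on non-zero exit."""
    proc = subprocess.run(["adb", *args], check=True, capture_output=True, text=True)
    return proc.stdout


def parse_state_line(output: str) -> Optional[Tuple[str, str]]:
    """Extract (package, new_state) from `pm enable` / `pm disable-user` output."""
    m = STATE_RE.search(output)
    return (m.group(1), m.group(2)) if m else None


def parse_disabled_packages(pm_output: str) -> Set[str]:
    """Parse `pm list packages -d` output, one 'package:<name>' per line."""
    return {
        line.split(":", 1)[1].strip()
        for line in pm_output.splitlines()
        if line.startswith("package:")
    }


def set_fota_enabled(enabled: bool, user: int = 0) -> str:
    """Toggle the package for the given user and return the state pm reports."""
    if enabled:
        out = adb("shell", "pm", "enable", "--user", str(user), FOTA_PKG)
    else:
        out = adb("shell", "pm", "disable-user", "--user", str(user), FOTA_PKG)
    parsed = parse_state_line(out)
    if parsed is None or parsed[0] != FOTA_PKG:
        raise RuntimeError(f"unexpected pm output: {out!r}")
    return parsed[1]


def fota_is_disabled(user: int = 0) -> bool:
    """Independent check: is the package listed among disabled packages for this user?"""
    out = adb("shell", "pm", "list", "packages", "-d", "--user", str(user))
    return FOTA_PKG in parse_disabled_packages(out)


if __name__ == "__main__":
    import sys
    want_enabled = len(sys.argv) > 1 and sys.argv[1] == "enable"
    print("pm reports:", set_fota_enabled(want_enabled))
    print("listed as disabled:", fota_is_disabled())
```

Run it with no argument to disable the updater, or with `enable` before applying a wireless update; the second line of output cross-checks the state against `pm list packages -d` so a silently ignored command does not go unnoticed.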
-
Question: Would disabling the FOTA via ADB, also disable that interface, via which any app could get any Android permission?
Currently, I'm more concerned by that interface than by getting malware from Digitime. For reference, both Samsung and Google can, and sometimes do, push anything they want onto my Note, even though I've turned off automatic updates. Certain "frameworks" and such just update themselves anyway. What Ninji found, I suppose, is, purely technically speaking, the equivalent capabilities, however shadily implemented. I'm guessing Digitime regards these "features" as a service for sale to the phone brand, rather than something they'd go about (ab)using at their own leisure. My thinking is that if Digitime did push something actively malevolent, without it being requested, and paid for, by the phone brand, or government, wouldn't they be found out and get sued or at least lose that brand as a customer forever?
Or am I just being naïve and/or plain wrong?
-
Nope, the fo_service backdoor is baked into the Android services framework and any app can access it. The chances seem fairly low - I've yet to find any other device it's deployed on - but it's still there...
What's particularly insidious about it is that even though the Digitime FOTA updater doesn't use it (unless the malware-like Lua worker is activated from their end), it still refuses to install updates if the backdoor is not present. Presumably this is to ensure that OEMs keep the backdoor code in their Android builds.
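A quick way to look for the backdoor services this post refers to is to enumerate the Binder services the device exposes and flag the names the thread associates with Digitime. This is an added example, not Ninji's tooling or anything from the original post. It assumes `adb` is on PATH; the name patterns (`fo_service`, `IOrgX/Y/Z`, `dtinfo`) come from this thread, and the sample `service list` output embedded below is constructed, with the interface descriptor on the `fo_service` line made up for the sake of the demo. Caveat: if the backdoor is implemented as extra transactions on an existing framework service rather than as a separately registered service, it will not show up under its own name here, so an empty result is not proof of absence.

```python
"""Enumerate Binder services via `adb shell service list` and flag names linked
to the Digitime backdoor in this thread (added example, not from the thread)."""
import re
import subprocess
from typing import Dict, List, Tuple

# Patterns taken from the thread's description; extend as new names surface.
SUSPECT_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"^fo_service$", r"IOrg[XYZ]", r"dtinfo", r"digitime")
]

# `service list` prints "<index>\t<name>: [<interface descriptor>]" per service.
LINE_RE = re.compile(r"^\s*\d+\s+([^:]+):\s*\[(.*)\]\s*$")

# Constructed sample output; the fo_service descriptor is hypothetical.
SAMPLE_SERVICE_LIST = """Found 4 services:
0\tDockObserver: []
1\tSurfaceFlinger: [android.ui.ISurfaceComposer]
2\tfo_service: [com.dtinfo.IOrgX]
3\tpackage: [android.content.pm.IPackageManager]
"""


def parse_service_list(output: str) -> Dict[str, str]:
    """Map service name -> declared interface descriptor (may be empty)."""
    services: Dict[str, str] = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            services[m.group(1)] = m.group(2)
    return services


def find_suspect_services(services: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (name, descriptor) pairs where either field matches a suspect pattern."""
    hits = [
        (name, iface)
        for name, iface in services.items()
        if any(p.search(name) or p.search(iface) for p in SUSPECT_PATTERNS)
    ]
    return sorted(hits)


def scan_device() -> List[Tuple[str, str]]:
    """Pull the live service list from the attached device and scan it."""
    out = subprocess.run(
        ["adb", "shell", "service", "list"], check=True, capture_output=True, text=True
    ).stdout
    return find_suspect_services(parse_service_list(out))


if __name__ == "__main__":
    print("sample scan:", find_suspect_services(parse_service_list(SAMPLE_SERVICE_LIST)))
    print("device scan:", scan_device())
```

The sample scan reports the constructed `fo_service` entry; the device scan runs the same logic against whatever the attached phone actually registers, which is the part worth comparing before and after a firmware update.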
-
At least we're not the only ones with these kind of problems: https://www.reddit.com/r/Android/comments/ektg8u/chinese_spyware_preinstalled_on_all_samsung/
-
Nope, the fo_service backdoor is baked into the Android services framework and any app can access it.
As I kind of guessed then.
The chances seem fairly low - I've yet to find any other device it's deployed on - but it's still there...
Yeah, a bit like swimming in the ocean. Sharks are rare, but still there...
What's particularly insidious about it is that even though the Digitime FOTA updater doesn't use it (unless the malware-like Lua worker is activated from their end), it still refuses to install updates if the backdoor is not present. Presumably this is to ensure that OEMs keep the backdoor code in their Android builds.
Yes, I read that on your blog. As I understood it, they check that the backdoor is there by calling a method that returns its version number. Unless that changes, could it be possible to just leave that method and remove all the other sneaky ones, or leave them in there, but patch them to do nothing, like { return null; } or similar? But, well... the odds of Planet pulling off something like that might be slim, if it would even be feasible.
As I actually do want to use a bit of google-ware, striving to go Linux-only would seem counterproductive for me, and I'm wary of rooting (in both cases, I want a daily driver that kind of just works - and has a nice keyboard). That seems to limit my options quite a bit. Is there really anything I could do, except hoping that neither Digitime nor (other) malware authors will bother, be picky about what I install, and try not to worry too much?
At least we're not the only ones with these kind of problems: https://www.reddit.com/r/Android/comments/ektg8u/chinese_spyware_preinstalled_on_all_samsung/
Oh boy, great... my other phone is a (fairly recent) Samsung. Not that I'm using Device Care, since it, apparently, considers my local HTML files to be junk... but this seems to be another reason not to touch it.
-
At least we're not the only ones with these kind of problems: https://www.reddit.com/r/Android/comments/ektg8u/chinese_spyware_preinstalled_on_all_samsung/
Samsung top devices can cost a fortune. This is so sad...
-
If you root the device, I suppose you can get rid of the API. What would be the steps to do that?
-
This morning I’ve been emailed by Davide Guidi (Planet’s CTO) about this situation. Their response confirms many of my suspicions: Planet was entirely unaware about the presence of this code in the Cosmo, and their use of Digitime’s software was entirely guided by advice and reassurance from their ODM.
Despite my misgivings I’m very glad to see that Planet is taking this seriously — he says that Digitime have agreed to remove the IOrgX/Y/Z backdoor services from the Cosmo and that PC is investigating alternatives to their OTA service.
This does not fully resolve my doubts - there is still a substantial amount of subterfuge involved in the system even when discounting that; see, for example, this XDA thread (linked from my second blog post): https://forum.xda-developers.com/general/security/help-removing-android-malware-rooted-t3863704 - although the Gemini did not include the IOrg backdoor it still included the Lua C&C system demonstrated to be installing apps in that thread.
I however feel much more relieved about this knowing that Planet are willing to make changes and listen to feedback about this. I will be writing back to him with further information on that and why I don’t feel that simply removing the IOrg services will solve all the issues involved.
-
That was very relieving news. Thank you Ninji. I'm not too surprised Digitime is willing to remove offending code. I think there may be fairly little malevolent intent involved here, and more of what different cultures regard as acceptable or even desirable.
Many "westerners" seem to be somewhat okay with, or not care too much about, extensive surveillance capitalism, as long as it doesn't get too obviously creepy. If it provides enough convenience in return, it might even be desirable. Google Assistant, Alexa, Siri and Bixby have to know you pretty well to work (no, I don't use them). A friend of mine used to ship cable cabinets to Japan. ONE oily fingerprint on, or inside, a cabinet and it would be returned to Sweden, even if it worked perfectly. The view seemed to be that if the Swedes couldn't even keep a thing clean, you just couldn't trust that it was made with enough care.
Every culture seems to have their set of things people will or won't care about, so the acceptable trade offs are different. If you can only get apps from dodgy third parties, so what if your brand can also install crap, especially if that made the phone so cheap, it's almost still theirs anyway? Heck, some users may even want plausible deniability, when something objectionable is found on their phone, "uh, yeah, they keep installing such stuff and I just haven't been able to remove it yet...", a bit like some folks may "forget" to delete certain spam, with "interesting" pictures.
Still, and for similar reasons, I'd guess this is just a first step. Digitime will likely only delete exactly what Planet tells them to, and won't necessarily do it carefully either, not because they are "bad", but more because it's something they just can't be bothered to take too seriously, a bit like when identical cable cabinets were shipped elsewhere, no way anyone could be bothered to wipe off every single fingerprint. Without pointing fingers, I'd guess these kinds of differing views on what goes, may explain some of the many quality issues Planet has kept running into. If one, somewhat clueless party, wants to produce quality stuff as cheaply as they can, but their partner is more into an appearance of quality, to boost sales, there may be... issues.
-
I disagree; I'm certain that there is malevolent intent on Digitime's part. Why would they go so far to hide it, otherwise? The code is obfuscated, the server URLs used by the malware component use domains like 'flurrydata.com' and 'facebook-3rd.com' in an attempt to look like legitimate services, and moreover, today I discovered that Digitime actually pushed some new worker packages just 2-3 days after my email to Planet - a new empty feature-less one for the Cosmo, and a new build of the standard version for the Gretel A7.
I suspect that Planet talked to them and they went "oh crap, we've been discovered"... Curiously, they don't seem to have replaced the Gemini's (albeit I may have made a mistake in the check commands, as I don't have example packet dumps from a Gemini as I do for the Cosmo and the A7).
It's also quite amusing that the 'statistics.flurrydata.com' server that the boot module reports to appears to have stopped working; for every request it just returns a {"errinfo":"Too many connections","errcode":3} error. Probably not intentional...
I will write a follow-up blog post soon, but for now I need to catch up on university work. In the meantime, here is my reply to Planet which provides some more information:
Hello Davide,
It's great to hear from you about this, and to know that Planet is on the ball regarding the situation. My research has given me no reason to doubt Planet's privacy/security practices; my assumption all along was that Digitime was doing this without the knowledge of Planet or EastAeon.
There are more issues with the Digitime software, not just the Cosmo-only IOrgX/Y/Z backdoors. Note that there are effectively two 'sides' to the Digitime app. There is the legitimate OTA update process, which connects to the 'app.fota.digitimetech.com' server and fetches update information. This is somewhat insecure (it is vulnerable to SSL man-in-the-middle attacks) but that seems like a mistake, not malice.
The second side is the Lua service I documented in my blog posts, which is present in every Digitime SystemFota updater I have seen, including the Gemini's. It downloads arbitrary 'worker' code from domains like 'statistics.flurrydata.com' and 'facebook-3rd.com', which appears to be a deliberate attempt to hide by pretending to be part of a legitimate service. This is the system which was used to distribute malware on other devices like the Gretel A7.
There is one interesting development in this area which I only noticed today (as I had the SystemFota app disabled): Digitime have sent my Cosmo a new 'worker' package, which removes all of its functionality and leaves an empty shell. The code files in it are dated the 4th December 2019 (two days after my initial email to Planet Computers), whereas the other workers are all dated months/years older. The timing makes me wonder: did they suddenly do this in an attempt to save face after an enquiry from PC?
From my understanding, this doesn't actually disable their control over the device, as the 'boot' package (which is baked into the Android ROM's SystemFota.apk) still checks home regularly, and has the ability to download a new worker if Digitime changes their mind. This is all device-specific, so in theory, Digitime could for example decide to send a malicious code package to IP addresses connecting from certain countries, and this empty shell to IP addresses connecting from the UK (like you and I).
I have also experimented by sending requests to their server with the IDs of other known devices. If I pretend to be a Gemini, I get the regular worker that I started with on the Cosmo - not the empty shell that the Cosmo now has. If I pretend to be a Gretel A7, I get a newly built version of that worker, with a different version number, dated the 5th December 2019 - which furthers my suspicions that Digitime are trying to cover their tracks after this exposure.
I appreciate that Digitime has agreed to remove the OS backdoors, and that they seem to have disabled part of the malware-like functionality for the Cosmo, but none of these things should have been there in the first place. I personally would not trust an operator with this track record. Ultimately, however, it is Planet Computers who must decide if they want to trust Digitime with software distribution on their devices, not me - I am after all an outsider and not privy to the complex decisions that go into building a device like this.
Thank you for the detailed response and for taking my concerns seriously; it's a refreshing attitude in a world where many tech companies just sweep security issues under the carpet. Despite the teething software issues, I really enjoy the Cosmo and I can't wait to see it get better - I'm especially excited for the release of multi-boot so that I can experiment with OSes more.
Kind regards,
Ash
-
There is one interesting development in this area which I only noticed today (as I had the SystemFota app disabled): Digitime have sent my Cosmo a new 'worker' package, which removes all of its functionality and leaves an empty shell. The code files in it are dated the 4th December 2019 (two days after my initial email to Planet Computers), whereas the other workers are all dated months/years older. The timing makes me wonder: did they suddenly do this in an attempt to save face after an enquiry from PC?
From my understanding, this doesn't actually disable their control over the device, as the 'boot' package (which is baked into the Android ROM's SystemFota.apk) still checks home regularly, and has the ability to download a new worker if Digitime changes their mind. This is all device-specific, so in theory, Digitime could for example decide to send a malicious code package to IP addresses connecting from certain countries, and this empty shell to IP addresses connecting from the UK (like you and I).
I have also experimented by sending requests to their server with the IDs of other known devices. If I pretend to be a Gemini, I get the regular worker that I started with on the Cosmo - not the empty shell that the Cosmo now has. If I pretend to be a Gretel A7, I get a newly built version of that worker, with a different version number, dated the 5th December 2019 - which furthers my suspicions that Digitime are trying to cover their tracks after this exposure.
It would be interesting to extend your testing as you suggested to other regions to see if there is a difference in 'workers' sent to different regions. Could you put up some quick instructions on how others could do such a test?
I've run your python script from the December 1 post, output is below. I am not up to the task of interpreting this response; I am in the US.
(b'3T',
b'\x00\x01',
b'{"state":0,"gen":{
"is_gdpr":1,
"state_device":1,
"phone_id":"200109EC110001186199",
"auth_priv":0,
"auth_level":0,
"interval_hour":0,
"path2":"",
"project_id":"FTPRO16945",
"count_succ":31,
"path1":""
}
}')
-
That's awesome Ninji! Nice work!
-
I disagree; I'm certain that there is malevolent intent on Digitime's part. Why would they go so far to hide it, otherwise?
You may very well be right. I was using Hanlon's razor, roughly "do not attribute to malice that which can be adequately explained by folly". Say management once ordered these capabilities for semi-reasonable purposes, neither seeing the slippery slope nor how it could come back to bite them, but the developer(s) did, and tried to hide things. Either way, it probably means Digitime should be replaced and, if not feasible, that they need to stay under close scrutiny. Thanks again Ninji for digging through all of this muck.
-
Woohoo! Thanks for all the detective work on this. I am also relieved/glad that Planet isn't sweeping it under the rug.
-
So, amusingly, Digitime have now even taken down their websites. Caught red-handed??
I can confirm that the next Cosmo firmware update removes all the backdoors, both local and remote. I think Planet may also be shifting away from Digitime in the long term, but regardless of that, the changes in the next update get rid of Digitime's ability to download arbitrary code and applications, so the app behaves like the legitimate updater it purported to be all along.
(While in theory, Digitime could push a rogue update through it, the Android recovery system will reject OTA packages that are not signed with the manufacturer's certificate and private key, so unless they got hold of those keys, that should not be possible...)
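The trust anchor this post relies on is the set of OTA signing certificates the device ships in `/system/etc/security/otacerts.zip`, which recovery uses to check the package's whole-file signature. The script below is an added example, not from the thread, that does a cheaper triage step: it compares the certificate an OTA package carries in `META-INF/com/android/otacert` against the fingerprints in a pulled `otacerts.zip` (`adb pull /system/etc/security/otacerts.zip`). A mismatch means recovery will refuse the package; a match only says the package claims a trusted signer, it is not a signature verification, so treat it as a first filter. The zip entry names are the standard ones; the PEM blobs used by the built-in self-test are constructed dummies, not real certificates.

```python
"""Compare the certificate embedded in an OTA zip with the device's trusted OTA
certs by SHA-256 fingerprint (added example, not from the thread)."""
import base64
import hashlib
import io
import re
import sys
import zipfile
from typing import Dict, List, Set

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OTACERT_ENTRY = "META-INF/com/android/otacert"  # where signapk places the signer cert

# Constructed dummy "certificates" for the self-test: valid base64, not real X.509.
SAMPLE_CERT_A = b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
SAMPLE_CERT_B = b"-----BEGIN CERTIFICATE-----\nAAAB\n-----END CERTIFICATE-----\n"


def pem_to_der(data: bytes) -> List[bytes]:
    """Decode every PEM certificate block in data; empty list if none found."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(data)]


def fingerprints(ders: List[bytes]) -> Set[str]:
    """SHA-256 fingerprint of each DER blob, hex encoded."""
    return {hashlib.sha256(d).hexdigest() for d in ders}


def trusted_fingerprints(otacerts_zip: bytes) -> Set[str]:
    """Fingerprints of every cert in otacerts.zip (PEM entries, DER fallback)."""
    fps: Set[str] = set()
    with zipfile.ZipFile(io.BytesIO(otacerts_zip)) as z:
        for name in z.namelist():
            data = z.read(name)
            fps |= fingerprints(pem_to_der(data) or [data])
    return fps


def package_fingerprints(ota_zip: bytes) -> Set[str]:
    """Fingerprint(s) of the cert the OTA package carries; empty if absent."""
    with zipfile.ZipFile(io.BytesIO(ota_zip)) as z:
        if OTACERT_ENTRY not in z.namelist():
            return set()
        data = z.read(OTACERT_ENTRY)
    return fingerprints(pem_to_der(data) or [data])


def package_cert_is_trusted(ota_zip: bytes, otacerts_zip: bytes) -> bool:
    """True only if the package carries a cert and every such cert is trusted."""
    pk = package_fingerprints(ota_zip)
    return bool(pk) and pk <= trusted_fingerprints(otacerts_zip)


def make_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {name: content}; used for the self-test."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) == 3:
        ota = open(sys.argv[1], "rb").read()
        certs = open(sys.argv[2], "rb").read()
        print("package cert trusted:", package_cert_is_trusted(ota, certs))
    else:
        trusted = make_zip({"releasekey.x509.pem": SAMPLE_CERT_A})
        good = make_zip({OTACERT_ENTRY: SAMPLE_CERT_A, "payload.bin": b"x"})
        bad = make_zip({OTACERT_ENTRY: SAMPLE_CERT_B})
        print("self-test good:", package_cert_is_trusted(good, trusted))
        print("self-test bad:", package_cert_is_trusted(bad, trusted))
```

Usage: `python otacheck.py update.zip otacerts.zip`; with no arguments it runs the self-test on the constructed blobs. If a vendor ever rotated keys without updating `otacerts.zip`, this check would flag the new packages just as recovery would reject them.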
-
I can confirm that the next Cosmo firmware update removes all the backdoors, both local and remote. I think Planet may also be shifting away from Digitime in the long term, but regardless of that, the changes in the next update get rid of Digitime's ability to download arbitrary code and applications, so the app behaves like the legitimate updater it purported to be all along.
I'm sort of glad that I hadn't received my device yet (despite being locked since before Christmas). I just would have hoped that they would have given info on this immediately as an update either on support site or in Indiegogo.
At least we now have a confirmed Brexit with a deal so no customs duties will get tacked on even if the shipping date slips all the way to February.
-
I can confirm that the next Cosmo firmware update removes all the backdoors, both local and remote.
Would you be able to confirm that for updates targeted to different regions than yours?
-
So good to hear PC takes this seriously and is willing to deal with it in the next(?) firmware update. --- @Ninji, I can't speak in the name of every Cosmo owner, but I feel like every one of us owes you at least a cup of coffee or glass of beer. Without any intention to insult anyone or to break any rules of this forum, I suggest you put your PayPal or crypto address in your signature or something, if you feel like it... Thank you anyway.
-
I disagree; I'm certain that there is malevolent intent on Digitime's part. Why would they go so far to hide it, otherwise? The code is obfuscated, the server URLs used by the malware component use domains like 'flurrydata.com' and 'facebook-3rd.com' in an attempt to look like legitimate services, and moreover, today I discovered that Digitime actually pushed some new worker packages just 2-3 days after my email to Planet - a new empty feature-less one for the Cosmo, and a new build of the standard version for the Gretel A7.
I'll have to color myself a bit skeptical of being overtly malevolent. More likely this is encouraged by intelligence agencies in China. They're not all that likely to think they can successfully target interesting European or US people. Likely their main target is surveillance of Chinese citizens. If the code leaks to the wider world, they may not be all that worried and will happily gather information from whomever ends up with an appropriately contaminated device.
-
Would you be able to confirm that for updates targeted to different regions than yours?
As far as I know the updater used in every region is exactly the same, so this should affect all Cosmo units. (Are there even region-specific Cosmo ROMs?)
That is and has always been under Planet's control; they receive a package containing the updater APK and then incorporate it into the ROM. I highly doubt they would want to keep a backdoored updater in for any devices - in my communications with Planet, they were very adamant that they wanted to get rid of it ASAP. The reason I can confirm this is because they actually allowed me to examine the new updater just to make sure Digitime were not pulling a fast one on them.
I'm a bit disappointed they've not made any public comment yet, especially considering they promised an update on Indiegogo before the end of the week and it is now Monday. Hopefully we will hear something soon.
So good to hear PC takes this seriously and is willing to deal with it in the next(?) firmware update. --- @Ninji, I can't speak in the name of every Cosmo owner, but I feel like every one of us owes you at least a cup of coffee or glass of beer. Without any intention to insult anyone or to break any rules of this forum, I suggest you put your PayPal or crypto address in your signature or something, if you feel like it... Thank you anyway.
I'd be fearful of coming across as just wanting money because that's not the case - I do things like this for fun and for the betterment of the software/hardware I use, not to make money. If anyone really wants to throw a pound or two at me then I have some links on my website's homepage, but please don't feel obligated to!
I'll have to color myself a bit skeptical of being overtly malevolent. More likely this is encouraged by intelligence agencies in China. They're not all that likely to think they can successfully target interesting European or US people. Likely their main target is surveillance of Chinese citizens. If the code leaks to the wider world, they may not be all that worried and will happily gather information from whomever ends up with an appropriately contaminated device.
It could probably be used for that purpose, but all the evidence I've seen so far points to Digitime just using it to install adware. One of the APKs I found, distributed through their CDN, just sits in the background and occasionally opens up ads sourced from an obscure domain (omuchain[.]com) that just so happens to be registered with the same false WHOIS info as one of their corporate domains (qimingiot[.]com).
Of course, all we can do is speculate about their motives - they're a secretive business based in China that only deals with other businesses, most of which also seem to be based in China. I would for sure like to know what they are, but I don't know if I'll ever find out.
(Speaking of, today is the 6th day of all their public-facing websites being entirely dead...)