NitroKey disappoints me (opens in new tab)

(blog.brixit.nl)

279 pointscunidev2y ago66 comments

66 comments

Maybe NitroKey are surfacing something useful and potentially concerning, but they way they do it is so cheap that it completely turns me off their brand. It’s a bunch of negativity-hype with a “so buy our phone” tacked on.

If you handed a Nitrophone to any competent security researcher, I bet they’d find a ton of issues. Same with the NitroKey; that feature list is far too extensive to not have issues.

_rdvw2y ago

> surfacing

IZAT NLP concerns have been known for many years now, my DivestOS hasn't included it for 6+ years: https://gitlab.com/divested-mobile/divestos-build/-/commit/a...

flangola72y ago

Aren't Nitrophones just rebranded GrapheneOS Pixels?

kornhole2y ago

Yes they provide the service of flashing GrapheneOS onto a Pixel for people who are not confident enough to do it themselves. I think they kick back some of the revenue to the GrapheneOS project. It is a needed service for people who want the most secure, private, yet functional phone but not the hassle of setting it up.

1 more reply

at-fates-hands2y ago

I remember seeing a pen-test that was done way back in the mid aughts that identified a bunch of vulnerabilities. It was so long ago, I wonder if they were mitigated or just given lip service.

EDIT: I found it. Pretty interesting read: https://cure53.de/pentest-report_nitrokey.pdf

This penetration test against the Nitrokey Storage firmware, as well as the Nitrokey desktop app, was performed by a team of three penetration-testers and took eleven days in total to complete. The test is part of a larger series of security assessments. In later phases, security-focused assignments will include tests against the hardware itself, alongside detailed look into other models of the Nitrokey and its accompanying applications and tools.

DANmode2y ago

So everyone is considering the same points: are you saying this in knowledge of their published audits?

wepple2y ago

I am

Edit: to elaborate, I think it’s great that they published audits, that should be a minimum baseline but in fact it’s a fairly rare thing at this point. Also Cure53 are no joke, they have some great people who generally do good work.

That said, having spent a decade doing security assessments in a past life, they’re point in time and always have a particular scope and are time-limited. A researcher or adversary has more time, a broader (infact infinite) scope, and lacks a lot of the restrictions of a formal security assessment.

ksec2y ago

I am just sad with the modern era of marketing and PR.

hammyhavoc2y ago

It's been this way for decades, and we thought it was tacky even back then.

dang2y ago

Related ongoing thread:

Smartphones with Qualcomm chip secretly send personal data to Qualcomm - https://news.ycombinator.com/item?id=35698547 - April 2023 (263 comments)

s1k3s2y ago

I've criticized the original article for lack of information here: https://news.ycombinator.com/item?id=35698547#35703662

However, this blog post takes it too far:

> It proceeds to not show the contents of this HTTP request because it would show that it's not at all interesting. It does not contain any private data.

You don't know that, nor do you take any steps to actually prove your claim. This blog post is just as bad as the original post for not providing any evidence to your claims.

To add to that: OP seems to summarize the HN comments section without even citing it.

I'm double disappointed :)

MartijnBraam2y ago

I have not even seen the HN comment section before writing this post

kotaKat2y ago

Also to mention... A-GPS is extremely crucial to the underpinnings of the e911 system. Having rapid fixes means quicker positioning data being sent over the wire to the 911 center.

joecool10292y ago

It helps, it's not extremely crucial. There are other methods that don't require the handset's cooperation:

- https://www.mpirical.com/glossary/lmu-location-measurement-u...

- https://www.etsi.org/deliver/etsi_ts/136100_136199/136111/11...

stingrae2y ago

all these methods aren't super reliable. The combination of all of them is required for what people have come to expect from GPS.

stingrae2y ago

Also people want GPS to work seamlessly in locations where GPS is unreliable. Dense urban canyons, inside big buildings and a myriad of other locations. AGPS is absolutely necessary for this.

Without this, people will wonder why the phone's "GPS" is bad (it takes a long time to get position and it is inaccurate in many cases).

dchest2y ago

The author didn't address the list of things the devices allegedly sent when downloading A-GPS files, from the original article:

1. Unique ID

2. Chipset name

3. Chipset serial number

5. XTRA software version

6. Mobile country code

7. Mobile network code (allowing identification of country and wireless operator)

8. Type of operating system and version

9. Device make and model

10. Time since the last boot of the application processor and modem

11. List of the software on the device

12. IP address

not2b2y ago

The author claims that none of the above information is actually sent, other than the IP address which is unavoidable to download a static file. I don't know who is right because I haven't seen the actual intercepted HTTP traffic.

iudqnolq2y ago

It is odd that neither article quotes from the policies linked from the domain they're talking about.

I think the relevant section is "Qualcomm GNSS Assistance Service" on https://www.qualcomm.com/site/privacy/services

> The Qualcomm GNSS Assistance Service downloads to your device a data file from QTI containing the predicted orbits of the Global Navigation Satellite System (GNSS) satellites. The Qualcomm GNSS Assistance Service also uploads a small amount of data to us comprised of: a randomly generated unique software ID that is not associated to you or to other IDs, the chipset name and serial number, the Qualcomm GNSS Assistance Service software version, the mobile country code(s) and network code(s) (allowing identification of country and wireless operator), the type of operating system and version, device make and model, the date and time of connection to the server, the time since the last boot of the application processor and modem, and a list of QTI software on the device.

> As with any internet connection, we will also receive the IP address the device used to send us data. We use the data we collect to evaluate, maintain, and improve the performance of our systems and to determine general location (but not specific geolocation). We do not sell (as that term is defined under the California Consumer Privacy Act) the full IP address, unique software ID, or chipset serial number, and we share personal data only under the limited circumstances described in this Policy.

2 more replies

MartijnBraam2y ago

That's not a list of things allegedly sent. That's a list the lawyers put in a legal document to not get sued in case it happens.

flas9sd2y ago

a-gps/supl ("xtra"?) and qcoms izat api (in-building location services using indeed accesspoint info) are mixed in both HN threads. If izat triggers in customroms and sends plain http needs to be shown, but the .so libs are on device firmware partitions if not actively deleted. On older devices lineage mounts them unmodified from stockrom into /vendor/

WirelessGigabit2y ago

Well, a device can get the time via GPS only.

If for whatever reason the system's time is just SO wrong then there's a change the HTTPS connection might fail because of certificate not valid yet / expired.

For this I think it's OK for it to be served over HTTP.

smileybarry2y ago

It also allows for transparent carrier caching, might even be why it's HTTP in the first place.

WirelessGigabit2y ago

But is this a file that you want to have cached?

Honest question! Not sure how often this is updated.

1 more reply

yellowapple2y ago

Reminds me of your typical "Windows support" impersonator telling people to look at all the spooky errors and warnings in Event Viewer and "all I need is for you to install this remote access tool and I can fix all your problems for you".

magicalhippo2y ago

Was just looking at NitroKey after realizing my SoloKey v2[1] won't come for yet another few months.

Given that they use similar firmware, the headline scared me a bit. However the article is about their marketing of an entirely different device, not their new Yubikey replacement.

The wait continues... not super-surprised though, crowd funding hardware is super-risky and I knew that.

[1]: https://solokeys.com/

atoponce2y ago

I was very disappointed in that Kickstarter. Yubikey ran a 54% off discount May 4th last year and not knowing when I would get my v2 SoloKeys, I purchased two. I had them within the week and have since integrated them into all my accounts.

I debated backing out of the Kickstarter as the Yubikeys were working so well for me, but decided to stick with it and see what the SoloKey experience would be like. Yeah, disappointing. I ordered USB-A and USB-C keys. The USB-A key doesn't make a good connection with the USB port. It needs to be carefully held to register with the OS, otherwise it doesn't get power.

fsflover2y ago

Why not try Librem Key (which is rebranded NitroKey with free firmware)?

ibotty2y ago

I guess I was very lucky to get my solokey v2s a few month ago. I do like them. I am a bit disappointed that they have problems for other backers.

toastal2y ago

There's OnlyKey. Mine have been fine.

lifeisstillgood2y ago

So, presumably if I bought one of their phones and turned it on, I would wait ten minutes to get a GPS fix instead of it using a almanac and working out the lat and long of three cell towers at certain signal strength?

Does anyone know if it's possible to get at this info from user side ? Some API access? sounds fun

MartijnBraam2y ago

You don't even need the cell towers. You need _very_ good gps reception though, so outside without tall structures nearby. Then you have the issue that you need to keep the GPS active enough to keep the almanac updated. Which is usually not happening due to power management.

snvzz2y ago

IP packets should not be sent or received behind our backs, and certainly firmware should not be bypassing the operating system to do this.

Whether it is useful for A-GPS does not matter. It must be done on top of the operating system or not done at all.

wepple2y ago

> IP packets should not be sent or received behind our backs

I like this idea in principle, but I have bad news for you if you ever want to own literally any modern device - phone, laptop, tablet, car, TV, rice cooker etc

The only solution is some kind of network-level allowlisting which would be impossible to maintain, and stop working the second you’re outside a known network (ie LTE)

MartijnBraam2y ago

This is not even done by firmware, it's just part of qualcomms android userspace.

snvzz2y ago

I see no reason why Android shouldn't handle A-GPS itself.

Qualcomm's userspace shouldn't be doing this.

1 more reply

charcircuit2y ago

This isn't happening behind your back. A-GPS isn't a secret feature in phones.

psychphysic2y ago

No! I want every single request my phone might make explained to me in advance!

2 more replies

biomcgary2y ago

Are A-GPS files tied to location or the same for everyone? Hopefully, the latter.

kotaKat2y ago

Static data for the entire system. A-GPS files are just a digital ephemeris[1], a form of trajectory tables for the satellites over (upcoming) time, so it knows when to expect certain satellites (and thus certain transponder frequencies to pick first in its search for signals to lock onto and triangulate from).

[1] https://en.wikipedia.org/wiki/Ephemeris

MartijnBraam2y ago

This is basically a copy of a signal broadcast worldwide by the GPS satellites. Just static data.

radicalbyte2y ago

You can transfer a lot of information in a request, it's one of the oldest tricks in the book.

Whilst I also had a bad taste in my mouth once I got to them shilling their product (it was a double-check - wait a sec this Nitro phone they're talking about it's their own bloody phone?) that doesn't change the fact that this unexpected behaviour is a problem.

What we need to see is the actual HTTP requests, either from Nitro or - even better - from a third party who verify it.

2 more replies

andrewaylett2y ago

A-GPS provides a current almanac, showing where all the satellites actually are. Without it, a cold start requires hunting for signals across a much wider range. As I understand it, older GPS receivers rely on finding a single satellite and waiting to acquire a full almanac from it while smartphones have enough compute to probably get a lock on multiple satellites without a complete dataset. The satellites will eventually broadcast the complete almanac and ephemerides, so a warm start shouldn't take as long.

D-GPS uses the known location and current readings from a nearby fixed receiver to increase the accuracy of your receiver, and does rely on knowing that you're in the vicinity, but it's not a feature of consumer phones.

VWWHFSfQ2y ago

I'm fairly sure they're just static files

amluto2y ago

How would the server even know the client’s location? By IP address? That would make GPS work poorly when using a VPN or a wireless network with unusual routing.

edit: y’all are reading this backwards. My point is that the Qualcomm server does not know the location of the client and therefore cannot usefully send anything other than a static file.

3 more replies

prince7072y ago

/e/OS answered at /e/OS answered at https://community.e.foundation/t/qualcomm-chipsets-data-coll...

dmbche2y ago

Straight, concise, clear and to the point.

Thanks!

fredgrott2y ago

Not to mention that AGPS is decades old by now. How many of you fell for the original article's narrative?

j / k navigate · click thread line to collapse

66 comments

wepple2y ago

If you handed a Nitrophone to any competent security researcher, I bet they’d find a ton of issues. Same with the NitroKey; that feature list is far too extensive to not have issues.

_rdvw2y ago

> surfacing

IZAT NLP concerns have been known for many years now, my DivestOS hasn't included it for 6+ years: https://gitlab.com/divested-mobile/divestos-build/-/commit/a...

flangola72y ago

Aren't Nitrophones just rebranded GrapheneOS Pixels?

kornhole2y ago

1 more reply

at-fates-hands2y ago

I remember seeing a pen-test that was done way back in the mid aughts that identified a bunch of vulnerabilities. It was so long ago, I wonder if they were mitigated or just given lip service.

EDIT: I found it. Pretty interesting read: https://cure53.de/pentest-report_nitrokey.pdf

DANmode2y ago

So everyone is considering the same points: are you saying this in knowledge of their published audits?

wepple2y ago

I am

ksec2y ago

I am just sad with the modern era of marketing and PR.

hammyhavoc2y ago

It's been this way for decades, and we thought it was tacky even back then.

dang2y ago

Related ongoing thread:

Smartphones with Qualcomm chip secretly send personal data to Qualcomm - https://news.ycombinator.com/item?id=35698547 - April 2023 (263 comments)

s1k3s2y ago

I've criticized the original article for lack of information here: https://news.ycombinator.com/item?id=35698547#35703662

However, this blog post takes it too far:

> It proceeds to not show the contents of this HTTP request because it would show that it's not at all interesting. It does not contain any private data.

You don't know that, nor do you take any steps to actually prove your claim. This blog post is just as bad as the original post for not providing any evidence to your claims.

To add to that: OP seems to summarize the HN comments section without even citing it.

I'm double disappointed :)

MartijnBraam2y ago

I have not even seen the HN comment section before writing this post

kotaKat2y ago

Also to mention... A-GPS is extremely crucial to the underpinnings of the e911 system. Having rapid fixes means quicker positioning data being sent over the wire to the 911 center.

joecool10292y ago

It helps, it's not extremely crucial. There are other methods that don't require the handset's cooperation:

- https://www.mpirical.com/glossary/lmu-location-measurement-u...

- https://www.etsi.org/deliver/etsi_ts/136100_136199/136111/11...

stingrae2y ago

all these methods aren't super reliable. The combination of all of them is required for what people have come to expect from GPS.

stingrae2y ago

Also people want GPS to work seamlessly in locations where GPS is unreliable. Dense urban canyons, inside big buildings and a myriad of other locations. AGPS is absolutely necessary for this.

Without this, people will wonder why the phone's "GPS" is bad (it takes a long time to get position and it is inaccurate in many cases).

dchest2y ago

The author didn't address the list of things the devices allegedly sent when downloading A-GPS files, from the original article:

1. Unique ID

2. Chipset name

3. Chipset serial number

5. XTRA software version

6. Mobile country code

7. Mobile network code (allowing identification of country and wireless operator)

8. Type of operating system and version

9. Device make and model

10. Time since the last boot of the application processor and modem

11. List of the software on the device

12. IP address

not2b2y ago

iudqnolq2y ago

It is odd that neither article quotes from the policies linked from the domain they're talking about.

I think the relevant section is "Qualcomm GNSS Assistance Service" on https://www.qualcomm.com/site/privacy/services

2 more replies

MartijnBraam2y ago

That's not a list of things allegedly sent. That's a list the lawyers put in a legal document to not get sued in case it happens.

flas9sd2y ago

WirelessGigabit2y ago

Well, a device can get the time via GPS only.

If for whatever reason the system's time is just SO wrong then there's a change the HTTPS connection might fail because of certificate not valid yet / expired.

For this I think it's OK for it to be served over HTTP.

smileybarry2y ago

It also allows for transparent carrier caching, might even be why it's HTTP in the first place.

WirelessGigabit2y ago

But is this a file that you want to have cached?

Honest question! Not sure how often this is updated.

1 more reply

yellowapple2y ago

magicalhippo2y ago

Was just looking at NitroKey after realizing my SoloKey v2[1] won't come for yet another few months.

Given that they use similar firmware, the headline scared me a bit. However the article is about their marketing of an entirely different device, not their new Yubikey replacement.

The wait continues... not super-surprised though, crowd funding hardware is super-risky and I knew that.

[1]: https://solokeys.com/

atoponce2y ago

fsflover2y ago

Why not try Librem Key (which is rebranded NitroKey with free firmware)?

ibotty2y ago

I guess I was very lucky to get my solokey v2s a few month ago. I do like them. I am a bit disappointed that they have problems for other backers.

toastal2y ago

There's OnlyKey. Mine have been fine.

lifeisstillgood2y ago

Does anyone know if it's possible to get at this info from user side ? Some API access? sounds fun

MartijnBraam2y ago

snvzz2y ago

IP packets should not be sent or received behind our backs, and certainly firmware should not be bypassing the operating system to do this.

Whether it is useful for A-GPS does not matter. It must be done on top of the operating system or not done at all.

wepple2y ago

> IP packets should not be sent or received behind our backs

I like this idea in principle, but I have bad news for you if you ever want to own literally any modern device - phone, laptop, tablet, car, TV, rice cooker etc

The only solution is some kind of network-level allowlisting which would be impossible to maintain, and stop working the second you’re outside a known network (ie LTE)

MartijnBraam2y ago

This is not even done by firmware, it's just part of qualcomms android userspace.

snvzz2y ago

I see no reason why Android shouldn't handle A-GPS itself.

Qualcomm's userspace shouldn't be doing this.

1 more reply

charcircuit2y ago

This isn't happening behind your back. A-GPS isn't a secret feature in phones.

psychphysic2y ago

No! I want every single request my phone might make explained to me in advance!

2 more replies

biomcgary2y ago

Are A-GPS files tied to location or the same for everyone? Hopefully, the latter.

kotaKat2y ago

[1] https://en.wikipedia.org/wiki/Ephemeris

MartijnBraam2y ago

This is basically a copy of a signal broadcast worldwide by the GPS satellites. Just static data.

radicalbyte2y ago

You can transfer a lot of information in a request, it's one of the oldest tricks in the book.

What we need to see is the actual HTTP requests, either from Nitro or - even better - from a third party who verify it.

2 more replies

andrewaylett2y ago

VWWHFSfQ2y ago

I'm fairly sure they're just static files

amluto2y ago

How would the server even know the client’s location? By IP address? That would make GPS work poorly when using a VPN or a wireless network with unusual routing.

edit: y’all are reading this backwards. My point is that the Qualcomm server does not know the location of the client and therefore cannot usefully send anything other than a static file.

3 more replies

prince7072y ago

/e/OS answered at /e/OS answered at https://community.e.foundation/t/qualcomm-chipsets-data-coll...

dmbche2y ago

Straight, concise, clear and to the point.

Thanks!

fredgrott2y ago

Not to mention that AGPS is decades old by now. How many of you fell for the original article's narrative?

j / k navigate · click thread line to collapse