Phones Backdoored By The FBI Are Being Sold To Unsuspecting People Just Wanting A Cheap Replacement Device
from the retooling-the-tools-of-the-trade dept
Now that it's been revealed the FBI -- along with an unnamed conspirator linked to encrypted phone development -- created a honeypot device to harvest communications between suspected criminals, the backdoored devices are making their debut in the (non-criminal) public domain.
Following the exposure of the FBI-created "Anom" chat service -- a backdoored service placed on secure phones supposedly only sold to members of large criminal organizations -- multiple law enforcement agencies announced the arrest of dozens of suspected criminals. The devices, however, are still out there. And they're showing up on classified ad sales sites and potentially suckering in people just looking for a cheap Android device.
Whatever the price is, you're getting screwed, as Joseph Cox reports for Motherboard.
Unlocking the Google Pixel 4a with a PIN code reveals some common apps: Tinder, Instagram, Facebook, Netflix, and even Candy Crush. But none of those apps work, and tapping their icons doesn't do anything. Resetting the phone and typing in another PIN opens up an entirely different section of the device, with a new background and new apps. Now in place of the old apps sit a clock, a calculator, and the device's settings.
Clicking the calculator doesn't open a calculator—it opens a login screen.
The devices have a sole purpose: to enable secure chats between owners of these devices. Their original usefulness was subverted by law enforcement agencies able to intercept the compromised communications. Now that they're ostensibly free of law enforcement meddling, they're equally useless. The only option is a chat app known to be a honeypot for law enforcement investigators. Whether or not they're still being monitored no longer matters. That the service itself is compromised makes it an untenable option.
If you want a phone that doesn't do phone stuff, these pre-compromised devices are an option, I guess.
"I bought this phone online, for ridiculously low price, now I understand why," that second person said. That person also provided Motherboard with photos and a video of their device. In that case, the Anom login screen appeared inaccessible, but other settings such as the decoy PIN code remained. "Probably this phone was used by some drug dealer :D," they said.
Hobbyists and other developers are trying to help people who've purchased phones that do nothing more than offer them the opportunity to share their communications with law enforcement agencies around the world. If they can get them to work like other Android devices, purchasers may find themselves with potentially more secure devices once they abandon the Anom app crafted by FBI agents.
There appears to be no way to activate location tracking (or turn it off, for that matter), suggesting these phones do not harvest this data. A built-in option allows for PIN scrambling that randomly rearranges digits to defeat shoulder surfing when detained perps input their passcodes. Users can also set up a wipe code that will wipe the device from the lockscreen or perform this task automatically if the phone is not logged into after a certain amount of time. This feature can be accessed from the status bar, making it ideal for quick deletion of incriminating content.
But those features can only be trusted if one assumes the limited OS is not also compromised. Given what we know about the built-in chat service, only the ignorant would assume any of these features would actually prevent investigators from recovering data.
So, if you're in the market for a pre-compromised phone, there are options out there. But most people looking for a cheap phone aren't going to be happy with the limitations of this device and even less so when they discover these are little more than an investigational tool for law enforcement agencies around the world.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: anom, backdoors, doj, fbi, honeypots, resale market, used phones
Reader Comments
Subscribe: RSS
View by: Time | Thread
As far as I understand, these phones are essentially paperweights: the settings were disabled in the UI not because the capabilities were disabled, but so that criminals couldn't identify that they were being tracked. The FBI also locked the bootloader so that you can't re-flash the phones with a different OS. Essentially, the only thing these phones will do is allow a user to log in to the FBI-hosted Anom chat service where they can chat with other Anom users (others who bought these dumped phones and drug dealers who aren't paying attention).
[ link to this | view in thread ]
Re:
No, no... I imagine that in the hands of a dedicated forensic analyst, one of these phones could say a lot about law enforcement techniques, honeypot servers, and phone pwnership.
And hey, Anom. For the discerning troll.
[ link to this | view in thread ]
I want one!
The FBI will be so bored, they will pay me to give it back.
[ link to this | view in thread ]
Those phones were only designed to be bought by drug dealers and criminal gangs who thought they were totally secure but were actually sending all data to a server which was being monitored by interpol
and dutch police.
eg those phones were part of a honeypot,surveillance network.
buying one of those phones will likely bring you to the attention of police
if its connected to wifi or a 4g network.
[ link to this | view in thread ]
Like our phones aren't already?
[ link to this | view in thread ]
Re:
"Like our phones aren't already?"
Well...yes, but then again, no. We trust third parties with significant insight and power over the most intimate details of our lives every day. The post office, census bureau, DMV and IRS (or non-US equivalents) stand out as government squids right into our private lives.
ISP's, Telcos, Banks, Messenger Services, lawyers, credit checking services, security companies and online retailers stand out as the private sector obtaining massive amounts of highly personal information.
A phone OEM is just one more.
The only problem I see with that is that out of those only banks and legal services are really under serious confidentiality regulation. For the rest, good faith must apply. Caveat Emptor.
However, when law enforcement enters the retail market with the sole motive to spy on customers "buyer beware" takes on a whole new dimension of risk awareness. I have yet to hear of a single police force which didn't abuse the hell out of secret intelligence gathering in order to make the investment look good upstairs - even if they had to go on fishing expeditions and start harrassment campaigns to show they're trying to earn their keep.
[ link to this | view in thread ]
If it's online, it's hackable. Don't let anybody $ell/tell you otherwise.
[ link to this | view in thread ]
Potential?
I’m not following completely:
If these are full phones that have been flashed over with government software,
Couldn’t you just do a full diagnostic level reflags and restore your hr phone?
Not advocating blind sales but for people like me who don’t really care, a previously compromised flagship phone for $20 is worth it to me. If it’s said up front.
What are they going to do, look at funny pet pictures? Dr appointments.
Random “hi” texts.
Hey, you want boredom have at it yall.
Seriously though, again, if these are full phones a tech could just do a reinstall.
[ link to this | view in thread ]