SMS involves inherent security risks

RESOLVED WONTFIX

Status

Firefox OS
Gaia
RESOLVED WONTFIX
4 years ago
3 months ago

People

(Reporter: WDM, Assigned: Martin Kurze)

Tracking

({privacy})

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

4 years ago
Impact: SMS is cleartext, to so the location feature involves transmitting the users location in cleartext over the SMS network. 

Fix: Without prior authentication there isn’t much we can do to protect geolocation data
(Reporter)

Updated

4 years ago
Status: NEW → ASSIGNED
(Reporter)

Updated

4 years ago
Blocks: 1083953

Comment 1

4 years ago
True, Sure but thats the risk a user would take in order to localize the phone. 

If we really need to be that protective we can add a warning while turning the feature on. However, I believe that then we should set the same warnings in the SMS app - saying that anyone can intercept your discussions. 

And its not users location that it is transmitted but his phone. So actually apart from the moment when he finally finds it - there is little risk here that I see.
Flags: needinfo?(wmathanaraj)
(Reporter)

Comment 2

4 years ago
paul/frederik - do you find this is acceptable for us? I think there is a valid logic in Marta's description above.
Flags: needinfo?(wmathanaraj) → needinfo?(fbraun)
It's just a shame that we have a pre-shared password that could be used as a cryptographic key, but can't make any use of it (it would require support in the phone that you are borrowing from a friend to locate your device).

So I guess this is WONTFIX, unless Paul disagrees.
Flags: needinfo?(fbraun)
(Reporter)

Comment 4

4 years ago
lets get paul's confirmation when he is back on earth in 10 hours in Sydney
Flags: needinfo?(ptheriault)
(In reply to marta from comment #1)
> True, Sure but thats the risk a user would take in order to localize the
> phone. 
> 
> If we really need to be that protective we can add a warning while turning
> the feature on. However, I believe that then we should set the same warnings
> in the SMS app - saying that anyone can intercept your discussions. 
> 
> And its not users location that it is transmitted but his phone. So actually
> apart from the moment when he finally finds it - there is little risk here
> that I see.

Maybe warning is a little strong - some explanation on what the difference is between FindMyDevice might be good though? I'll think about it on the plane.
(In reply to Paul Theriault [:pauljt] from comment #5)
> (In reply to marta from comment #1)
> > True, Sure but thats the risk a user would take in order to localize the
> > phone. 
> > 
> > If we really need to be that protective we can add a warning while turning
> > the feature on. However, I believe that then we should set the same warnings
> > in the SMS app - saying that anyone can intercept your discussions. 
> > 
> > And its not users location that it is transmitted but his phone. So actually
> > apart from the moment when he finally finds it - there is little risk here
> > that I see.
> 
> Maybe warning is a little strong - some explanation on what the difference
> is between FindMyDevice might be good though? I'll think about it on the
> plane.

No revelations I'm afraid - that's about all i can suggest.
Flags: needinfo?(ptheriault)

Comment 7

4 years ago
How would we explain? It has a different name, exactly for that reason - it is Remote Privacy Protection. And also - still I don't see the exact security risk. We assume that the user is detached from his phone, when he requests to locate it
Flags: needinfo?(ptheriault)
(In reply to marta from comment #7)
> How would we explain? It has a different name, exactly for that reason - it
> is Remote Privacy Protection. And also - still I don't see the exact
> security risk. We assume that the user is detached from his phone, when he
> requests to locate it

Assuming that it is the user using the feature. The point is, FMD is a more secure solution. Personally its not clear to me why we are implementing a less secure feature, but that aside, should we not at least inform the user about the security trade offs that they are making when choosing to find their phone via SMS  vs finding their phone via FMD ? Maybe we just need a page in the guided tour to explain the two features, and why you might use one over the other?
Flags: needinfo?(ptheriault)

Comment 9

4 years ago
Can we get some kind of conclusion here? I feel like we are not going anywhere, and we would like to proceed with the development. 
Paul, Wilfred please tell us what to do - we are perfectly open to everything but we need a final decision.
Flags: needinfo?(wmathanaraj)
Flags: needinfo?(ptheriault)
What do you think about what I suggest in comment 7?

To me, the issue is clear: we have two different features, both which perform the same function. One of these features use secure communication channels but requires a Firefox account. The other doesn't need an account, but has security trade offs. If we are going to have both in the product I think we need to at least alert users to the difference, and explain why you would use one over the other, as I said in comment 7.

Maybe this is basically the same bug as 1083789, but that bug has been marked as wontfix.
Flags: needinfo?(ptheriault)

Updated

4 years ago
Blocks: 1088565

Updated

4 years ago
No longer blocks: 1088565

Comment 11

4 years ago
We are having timing problems to add anything into the GT - this requires hiring an illustrator and so on. Will discuss it later with the UI team. Most happily would move it under the PPv2.0 bug that is 1088565. Would that be acceptable?
Flags: needinfo?(ptheriault)
(Reporter)

Comment 12

4 years ago
We did have an extensive review here from the UX team and we involved the FDM UX team to provide feedback - the feature as such I still feel is acceptable, given our agreements, to exist in PP v1.0 in parallel without any further warnings.

We can think of better ways to inform users between the different solutions. Paul could you live with this coming in next revision of Privacy Panel?
Flags: needinfo?(wmathanaraj)
Yeh sure - as with all the of the bugs that I raised (apart from the SMS-costing-money one), they were all intended as feedback to inform the next revision.
Flags: needinfo?(ptheriault)
Adding privacy keyword.
QA Whiteboard: [QAnalyst-Triage?]
Flags: needinfo?(pbylenga)
Keywords: privacy
QA Whiteboard: [QAnalyst-Triage?] → [QAnalyst-Triage+]
Flags: needinfo?(pbylenga)

Comment 15

3 months ago
Firefox OS is not being worked on
Status: ASSIGNED → RESOLVED
Last Resolved: 3 months ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.