Insights For Success

Strategy, Innovation, Leadership and Security

LTE

Karma releases an anonymizing hotspot

GeneralEdward KiledjianComment
KarmaBlack4-1.jpg

Open a magazine, newspaper, your local nightly news or almost internet blog, and you will be confronted with news about another security breach. Breaches, breaches everywhere. 

Concerned netizens are trying to find ways to protect themselves when online and to protect their privacy. In response, I have written a bunch of articles (such as):

The above reviews were VPN services, but what if you wanted a piece of hardware that was portable and could be used with any WIFI enabled device?

A new player in the hardware category is LTE WIFI Hotspot service provider Karma. 
Karma is releasing a new LTE hotspot (for the US market) called Karma Black LTE hotspot. This device costs $149 now (will go up to $249 after the January 15 pre-order closes). In addition to the initial cost, you will have to plunk down $20 a month for its security services. Karma promises to encrypt your internet traffic and to hide other privacy-invading markers like location, browser identifiers, etc. 

It looks like you will be able to use this service with your own WIFI networks (home, office, hotel, etc.) Karma is also promising to add additional features in the future like TOR, network antivirus, ad blocking and parental control. 

Capture.PNG

In addition to the monthly security service fee, you will have to spend more money if you want to use the device's LTE connectivity feature ($3/month + $10/GB on the "drift" plan). 

Is it worth it?

I have not had a chance to test the device so everything written here is based on the documentation. 
 

We wanted to create a product that allows consumers to feel protected while surfing the web. Karma Black is that product. Our users can freely consume internet content while knowing that no one is looking over their shoulders. Consumers do not want strangers listening to their phone calls… they deserve the same security from intrusion when going online.
— Todd Wallace, Karma Mobility CEO

I believe the goal is noble but the question is "should you spend $20 a month for this level of security?".

A technical user knows that sites, threat actors, and government intelligence agencies have multiple ways to identify and track users. Even with all of the security measures deployed by Karma in its Karma Black hotspot, there are fairly easy ways to identify and its track users [here is an article that talks about TOR deanonymization].

As an example, a site that uses TLS encryption (aka most sites these days) is able to set up a secure connection between your browser and its site. They can drop a supercookie in your browser then track you as you browse the web. Facebook and Twitter did this.

There is an easy to implement technique called browser fingerprinting that would allow an online actor to create a unique fingerprint for your machine using nothing more than the information your browser willingly hands over to any site that asks. You can test this yourself here

Using a secure tunnel (aka a VPN), Karma can mask your internet traffic from your local ISP but they can see where you are going. We know very little about what they log. VPN providers like TunnelBear have clear & easy to understand privacy policies. Tunnelbear has had independent audits to confirm that they are living up to their policies. ProtonVPN has a technology that they call SecureCore to prevent privacy breaches if any of their VPN termination endpoints are compromised. 

Unfortunately, there is insufficient information about how Karma Black is actually (technically) delivering these security services, and therefore I have to take every claim with a grain of salt. You can probably buy similar protection from the Invizbox for $190 (hardware plus 12 months of IP Vanish VPN service). You then use the Chrome browser with the uBlock Origin plug-in and you should have equivalent or better protection. 

Most security professionals will tell you tech is easy and that the biggest security weakness is the user. Users normally don't have good security hygiene and even the best security tools can easily be broken why careless users.

My professional recommendation would be to hold off buying one of these devices until a "real" security professional has a chance to test one in a lab and determine how good the security controls actually are. It is easy to mess it up and unintentionally leak metadata. So caveat emptor.

Do you need a dual-SIM smartphone?

GeneralEdward KiledjianComment
sim-card-1645646_1920.jpg

Do I need a dual-sim phone? The answer is probably not. Most people sign a carrier contract and live with that service for two years. 


There is a small niche group that could benefit from a dual-SIM phone, and this is an article for them. Who are these mythical "special" people:

  • users with a personal and professional mobile phone line that want to carry one phone
  • users that travel often and want to use a low-cost SIM in their destination
  • users that live in regions were carriers aren't national providers, and "good" coverage requires service from 2 providers (much of Asia)
  • users that can find low cost unlimited data-only SIM and want another SIM for voice calls and text messaging, 

Not all dual SIM phones are created equal. 

Categories of dual sim phones

Passive dual-sim phones

Passive dual-SIM phones can only use one of the SIM cards at a time which means the user can switch between SIMs using software or a physical switch. 

Standy dual sim phones

Standby dual sim phones (often with the MediaTek chipset) use both SIMs using time multiplexing. Anytime you start using one of the sims (to make a call, send a message or use data), the other SIM is ignored. If someone calls the second sim when the first one is "active", the caller would receive a busy signal.

Active dial sim phones

Active dual-sim phones are capable of using both sims simultaneously and typically have to IMEIs since the phones come equipped with two radios. 

and we continue...

Because things weren't complicated enough, there is also the concept of unequal connectors. Some phones will be passive or active dual sim but may only be able to support full speed 4G on the primary SIM while slowing down to 3G/2G for the second sim.

Some buys mistakenly assume you can leverage both SIMs simultaneously for doubly fast data connectivity. This simply isn't the case. Dual sim capable phones do not perform network bonding to allow dual network stream aggregation. 

When I upgraded my daily drive smartphone, I switched from an iPhone 6s Plus to a Note 8 dual sim. When not travelling, the second slot hosts my SD card, but when I travel, I will load my KnowRoaming SIM. 

I know several account executives that use dual sim phones (one with their personal sim and the other with their work one). This means they can carry one device yet send/receive messages from either. Even in Canada, I know people that use dual sim phones with low-cost fringe providers. They use these providers when in their home zone for cheap service but switch to a pay as you go national carrier when outside of their "home" coverage area.

My Note 8 SIM Manager

  • I can choose if both SIMs are active.
  • I can choose which service to use with which SIM by default (calls, texts, mobile data).
  • I can even ask the phone to confirm which SIM card to use before each call.
Screenshot_20171209-143213.jpg

Another important consideration

With carriers that support VoLTE (Voice over LTE) or VoWIFI (Voice over WIFI), this functionality is typically only supported on the primary SIM slot. Don't expect both to support VoLTE and VoWIFI. 

Where do I buy a dual sim phone?

Most North American phone models do not come in dual sim versions. The most common way to buy a dual sim phone is either from an importer or you have to import one from a region that sells these devices.

My 128GB dual sim Note 8 was imported from Hong Kong by a Montreal based smartphone importer called PDA Plaza (this is not an ad and is not a sponsored post). I was able to buy my dual sim phone cheaper than what I would have paid locally from Samsung, Bestbuy or my carrier.

There are many options to choose from including Samsung, LG, Asus, OnePlus, etc. Just make sure you check the specifications and ensure the device supports the dual sim model you are looking for.

Examples

Asus Zenphone 5

Screenshot 2017-12-09 at 2.47.49 PM.png

OnePlus 5T

Screenshot 2017-12-09 at 2.49.30 PM.png

Huawei Mate 10 Pro

Screenshot 2017-12-09 at 2.51.41 PM.png

Xiamo Red Mi dual sim

Screenshot 2017-12-09 at 2.53.39 PM.png

Skyroam Solis Review: a traveller's best friend?

GeneralEdward Kiledjian1 Comment
20171201_154043.jpg

I've been using a Skyroam hotspot for many years now and my 2 most popular blog posts (for the old device and service) are here: 

They recently upgraded their back-end service and global WIFI hotspot, and I wanted to test and review it for you. 

Solis is the latest version of the Global WIFI hotspot sold by Skyroam. For those new to this company, they offer a small portable global WIFI hotspot that works in 100+ countries, costs $10US a day for unlimited data and is activated on demand.
 
Although I had many complaints about the pass purchase process with the original product, their hotspot has been part of my every day (EDC) carry kit for three years now.

The Solis improves on its older brother in 2 days:

  • it now supports LTE speeds on countries were it is available (otherwise it drops down to 3G) 
  • it can now operate as a backup battery (in a pinch) to charge your mobile phone

Nice little intro video

I have had the Solis for several months and have already taken it on a US road trip. It is a well-built successor to the original Skyroad hotspot, but the world has changed.

When I started using the original Skyroam in 2014, my carrier didn't offer a global travel package, and it was a pay per megabyte type affair. It got very expensive very fast. Today my carrier offers a US travel package for $7 a day or a global package (in 80+ countries for $10 a day).

If all you need is access on one device, then your carrier package may be more advantageous since it is immediate and does not require any changes. But.... The Skyroam Solis offers coverage in more countries and can provide wonderful internet goodness to up to 5 devices simultaneously. 

In my case, I still rely on Solis or KnowRoaming when I travel since I know that they will offer service everyone for one set price and it is one less worry when I travel. 

The device

If you look at the above picture, the Solis is a beautifully visible shade of orange. It is made of plastic that should withstand the rigours of travel very well. If the battery does weaken, you can order a replacement from Skyroam.

20171201_155849.jpg

I find the Skyroam Solis much easier to carry than its competitors (including the Geefi).

20171201_160508.jpg

Using the device

You probably noticed that the device (unlike its older brother) doesn't have a screen. To manage the device, you turn it on and connect to it from your smartphone. You will then be presented with an information page showing signal, passes left, battery level, etc. To use the device "in the field", you turn it on then press the WIFI button on the top. This automatically applies one of your day passes and you get 24 hours of internet. It knows where you are and downloads a virtual SIM for the Skyroam partner in that country. 

You can travel to as many countries as you want during that 24-hour window. All you have to do when you switch countries is turn the unit off and back on. When it starts up, it will identify the local country and download the appropriate country SIM.

You could open the a.skyroam.com captive portal from any device with a browser but it is formatted for smartphones (will look odd on a laptop). Why isn't it responsive?

The Solis is charged with any USBC adaptor which is fantastic if you have a USB C smartphone and laptop. You can charge everything with one adapter.  They provide a mini USB-C to USB-A adapter so you can charge other devices from the Solis but I wouldn't recommend it. WIFI needs every little bit of juice in that battery. 

In my testing (in zones with good LTE coverage and with 1 device connected), I was able to eek out 10-14 hours of usage on a single charge. This number will drop if the wireless signal is weak and/or if you connect multiple WIFI devices to the hotspot. When I tested it with a Chromebook and a Note 8 smartphone, I still got 10 hours of solid use (usage was primarily web pages without heavy streaming).

The software is periodically updated which is a nice touch. I recommend you start the device and let it connect to your local home network (without using a pass) before travelling. If the device needs an update, better to do it now then at a foreign airport waiting for the 15 minute upgrade process to complete. 

How fast is the connection?

I will not post speed test results because that depends on the local carrier, congestion, etc. I will say that in my testing, the Solis achieved LTE speeds comparable to an iPhone 6s Plus. The Note 8 outperformed it with is carrier aggregation technology. 

There is an LTE cap of around 500MB in a 24 hour period. After this, they throttle the connection down to 2G. They claim that this isn't automatic and done to protect the experience for all customers, but I hit this limit consistently (for testing) and saw my speed drop to dial-up performance. At the lower throttled speed, even simple apps like Google Maps took forever to load, and GPS navigation became impossible. 

I understand the need to control their costs but wish there were a way to buy more LTE access if I needed it. 

What about security?

September 2016, I reached out to Skyroam and complained about major security gaps on their online pass purchasing website. After multiple attempts to responsibly disclose the issues (with no follow-up from Skyroam), I wrote an article about it. I am happy to report that the new version of their online portal has fixes all of the issues I previously reported.

What about the general security? It is as secure as your home internet connection. My standing recommendation is to use a VPN where/when possible. You can get a VPNUnlimited lifetime VPN subscription for 5-devices for $18 (promo link), so you have no excuses.

So should I buy a Skyroam Solis?

So the question you are asking yourself is "Should I buy the Solis?". There is no simple answer. If you used the old version, then the Solis is a wonderful upgrade. Every time I tried it, it worked flawlessly without a hitch. The cost is predictable, and I have a bunch of passes purchased ready to use when needed. 

If you are a European with an EU SIM travelling within the EU, you get free roaming anyway. If you are an American with one of those great TMobile plans with free global roaming, you probably don't need this device either. 

A Skyroam PR rep had said months ago that additional functionality would be unlocked on the device (like Bluetooth and GPS), but since they are not available today, I can't factor them in as a benefit. 

For everyone that travels more than twice a year (and doesn't have free roaming), you really should consider it. The best recommendation I can make is that I own one and carry it with me every day (even when in my home country). I will be travelling considerably over the next four months (within the USA and globally) and will be using this thing a lot. 

If you travel once a year and don't want to buy a Skyroam Solis, you can rent one directly from the company. They will mail it to you or you can pick it up (US pickup is available in San Francisco, Atlanta and Austin.)

The hidden dangers of using public WIFI

GeneralEdward KiledjianComment

There are plenty of reasons to love WIFI (over wireless). It's free, fast and usually reliable. Often times though, its not a WIFI network you control (think coffee shop, retail store, mall, fast food joint, etc). Sure WIFI is ubiquitous but most of it is controlled by someone else which means is could and should be considered a hostile environment.

WIFI is a hacker playground

Man In The Middle Attack

A Man In The Midle (MITM) attack is an oldie but goodie. It allows a third party to intercept your communication. If successfully performed, an attacker can present a fake "hacker version" of a site you are trying to visit in the hopes of infecting your machine or harvesting your credentials.

An innocent use of this technology is when a WIFI provider intercepts your web browsing request (when you first connect to their network) and injects a logon or terms acceptance page (captive portal). This is a benign use of the technology but bad actors can use this to inject malicious code to infect your computer or trick you.

What you should do: Ensure any site you visit requiring a login or requesting private information is using an encrypted SSL/TLS connection (aka the green lock icon in Chrome). Look for a URL that starts with https instead of just http. Make sure the lock icon is green. 

We are seeing more and more sites switch to encrypted https but many have not made the jump yet. You should also add a free browser plug-in called HTTPS Everywhere. It is a free plug-in developed by the Electronic Frontier foundation and the TOR project which automatically rewrites requests to the secure https protocol when supported by the site. 

Fake WIFI networks

This is a very easy to use trick that is successful any time I have tested it. I basically setup a very strong signal WIFI network with carefully chosen (trustworthy sounding names) that get users connecting to it and then I simply do what I want to do and resend the traffic to the local establishment's free WIFI network thus performing a Man In The Middle attack. 

I can even use the same WIFI name as the local establishment's and your device will automatically connect to my rogue network if my signal is stronger (that's why automatic connections to untrusted WIFI networks can be a very bad thing unless you are always on VPN). I can create one of these network with cheap devices but my preferred tool is the WIFI pineapple. 

What you should do: Be weary if you see multiple networks with the same name at your local coffee shop. It doesn't always mean there is an attack happening but it should give you pause. The real solution is to always use a VPN network when connecting to a WIFI network you don't directly control.

Collecting your wireless information

Sniffing network traffic is a technique used by corporate network administrators to collect information to perform debugging and to try and identify system issues. Sniffing is basically collecting all (some or most) traffic flowing over a network. In the wireless world, this is made incredibly easy and can be done by hackers without anyone's authorization. All it requires is a special (cheap) wireless network card configured to startup in a special mode and then they can capture all the traffic flowing over the wireless network. Once you had the hardware, you simply need a free software like Wireshark to start capturing all wireless traffic. 

Anyone interested in WIFI testing should buy a WIFI Pineapple. You can't call yourself a real security pro without one. I'll wait while you go and buy from from here. (no that is not an associate link and I do not get anything for recommending them. It is just an awesome product).

What you should do: Ensure any site you visit requiring a login or requesting private information is using an encrypted SSL/TLS connection (aka the green lock icon in Chrome). Look for a URL that starts with https instead of just http. Make sure the lock icon is green. Encrypted traffic can be captured but is all garbled up and useless to the attacker. Or you can use a VPN service (which I will talk more about later).

Stealing cookies

No.. not cookies from a coffeeshop but cookies used by websites to authenticate your session. Most websites drop a session cookie in your browser after you log in so you don't have to log-in every-time you visit the site operators page. Most major sites go to great lengths to protect this cookie but many don't and attackers will try to steal these when patrons use unencrypted websites. By stealing the cookie and using it from the same location, many sites will be tricked into thinking the user is logged in and will allow him/her to perform actions without additional checks.

What you should do: Ensure any site you visit requiring a login or requesting private information is using an encrypted SSL/TLS connection (aka the green lock icon in Chrome). Look for a URL that starts with https instead of just http. Make sure the lock icon is green. Encrypted traffic can be captured but is all garbled up and useless to the attacker. Or you can use a VPN service (which I will talk more about later).

Peekaboo I see you

When organizing a security test for a company, my preferred method of attack is attacking the bag of mostly water (aka the human). Humans are usually careless, clumsy and easy to trick. It is much easier to compromise a human than an IT system.

Shoulder surfing is the art of looking over someone's "shoulder" as they type protected information info a computer system. This could be a building entry code, the PIN for your ATM card or a site password. 

This is an especially easy attack when you are in a crowded area where it feels normal to have people close by (packed coffee shop with tight tables, a bus, etc).

What you should do: When I travel, I have a 3M privacy filter on my computer screen to make it more difficult for people around me from seeing my private on-screen information from onlookers. Additionally I always cover any keypad when entering my PIN and never enter passwords when in a crowded area. The important thing is to realize this could happen and pay attention to your surroundings. 

What about that VPN option

My next article will be about 1 or 2 VPN providers that I trust and use but for now, I'll write about what a VPN is. A Virtual Private Network is a special technology that creates a secure connection between your device and that of the VPN provider. That means anyone eavesdropping (digitally) on your WIFI or LTE connection will only see garbled 

Of course the VPN provider will see all of your traffic as they send it to the general internet from their servers but at least you protect yourself from local WIFI attacks. Additionally, anytime you use an https site, that traffic is protected and even your VPN provider cannot see the content of that traffic.

As an example: 

I am sitting in a coffee shop browsing facebook via their mobile website. Their mobile website is protected because it uses TLS (https). I distrust public WIFI, I also have a VPN active.

This means that my connection (all traffic to and from the internet to my device) is encrypted inside that protected VPN tunnel [from my device until the server of the VPN provider] thus no one in the local coffee shop sees where I am browsing and what I am sending/receiving. This protects you from all those local attacks.

Because I am using the facebook website on my device, it is also using protected https which means traffic for that site is encrypted a second time between me and Facebook. This means that the VPN provider knows I visited facebook but can't see anything else.

Obviously you have to trust the VPN provider not to profile you but this is much better than trusting a coffee shop WIFI or even your wireless LTE carrier.

The US Government is moving to kill a law preventing carriers from selling user data to the highest bidder. This means even your home internet provider or wireless carrier will probably start tracking your every move on the internet and selling it to marketing companies. Many people should start thinking about running a permanent VPN from their home router to the internet to protect themselves from this type of profiling.

For those that want a fast, easy and reliable VPN appliance, read my review of the InvizboxGO here

CRTC prevents Sugar Mobile from operating on the Rogers network

GeneralEdward KiledjianComment

Canadians don't have a lot of wireless connectivity choices and this sad reality is reflected in the high prices we pay. I have previously written about Sugar Mobile and their not for everyone mediocre but cheap offering.

Today they have been dealt a blow by the CRTC (read the CRTC ruling here). The CRTC ordered Sugar Mobile to stop using the Rogers network (improperly) within 50 days. 

Ice Wireless has improperly allowed the end-users of its mobile virtual network operator Sugar Mobile Inc. to obtain permanent, rather than incidental, access to [Rogers’] cellular network
— CRTC

Obviously Sugar Mobile is disappointed by the ruling and has published this statement on their website.

The Canadian market needs competition to drive innovation and hopefully make the market more competitive. It looks like one option has been taken off the table.