Is the TCF mobile blacklist fuelling New Zealand’s latest crime fad?

By Steve Biddle, posted: 8-May-2018 12:26

Stolen or lost mobile phones are a global problem. With the introduction of GSM phones in the ‘90s, the ability to simply move a SIM card between phones started a crime wave, because the handset itself was tied to nothing and was such an easy target. Once somebody had a stolen phone they could simply use it themselves, or on-sell it, and the buyer could simply put their own SIM card in the phone and use it – in many cases probably oblivious to the history of the phone.

The solution was blacklists of International Mobile Equipment Identity (IMEI) numbers – the serial number of the handset itself, which is independent of whatever SIM is in it. Operators could block an IMEI to prevent the device working on their network, and share the IMEI data between themselves to stop the device working on other networks.

While such blacklists are commonplace around the world, no global blacklist exists, meaning that devices reported lost or stolen in one country can still be used in another. This has created a global black market for phones, and I’ve seen retailers in Hong Kong selling refurbished “as new” phones that will not work with Hong Kong SIM cards, but will work outside the country.
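To make the mechanics concrete, here is an added example in Python (not from the original post, and not the TCF's or any operator's code). It shows the two pieces behind any IMEI check: validating that a string is a well-formed IMEI (the 15th digit is a Luhn check digit over the first 14), and looking an IMEI up against operator blacklists where each operator only honours the lists it shares. The operator names, the sample IMEI and the two sharing arrangements (operators sharing in pairs versus a single shared national list, as described later in this post) are constructed for illustration.

```python
# Added example (not from the original post): IMEI check-digit validation and
# a lookup against operator blacklists that honour each other's entries.
# Operator names, the sample IMEI and the sharing arrangements are constructed.


def normalise_imei(raw: str) -> str:
    """Keep only the digits of an IMEI as typed, scanned or pasted (e.g. '49-015420-323751-8')."""
    return "".join(ch for ch in raw if ch.isdigit())


def luhn_check_digit(body: str) -> int:
    """Luhn check digit for the first 14 digits of an IMEI (TAC + serial number)."""
    total = 0
    # Walk right to left; the digit next to the check digit is the first one doubled.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def is_valid_imei(raw: str) -> bool:
    """True for a 15-digit IMEI whose last digit matches the Luhn check digit."""
    imei = normalise_imei(raw)
    return len(imei) == 15 and luhn_check_digit(imei[:14]) == int(imei[14])


def blocked_on(operator: str, raw_imei: str, blacklists: dict, sharing: dict) -> bool:
    """Is `raw_imei` blocked on `operator`'s network?

    `blacklists` maps operator -> set of IMEIs that operator has itself blocked.
    `sharing` maps operator -> set of operators whose blacklists it honours
    (always including itself). A malformed IMEI is rejected rather than being
    silently reported as "not blocked".
    """
    imei = normalise_imei(raw_imei)
    if not is_valid_imei(imei):
        raise ValueError(f"not a valid IMEI: {raw_imei!r}")
    return any(imei in blacklists[peer] for peer in sharing[operator])


# Constructed data. STOLEN is a syntactically valid IMEI used only as sample data.
STOLEN = "490154203237518"
BLACKLISTS = {"Spark": {STOLEN}, "Vodafone": set(), "2degrees": set()}

# Two operators honouring each other's entries and a third honouring nobody's.
SHARING_PAIRWISE = {
    "Spark": {"Spark", "Vodafone"},
    "Vodafone": {"Vodafone", "Spark"},
    "2degrees": {"2degrees"},
}
# A single shared list: every operator honours every entry.
ALL = {"Spark", "Vodafone", "2degrees"}
SHARING_NATIONAL = {op: set(ALL) for op in ALL}


def status_everywhere(raw_imei: str, sharing: dict) -> dict:
    """Per-operator block status for one IMEI under a given sharing arrangement."""
    return {op: blocked_on(op, raw_imei, BLACKLISTS, sharing) for op in sorted(ALL)}


if __name__ == "__main__":
    print("pairwise sharing:", status_everywhere(STOLEN, SHARING_PAIRWISE))
    print("shared list:     ", status_everywhere(STOLEN, SHARING_NATIONAL))
```

The lookup is a point-in-time answer: it can only report what is on the lists at the moment it runs, which is exactly why a device that "passes" today says nothing about what an operator may add tomorrow.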

In 2014 the Telecommunications Carriers Forum (TCF) introduced a mobile blacklist with data shared between New Zealand’s mobile networks – 2degrees, Vodafone, and Spark. Phones that were reported lost or stolen could have their IMEI added to this blacklist which would result in the phone becoming inoperable on any of the networks in New Zealand.

Prior to the introduction of the TCF backed blacklist system, blacklist data was shared between Spark (who were still Telecom at the time) and Vodafone, but not 2degrees.

This fuelled a market in New Zealand for devices that were sold on Trademe and advertised as “only works on 2degrees”, and a number of threads exist here on Geekzone detailing the experiences of people purchasing such devices. Sellers of these devices were clearly aware the devices were blacklisted on the Spark and Vodafone networks, but buyers who didn’t understand the reason for such a statement were left perplexed when they tried to use their device on Spark or Vodafone and found it didn't work – while it worked fine on 2degrees.

Even when they were sharing IMEI data only with Vodafone, it was well known that Spark were adding IMEI numbers to the blacklist that were not only for stolen or lost devices, but from customers who had abandoned a term contract with a subsidised handset or hire purchase deal. Around this time there was even an online retailer selling new devices that were also clearly marked as “only works on 2degrees” where the source of the handsets was apparently a cancelled corporate contract.

In 2014 when the TCF blacklist was introduced, the TCF made the purpose of the blacklist service pretty clear in its voluntary code -

What it is

The IMEI Blacklisting Code allows consumers to report lost or stolen handsets to their mobile provider so it is blocked and cannot be used on any mobile network, nationwide.

Purpose

The purpose of the code is to co-ordinate sharing of IMEIs between mobile networks to discourage theft and disrupt the operation of illegal markets.

Section 5.3 of the code also details what the blacklist should (and should not) be used for -

5.3 Operators shall not Blacklist or un-Blacklist an IMEI in order to gain any commercial advantage or inflict any damage on any other Operator or party.  Blacklisting cannot be used to withhold service or resolve commercial disputes (including bad debt scenarios).  Operators cannot use any contact made by a former customer requesting to Un-Blacklist an IMEI for any “win back” or sales activity.

Over the last few years I’ve seen a number of threads on Geekzone as well as a number of posts on social media from people who have purchased mobile phones both via Trademe and privately, and found that several months later the phone has suddenly stopped working. In all cases the phone has been found to have been blacklisted.

In several cases the buyer had checked the phone using the TCF blacklist lookup when they purchased it, and saw the device was not blocked. One example of this is detailed below.

[screenshot: tcf imei pg1]

So what’s going on?

It would seem that Spark, and possibly 2degrees, are still using the TCF blacklist for purposes outside the scope of the blacklist, i.e. a bad debt scenario.

A customer purchases a device on a contract or an interest-free deal, sells it to an unwitting buyer who even checks the TCF blacklist and finds it passes, pays the contract for several months, and then suddenly cancels it or decides not to pay. The device IMEI is added to the TCF blacklist, and the third-party buyer of the device suddenly finds their device doesn’t work.

They then often find themselves in a situation where there is very little they can do. The original seller is often nowhere to be found, and the buyer is stuck with an expensive brick that is now useless.

In this example I’m using from Geekzone, the seller did eventually offer a refund. In other cases people have not been so lucky.

[screenshot: tcf imei pg2]

The TCF have pushed their blacklist search as a way for a buyer to check a handset and ensure it’s not blocked – which is fine for checking whether a phone has been blocked because it was reported stolen or lost, but it’s now very clear that this search is pretty limited when it comes to checking the real status of any phone purchased privately. The search only tells you the status at the moment you run it. A phone that passes an IMEI check can still be blocked at any time if the original purchaser defaults on payments.

The TCF themselves do vaguely warn of this on their website, but most people would probably not realise under what circumstances this would occur. Most people would assume a second hand phone that passes the check is safe to buy – after all, that was the whole point of the online tool: to allow people to check a device.

[screenshot: tcf imei pg3]

All of this poses the question of why the TCF are permitting carriers to use their blacklist for a “bad debt” scenario, something that would seem to be in breach of their code surrounding the use of the blacklist.

When high value products are sold by retailers on finance deals, most use the Government-run Personal Property Securities Register (PPSR) to lodge the sale – the purpose of the register being to provide a central record of goods that may have a financial claim against them. It poses the question of why mobile providers don’t appear to be using this register for high value phones, but are instead relying on a blacklist.

It also poses the question of whether a carrier has any legal right to effectively block a device over which it has not bothered to lodge a PPSR security interest.

Right now buying a second hand phone carries significant risk unless you know exactly where the device came from, and can be certain that no money is owed on the phone. My attempt to check an IMEI with Spark showed they are unwilling to provide this information when asked, as any information relating to the phone or IMEI seems to be regarded as personal information. With no authority to access the account of the person who originally purchased the phone, it’s impossible to get a clear answer from them.

Right now the TCF searchable blacklist is essentially broken – and urgently needs to be fixed. If carriers aren’t going to stop blacklisting devices for bad debts, the TCF urgently need to expand the search to include whether money is owed on a phone.

People are being scammed, and the TCF online search is being used to benefit the scammer and hurt the unwitting buyer. That is simply wrong.

 

UPDATE:

I have received the following response from Spark regarding the issue.

Spark do not blacklist IMEI numbers if a customer has bad debt, or defaults on a payment. The exclusive purpose of blacklisting handsets is when devices are either stolen, lost or involved in fraud.

There are a number of steps Spark take to determine fraud or fraudulent activity before we blacklist a device. Where it is deemed that fraud or fraudulent activity has occurred the case must satisfy the burden of proof and the following must apply:

  • There must be documentary and/or other evidence which prima facie supports the allegation of fraud; and,
  • There must be sufficient evidence to lay a Police complaint.

However, fraudulent activity can take some time to identify – which is why telecommunication companies have up to 120 days under the blacklist policy.

We understand it is very frustrating for individuals who find their phone has been blacklisted months after they have purchased it, but this is unfortunately a risk when purchasing from a second-hand site such as Trade or Facebook Marketplace.

While Spark say that a device will not be blocked due to a bad debt, it’s a grey area between defining a “bad debt” and “fraud”. Somebody buying a device with falsified details and defaulting on a payment would likely be treated as a case of fraud, and the device blocked.

The response from Spark really emphasises the failings of the TCF system. An individual buying a second hand device can have no certainty at all that the device will not be blocked at some point in the future after they have completed the sale, and more importantly after they’ve checked the TCF mindyourmobile site and verified that the device they are wanting to buy is not listed as blocked on the site.

Sellers know they can easily on-sell devices to unsuspecting people who will check the blacklist, but have no idea the phone effectively has a security interest registered against it, and more importantly have no way of finding this out or checking it. That's a broken system, and it needs to be fixed.

If a device is purchased on account or as part of an interest free deal and effectively has a security interest registered against it this should be lodged with the PPSR, and the TCF website should be doing a lookup against that to not only show the current status of the IMEI, but also whether security is lodged against it. This would allow any potential buyer to be fully aware of the risks associated with buying the device.

Anybody looking to purchase a second hand phone needs to be fully aware of the risks. You could easily end up with an expensive brick through no fault of your own, and then find there is very little you can do when you’re in this situation.



Yet another Mikrotik RouterOS exploit is in the wild

By Steve Biddle, posted: 24-Apr-2018 06:56

Users of hardware running Mikrotik RouterOS are urged to ensure their devices are secured after news of yet another security vulnerability affecting the platform.

The vulnerability allows a remote attacker to connect to the Winbox service on TCP port 8291, download the user database file from the router, extract valid usernames and passwords from it, and then log in to the device with those credentials. It affects RouterOS versions 6.29 to 6.43rc3.

This vulnerability follows closely behind two others in the past month that have affected web access to the devices, and the SMB functionality.

All users of RouterOS should immediately ensure their hardware is upgraded to v6.42.1 (current) or v6.43rc4 (release candidate). It’s important to note that the 6.40.x bug-fix-only release channel does not currently have a fix available. If you are running 6.40.x, restricting access via firewall rules to safe IP range(s) is essential to protect your device.

Best security practice is also to not have a device exposed to the entire Internet on port 80 or 8291 for remote access. If these services are restricted to safe IP range(s), the risk of a device being compromised is greatly reduced. If a device has been reachable from the Internet on port 8291 while running an affected version, assume its user database may already have been downloaded: change every user’s password after upgrading (not before, or the new passwords can simply be downloaded again) and review the configuration for changes you did not make.
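As an added example (not Mikrotik’s code and not from the forum thread), here is a small Python audit you can run against a version string from `/system resource print` and the output of `/ip service print` copied from a router. It decides whether the version falls inside the affected range quoted above, and lists management services that are enabled with no `address` restriction. The version cut-offs are taken from this post; the service listing below is constructed in the layout of `/ip service print`.

```python
import re

# Added example, not Mikrotik code. Version cut-offs are the ones quoted in this
# post; the service listing is constructed in the layout of `/ip service print`.

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:rc(\d+))?$")


def parse_version(text: str) -> tuple:
    """Turn '6.42.1' or '6.43rc3' into a sortable tuple.

    A release candidate sorts before the final build of the same number:
    6.43rc3 < 6.43rc4 < 6.43, so the rc slot is infinity for a final release.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), int(rc) if rc else float("inf"))


FIRST_AFFECTED = parse_version("6.29")
FIXED_STABLE = parse_version("6.42.1")
FIRST_AFFECTED_RC = parse_version("6.43rc1")
FIXED_RC = parse_version("6.43rc4")


def is_vulnerable(version: str) -> bool:
    """Affected range from the post: 6.29 to 6.43rc3, fixed in 6.42.1 and 6.43rc4.

    Everything from 6.29 up to (not including) 6.42.1 is affected, which covers
    the 6.40.x bug-fix channel that had no fix at the time of writing; on the rc
    channel 6.43rc1..rc3 are affected and rc4 onward are not.
    """
    v = parse_version(version)
    if FIRST_AFFECTED <= v < FIXED_STABLE:
        return True
    return FIRST_AFFECTED_RC <= v < FIXED_RC


# Services that hand an attacker a management foothold if reachable from anywhere.
MANAGEMENT_SERVICES = {"winbox", "www", "www-ssl", "ssh", "telnet", "ftp", "api", "api-ssl"}


def exposed_services(ip_service_print: str) -> list:
    """Return (name, port) for enabled management services with no address restriction.

    Rows look like ' 5   winbox   8291' or ' 3   ssh   22   203.0.113.0/24'; a row
    whose number is followed by a single capital letter is flagged (X = disabled).
    """
    exposed = []
    for line in ip_service_print.splitlines():
        fields = line.split()
        if not fields or not fields[0].isdigit():
            continue                                # legend, header or blank line
        fields = fields[1:]
        if not fields or (len(fields[0]) == 1 and fields[0].isupper()):
            continue                                # disabled / invalid row
        name, port = fields[0], int(fields[1])
        # The ADDRESS column holds an IP or prefix; the CERTIFICATE column never starts with a digit.
        address = next((f for f in fields[2:] if f[0].isdigit()), None)
        if name in MANAGEMENT_SERVICES and address is None:
            exposed.append((name, port))
    return exposed


# Constructed sample in the layout of `/ip service print`.
SAMPLE_SERVICES = """\
Flags: X - disabled, I - invalid
 #   NAME     PORT  ADDRESS            CERTIFICATE
 0   telnet   23
 1   ftp      21
 2   www      80
 3   ssh      22    203.0.113.0/24
 4 X api      8728
 5   winbox   8291
 6 X www-ssl  443                      none
 7 X api-ssl  8729                     none
"""


def audit(version: str, ip_service_print: str) -> list:
    """Human-readable findings; an empty list means nothing to fix for this issue."""
    findings = []
    if is_vulnerable(version):
        findings.append(f"RouterOS {version} is in the affected range; upgrade to 6.42.1 or 6.43rc4+")
    for name, port in exposed_services(ip_service_print):
        findings.append(f"{name} (tcp/{port}) is enabled with no address restriction")
    return findings


if __name__ == "__main__":
    for finding in audit("6.40.8", SAMPLE_SERVICES):
        print("-", finding)
```

The script only tells you what needs fixing. On the router itself the fix for an exposed service is an `address=` restriction on the service under `/ip service`, an input-chain firewall rule that only accepts those ports from your management range, or both.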

More information is available on the Mikrotik forums https://forum.mikrotik.com/viewtopic.php?f=21&t=133533



Android’s broken software update model

By Steve Biddle, posted: 28-Nov-2017 07:52

Keeping your mobile phone software up to date is more important than ever in light of recent security concerns. Whether you’re a Google Android or Apple iOS fan, one thing everybody has to accept is that Apple’s software update model works a lot better in practice than Google’s.

When Apple release an iOS update it’s immediately available to all users of every device supported by the update. The “supported” life has exceeded 4 years for numerous Apple iPhone and iPad devices.

In the Android world things are a lot more complex. Assuming a manufacturer does decide to make Android updates available (plenty of Android manufacturers don’t make any updates available), the process to get those updates to end users is often long and complex. For many phones there is a requirement for the manufacturer to send software updates to the mobile networks for testing, and once they’ve tested the software it then becomes available from the manufacturers as a software update.

Apple’s model isn’t necessarily perfect – bugs in iOS have caused grief for both networks and end users in the past.

Changes to signalling have caused headaches for mobile networks as they became flooded with signalling traffic after an iOS update, and on multiple occasions Apple have introduced WiFi changes that have meant nothing but grief for end users. In such situations it’s not just the odd user or mobile network that’s affected – it’s every user and mobile network, all at once.

HTC released this infographic detailing the Android update model a while ago http://www.htc.com/us/go/htc-software-updates-process/

I saw a post on Geekzone recently asking about software updates for the Sony Xperia Z5. The poster asked whether users of the Spark New Zealand branded Xperia Z5 were ever likely to see the Android 7.1.1 update. As it has been available for months now for non Spark branded handsets, it’s not unrealistic to expect that it should be available.


The Xperia Z5 is a handset I had previously owned, and after purchasing it in Hong Kong in 2016 I flashed it with the generic Australian firmware. In the year I owned this phone updates were pretty regular, with Android 7.1.1 appearing for it in early July, a week or so after Sony made it available. I was surprised to see that the update was not yet available for the Spark branded Z5.

I upgraded to a Hong Kong sourced Xperia XZ in July, and get regular updates for this including monthly Android security updates that often appear within weeks of being released by Google. I’ve long regarded Sony as being great with updates for all of the Xperia phones I’ve had, and Sony have typically made updates available for 2 years from the release of the phone.

A few days later there was an update after the user contacted Sony -


I reached out to Spark to ask them about the situation and got this response -

"The latest build we have tested for the Z5 is 7.0 – which we approved on 28/02/2017. We don’t have a new build from Sony on the radar at this stage, we've asked them to see if we will get it or not. "

A 3rd party tool called Xperifirm allows Xperia users to download official firmware files from Sony’s servers and install it on their phones. Simply by running Xperifirm you can easily see the latest software release available for any Xperia handset.


As you can see from the list, Android 7.1.1 (32.4.A.1.54) is available for a number of carriers, while the rest are still on Android 7.0 builds (32.4.A.0.160 and 32.3.A.2.33). Your phone is tied to the latest release available for its CDA code – the customisation code that identifies which carrier or regional firmware variant the handset belongs to – so even if a newer build exists for the same model, the CDA code defines the software available to you.

The good news is that reflashing an Xperia handset with a different firmware version (which will change the CDA code) isn’t difficult, but it does carry some risk. If you don’t fully understand what you’re doing you run the risk of turning your phone into an expensive brick.

The downside of flashing different firmware onto your device is that it means your phone may not be fully compatible with the network you’re using it on. Despite 3G and 4G being standards, many networks have customised settings for features such as Carrier Aggregation (CA) that may mean your phone won’t be able to take advantage of the CA features offered by your network. In some circumstances it can also result in delays connecting to networks while roaming, or reconnecting to your home network when you come back to New Zealand.

Security updates appear most months for Android. Some of these updates are minor. Some fix critical bugs. By not running the latest available software on your device you are potentially exposed to bugs that are publicly known, and may already be exploited in the wild, which could result in data or personal information on your device being compromised.

In light of the recent KRACK WiFi vulnerability, a number of people raised the question of whether consumer law in New Zealand provides cover for end users. Any product sold in New Zealand must be “fit for purpose” under our Consumer Guarantees Act (CGA).

Manufacturer obligations under the CGA can exceed those that exist under a regular product warranty – even if a product is out of warranty and fails the manufacturer and/or retailer could still be liable if the product is not deemed “fit for purpose” and is within an accepted lifetime of the product.

Consumer guarantees for products

The CGA gives you rights if the products you buy or are supplied by a business are faulty and do not meet the guarantees below under the CGA.

All consumer products must:

  • be of acceptable quality (durable, safe, fit for purpose, free from defects, acceptable in look or finish)
  • be fit for any particular purpose you have told the supplier
  • match a description, sample or model shown to you
  • have good legal title, eg be able to be sold and not have any security interests registered against them
  • be a reasonable price if no price is set
  • arrive on time (within a reasonable time if not agreed) and in good condition
  • have spare parts and repair facilities available (manufacturer is responsible). This does not apply if you are told about limited availability before you buy.

There has been plenty of debate in the online world as to how phones should be treated under the CGA. Most discussion centres around what a reasonable expectation is for the lifespan of a phone. Cases in both Australia and New Zealand have seen warranties on phones move to 2 years as standard – with many people deeming 2 years to be considered a reasonable lifespan for a modern device. It’s a timeframe I agree with.

Google publicly state their support policy for current Google branded Nexus and Pixel phones on their support page. They commit to updates for 2 years from the release of the phone, and security updates for 3 years from the release of the phone.

Many devices out there (particularly low end), will never receive updates, meaning the end user could potentially be exposed to data loss or encounter issues that may be fixed in newer releases. Could a lack of software updates for a phone mean that you could lodge a CGA claim over a handset because it’s no longer “fit for purpose”? That’s something there aren’t simple answers for, and something that probably needs to be tested in court.

In the case of the Xperia Z5 it’s hard to decide where fault lies. Software updates for the Z5 exist in many other markets but don’t exist for the Spark branded Z5. Spark are saying they haven’t received any new updates from Sony. Are Sony simply deciding that it’s not worth investing in development of updates for Spark customised firmware in a small market such as New Zealand where it’s unlikely that significant numbers of Z5 handsets were sold? We can really only speculate.

In light of the CGA, should all manufacturers of handsets that are sold in New Zealand be required to commit to publicly disclosing their support timeframes for handsets? Google already do this. Should mobile networks be required to publicly list all handsets they have sold, along with the current firmware levels and upgrade status? Maybe.

It shouldn’t be up to an end user to have to search the Internet to work out how to download and flash their handset with foreign software to update it to the latest release available, but right now for many people in New Zealand this is the only way to get the latest updates on their hardware. That’s wrong, and to me shows how broken the update model is.



No, AT aren’t stealing your money. How Stuff confused a nation.

By Steve Biddle, posted: 10-Sep-2017 18:25

New Zealand’s biggest news site today wrote a story basically accusing Auckland Transport (AT) of being thieves. I’d hate to be working at AT tomorrow having to deal with the fallout from this alt fact fake news.


This story has resulted in mass confusion among AT HOP card holders and led many people to believe they’re going to lose the credit on their AT HOP cards if they don’t use them every 60 days. Nothing could be further from the truth.

The woman in the story topped up her AT HOP card online. The key point here is that the AT HOP card, like any other stored-value public transport card, has the balance stored on the card itself. There are two ways to load credit onto an AT HOP card – the first is to do it at a retailer or AT HOP kiosk, and the second is to do it online.

Until the balance is physically loaded onto the card it doesn’t actually exist.

When you top up an AT HOP card at a kiosk or retailer it’s a real-time transaction and your card balance is updated immediately.

When you top up your card online it’s a two-part process. First you “buy” the credit online using your credit card. Typically this payment data is then downloaded overnight to every AT HOP terminal across the network, in every bus, train and ferry. When you next tag on to a bus, train or ferry, or ask for a balance query at an AT HOP terminal, that new credit is written to your AT HOP card.

The woman in this story purchased the credit online but ignored the very clear instructions provided during the online top-up process. Her balance never “mysteriously dropped to zero” as it was always zero. As she didn’t use the card within 60 days of the online transaction, the top-up was never applied to her card.

Many people who have read the story now mistakenly believe that they will lose their AT HOP card balance if they don’t use it every 60 days.


The actual story here is the 60 day period that exists between purchasing credit online and using your AT HOP card on a bus, train or ferry, or asking for a balance at an AT HOP terminal. If you fail to use your card within 60 days of an online top up, your top up is removed from the system.

As explained above every night every AT HOP terminal is loaded with a file that contains online payment details and card numbers. Every time a person taps on to a bus, train or ferry this database needs to be queried to check if credit needs to be applied to the card.

A typical HOP transaction takes around 350ms to occur – in this time the card is read, the database queried to see if the card is valid or blocked, the top up database is checked to see if a top up balance needs to be applied to the card, and lastly the new balance is written back to the card. Every step of this process takes time, and time is critical. If transaction times were doubled to 700ms for example it would cause considerable delays to the tag on process and would create significant delays for people boarding their bus.

Best practice for any ticketing solution anywhere in the world is to have a period of time where online top up data is stored on terminals before it’s removed. If this data is stored indefinitely it would simply slow down card processing times to the point where the customer experience would be impacted.
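To make the flow concrete, here is an added model of it in Python (not AT’s code). The 60-day window comes from this post; everything else, including the card identifiers and amounts, is constructed. The point it shows is that an online top-up is only a pending record sitting on the terminals until a tap or balance enquiry writes it onto the card, and that a record aged out of the nightly file is set aside for follow-up rather than destroyed.

```python
# Added example, not AT's code. Models the flow described above: an online
# top-up is a pending record distributed to terminals overnight, and only a tap
# (or balance enquiry) at a terminal writes the credit onto the card. The 60-day
# window is the one quoted in the post; card identifiers and amounts are constructed.
from dataclasses import dataclass
from datetime import date, timedelta

PENDING_TOPUP_WINDOW = timedelta(days=60)


@dataclass
class Card:
    """Stored-value card: the balance lives on the card, not in a central account."""
    number: str
    balance_cents: int = 0


@dataclass(frozen=True)
class PendingTopup:
    card_number: str
    amount_cents: int
    purchased: date


class Backend:
    """Online top-up store. Holds purchases until a terminal reports them applied."""

    def __init__(self) -> None:
        self.pending: dict = {}     # card_number -> PendingTopup
        self.aged_out: list = []    # withdrawn from the nightly file; kept for manual follow-up

    def purchase(self, card_number: str, amount_cents: int, today: date) -> None:
        self.pending[card_number] = PendingTopup(card_number, amount_cents, today)

    def build_nightly_file(self, today: date) -> dict:
        """Entries inside the window go out to every terminal; older ones are withdrawn."""
        current = {}
        for number, topup in self.pending.items():
            if today - topup.purchased < PENDING_TOPUP_WINDOW:
                current[number] = topup
            else:
                self.aged_out.append(topup)
        self.pending = current
        return dict(current)

    def reconcile(self, applied_card_numbers) -> None:
        """Drop records the terminals have already written to cards."""
        for number in applied_card_numbers:
            self.pending.pop(number, None)


class Terminal:
    """One reader on a bus, train or ferry, holding last night's top-up file."""

    def __init__(self) -> None:
        self.topup_file: dict = {}
        self.applied: list = []     # uploaded back to the backend later

    def load(self, topup_file: dict) -> None:
        self.topup_file = dict(topup_file)

    def _apply_pending(self, card: Card) -> None:
        topup = self.topup_file.pop(card.number, None)
        if topup is not None:
            card.balance_cents += topup.amount_cents   # the credit exists on the card from here
            self.applied.append(card.number)

    def balance_enquiry(self, card: Card) -> int:
        self._apply_pending(card)
        return card.balance_cents

    def tag_on(self, card: Card, fare_cents: int):
        """Apply any pending top-up, then charge the fare. Returns (accepted, balance)."""
        self._apply_pending(card)
        if card.balance_cents < fare_cents:
            return False, card.balance_cents
        card.balance_cents -= fare_cents
        return True, card.balance_cents


def run_scenario() -> dict:
    """Two cards topped up online the same day; one is used, one sits in a drawer."""
    backend, terminal = Backend(), Terminal()
    used, unused = Card("card-A"), Card("card-B")
    backend.purchase(used.number, 2000, date(2017, 6, 1))
    backend.purchase(unused.number, 2000, date(2017, 6, 1))

    terminal.load(backend.build_nightly_file(date(2017, 6, 2)))
    accepted, balance = terminal.tag_on(used, 350)        # first tap: $20 applied, $3.50 fare
    backend.reconcile(terminal.applied)

    terminal.load(backend.build_nightly_file(date(2017, 8, 5)))   # 65 days on
    return {
        "used_accepted": accepted,
        "used_balance": balance,
        "unused_balance": terminal.balance_enquiry(unused),   # nothing left to apply
        "unused_in_file": unused.number in terminal.topup_file,
        "aged_out": len(backend.aged_out),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Pruning happens when the file is built, not on the terminal, so the tap itself stays a single dictionary lookup regardless of how many top-ups were ever bought.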

Many people have accused AT of theft. This can’t be further from the truth. The credit is sitting there waiting for the AT card holder to tell them what to do with it, and it seems AT are only too happy to credit this back when people do make contact.

An analogy of this would be to compare it to ordering and paying for a product online from a click and collect retailer but never actually going to the store to pick it up. When you finally do the retailer has sent the product back to the warehouse because they don’t have room to store it. They’ve simply been waiting for you to contact them to tell them what you’d like to do.

Automatically refunding the balance back to the credit card that was used is not a good solution. Credit card numbers change and the card used may also not belong to the card holder.

AT’s best approach should be to make contact with the card holder if the top-up isn’t applied within 60 days. I have no idea whether this is the process or not, but as a card has to be registered to be topped up online, AT should have contact details for the card holder.

If you’re an AT HOP card holder, rest assured your balance will not expire if your card is not used every 60 days. As per the AT HOP terms and conditions (section 9), any credit on an AT HOP card will expire only if the card is not used for a period of 6 years.

If you’re somebody who tops up online, ensure you use your card within 60 days by either taking a journey or checking the balance at an AT HOP kiosk or retailer so the balance can be applied.



Sangoma Roadshow heads to New Zealand in September

By Steve Biddle, posted: 4-Sep-2017 07:25

Anybody who’s ever spent time in the VoIP space will be well aware of Sangoma Technologies. The Canadian company became well known for its telephony cards, which were a favourite among Asterisk users from the very early days of Asterisk in the early 2000s, and for its Vega gateways.

In 2013 Sangoma acquired Schmooze Com, the maintainer of the FreePBX GUI and FreePBX distro. They have continued to grow the world’s most popular Asterisk distro as well as add new hardware and products to their product portfolio.  Sangoma now have a wide range of products including FreePBX, PBXAct, IP Phones, VoIP gateways and Session Border Controllers (SBCs).

As a frequent visitor to the Astricon Asterisk user conference in the US, I’ve met many of the great guys from Sangoma over the years. Now it’s their turn to come to New Zealand with a roadshow covering both New Zealand and Australia in September that will show off their product range.

The show in Wellington is on Tuesday 26th September and is free to attend. Registration is essential.


For more details see the official roadshow page - https://www.sangoma.com/events/event/sangoma-roadshow-australia-new-zealand-tour-september-2017/



The perils of using Airbnb during big events

By Steve Biddle, posted: 3-Sep-2017 15:56

Those of you who know me will know I’m a pretty prolific traveler. As is the case when you fly somewhere you normally need somewhere to stay, and over the past few years I’ve spent somewhere in the vicinity of 60 – 80 nights per year in hotels both for work and leisure.

Despite my need for accommodation, I’ve never been a big user of Airbnb. On a recent trip to Europe I spent a week staying in Airbnb properties with friends, and on a trip to Europe several years ago I also spent a week staying in a number of properties with friends. Apart from minor issues such as broken air conditioning that would be easily fixed in a hotel (they move you to another room), I’ve never had any major issues with Airbnb and have stayed in some fantastic properties.

So why don’t I book Airbnb more often? Much of it comes down to the fact that staying in a hotel is just so much easier. I can get to a location, head straight to the hotel, check in, and head to my room. With Airbnb the process normally involves meeting with people to arrange keys and/or access which simply isn’t as quick or simple. Like being an Apple or an Android user I appreciate both options – and in my case I simply prefer hotels for much of my travel. When traveling with friends however, a large house or apartment that can sleep 3 or 4 people is much preferable to booking multiple hotel rooms.

Those of you in the tech world will know all about CES. It’s the biggest tech show in the world and sees Las Vegas turned into a city of chaos for 5 days as 170,000+ people from around the world all converge on it. It’s somewhere I’ve been before, and somewhere I’m heading to again in January along with several other Geekzone users.

As you can imagine, with so many people visiting Las Vegas, accommodation becomes very important. While hotels in Las Vegas can be dirt cheap for much of the year, CES is an opportunity to make money. Rooms that are normally US$25 a night can go for US$250. Rooms that are US$250 a night can easily go for US$1000. Look at an accommodation site such as Expedia right now and you’ll struggle to find a hotel room in Las Vegas for a week for under NZ$2000 during CES. Want something more upmarket? A stay at the Venetian or Palazzo will easily set you back NZ$7000 for a week long stay! At other times of the year you’d pay roughly 1/4 of this price.

In May when I booked flights to Las Vegas I immediately started looking for accommodation. The traffic carnage that ensues during CES means that buses, taxis and Uber simply end up stuck in the congestion. Roads are clogged, and getting around takes a very long time during both the morning and evening rush hours. Despite Las Vegas being a big city, walking is the best way to go. Somewhere to stay within a 20 minute walk of the Las Vegas Convention Centre and The Strip really is the perfect place to be.

I looked at both hotel and Airbnb options before settling on an Airbnb property that cost me NZ$1150 for the week. The apartment looked great, and the location was also great. Everything was great, until several days ago when I received an email from Airbnb saying my booking had been cancelled.

Immediately I asked Airbnb what they could do for me and have been in contact with their team both via email and phone. Their customer service has been great, but right now I still don’t have anywhere to stay. Several other suggested properties are literally miles away. Others that are closer are still not as good or as well located as what I had previously.

Due to the fact many hotels have sold their cheap rooms and most good Airbnb properties are now booked, finding something else to book is proving difficult. There is nothing in the price range that I paid that’s in a location I want. Airbnb are willing to offer me a US$100 credit for the inconvenience, but when properties that are suitable are up to twice the price I paid that’s hardly a great deal. Staying in a cheap hotel may be the best option, but that’s going to cost me another NZ$500ish or so for the week.

All of this shows the problem with the Airbnb model. Short of a major disaster, a hotel selling rooms isn’t going to suddenly disappear – once you pay your money your booking is confirmed and you’ll have a room.

Paying for a property with a strict refund policy on Airbnb meant I was locked in to that property and was not eligible for a refund if I cancelled. Nothing however prevents the Airbnb host from cancelling under an extenuating circumstances policy. This property has now been removed from Airbnb so there is nothing to suggest the host is doing anything dodgy such as cancelling so he can relist it for a higher price, but a recent change to the listing suggests it was being turned into a long term stay rather than short term.

Under many circumstances such a cancellation may not be a major deal – the problem is that somewhere like Las Vegas during CES it’s now me who’s dealing with the extenuating circumstances of a cancelled booking and the fact that rebooking somewhere to stay will cost me significantly more money.

I don’t necessarily think expecting Airbnb to front up and offer me another NZ$1000 in credit to book a property in a similar location to where I had booked is fair – but I also don’t think me having to pay a single cent more than I had already paid for a booking is fair either. Ultimately they’re the ones who have inconvenienced me, so why should I have to settle for a property or location that means my holiday experience is ruined?

While this won’t put me off ever using Airbnb again, it’ll certainly put me off booking Airbnb during a peak travel period or for an event where accommodation is busy. The risk of having your host cancel and being left to find accommodation that will cost significantly more simply isn’t worth it.



How to remotely control your heat pump from your phone for under NZ$25

By Steve Biddle, in , posted: 16-Jul-2017 12:46

A heat pump is now the most common method of heating New Zealand homes. With winter now in full force it’s safe to say most will be in use to combat the current cold weather.

One feature of relatively new heat pumps is the ability to connect them to your WiFi network and control them from a phone app. Being able to turn your heat pump on remotely as you’re on your way home, or schedule daily timer settings that can’t be easily set from the remote become incredibly handy features to have.

But what if you’ve got an older heat pump that doesn’t have built in WiFi and an app? There is now a growing number of third-party hardware solutions that will allow you to control your heat pump from your phone - several New Zealand developers have even entered the market offering products.

These solutions are all very similar, consisting of a hardware Infrared (IR) transmitter that connects to your WiFi network, and an app that connects to the transmitter, typically via a cloud based server on the Internet. Simply by configuring your brand of heat pump the app can send commands to the IR transmitter which in turn sends the IR commands to the heat pump, emulating the regular remote control.

While many of these solutions work incredibly well there is one downside – the price. Many are well over NZ$200 for the hardware and app.

What if I told you that you could control your heat pump remotely from your phone for under NZ$25? You can.

Broadlink is a Chinese hardware manufacturer that builds IR transmitters and smart switches. Their miniature RM Mini 3 is a USB-powered IR transmitter that’s perfect for controlling your heat pump, or in fact any other IR controllable device such as a TV, stereo or set top box.

The Broadlink RM Mini 3 is available from a myriad of usual sources of Chinese electronics goods such as Aliexpress, Banggood and eBay, with prices typically between US$13 and US$19 including free shipping to New Zealand. A quick search of TradeMe has shown several New Zealand sellers who are probably just importing this hardware from similar sellers and reselling it with a fairly hefty margin.

I don’t want to directly link to any Aliexpress sellers to avoid anybody accusing me of favouring a single seller. A quick search of Aliexpress will show plenty of sellers across the price range.

The Broadlink RM Mini 3 is USB powered but does not come with a power supply. Any surplus USB phone charger will work fine. Obviously the device needs to be permanently powered, and located within line of sight of the heat pump (or other device you want to control) so the IR transmitter will work.

Once powered up, configuration is relatively straightforward. The device will broadcast its own WiFi network, so once you’ve installed the Broadlink app on your phone, connect to this network. The app will then prompt you to enter the WiFi SSID and password for your home WiFi network. Once this is done the Broadlink RM Mini 3 will connect to your WiFi network and is ready to go.

Adding a heat pump is also relatively simple. Select the menu option to add a device and then follow the prompts on screen – aiming your existing remote at the RM Mini 3 and pushing a button on the remote allows the hardware to match the IR code against its database and work out the brand of hardware you have. Setup is now complete.

Controlling the heat pump is now simple. Open the app, select your device and you’ll see a screen replicating your existing remote control.

From the menu you can also configure multiple timer settings across the week. You can configure one off events, or daily events to switch the heat pump on or off.

The Broadlink app is available for both Android and iOS. It’s fair to say it’s not the most beautiful app, or the best designed, but it serves its purpose, allowing you to easily turn your heat pump on or off remotely.

For those who are looking to take things further, the Broadlink RM Mini 3 hardware can be integrated with openHAB or Apple HomeKit via the Homebridge gateway. Fellow New Zealander Nic Wise has written up a great guide for integrating this hardware with HomeKit.



Why a 24hr parking limit won’t fix the Wellington airport parking issue.

By Steve Biddle, in , posted: 9-Jun-2017 12:22

Unless you’ve been living under a rock you’ll be well aware of the issues surrounding car parking at Wellington airport and the surrounding Miramar streets. Streets near the airport have become a popular alternative for both travellers and staff working at the airport to avoid what many consider to be excessive parking charges at the airport.

The issue reached breaking point earlier in the year when a local resident was charged and jailed for slashing the tyres of cars parked in streets near his home. This spurred the Wellington City Council into reviewing the situation.

Last week the Council (who are a part owner of the airport) announced that nearby streets within an approximate 700m range of the airport will have a 24hr parking limit. Local residents will receive a single parking permit per property allowing them to park a single vehicle in this area.

This was proclaimed as a “solution to the problem” by media and Council, however this couldn’t be further from the truth – anybody who thinks such a limit will be a magic fix for the problem is really living in a dream world. Rather than actually looking at the issue and why it occurs they’ve implemented a “solution” that’s nothing but a knee jerk reaction.

From an economics point of view parking at the airport is a finite resource, and with significant numbers of parks currently unavailable due to construction of both a new multi-storey parking building and a hotel, many would argue that pricing needs to be set accordingly to ensure demand is matched with supply. With this in mind it’s clear the airport’s parking pricing model is fundamentally flawed – offering long term parking for $125 for up to 9 days and then $5 per day for additional days simply ties up parking space at the airport, while those who want to park at the airport for a weekend trip away can easily find themselves paying roughly between $64 and $90 for parking. With such high pricing for short term stays it’s hardly surprising people are looking for cheaper alternatives for a day trip or weekend away.

As a frequent flyer I used to be a regular customer of Air New Zealand’s airport parking. This parking space was shared with Air New Zealand staff and consisted of both outdoor and under cover parking using the former Air New Zealand hangar. I was happy to pay $18 per day to park 5 minutes’ walk away from the terminal, and had the option of using the provided shuttle if I so desired. As a result of the demolition of the hangar in early 2017 this land is no longer available to Air New Zealand and their public parking has been discontinued. Air New Zealand Airpoints Elite customers are also disadvantaged, with no ability to use the parking vouchers that are allocated each year as a customer benefit.

It’s not the first time that Air New Zealand have been involved in a dispute with the airport company over parking – their valet parking was discontinued several years ago after the airport company announced a significant price increase for the use of car parks near the terminal.

The alternative is now $32.30 per day to park in the airport’s own parking near the terminal. This significant jump in parking prices has turned me into a “street parker” and it’s something I don’t feel guilty about. An 80% increase in the cost to me is a fairly significant price hike.

Many would argue the solution is to encourage alternative forms of transport to the airport including public transport. Public transport during the day is great, but is not an option for those arriving for early morning international or domestic departures, and is also not available for late night international arrivals.

While a taxi or shuttle is an option (complete with an airport surcharge), the airport company refuses to let ride sharing service Uber operate from airport land and continually threatens to trespass drivers despite some legal advice which says they’re unable to do so. The airport company are so unhappy with Uber that they’ve even gone as far as blocking access to the Uber website on their free WiFi, meaning it’s not possible to make a booking using it. This means that the hundreds of users per day of the Uber service are typically picked up from the nearby Burger King & Z petrol station, which is a 5 minute walk away. Such draconian measures from the airport company towards Uber do nothing to encourage the use of alternative means of transport.

With a 24 hour parking limit set to soon be in place in nearby streets the big question will be what impact this has on those streets. Local residents will only be permitted to park a single vehicle outside their house in the zone – and one assumes if you have more than one vehicle that you will simply find somebody else’s street nearby outside the zone to park it in. Those staff at the airport who aren’t eligible for free staff parking will presumably continue to park in the streets as they’re under the 24 hour limit. Travellers parking for under 24 hours will presumably continue to park in nearby streets as they won’t be affected by the new restrictions. Those who are parking in the street for more than 24 hours will presumably just park outside the 700m zone, because after all an extra 5 minute walk is highly unlikely to change their mindset.

Vehicles breaking the new rules will be liable for a $57 fine or face being towed away. As parking for 28 hours at the airport will cost more than $57 such a fine seems pointless – every car caught breaking the rules would need to be towed for it to be effective, as simply paying the fine will be cheaper than airport parking.

Rather than fixing the problem this change is simply going to move the problem further into the suburbs, and potentially even increase the problems on the Kilbirnie side of the airport, which is easily accessible via the subway under the runway.

So what am I going to do? For my regular day trips away I’ll likely still be parking in the street. For weekend trips I’ll just park beyond the 700m zone and walk. I was happy to pay $36 for parking at Air New Zealand for a 30 hr weekend away in Auckland – I’m not happy to pay the $64 the airport want for their parking. For that extra $28 I could even park in a nearby street and catch a taxi or Uber and still save money. Watching what happens over the next six months will be interesting.



CCTV exposed. Why understanding network security is so important.

By Steve Biddle, in , posted: 18-May-2017 07:44

For those of you who are regulars on Geekzone you’ll know one of my pet peeves is people who don’t understand the huge security risk associated with port forwards. Configuring a port forward in your router or firewall is something configured by people every day, with the vast majority probably failing to consider the security risks of something that’s so easily done.

Opening up your network to allow traffic from anywhere on the Internet to directly access your PC or hardware behind your router and/or firewall removes an entire layer of security, and allows anybody on the Internet to directly access your PC or hardware on the port(s) that have been forwarded. If there are security exploits in either the software on your PC or the hardware it could easily compromise your entire network and your security.

If you’re running a VoIP setup and port forward port 5060 you’re opening your IP PBX or phone system up to what will be a never ending attack from bots and scripts trying to find holes in your system for the purpose of routing illegitimate calls. By setting up a port forward to CCTV equipment you run the risk of your security cameras being left wide open for anybody on the Internet to view, both for entertainment and for possible malicious purposes.

In recent days we’ve once again seen a mainstream media article on Stuff discussing compromised or poorly configured CCTV cameras in New Zealand that can be openly viewed by anybody on the Internet. While Stuff have chosen not to name where these cameras are linked from, the source is insecam.org, a site that proclaims itself as “the world biggest directory of online surveillance security cameras”. This story is very similar to another run in 2014 in the NZ Herald discussing the very same issue, with cameras in New Zealand viewable on the insecam website.

While this site only lists openly viewable CCTV equipment, IoT search tool Shodan is the best resource on the Internet for discovering hardware devices (both CCTV and other) that are exposed to the Internet. Many of these devices are “compromised” because of one simple flaw – either configuring port forwards to allow remote access, or enabling UPnP, allowing the devices to create their own port forwards for remote access. It’s worth pointing out here that the insecam website isn’t doing anything illegal – they’re simply aggregating content that’s all publicly accessible.

If you’ve got CCTV cameras then it’s not an unrealistic requirement to want to view these remotely. Most systems these days offer web access and/or mobile apps allowing you to view your cameras from anywhere in the world, and many even pitch remote access as a key selling point. The simplest way to configure remote access is to set up a port forward allowing direct access to the camera itself, a Network Video Recorder (NVR) or a Digital Video Recorder (DVR).

Some equipment may also be UPnP enabled to make this process even easier – if you have a router with UPnP capabilities and the UPnP functionality is enabled on both your router and the CCTV equipment, you may have your CCTV equipment exposed to the Internet without even knowing it. By having a port forward or UPnP enabled you’ve exposed your CCTV system to the entire Internet, and it’s now only as secure as the hardware you’re using. And that’s where the problems start.

Judging by some of the equipment viewable on the Internet, many people clearly never change default passwords. Many brands of cheap Chinese CCTV equipment also run embedded software of dubious quality with very well known exploits and hacks. Many also contain backdoor passwords, meaning that even if you change the password these devices can still be accessed by anybody with this knowledge. As many of these systems are never upgraded by installers or end users, flaws that have been fixed can often still exist for the life of the system.

The issues also extend beyond somebody snooping on your video feeds – some of these exploits can also be used to turn your hardware into a bot capable of being used for major DDoS attacks, or even into a tool for mining bitcoins. In September 2016 one of the world’s largest DDoS attacks, against KrebsOnSecurity, was reportedly performed with the assistance of over 145,000 compromised CCTV cameras.

In my day job as a network engineer I’ve had numerous dealings with security companies who lack even basic fundamental knowledge when it comes to networking and security. Concepts of networking are something that many people will fail to grasp, with many people relying on the advice of others or a “she’ll be right” mentality rather than seeking proper advice from an expert.

There have been many threads here on Geekzone about CCTV systems and comments posted by people who have been told that “nobody knows your IP address”, “you’re on a dynamic IP address which keeps changing so nobody will find you”, “I’ll change the port to something random so they won’t find you” or “if you make your password secure you’ll be fine”. Statements like this show a fundamental lack of knowledge, and when they’re given by people posing as security experts, they should really be raising alarm bells. Having a public IP that changes regularly or changing ports offers absolutely nothing in the way of security. Likewise, having a secure password is meaningless if a backdoor master password exists on your device.

If you’re wanting remote access to most hardware on an internal network there is only one safe way to do this – by using a Virtual Private Network (VPN). By using an appropriate router with a built in VPN server you can connect your remote PC or phone via VPN and then safely browse your cameras with no risk of your cameras or data being exposed to the entire Internet. If access is only required from specific connections then you could also look to restrict access to a locked down range of public IP addresses to ensure your cameras are not unnecessarily exposed.

If you have an IP camera, NVR or DVR that’s exposed to the Internet using port forwards or you have UPnP enabled you should be taking immediate steps to secure it. If your knowledge of networking doesn’t extend to configuring a VPN then you should be disabling remote access and/or UPnP until such time as you are able to implement a VPN or lock down access to specific IP ranges.
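As an added example (not code from the original post), the following Python audits a router’s port-forward rules against the reasoning above: a forward that lets any source reach a camera, NVR, DVR or PBX is flagged regardless of which external port was chosen, a VPN endpoint is accepted, and a forward limited to a fixed source range is merely tolerated. The one-rule-per-line format and the sample export are constructed for this example rather than any real router’s output, and the port lists beyond SIP 5060 are assumptions.

```python
"""Audit port-forward rules for CCTV/VoIP gear exposed to the whole Internet.

Added example, not code from the original post. The rule format is a
constructed 'key=value' form, not any real router's export.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Services the post treats as dangerous to expose. Constructed list: the post
# names SIP 5060; 554/80/8080 are common camera stream and web-UI ports.
SENSITIVE_PORTS = {
    5060: "SIP signalling (IP PBX)",
    554: "RTSP camera stream",
    80: "camera/NVR web UI",
    8080: "camera/NVR web UI",
}
# The one inbound service the post accepts: a VPN server (assumed ports).
VPN_PORTS = {1194: "OpenVPN", 51820: "WireGuard", 500: "IPsec IKE", 4500: "IPsec NAT-T"}

# Constructed sample export for this example, not real data.
SAMPLE_CONFIG = """
# upnp=yes means devices may punch their own holes through the router
upnp=yes
proto=tcp dst-port=8080 src=0.0.0.0/0 to=192.168.1.50:80
proto=udp dst-port=5060 src=0.0.0.0/0 to=192.168.1.10:5060
proto=udp dst-port=51820 src=0.0.0.0/0 to=192.168.1.1:51820
proto=tcp dst-port=554 src=203.0.113.0/24 to=192.168.1.50:554
"""


@dataclass
class Finding:
    severity: str  # CRITICAL, WARN or OK
    rule: str
    reason: str


def parse_rule(line):
    """Turn 'key=value key=value ...' into a dict; comments and blanks give None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    return dict(token.split("=", 1) for token in line.split())


def audit_rule(rule):
    """Classify one parsed rule according to the post's reasoning."""
    if rule.get("upnp") == "yes":
        return Finding("CRITICAL", "upnp=yes",
                       "UPnP lets devices create their own port forwards; disable it")
    ext_port = int(rule["dst-port"])
    host, internal_port = rule["to"].rsplit(":", 1)
    internal_port = int(internal_port)
    src = rule.get("src", "0.0.0.0/0")
    label = f"{rule['proto']}/{ext_port} -> {host}:{internal_port}"
    # A /0 source (0.0.0.0/0 or ::/0) means "anyone on the Internet".
    open_to_world = ipaddress.ip_network(src, strict=False).prefixlen == 0

    if internal_port in VPN_PORTS:
        return Finding("OK", label, f"{VPN_PORTS[internal_port]} endpoint; remote access belongs here")
    # Judge by the internal port: a changed external port is not a security control.
    if internal_port in SENSITIVE_PORTS:
        service = SENSITIVE_PORTS[internal_port]
        if open_to_world:
            note = " (changing the external port hides nothing)" if ext_port != internal_port else ""
            return Finding("CRITICAL", label, f"{service} reachable from the whole Internet{note}")
        return Finding("WARN", label, f"{service} limited to {src}; acceptable only if that range is fixed")
    if open_to_world:
        return Finding("WARN", label, "non-CCTV service open to the Internet; review whether it is needed")
    return Finding("OK", label, f"limited to {src}")


def audit_config(text):
    """Audit every rule in a config export; findings come back in file order."""
    return [audit_rule(r) for r in map(parse_rule, text.splitlines()) if r]


def summary(findings):
    """Count findings per severity, e.g. {'CRITICAL': 3, 'WARN': 1, 'OK': 1}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f.severity:8} {f.rule:38} {f.reason}")
```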

If your security or CCTV installer has no issues with allowing port forwards then you should be on the lookout for a new installer. You’re not just compromising your own safety and security, you’re also compromising the safety, security and end user experience of everybody on the Internet if your hardware can be compromised and used as a bot for DDoS attacks.



Anker make some of the best USB chargers and powerbanks available. Now you can get their products shipped directly to New Zealand

By Steve Biddle, in , posted: 21-Apr-2017 07:37

I’ll start by being honest. I’m a huge Anker fanboy. Since I first purchased one of their multiport USB chargers a few years ago I’ve ended up with quite a collection of their USB chargers and USB powerbanks. These days electronic devices running out of battery can be a major first world problem, so a good portable powerbank and desktop charger are must have gadgets for many people. As I travel a lot I find a good quality powerbank an essential travel item in my bag.

I’ve played with other brands of USB chargers and powerbanks and have quite a collection here of devices from Anker, Ravpower and AUKEY. Anker is the top selling brand of USB charging devices on Amazon, with Ravpower and AUKEY sitting just behind. Based on my experiences I find AUKEY is OK, Ravpower is great, and Anker leads the pack.

Purchasing all three brands is difficult as none of these are sold in New Zealand. Purchasing a good quality portable USB powerbank or desktop charger from a NZ retailer is pretty much impossible. Anker products are slowly entering the Australian market after launching there last year, so hopefully a New Zealand retailer will pick up distribution here.

You’re probably wondering by now why these brands are so much better than cheap powerbanks or wall chargers. The answer to that isn’t quite so simple to explain without a long lecture on USB standards and modern devices. I’ll try and shorten that to a few paragraphs.

In the “old” days USB ports simply supplied +5VDC over the power pins and anything plugged into it charged, normally at a rate somewhere between 100mA and the 500mA maximum that the USB standard supported. As smartphones got smarter and battery capacity increased in both phones and tablets additional USB charging specifications were created allowing devices to draw far more than 500mA. If you’ve got a smart phone manufactured within the last 5 or so years you’ll typically find it can charge at up to around 1000 mA or more. Most mid to high end devices from the past couple of years support Qualcomm Quickcharge (QC) 2.0 or QC3.0 standards that supports charging rates of up to around 2000 mAh, or have a USB-C connector that supports charging rates even higher.

Years ago it could easily take 5-6 hours (or even longer) to charge a phone. Now a modern high end smart phone can often be fully charged in 60 - 90 minutes. A quick 10 minute top up charge on a modern QC2.0, QC3.0 or USB-C device can give you a few extra hours of battery life.

If you plug a modern smart phone into a “dumb” charger you’ll find that it’ll probably charge at around 400 – 500 mA maximum and charging your device can take 6-8 hours. Examples of dumb chargers are the USB ports on plane IFE screens, in hotels and in many public places. Most cheap USB chargers and powerbanks also fall into this category. It’s also worth mentioning here the importance of good quality USB cables – many cheap cables are poorly made and can also affect charging performance.

The picture below demonstrates the charging rate of my Xperia Z5 phone plugged into my Anker powerbank (left) and the IFE screen on an Air New Zealand 777 with Panasonic eX3 IFE. As you can see the Anker is charging the phone nearly 5x faster than the IFE USB port. Fully charging my phone plugged into the IFE would take somewhere around 9 hours. It would take under 2 hours with this particular powerbank.

A good portable powerbank or charger will support modern standards such as QC2.0, QC3.0 or USB-C and also have the smarts to detect the type of device and charge it at the maximum possible charge rate. Products from reputable brands such as Anker, Ravpower and AUKEY all do this on various models. In my opinion Anker just do it better with their PowerIQ smart charging system. Many cheap aftermarket USB powerbanks and chargers don’t have any smarts, and as a result you’ll encounter charging rates far less than you could be enjoying.

As I visit the US several times each year I tend to order a lot of products from Amazon and have found myself bringing back large quantities of Anker products for other Geekzone users. Many people can use shipping services such as YouShop to buy products from the US, but due to restrictions now in place in the aviation world, in part due to two 747 freighter crashes linked to cargo fires involving lithium batteries, the shipment of devices containing lithium batteries is now heavily restricted.

Anker have their own eBay store and have been selling products there for some time. At times they’ve offered shipping to New Zealand, but for no apparent reason this has suddenly ended – only to resume again months later. For several months now they’ve been shipping products to New Zealand, and the good news is it’s a) affordable (shipping is around $10 on many products), and b) they will ship some portable powerbanks.

Products such as their regular 10,400 mAh portable charger work out at just over NZ$40 including shipping.

Or if you’ve got a phone with QC2.0 or QC3.0 and want to take advantage of much faster charging speeds then you’ll probably be interested in one of their QC3.0 capable powerbanks. This is the model I currently use and recommend.

Or if you’re simply after a desktop charger for your USB-C phone then one of these will work perfectly. You will just need to purchase a NZ power cable (figure-8 plug), which will cost you about NZ$4.54 from PB Tech.

Not all products on the Anker store can be shipped to New Zealand, but many of their powerbanks and desktop chargers can. If you’re after a great charging solution or powerbank it’s a great time to buy now in case these shipping deals ever end again.

You can visit the Anker eBay store at http://stores.ebay.com/AnkerDirect



sbiddle's profile

Steve Biddle
Wellington
New Zealand


I'm an engineer who loves building solutions to solve problems. I'm also a co-founder of the TravelTalk.nz travel site.


I also love sharing my views and analysis of the tech world on this blog, along with the odd story about aviation and the travel industry.

My interests and skillset include:

*VoIP (Voice over IP). I work with various brands of hardware and PBXs on a daily basis
  -Asterisk (incl PiaF, FreePBX, Elastix)
  -Polycom
  -Cisco
  -Linksys
  -Patton
  -Zyxel
  -Snom
  -Sangoma
  -Audiocodes

*Telecommunications/Broadband
  -xDSL deployments
  -WiMAX
  -GSM/WCDMA
  -WiFi

*Structured cabling
  -Home/office cabling
  -Phone & Data

*Computer networking
  -Mikrotik hardware
  -WAN/LAN solutions

*Wireless solutions
  -Motel/Hotel hotspot deployments
  -Outdoor wireless deployments, both small and large scale
  -Temporary wireless deployments
*CCTV solutions
  -Analogue and IP

I'm an #avgeek who loves to travel the world (preferably in seat 1A) and stay in nice hotels.


My views do not represent my employer. I'm sure they'll be happy to give their own if you ask them.


You can contact me here or by email at stevenbiddle@gmail.com

twitter.com/stevebiddle