[kwlug-disc] cell phone security and privacy

Doug Moen doug at moens.org
Wed Jul 27 13:22:42 EDT 2022


Jason: Thanks for the NoPhone link. At some point I will upgrade to this.
Immutable objects are a well-known security technique, and the NoPhone is the
ultimate expression of this.

Mikalai: Installing Graphene via the Linux command line is a complex procedure.
Suppose I want to hire somebody to do this for me, including the locking procedure
(so the phone can't be tampered with while in transit to my house).
That would not be allowed by the GPL 3.
(In the language of the Graphene FAQ, an "immutable root of trust" is incompatible
with the GPL 3.)

Chris: Any phone where the Broadband processor can scribble over memory is not
secure, and will not be supported by the Graphene project. Graphene has a list of
requirements for "secure hardware". I mentioned secure boot, but another one is
that any memory sharing with a coprocessor is controlled on the CPU side using
an IOMMU. This means the coprocessor can only read or write memory pages designated
by the operating system. Pixel phones meet all the security requirements.

The FAQ thoroughly addresses your concerns: https://grapheneos.org/faq

quote:
Devices need to be meeting the standards of the project in order to be considered as potential targets. In addition to support for installing other operating systems, standard hardware-based security features like the hardware-backed keystores, verified boot, attestation and various hardware-based exploit mitigations need to be available. Devices also need to have decent integration of IOMMUs for isolating components such as the GPU, radios (NFC, Wi-Fi, Bluetooth, Cellular), media decode / encode, image processor, etc., because if the hardware / firmware support is missing or broken, there's not much that the OS can do to provide an alternative. Devices with support for alternative operating systems as an afterthought will not be considered. Devices need to have proper ongoing support for their firmware and software specific to the hardware like drivers in order to provide proper full security updates too. Devices that are end-of-life and no longer receiving these updates will not be supported.

If you care about Silent SMS messages, and you think Graphene isn't secure enough, then check out the Armadillo phone, which uses a "hardened fork" of Graphene running on a Pixel 3a.

  https://www.armadillophone.com/about

"The Radio Sentinel mitigates cellular network attacks that can track your location, intercept your communications and hack your phone. Radio Sentinel only allows 4G connections by default. Radio Sentinel detects IMSI catchers, silent SMS and some SS7 attacks. It will automatically disconnect if it detects an attack."

The Graphene FAQ says that silent SMS will "trigger an alert", but I don't know what app (if any) you can use to see these alerts, other than the Radio Sentinel app, and I don't think that is separately available. Armadillo says "Radio Sentinel requires extensive modifications to Android, so unfortunately it can’t easily be ported to other devices."

Right this instant there is a big discussion going on in the Graphene matrix chat about vulnerabilities in Broadband firmware and the attacks you are exposed to. If you run Graphene *and* your device is still getting firmware updates (not Pixel 3) then you are as well protected as any phone can be. You can switch Graphene to LTE only mode to reduce your attack surface. Or better, upgrade to NoPhone.

  https://app.element.io/#/room/#grapheneos:grapheneos.org

Mikalai: Keeping your phone on your person at all times, as a security measure, doesn't work when you are crossing a border. One of the things that can happen (if you are randomly selected for extra security screening) is that the border guard asks for your phone, goes into a back room, does something, then comes back and returns your phone. You'll be asked to unlock your phone. In Canada, refusal to unlock is a minimum $1000 fine, maximum $25,000, and up to a year in jail.

Chris: The thing I found ludicrous about the Pinephone vulnerability wasn't the severity of the vulnerability, but the fact that the code shown would not pass even a cursory code review by somebody with security knowledge. I used to write security sensitive network code, and I wouldn't have let that code go into a system. I'm confident that the Graphene code base is written to a high security standard using best practices, and that's not true for Pine Phone.

Quote:
  the executable uses system() in 233 different places across the file. That's… quite a lot.

You shouldn't use 'system()' at all in this kind of security sensitive code. But if you do, you should *at least* check the return code. It wouldn't have helped, but no error checking is very lazy.

I do understand your point about there being resource constraints in Pine Phone development,
and I still think it's awesome when viewed as a fun hobby project.

I've looked at Silverblue, and I can't get excited about having a trustworthy OS on my
laptop, because I want to download anything interesting I find on github and run it, and
I want to hack everything. So Pine Phone is a handheld computer with this ethos.
And that's fine. I only object to branding it as secure and private.

I'm working on some ideas for a "trustworthy" programming language and environment that is
totally hackable, but it works using totally different principles than what you find in a
Linux distro or a mainstream language. Meanwhile I use Linux and conventional languages for
my hacking, and yeah it isn't trustworthy. I don't use my phone for hacking so I have
different goals there.

YES the modem is a surveillance system, but I leave it off most of the time.
My purpose in owning a phone is to have a handheld web browser that works anywhere.
The modem is only on when I am actively using the phone and there is no wifi.
That's good enough for me, but see Radio Sentinel for an extreme attempt to
mitigate cell phone surveillance. (Also, stock Android turns wifi and bluetooth into a
surveillance system, tracking people to generate more accurate and location sensitive ads,
and Graphene mitigates all this, including a WIFI anonymity feature enabled by Pixel hardware
that I hadn't heard of before.)

I think I'm actually running Graphene because it's cool (because it embodies true security
in a very real and serious way), I want to learn about that, and what I learn might feed
into my future "trustworthy computing" project. Also, I don't like surveillance capitalism,
and I want a degoogled phone so I can learn from that experience.

I don't think the GPL 3 thing is FUD. You can buy preconfigured locked Graphene phones on the
internet, this is a valuable service, and if Graphene used GPL 3 libraries then the library
owners could sue for GPL 3 violation. From an FSF perspective this would be no different
from Apple iOS using GPL 3 libraries. Graphene respects your freedom and Apple doesn't, but
the language of the GPL 3 doesn't make allowance for Graphene. I think that writing a legal
text for the GPL that accurately embodies the spirit of the GPL is a difficult and unsolved
problem.

Sorry, I misunderstood something I read in the Graphene docs. Once you lock
the bootloader (which I've done) you can't modify the OS without wiping the phone, and there
is no further step of "permanently locking it". Graphene does not support "Factory Reset
Protection". You can always wipe a Graphene phone.

Thanks for including the story of Daniel Micay and the Graphene project history.
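An added example to go with the system() point above; it is not code from the Pinephone or GrapheneOS projects. It contrasts a system() call whose wait status is actually decoded with the preferable approach of spawning an argv vector so no shell ever parses the arguments; the commands run are constructed for illustration.

```c
/* Added example, not from the Pinephone or GrapheneOS code bases. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>
#include <spawn.h>

extern char **environ;

/* Turn a wait status into the child's exit code.
   Returns -1 if the child could not be run or was killed by a signal. */
static int exit_code_of(int status)
{
    if (status == -1)
        return -1;                     /* fork or wait failed */
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return -1;                         /* terminated by a signal */
}

/* system() with its result checked instead of discarded:
   the bare minimum the mail asks for. */
int run_with_system_checked(const char *cmd)
{
    return exit_code_of(system(cmd));
}

/* Preferred: spawn the program directly with an argv vector.
   Arguments are passed as-is, never interpreted by /bin/sh,
   so quoting mistakes and shell metacharacters are not a concern. */
int run_argv_checked(char *const argv[])
{
    pid_t pid;
    int status;
    if (posix_spawnp(&pid, argv[0], NULL, NULL, argv, environ) != 0)
        return -1;                     /* could not spawn (e.g. program missing) */
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return exit_code_of(status);
}

int main(void)
{
    char *args[] = {"sh", "-c", "exit 3", NULL};   /* constructed sample command */
    printf("system(): %d\n", run_with_system_checked("exit 7"));
    printf("argv:     %d\n", run_argv_checked(args));
    return 0;
}
```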