<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<blockquote type="cite"
cite="mid:ad2fd09a-9631-44ea-a9b5-943d73b68ab0@www.fastmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title></title>
<style type="text/css">p.MsoNormal,p.MsoNoSpacing{margin:0}p.MsoNormal,p.MsoNoSpacing{margin:0}</style>
<div>After researching cell phone OSes and installing Graphene, I
suddenly have a lot of opinions about privacy and security in
cell phone operating systems. I now have a fully degoogled
Android phone, and I'll talk about that.<br>
</div>
<div><br>
</div>
...
<div>* I want my phone to be private, secure and free, of course,
but how is this accomplished? .... I need Secure Boot, so that
an evil maid or border security guard with access to my phone
cannot replace or modify the OS without my knowledge. ....<br>
</div>
<div>...<br>
</div>
</blockquote>
<p>I don't want to downplay usefulness of mentioned measures at some
levels. But on the perfection level only the wiki style of keeping
your devices on you at all times is secure, however inconvenient
that is, cause, ... there must be an analog hole.<br>
</p>
<p><br>
</p>
<p>The following is inspired by an attack on modern, luzzuree carz.
There we have a key which proximity is sensed by the vehicle,
convincing it to open doors and may be even drive it away. The
fellas at night come close to the place/person that has a key,
following with an equipment that talks over a long distance to a
second box near the target vehicle, passing airwaves as if it were
the key fob.<br>
</p>
<p>Two points to note. (a) Impersonation that convinces actor to
divulge information. (b) Attack needs communication over longer
distance, and defender never discards reactions with delays that a
necessary at least due to light speed. We note this for later.</p>
<p><br>
</p>
<p>So. Let's imagine the following. You place your phone for a
second, without touching it, close your eyes for a second, or look
away, being distracted, turn back and grab a phone that is now
something that looks like your original device, but actually grubs
info about what you do/press/say/move streaming it into a second
box that keeps your actual phone, reproducing actions on it, and
sending to device in your hand video/audio and tactile reactions.</p>
<p>I think it is a perfect attack that can be done only on targeted,
human scale level. But it is our analog hole that is always
present.<br>
Bonus points, if your device is not customized be unique scratches
(guerrilla glass?).<br>
Bonus points, if there are covers and skins that can be quickly
replanted onto an impostering device to avoid spooking your
subconscious.</p>
<p><br>
</p>
<p>May be the way out is to have a smaller device, like a watch,
that never leaves you, and that can perform an attestation on your
other device, with procedure that takes into account timing, so
that tested device can't be, say 1 meter away from the watch, as a
fix for (b).</p>
</body>
</html>