
The Problem with Mobile Phones - christianbryant
https://ssd.eff.org/en/module/problem-mobile-phones
======
nextos
This is why we need more devices like Pyra [1], which was on the front page
today [2]. Or its sister project, the Neo900 [3].

To me, current mobile phones seem like a step backwards on many fronts, as
highlighted by the EFF or the Neo900 developers [4]:

- It should be possible to install your preferred OS, pretty much like you do
on a PC.

- Hardware components should be more open. When not possible, they should be
isolated like the Neo900 will do [4].

These two things would lead to much better privacy, and less planned
obsolescence. It's atrocious that many cell phones don't get software updates
past the 24 months mark.

We should get much more serious about this. The current mobile landscape is
depressing.

[1] [http://pyra-handheld.com/](http://pyra-handheld.com/)

[2]
[https://news.ycombinator.com/item?id=9463032](https://news.ycombinator.com/item?id=9463032)

[3] [http://neo900.org/](http://neo900.org/)

[4]
[http://neo900.org/stuff/ohsw2014/ohsw2014.pdf](http://neo900.org/stuff/ohsw2014/ohsw2014.pdf)

~~~
sliverstorm
Can't you already install an arbitrary OS to most Android phones? See CyanogenMod
& company.

~~~
nextos
Not really. Cyanogen is OK, but it's just Android. The hardware problems are
still there: i) no drivers so GNU/Linux can't be ported ii) the baseband
processor is usually badly isolated so it's easy to attack the device.

~~~
mirimir
Best practice here is using a WiFi-only device with a separate cell modem. So
you have hardware baseband isolation. See
<[https://blog.torproject.org/blog/mission-impossible-
hardenin...](https://blog.torproject.org/blog/mission-impossible-hardening-
android-security-and-privacy>).

~~~
j_s
working link:
[https://blog.torproject.org/blog/mission-impossible-hardenin...](https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy)

~~~
coldpie
My 2nd ever comment on HN asked them to fix this. Still broken, almost 3 years
later :)

[https://news.ycombinator.com/item?id=4112327](https://news.ycombinator.com/item?id=4112327)

------
christianbryant
The Electronic Frontier Foundation (EFF) notes in their report "mobile phones
were not designed for privacy and security". While the report is mostly
focused on the wide varieties of mobile phone tracking (from GPS to wireless
access), it illuminates perhaps the root of the issue noted in many mobile
security articles: Mobile phones now mimic personal computers, and it begs the
question: Why?

For such a ubiquitous device that holds so much personal data and is portable
in ways laptops will never be, one wonders why we are designing mobiles to be
just like tiny laptops with all the same protocols, applications and OS APIs.
First, sure, it's easy, but who ever heard of an old-school phone dying from a
DDoS attack (which now is the current major mobile threat)? Or, being taken
over by malware and every contact, password and account login sent to the
Maldives for quick smash-and-grab sessions against bank accounts and so forth?

Maybe the intrinsic issue is really that we are still doing the "make it
smaller" thing with tech and calling that innovation instead of "make it
different" which out of the box often comes with intrinsic security of its own
for actually being different.

~~~
glogla
Maybe Android is kind of like a small laptop. But Windows phones and iPhones
definitely aren't.

I can use my laptop without having any cloud identity tied to it - I don't
need to give anyone my email address or card number just to log in. I don't
have to upload my contact list or communication history to the cloud. I can
install software on it that Microsoft or Apple haven't approved, and if I pay
for software Microsoft or Apple don't take a cut. I can install a different
operating system, if I want. I can develop software on my laptop without
a special license and without paying Apple or Microsoft. When I develop
software, I can share it with other people with laptops and they can run it. I
can access the filesystem in any way I want and directly modify, share or create
files without them being transferred to the cloud.

Modern smartphones are very not like laptops.

Android is perhaps more like an actual computer, but I'd guess that's mostly
legacy - if Google made Android now, I'm sure they would make it more closed,
and they are making it more closed with every release.

~~~
msftie
This is exactly what the article states. The comparison stops at them both
being computers, and that is the point and the problem.

"Most mobile phones give the user much less control than a personal desktop or
laptop computer would"

------
jf
This is part of the reason why I've been considering getting a one-way pager
and leaving my mobile phone off or in airplane mode.

This way I would only need to take my phone out of airplane mode if I happen
to be in a location where I can't use another phone to return pages.

~~~
simoncion
A pager would have the same triangulation-via-cell-tower and social-network-
analysis-via-page-history vulnerabilities, right?

~~~
jf
Not a one-way pager? My understanding is that one-way pagers (POCSAG, etc.)
are "receive only".

~~~
richardwhiuk
They still need to communicate two way to the cell tower to receive pages.
Pages don't get flooded to every cell all over the world!

~~~
upofadown
One way pagers only work in a particular area of the world. In that area all
the transmitters send all the pages. Such systems do not scale all that well
and as a result getting pager service over a wide area can be fairly
expensive.

~~~
doctorshady
There's a few nationwide pager networks out there; they're quite easy to build
without the task of making communication two way. Just set up a hundred or so
watt UHF transmitter at an antenna farm, feed it with PSK or FSK from a
satellite receiver, and boom! You just covered most of a large city.

------
bootload
_"Turn phones off"_

The only truly _"off phone"_ is one without batteries or in a microwave,
sans the power cord.

~~~
rsync
That's why a modular mobile phone is so interesting.

The important aspect of a modular mobile phone is not what you can add to it
(silly little consumer modules) but what you can _subtract_ from it.

With a modular mobile phone, you could physically isolate the
GPS/GSM/LTE/bluetooth components at will.

My prediction is that the google modular phone, whatever it's called, will
have the cellular components on the base system and not removable, which is a
pity.

~~~
yohui
Project Ara? All reports have stated that the basic device will be wifi-only.

------
mrtimuk
I'm surprised A-GPS didn't get a mention. There must be data leaked when your
phone uses MSA to obtain higher resolution for the rough GPS location that it
has. (less so with MSB)

------
jacquesm
Even the ubuntu phone comes with software you 'can't install' (unless you go
beyond the normal interface) and has software of dubious origin on it
('here'). Missed chance on many fronts.

The problem isn't so much 'mobile phones' the problem is _smart_ mobile phones
and the suppliers of software for them, and for all mobile phones the big
black box that is the baseband processor and whatever goes on in there. Little
snitches does not cover it.

------
pareidolia
I'm surprised that addon cards for laptops such as the Gobi3000 aren't
mentioned yet. Are these a security risk? Is "off" really off to such a card?
Is isolation sufficient?

------
wiggumz
Some phones have baseband processors that can remain powered up even when the
phone is officially off. No malware is required.

