
A review of the Blackphone, the Android for the paranoid - suprgeek
http://arstechnica.com/security/2014/06/exclusive-a-review-of-the-blackphone-the-android-for-the-paranoid/
======
Tepix
Why does the blackphone lack a physical switch for

* the microphone

* the GPS chip (or if not possible, the GPS antenna)

* the GSM chip (or if not possible, the GSM antennae)

* the camera(s)

I have talked to the Silent Circle people at MWC in Barcelona and they
acknowledged the current security issue with the closed source, black box
baseband. This first blackphone is of course just a first step.

However, physical switches could help against certain attack scenarios.

~~~
huhtenberg
Mike switch alone would go a long way. It would also make a great marketing
point.

------
Sephr
This has a closed source baseband that was also not designed by the company
producing the phone. The baseband is pretty much guaranteed to be backdoored
by your favorite state security agency, so why get this over any other Android
phone?

~~~
skeletonjelly
I remember getting the OpenMoko phone and pretty sure this was an issue way
back then

~~~
seba_dos1
It always was an issue and still will be for a long time. Neo900 project takes
another way to neutralize the modem - by sandboxing and monitoring its
activity. This alone probably makes it much more secure and privacy-friendly
than Blackphone.

~~~
freeduck
[http://neo900.org/faq#privacy](http://neo900.org/faq#privacy)

------
nawitus
One thing I hate about Android phones these days are the opt-out sync
features. All my data is synced to a magical location, and once synced they
can never be erased. If you make a single mistake, then all your data has been
essentially stolen.

For example, I created a 'Samsung account' to try out the heart rate monitor
on S5. I didn't know that if I create an account like that, the phone
instantly uploads (syncs) my pictures, contacts etc. to a server somewhere.
Sure, maybe that was mentioned in the long EULAs, but it's not practical to
read through all the EULAs every time I create an account.

In addition, the 'Samsung account sync' app was installed by default, so I
didn't even get to accept the app (or even read what access rights it had).

~~~
mhurron
Is Apple any better on this? I'm thinking that my next phone is going to be an
iPhone because of the regular updates over Android, but is it as hard to stay
away from iCloud and not accidentally send everything there?

~~~
m_mueller
From my experience, iOS rather asks twice than not at all. I have yet to
detect a sharing feature where the intentions are not clear. Also, every
privacy related access is prompted separately, a freshly installed app has no
permissions on anything - so it's usually a non issue when installing apps.

------
not_rhodey
not to be a bummer, but it doesn't seem like anything special was done with
this special purpose hardware. why go to the trouble to engineer and advertise
this as a piece of security enhancing hardware when it's really just "PrivOS"?
also, any plans on open sourcing "PrivOS"?

did I miss something in the writeup? OSS modem firmware, OS wifi chipset,
_anything_ hardware or firmware related?

~~~
dublinben
You're missing the fact that this can be sold (at an outrageous markup) to
large enterprises and government agencies because it looks secure/private.

Beyond that, it provides _literally nothing_ that you can't install for free
on any Android device. I could make you an equally "secure" or "private"
device for $300 and an hour's time.

~~~
coldpie
> Beyond that, it provides literally nothing that you can't install for free
> on any Android device. I could make you an equally "secure" or "private"
> device for $300 and an hour's time.

Yeah, this was my takeaway from the article. They even link to the Google Play
store entries for the software that comes packaged on the phone. Missed
opportunity, I think.

------
ris
"We found that Blackphone lives up to its privacy hype."

In all fairness I wouldn't say Ars Technica, good though some of their
coverage is, are really the people to determine this.

Especially in an article in which at no point do they ask "where's the
source?".

~~~
aragot
On the other hand, how could they skip this topic in an article about a
"privacy" phone?

I find the trustworthy value of a phone is about equal to the privacy leak
bounty. If each customer trusts the phone with, say $300 worth of information,
then that should be a hell of a big bounty.

So Ars Technica should have talked about "where's the source" and "how much is
the bounty".

~~~
ris
Not all information has a monetary value.

------
walterbell
See also the OnePlus One with Cyanogenmod 11, $299 unlocked, but for now can't
be purchased without an invite.

CM11 hardening: [https://blog.torproject.org/blog/mission-impossible-hardenin...](https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy)

~~~
dublinben
The most crucial step in that recipe is using a device without a GSM baseband.
That rules out anything sold as a 'phone,' such as the OnePlus One.

~~~
swetland
I think that's possibly overkill. Provided the baseband processor is
independent of the apps processor, communicates over a managed bus (usb, high
speed serial, dedicated dual-port ram), instead of having direct access to
main system memory, and the apps processor has the ability to power it up and
down at will, you're in a pretty good state _and_ you can still hop on a
cellular voice or data network when you want to.

This scenario is true of plenty of smartphones shipping today, but of course
it's not something that manufacturers advertise and it's potentially difficult
to verify.

One should probably also be concerned about wifi firmware, though smartphone
wifi is almost exclusively connected via sdio and not able to directly affect
main memory.

The biggest concern in systems where baseband and wifi radios are
not-too-deeply integrated is driver bugs where input from those subsystems is
overly-trusted or not adequately validated -- of course solid drivers should
never trust the hardware, even if not actively malicious, it can be horribly
buggy.

~~~
rdl
Which phones have this memory architecture vs. dma?

~~~
Tepix
I know no recent LTE baseband phones that have this isolation.

------
idiot900
No mention of the baseband source code. Unless everything running on the phone
is open source, there cannot be a guarantee of privacy.

~~~
pantaril
If I understand it correctly there is no open source baseband available
because of various patented technologies and it is impossible to create one.
But why not treat the baseband as part of insecure transit network? I'd like
to see phone where voice data and text messages would be securely encrypted
before sending to baseband chip and securely decrypted on the other side. I
think there would be great demand for such device but I don't see any in
existence. Am I missing something?

~~~
tonylemesmer
I think it's because the baseband processor can access the microphone, screen
and RAM semi-directly so it's pointless having any encryption when you can just
"key log" the screen as the user inputs the message. Please someone correct
me.

(I posted a sort of question below along these lines but not yet had a
response)

~~~
philtar
Basically, baseband can read the RAM. If you can ram dump you can do virtually
anything, including get encryption keys.

------
ofutur
This phone seems like a better option for people worried about privacy
[http://www.cryptophone.de/en/company/news/gsmk-introduces-ne...](http://www.cryptophone.de/en/company/news/gsmk-introduces-new-groundbreaking-secure-mobile-phone/)

"Baseband firewall: Based upon three years of cutting-edge research in
baseband processor security, the new patent-pending GSMK CryptoPhone Baseband
Firewall™ offers unique protection against over-the-air attacks with constant
monitoring of baseband processor activity, baseband attack detection, and
automated initiation of countermeasures. A global first, the CryptoPhone 500’s
Baseband Firewall provides a revolutionary line of defence against
over-the-air attacks not available on any other product."

------
Cowicide
I'm really getting tired of writers who keep casually equating those who value
their own privacy to those who are suffering from paranoia. It implies that
people are mentally unstable just for wanting privacy.

Even in jest, it's insulting and increasingly out of touch in our post-Snowden
world to keep calling privacy-minded people paranoid and I wish people would
knock it off.

------
ralmidani
If the phone's software is not free (as in freedom), are Silent Circle's
assurances of security and privacy any more meaningful than Google's 'don't be
evil'?

------
tonylemesmer
For my own understanding on the issue with a closed source baseband. Is it
analogous to having a network card in every desktop computer that can directly
access the screen, keyboard and microphone and therefore compromise all
interaction with the phone regardless of tunnelled networks?

------
Rhapso
I wonder if they fixed the broken-since-introduction Android Always-on VPN
support?

------
tmosleyIII
I work in the corrections industry and need a device that is the polar
opposite.

------
throwawayaway
missed a beat, should have been called "Paranoid Android".

~~~
aeosynth
"Paranoid Android" is already a thing -
[http://paranoidandroid.co/](http://paranoidandroid.co/).

~~~
stan_rogers
Call it Marvin, and let people make their own connections.

------
giancarlostoro
It doesn't look like it does well in benchmarking either. You sure this isn't
an advertisement for the iPhone 5S?

~~~
iLoch
It's not trying to do well in the benchmarks, so no surprise there really.

------
rpupkin
Just a two word review: Shit sandwich. #TapIntoAmerica

