
Nobody’s Cellphone Is Really That Secure - matt4077
https://www.theatlantic.com/technology/archive/2018/10/president-trump-and-cell-phone-security/574096/?single_page=true
======
cube00
> Google now has its own phone—Pixel—that gets security updates quickly and
> regularly.

The Nexus 5 line used to have this until Google decided after three years to
stop supporting it despite the hardware continuing to last well beyond that.

~~~
leetcrew
three years of frequent updates is pretty much the best support you're going
to get with any android phone. i personally love my pixel 2, but they sold
about half as many pixels in 2017 as samsung sold phones in a week. [0][1]
samsung does give monthly security updates to its flagship products, but it
won't support anything for more than two years. i think it's clear that
consumers don't actually give a shit about updates when they choose their next
phone, so i find it hard to fault google for having the best update policy on
a series of phones that they struggle to break even on.

[0] [https://www.theverge.com/2018/2/13/17007104/google-pixel-
tot...](https://www.theverge.com/2018/2/13/17007104/google-pixel-total-sales-
idc-statistics)

[1] [https://www.statista.com/statistics/299144/samsung-
smartphon...](https://www.statista.com/statistics/299144/samsung-smartphone-
shipments-worldwide/)

~~~
max76
> i think it's clear that consumers don't actually give a shit about updates
> when they choose their next phone,

The people that do give a shit pick ios. Security and updates was the #1
reason I moved from Android to iOS.

~~~
kakarot
That's some intense gatekeeping... At least I can root my Android phone.

iOS security, from a targeted hacking perspective, is easier than ever to
circumvent for full control:
[https://blog.elcomsoft.com/2017/11/ios-11-horror-story-
the-r...](https://blog.elcomsoft.com/2017/11/ios-11-horror-story-the-rise-and-
fall-of-ios-security/)

Apple also has a nasty habit of coercing users into upgrade to new models,
reducing the need for supporting older devices and artificially limiting the
amount of older phones in circulation: [https://www.wsj.com/articles/apple-
faces-multiple-lawsuits-o...](https://www.wsj.com/articles/apple-faces-
multiple-lawsuits-over-throttled-iphones-1522229400)

------
aaronharnly
The original NYTimes article suggested that calls would be intercepted because
of the transmission network:

 _But the calls made from the phones are intercepted as they travel through
the cell towers, cables and switches that make up national and international
cellphone networks. Calls made from any cellphone — iPhone, Android, an old-
school Samsung flip phone — are vulnerable._

Are cellphone calls different from landlines in this respect? Don’t landline
calls go through cables and switches too? I know in the old days landlines
were connected via direct circuits, but that can’t be true anymore, can it?
Can anyone shed light on this?

------
walterbell
Nokia 6.1 (2018 model) costs $270 USD with Android One (at least 2 years of
monthly security updates), metal body, fingerprint sensor (no notch),
headphone jack and hardware-based remote attestation for tamper detection.

[https://www.theverge.com/platform/amp/circuitbreaker/2018/5/...](https://www.theverge.com/platform/amp/circuitbreaker/2018/5/3/17312690/nokia-6-1-updated-
version-us-price-release-date-launch-announced)

~~~
JetSpiegel
The Xiaomi Mi A1[1] is much cheaper with similar specs. Even this year's
update is cheaper[2].

[1]: [https://www.amazon.com/Xiaomi-32GB-Factory-Unlocked-
Compatib...](https://www.amazon.com/Xiaomi-32GB-Factory-Unlocked-
Compatible/dp/B078XMZVLS?keywords=xiaomi+mi+a1&qid=1540671504&sr=8-3&tag=duckduckgo-
ffab-b-20&ref=sr_1_3) [2]: [https://www.amazon.com/Xiaomi-64GB-Camera-
AndroidOne-Smartph...](https://www.amazon.com/Xiaomi-64GB-Camera-AndroidOne-
Smartphone/dp/B07FMPVBQY/ref=sr_1_1/132-7545141-5686911?s=wireless&ie=UTF8&qid=1540671725&sr=1-1&keywords=Xiaomi+Mi+A2)

~~~
balladeer
World has truly moved on from < 5" phones and my palms stopped growing a
decade ago.

------
HillaryBriss
> _iPhones are harder to hack, which is reflected in the prices companies pay
> for new exploit capabilities. In 2016, the vulnerability broker Zerodium
> offered $1.5 million for an unknown iOS exploit and only $200 for a similar
> Android exploit._

I'm curious, given the fragmentation of the Android ecosystem, how many phones
each of those two exploits would affect.

~~~
dan-robertson
I think there are several things driving up the prices of iPhone exploits:

1\. Supply: iPhones are more secure so exploits are harder to come by

2\. Demand: It is worth more money to break into an iPhone because the users
are more likely to be wealthy or politically interesting (or rather, such
people are more likely to own iPhones)

3\. Demand: Fragmentation—an exploit for the latest iOS version is going to be
able to hit a lot more phones than one for some version of Android (maybe
limited to specific hardware too)

4\. Supply: If Apple discover an exploit they will patch it and people will
soon have software upgrades which counter it. Now that exploit is worthless
and so the supply has decreased. When an Android exploit is discovered it will
be fixed but those who were vulnerable probably won’t get updates and so there
is no need for another exploit targeting that platform.

------
kltutor
Point in case, the German chancellors phone being tapped a few years ago:

[https://www.thelocal.de/20160223/nsa-eavesdropped-on-
merkels...](https://www.thelocal.de/20160223/nsa-eavesdropped-on-merkels-
intimate-conversations)

------
jngreenlee
I submit for your approval: [https://www.punkt.ch/en/mp02-4g-mobile-
phone/](https://www.punkt.ch/en/mp02-4g-mobile-phone/)

~~~
kxyvr
I've not owned, but I'm interested in the Punkt phones and have followed them
for several years. That said, the MP01 adapted an operating system from
MediaTek, which I'm pretty certain was Nucleus RTOS:

[https://en.wikipedia.org/wiki/Nucleus_RTOS](https://en.wikipedia.org/wiki/Nucleus_RTOS)

Their new phone, the MP02, uses a cut down version of Android managed by
Blackberry. Ostensibly, Blackberry has produced some secure devices in the
past, but it's still Android, which is a large, complicated code base and the
there're dozens of comments around here about the insecurities in the Android
ecosystem. Now, given how cut down their version of Android is, is it more
secure? Possibly, but I don't think Punkt or Blackberry has committed to
releasing their source and, even if they did, it's a somewhat niche market, so
it's not clear to me that an appropriate, public audit would occur.

I really do like this device and may end up buying one, but I'm not confident
that this is the ultimate in secure devices that I'd love to have.

As an aside, it seems like all the 4G feature phones use Android or some
derivative. Does anyone know why? I can find non-Android 2G feature phones,
but 4G seems universally Android and it's not clear to me why a phone that
can't run much for apps needs that.

------
defanor
There's a typo in the title.

Edit: no more typo.

~~~
blakesterz
Yep, it's 'Schneier'

------
rudolph9
I would think the secrete service would put an always on VPN connection on
cell phones, have all calls go through a self hosted VoIP service, and then
the device is arguably as secure as any other computing device someone in the
federal government with high security clearance might use.

~~~
3pt14159
These people have blackers and all the rest. That's not the issue. The issue
is that Trump doesn't want a security hardened phone. He's being petulant.

------
beamatronic
How about an iPod Touch and FaceTime audio?

------
chiefalchemist
> "I’d say that the major international powers like China and Russia...It’s
> safe to say that President Trump is not the only one being targeted..."

Who is doing it? Anyone - not just govs - that are capable, and where the
reward outshines the risk.

Who are they doing it to? Anyone whose conversations offer (potential) rewards
that outshine the costs / risks. Finding the critical nodes isn't that
difficult. Hiding likely impossible.

Yea, ttat's a pretty wide net, and getting wider all the time.

------
mikeash
Nobody’s phone is really that secure... but an iPhone vulnerability costs more
than an average Bay Area house, while an Android vulnerability is more like
the cost of cleaning that house once.

Edit: turns out the figure for an Android vulnerability is off by several
orders of magnitude. What a garbage article!

~~~
lupire
Consider deleting your false statement, now that aaronharnly has posted a
correction.

~~~
mikeash
Better to draw attention to the fact that the article is making that false
statement. I added an edit.

