
Edward Snowden's New Research Aims to Keep Smartphones from Betraying Owners - secfirstmd
https://theintercept.com/2016/07/21/edward-snowdens-new-research-aims-to-keep-smartphones-from-betraying-their-owners/
======
jakobdabo
When I place my smartphone on the desk near the computer speakers any time it
is going to ring the speakers start making a funny noise a second or two
before the ringing starts. So I presume it must be possible to DIY a cheap
sensor for GSM signal detection based on a little speaker.

~~~
retox
This is a silly question but I'd like to understand if it's possible for a
human to sense those same signals. So many times I have had a sensation that
my phone will ring and then moments later it does.

Probably confirmation bias or maybe I'm subconsciously hearing the
interference in speakers and taking the hint from there. It doesn't happen
every time and I don't receive a lot of calls.

HN seems a decent place to settle it once and for all.

~~~
kcorbitt
It seems very unlikely that you would be able to sense those frequencies,
except indirectly through something like audible speaker interference.

However, this would be pretty easy to test! Just have a friend call you at
random times throughout a 2-hour interval or something, and record every time
you think the phone is about to ring, and every time it actually does. If
there's a close enough correlation between the two, that's fairly persuasive
evidence.

~~~
michaelvoz
This is still anecdotal. You would need hundreds of people, also, the very
fact that you are expecting calls pollutes that experiment already...

~~~
monocasa
A large sample size of people isn't necessary to verify the ability.

Case in point, the woman who can smell Parkinson's disease, to some
ridiculous p-value.

[http://www.scientificamerican.com/article/one-woman-s-abilit...](http://www.scientificamerican.com/article/one-woman-s-ability-to-sniff-out-parkinson-s-offers-hope-to-sufferers/)

------
smartbit
The poor man's way of stopping your iDevice from transmitting is by putting it
in _DFU mode_ [0]. This regretfully will prevent you from using it for
anything else too, unlike _airplane mode_. And some will probably argue that a
nation state could mimic DFU on an active phone, but it is a viable option
that anyone afraid of being under surveillance could choose. The timing of DFU
mode can be quite difficult; this video [1] has been a help to millions.

Alternatively some use an iPod with only Signal installed. As stubborn Moxie
requires access to the address book [2], the iPod address book is exclusively
used for Signal addressees.

[0] [https://www.theiphonewiki.com/wiki/DFU_Mode#Entering_DFU_Mod...](https://www.theiphonewiki.com/wiki/DFU_Mode#Entering_DFU_Mode_on_iPhone.2C_iPad_or_iPod_touch)

[1] [https://youtu.be/bITIiGswjF](https://youtu.be/bITIiGswjF)

[2] [https://whispersystems.org/blog/contact-discovery/](https://whispersystems.org/blog/contact-discovery/)

~~~
willstrafach
This advice does not make much sense, DFU Mode is for performing a full
restore on a device. It is not a way you'd just carry a device around, I
believe it actually reboots after a certain amount of time.

At that point just walking around with a powered off device makes more sense
than DFU.

~~~
smartbit
Maybe this is not an option for you and you prefer turning it off if you want
to protect yourself against _nation state attackers_. I assume the DFU mode
ROM is hardcoded and therefore more difficult to attack, but if you have heard
of DFU mode attacks/simulations/circumventions, by all means let us know.
Turning a device off can be easily simulated on a jailbroken device, as Snowden
argued by asking journalists to put their devices in the fridge.

I wasn't aware that an iDevice comes out of DFU mode after some time, please
enlighten us. According to the instructions [0] I understand you need a
special set of actions to return to the normal firmware.

~~~
willstrafach
I am curious where your thoughts on DFU come from. I am very familiar with it
as it was the bootrom-level recovery mode my team utilized when we worked on
jailbreak tools that exploited SecureROM.

DFU has a single purpose: wait for an Apple-signed firmware file to be sent to
it over USB for it to execute. You seem to indicate that it's something you
would carry your phone around in...in which it would just reboot into iOS
after a while.

Asking the obvious: Have you booted an iOS device into DFU mode before? Maybe
the iPhone Wiki made it sound like it is a "mode" you can boot iOS into? I am
not sure exactly what you think it is, but again, the device screen is
completely black and indistinguishable from being off, OS is not booted and
nothing is happening at all, besides the fact that (again) it is indeed on and
"spinning" as it waits for the USB interrupt.

------
dewster
Probably just showing my ignorance, but there is a processor running in the
phone, and it is connected to the various chips on the board, and you can run
your own apps that could query the chips directly? If the OS disallows this,
I'd be hacking the OS, rather than the hardware.

How did we get to this point, where our personal computing devices are
completely out of our basic control? We live in bizarro world.

~~~
heartsucker
You can buy unlocked Android phones and run whatever custom Android ROM you
want (Cyanogenmod, Paranoid Android, etc.). The situation isn't as dire as you
make it seem.

~~~
dewster
I'm curious as to why Snowden didn't simply recommend everyone go this route
instead of bending over backwards trying to fix the iPhone?

~~~
heartsucker
I was more responding to this:

> our personal computing devices are completely out of our basic control

I can't speak about the security of the latest iOS versus the latest custom
ROMs. There may be a reason he didn't recommend these. Or maybe he knows some
people are too attached to Apple to move away and is trying to do the best he
can for them.

~~~
dewster
I wonder why Apple isn't responding to this directly? It would seem like a
natural since they've given a lot of lip service to security issues lately.

~~~
heartsucker
My guess: they can't respond to everything, so with some randomness legitimate
security concerns don't get an official response.

------
semi-extrinsic
No disrespect to Snowden and Bunnie, but it seems to me that a much simpler
solution giving you a much higher OPSEC is to buy a smartphone with a
removable battery. No battery, no radios are on.

And if you are truly paranoid, it's simple to disassemble the phone and look
for/remove any backup batteries. I know, I had to pull the backup battery from
my wife's Moto G after it fell in the sink.

~~~
nfjstjstns
Actually, regardless of whether or not smartphones have a removable battery,
there's always a small second battery connected to the baseband for emergency
purposes. I've confirmed this firsthand by taking apart several models, and
you make out small coin cells on most online disassembly documentation as
well.

The one in my old Atrix was a good 250mAh.

~~~
walterbell
What would the baseband transmit in an emergency and how would it know that
there was an emergency, if the phone itself had lost power?

When a phone is off or out of power, is the baseband periodically pinging cell
towers?

~~~
yardie
If it has a 250mAh battery then that is good for a continuous 1/4W
transmission for 1 hour. But I imagine the battery is mainly there for the
watchdog and RTC, which is why you never have to set the clock every time you
turn the phone on.

~~~
jeffbush
You don't need to set the clock when you turn on the phone because it gets the
time from the network when it registers.

~~~
yardie
Pull your sim and battery. Reinsert the battery and turn the phone on. The
time is still there, network or not.

------
pigeons
The Neo900 is designed to detect unauthorized radio transmission from the
modem and power the modem down in a fraction of a second, and notify you. It
seems to be the only device that will have that capability.

[https://neo900.org/](https://neo900.org/)

[http://neo900.org/stuff/cccamp15/ccc2015talk/neo900-wpwrak_C...](http://neo900.org/stuff/cccamp15/ccc2015talk/neo900-wpwrak_CCC2015.webm)

------
ISL
Why go through test points rather than directly detecting RF emission?

In addition to the required hardware modification, a sufficiently nefarious
attacker might be able to spoof test points. RF power detection, on the other
hand, can't lie. If it's going to communicate, the phone must transmit.

An RF-detection tool would be as easy as a phone case (and could double as a
backup battery for the phone). It'd be far simpler and easier to adopt than
directly hacking on the hardware.

Edit: My concerns are partially addressed in the actual paper:
[https://www.pubpub.org/pub/direct-radio-introspection](https://www.pubpub.org/pub/direct-radio-introspection)

~~~
milesokeefe
One nefarious method malware could use to get data off the device without RF
would be to play sub 20kHz audio through the speakers, assuming there was a
device with a microphone near by that's able to receive the signal, and of
course that the speakers can play a frequency that low.

Along the same lines, but only successful if the user isn't looking, would be
to use the flashlight LED.

Or maybe very short low power vibrations, if the receiving microphone is on
the same surface.

All of these require somewhat particular situations, but fun to think about in
any case :)

~~~
brian-armstrong
If anyone would like to see this in action, try this out on your laptop
[https://quiet.github.io/quiet-js/](https://quiet.github.io/quiet-js/)

</plug>

~~~
tripzilch
Cool! I always wondered what the accuracy/success rate of such a sidechannel
would be, nice that your tool allows me to test this easily :)

Interestingly enough, after some fiddling I could get it from my speakers to
phone mic, and phone speakers to laptop mic, but only in the audible spectrum,
not in the ultrasonic. Only response I got was one time, an error--probably
one packet that failed the CRC check, but the rest of the time nothing.

I didn't have time to mess with the code and try different modulation
frequencies yet. But it's definitely a cool toy! :D

~~~
brian-armstrong
Would you mind sharing details about your setup? I assume you have an Android
phone since in mobile Safari you can't access the mic, full stop.

I'm also curious to hear what the error was. Do you mean an error occurred in
the JS console? That isn't supposed to happen in any event.

If you want to more thoroughly test, try
[https://quiet.github.io/quiet-profile-lab](https://quiet.github.io/quiet-profile-lab)
although it's worth noting that this tool can only work on one device,
transmitting to itself

Finally, it's intended to be a production library, not just a toy ;)

edit: it's worth noting that if your receiver is Firefox, you'll never get
anything from ultrasonic. That's because firefox resamples to 32kHz, cutting
off any frequencies above 16kHz

~~~
tripzilch
My apologies for calling it a toy!! ;-) Still fun to play with though ;-)

I used Chromium Linux on the laptop and Chrome for Android on the phone
end. I normally use Firefox as my main browser but I opted for Chrome because
I assumed it was a PoC and you'd need a lot of uninteresting work to make it
smoothly cross-browser and most people here develop for Chrome first--I'd save
that effort for the weaponised exploit ;) Or _production library_, in your
case ;) (what is the use case there btw?)

Thanks for the heads-up on Firefox's resampling, so I know not to try that ;)
Wonder if they chose that for security reasons? Seems a solid protection
exactly against this. If so, then comes the question how good their lowpass
(resampling) filter is, if nothing leaks through and you can't secretly grab
ultrasonics anyhow via longer statistical methods trying to infer which freqs
are aliased and which aren't :)

So, I tried the audible signal first, to be sure it was making sound (I have
my Firefoxes locked down rather tightly, JACK and PulseAudio often fight, so
unless it's a mediaplayer or audio-production tool, it doesn't make sound
usually). But Chromium did (after re-enabling Pulse). I got decent results for
both ways (sometimes partial text, I didn't try images), so recording worked
too and the multimedia JS code seems to work fine.

One idea on that end: I never wrote JS audio (I plan to, though) so I
don't know if this is hard, but maybe next to the "listen" buttons, you could
add a simple VU-meter bar for the mic, so I can clap my hands and check if the
mic is indeed receiving (maybe your profile-lab already does this, haven't
checked).

The error I saw looked like an intentional popup-message you wrote in the
code. It was a modal DIV popup, styled like the site, more like a debug
message perhaps. I didn't quite understand it, so I don't remember it exactly:
that it received 1/100 packets, and failed checksum ... sorry I can't be more
specific, I only saw it once. It seemed to indicate it detected one packet but
it was an incorrect one, or something similar. Given the config mentions CRC
checks, I assumed it was that.

I didn't check the JS console for messages, but the behaviour of the site
didn't indicate to me that there were actual JS errors.

Extra info: The sound from Chromium Linux was played through high quality
large speakers, the microphone is built-in (Eee 1215B netbook, rather old
thingy) so probably not very good. On the phone side, it's running Cyanogenmod
on a Samsung S4. I believe the mic on the phone is better than on the laptop
because it's rather old and quite noisy.

Is there a reason the profile-lab tool only works for one device transmitting
to itself? Cause that's part of the fun (yeah yeah no toy :p), transmitting
data between two devices that have no connection to each other. If I was to be
thorough, I'd set it to airplane mode just to prove the fact :)

I'll have another play with quiet.js and also the quiet-profile-lab. If I see
the error message again or find anything I didn't describe above, I'll report
back. If you got any specific things you'd like me to test, let me know.

~~~
tripzilch
Ok, followup:

First, I played again with quiet.js

This time it seemed harder to get it to detect even audible signals. I'm
pretty sure I don't have more background noise today than yesterday, but my
laptop fan can be pretty loud (and is less than a foot from the mic), so maybe
it's spinning louder today.

I have to hold my phone (mic) real close to the speakers to get it to do
anything (yesterday as well, btw). The other way around, I also have to hold
my phone (speakers) real close to the laptop mic. But IMHO that might be more
expected since the phone speakers are so tiny and tinny, and the laptop mic is
so crappy.

I also got the error messages again! (and I misremembered, they're not modal).
Seems it's just the message you get when it loses _some_ packets. Yesterday I
just happened to get either 100% loss or perfect transmission, so it wasn't
immediately clear what ".. set the volume to 50%. Packet Loss: 1/1 (100%)"
meant. For a production library, I'd definitely take note, for usability. I'd
like to have a clear indication that the mic is actually receiving (can be
very minimal, even just a little circle that fades from black to red depending
on the level). Also "set volume to 50%" is (for me at least) quite ambiguous
:) I have ALSA, Jack and Pulse applying their dB levels, through my laptop
jack to my stereo amp which has again a big volume button, I won't even ask
what is 50% here, because there is no answer :) I presume this is to prevent
distortion artifacts, which may be present on phone and laptop speakers (but
not my big ones ;) Are there maybe any modulation schemes that are (somewhat)
robust against (overdrive/amp) distortion?

Here's screenshots of the messages:
[http://imgur.com/a/4x3Tu](http://imgur.com/a/4x3Tu) . First one is mobile
(receiving), also IIRC that's the exact message I got yesterday on the laptop.
The second one is from the laptop today (also receiving), only after seeing
that message I understood what the earlier really meant because the numbers
were more arbitrary ;) (1/15 7%)

I didn't try the ultrasonic frequencies because I couldn't get the audible
ones to work reliably (I'll leave the no-fun debugging of something you can't
hear to the _professionals_ ;) )

Then I tried the quiet-profile-lab. I can't get it to work. The mic frequency
spectrum visualiser works well, showing frequencies as expected, also for
other sounds like clapping my hands. But "Frames Received" stays at 0.
Screenshot: [http://i.imgur.com/Jj0UWwx.png](http://i.imgur.com/Jj0UWwx.png)
-- I set the centre frequency to 8kHz for this one, because it has a lot of
noise on the low and the high ends. The low noise is probably the crappy mic,
but the high-freq noise is somewhat surprising to me. I'm not sure at what
freq my laptop-fan is whooshing, but it sounds like a low-mid tone plus
mid/high-mids noise to me (based on the sound, not visualiser). Also tried
other centre-frequencies, no luck.

Oh WOW, trying quiet-profile-lab on my phone, the mic is so much clearer, it's
not even funny, check the screenshots:
[http://i.imgur.com/iUpWpOW.jpg](http://i.imgur.com/iUpWpOW.jpg)
[http://i.imgur.com/MtrEYrb.jpg](http://i.imgur.com/MtrEYrb.jpg) loud and
clean signal at 4kHz (centre freq) and a much quieter harmonic at 8kHz (and
you can even see a tiny 3rd harmonic at 12kHz). And also in the ultrasound,
look at this nice clean spectrum:
[http://i.imgur.com/9DUO7V7.jpg](http://i.imgur.com/9DUO7V7.jpg)

So, I guess if you guys want to improve accuracy on crappy systems like my
laptop, you may get much better results after a noise-removal filter? From
experience a lot of my laptop mic's noise is quite stationary. A tip: the
Audacity wiki on its noise-removal filter is quite extensive, technical and
informative. Also the (C++) source code for that filter is surprisingly
readable (bit long, but most of it is comments). Reading it, I gained a lot of
respect for that feature and believe it's one of the better ones out there
(definitely in FOSS).

Sorry I'm not going to play with the quiet-profile-lab on my phone much
further, because it's not a toy and I've already spent 1.5 hours on my Saturday
evening ;-) [what can I say, I love DSP, and I love side-channels]

Friendly advice on the quiet-profile-lab UI (even though it's not for
production): You got the settings left and the output right. Occasionally, a
change in settings wasn't always applied right away, so I figure it would be
nice if the output column would display a short summary of the parameters on
the left, that it is currently playing.

I'm not that familiar with various modulation / operating modes, but I assume
the flow goes like: listen to sound > detect a packet > decode+checksum the
packet. Maybe it'd be nice to visualise this onto a slow-moving (cyclical
buffer) waveform of the mic input: black=just sound, blue=possible packet,
red=decoded bad checksum, green=decoded correct checksum.

So! I hope this extensive feedback is useful to you! Sorry if it's a bit
rambling but it's weekend so I'm not going to edit (the thread is old enough
I'm sure no one will mind this mammoth post). If you've got a cool new
feature or improvement in your library, I'd love to hear about it and you can
hit me via email (see my profile).

afterthought: it's kind of disturbing the difference in perceived level
between 14.5 and 15.5 kHz, I can hear it but need to turn it up quite a bit, I
am 35 years old. Even higher and it disappears further but replaced by a
cleaner mid-frequency "windy" noise (that isn't quite there at lower centre
freqs). Quite a difference from when I tested my hearing range using pure sine
tones generated in Audacity (when you do this, tip: always add a fade-in
otherwise the click makes it even harder to tell if you're hearing something
or not). Also I really feel for the person who has to test this setup every
day ;-) Given it's a serious project, do you ever invite kids into your
office? I work with kids in a creative science-lab / hackerspace type of
centre, so we did the hearing tests a couple of times; as I said, for the 15kHz
I need to turn it up to be able to hear it clearly, and when I did that with kids
in the room (ages 9-13) they were all like "AAAAAAAAAAAA TURN THAT OFF!!" at
the level when I felt, "I can comfortably detect this tone". And kids can
easily hear a few kHz higher than that even. But for me, the perceived level
sharply _plummets_ after a certain frequency. So maybe interesting to check,
those sounds you perceive as barely audible might be distressingly loud beeps
for other people. (fun fact: on the low end, 20-30Hz, seems we're all pretty
much equal regardless of age--you need quality headphones to test those freqs
though or the sound you think you hear is in fact harmonics from distortion).

~~~
brian-armstrong
Thanks for all the testing and feedback. I'm just as baffled by the high
frequency noise in your mic -- I've never seen anything like that, but I don't
have a ton of extensive tests. Given the even spacing of it, some of it looks
to be harmonics?

Overall, I'm not really sure how much faith I'd place in noise reduction here.
I feel that in general, applying another non-linear process to the signal may
just make matters worse. It's hard for me to say since all of the noise I've
encountered has been low-frequency ambient/fan noise, which can be easily
avoided by just shifting the signal further up. At any rate, the process of
cancelling noise for human speech versus modulated tones would look completely
different. The hardest obstacles to overcome so far have been non-linear
blocks in the receiver, which cause much more distortion than tinny speakers
or a mediocre mic.
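The acoustic side channel tried out in the subthread above (and the Firefox 32 kHz resampling limit brian-armstrong mentions) can be checked from the listening side. The following Python detector is an added example, not code from the thread or from the quiet.js project: it uses the Goertzel algorithm to flag a narrow near-ultrasonic carrier in a microphone frame; the 48 kHz capture rate, the 17 to 23 kHz band, the 20x peak-over-median threshold and the synthetic input are all assumptions.

```python
import math
import random
from statistics import median

# All constants here are assumptions for this example, not values from the thread.
SAMPLE_RATE = 48_000        # Hz; capture rate of the microphone stream
FRAME = 4096                # samples per analysis frame (about 85 ms at 48 kHz)
BAND_LOW, BAND_HIGH = 17_000, 23_000   # near-ultrasonic band to watch, Hz
BAND_STEP = 250             # scan granularity inside the band, Hz
PEAK_RATIO = 20.0           # a peak must exceed the band's median power by this factor


def goertzel_power(frame, target_hz, sample_rate=SAMPLE_RATE):
    """Power of `frame` at the DFT bin nearest `target_hz` (Goertzel algorithm).

    Normalised so a pure tone of amplitude A sitting exactly on the bin gives A**2.
    """
    n = len(frame)
    k = round(n * target_hz / sample_rate)      # nearest DFT bin index
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2   # |X[k]|**2
    return power / (n / 2.0) ** 2


def scan_band(frame, sample_rate=SAMPLE_RATE):
    """(hz, power) for each scanned frequency in the watched band.

    Frequencies at or above Nyquist are skipped: a 32 kHz stream (the Firefox
    resampling case from the thread) has no bins above 16 kHz, so nothing to scan.
    """
    nyquist = sample_rate / 2.0
    return [(hz, goertzel_power(frame, hz, sample_rate))
            for hz in range(BAND_LOW, BAND_HIGH + 1, BAND_STEP) if hz < nyquist]


def detect_ultrasonic_carrier(frame, sample_rate=SAMPLE_RATE):
    """Frequency (Hz) of a narrow carrier that dominates the band, or None."""
    powers = scan_band(frame, sample_rate)
    if not powers:
        return None
    peak_hz, peak_p = max(powers, key=lambda t: t[1])
    floor = median(p for _, p in powers)      # noise-floor estimate across the band
    if floor <= 0.0 or peak_p / floor < PEAK_RATIO:
        return None
    return peak_hz


def pure_tone(hz, amplitude, n=FRAME, sample_rate=SAMPLE_RATE):
    """Sampled sine wave, used to build the constructed test input."""
    return [amplitude * math.sin(2 * math.pi * hz * i / sample_rate) for i in range(n)]


def make_capture(carrier_hz=None, sample_rate=SAMPLE_RATE, n=FRAME, seed=1234):
    """Constructed microphone frame (synthetic, not a real recording): Gaussian mic
    noise plus an audible 4 kHz tone, and optionally a quiet near-ultrasonic carrier
    about 16 dB below the audible tone."""
    rng = random.Random(seed)
    frame = [rng.gauss(0.0, 0.01) + a for a in pure_tone(4000, 0.3, n, sample_rate)]
    if carrier_hz:
        frame = [x + c for x, c in zip(frame, pure_tone(carrier_hz, 0.05, n, sample_rate))]
    return frame


if __name__ == "__main__":
    print("carrier present:", detect_ultrasonic_carrier(make_capture(19_000)))   # 19000
    print("no carrier     :", detect_ultrasonic_carrier(make_capture()))         # None
    # The same tone captured at 32 kHz lies above Nyquist: the band cannot be observed.
    print("32 kHz capture :", detect_ultrasonic_carrier(make_capture(19_000, 32_000), 32_000))
```

Feeding real microphone frames through `detect_ultrasonic_carrier` turns this into the "is the mic actually receiving something up there" check the thread asks for; the 32 kHz case returns None because the band is simply not representable, not because it was checked and found clean.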

------
walrus01
The problem that got Colvin killed is at the RF/layer 1 layer in the OSI
stack... Iridium and Inmarsat phones operate in the L and S bands (1.2 to 2.0
GHz) which is not difficult to do radio frequency direction finding on, if the
Tx source remains active. Particularly easy if you have access to Russian
military grade DF equipment. The protocol layers and crypto are moot if you
are radiating and have a determined DF adversary.

~~~
sievebrain
Yeah, I'm not sure if the article starting that way was meant to suggest this
device would have saved Colvin or if it was just meant as a vague
illustration. Because as it points out, journalists do actually use their
phones for calling people and receiving calls quite a lot, so the utility of a
phone that is forced offline - for a journalist - would seem to be very low.
Why have it powered at all, in that case? Couldn't you just buy a tablet that
doesn't have any long-range radios to begin with? WiFi signals don't travel
far.

~~~
walrus01
A typical handheld satellite phone doesn't stay powered up and on net much, if
it's in a backpack or being carried around... You need to be standing with a
clear sky view to use one. But if you're a journalist in a war zone sleeping
in the same location 3 or 4 days in a row and making one 5-minute phone call a
day, or sending iridium SMS a few times daily from the same lat/long, that is
enough to DF you.

------
jmiserez
If you can't trust your phone, how would you ensure that it doesn't just
record everything (audio, etc.) when in airplane mode and upload it somewhere
later, once you disable airplane mode?

Seems to me that removing the battery would be safer.

------
phones
Of interest perhaps, here is a full source code of an Android phone software
and its baseband firmware:

[https://github.com/mtker/MT6735_Longcheer](https://github.com/mtker/MT6735_Longcheer)

Actually there are some .o files in the baseband but they are easy to pull
apart in IDA. Each one relates to a single .c and there are export symbols.

------
DigitalJack
This does seem feasible for the specific use case of a protected phone for
"clandestine" meetings.

My initial thought was they'd have to redesign it for every phone, but that's
not necessarily the case. If eavesdropping is such a concern for you, I would
think you would be okay with not having the latest gen phone. Or having an old
one just for these sorts of cases.

I suppose the concern then shifts to whether this device is easily subverted,
or whether it's easy to determine if it has been subverted.

~~~
DamnYuppie
Why does not wanting to have someone eavesdrop on me mean I have to use
inferior technology? I find that to be offensive in the extreme. Everyone should
be concerned about, or more ideally not have to worry about, people accessing
their phone without their knowledge.

------
sangnoir
How hard would it be to make the following after-market modifications?

1. add a physical "off" switch that cuts battery power to everything

2. (Hard Mode) Cut power to all radio chips/subsystems (GSM, WIFI, bluetooth)
while leaving the rest of the smartphone operational for taking pictures or
recording audio?

------
rosser
How does this address masking "bad" transmissions behind "good" ones? Instead,
the spooks will just make sure not to upload your chat logs until you start
Tindering the next time, or something.

~~~
mzs
Interestingly in the paper they address this somewhat for alternatives they
discarded. Since they are proposing an introspection engine it should also
drown out the mic and cover the cameras. But then you still have the shock
sensor that could record steps. I'm really inclined to think that a true power
switch with an introspection engine to verify things are really off is a better
approach.

------
cowardlydragon
Almost like you need a faraday cage for the phone, with an internal antenna, a
"router" through the faraday cage that you have hardware/software control, and
then an antenna to rebroadcast outside the cage.

Basically, a radio firewall. So you can enforce absolute radio silence if
needed. And log the signals.

------
zanny
You know, if we had source access and hardware blueprints to these devices and
actually _owned_ them, this wouldn't be a problem.

But trying to solve an obvious problem (proprietary basebands, phones, and
hardware) with bandage solutions kicks the problem down the road. We need to
liberate the hardware eventually for liberty's sake.

------
contingencies
If Freedom of the Press Foundation set up a supply chain of modified phones
then the NSA and their ilk will likely intercept and compromise any mailed
devices before they reach the intended recipients.

------
venomsnake
Isn't that device a Faraday cage?

And if you are in war zone - using a phone with removable battery is
absolutely mandatory IMO.

~~~
milesokeefe
As nfjstjstns notes, very often there is "a small second battery connected to
the baseband for emergency purposes".

~~~
dmitrygr
This is entirely false for most modern phones

~~~
fhdhchffnfjc
Except it's not.

[https://security.stackexchange.com/questions/65382/is-it-pos...](https://security.stackexchange.com/questions/65382/is-it-possible-for-a-phone-to-be-transmitting-even-while-turned-off-and-the-batt)

Do you have a vested interest in the matter?

~~~
dmitrygr
I've opened many phones and have one open in front of me. I have schematics of
a few open too. Some have supercaps for RTC. No extra batteries.

~~~
dmitrygr
Show me a picture on a teardown on ifixit with this in a nexus phone?

Or in an iPhone?

No? Yeah...

------
frockwearer
This same sort of approach has been used by terrorists in the past.

~~~
misnome
So?

------
calebm
I wonder if the use of the word "betraying" in the title is a subtle jab at
Snowden.

~~~
akshayn
Unlikely - the founding editor of The Intercept is Glenn Greenwald, one of the
journalists who published the original Snowden stories.

