
I'm surprised HN readers don't already know this. It still astonishes me how so many so called "tech savvy" users are content with surrendering their privacy and freedoms to Google or Apple so that they can run the latest "apps".

This is why I'm backing the Neo900[1]. It might be a bit pricey and low spec'ed by today's market (a consequence of it catering for a niche market meaning it won't be mass produced) but in my opinion that's a small price to pay to actually own your phone (it's actually more akin to a mobile computer than a phone).

[1] http://neo900.org/




I don't think anyone with even basic understanding of technology thought that an intelligence agency can't breach their cellphone.

You have a GPS receiver, a microphone, camera, and a data capable modem on you all the time; this is pretty much a cold-war era dream come true to those agencies.

Heck the layman is probably more "aware" of this than people with better understanding of technology simply because they do not understand the technical difficulties that might be involved in remotely accessing a mobile device.

As for the Neo900, it's a nice project and it has been posted on this site many times, but you should have serious doubts about it being any more NSA proof than a burner you pick up at the bargain bin at Walmart. Yes they have all their physical electronically resettable fuses that in theory will allow you to disconnect the modem, and they do some power usage analysis to ensure that the radio is actually off, but still they are using regulated off-the-shelf hardware; if the NSA wants to break into that phone remotely they'll find a way, if they won't have a way in straight off the bat to begin with, which is also quite likely.


If the interconnections are limited to the extent said off-the-shelf hardware just can't have privileged access to the other parts of the system, it's safe. That said, it doesn't matter if modem is hacked if it can't do much.

Backdooring an MCU so it'd allow access on a secret code from anywhere is surely possible in theory, but it'll be hard to hide the cost of adding such a backdoor.


The baseband can be compromised, the SOC can be compromised, the OS can be compromised, the SIM card can be compromised, and more importantly the base station itself can be lawfully and unlawfully accessed.

The safe part is in theory, there are only a handful of companies that could actually audit a mobile system in any effective manner; pretty much all of them are also the vendors of various mobile interception, tracking, and exploitation solutions.

Dealing with any type of security requires you to identify and quantify your threat agents; if your threat agents are a foreign or a national intelligence service of any note I wouldn't bet anything on the N900 nor on any other cellphone.

If you ask anyone, layman or expert, what is a secure device that the NSA could not hack, the only thing that they might come up with is a brick, and I wouldn't even trust that[1]. At best the N900 might give you some reliability that when it's off and when the radio is turned off it's actually off; considering that sleep mode power consumption can vary by quite a bit in the same SOC based on conditions like temperature it wouldn't surprise me if you could fool that as well.

[1] https://en.wikipedia.org/wiki/The_Thing_(listening_device)


Everything in theory could be compromised, that's the story of computer security but that doesn't mean we should ignore any threats. That's like saying I might as well use dictionary words for all my passwords because they are easy to remember and there's no such thing as a secure system. The point is that the Neo900's baseband sandbox will provide significant protection that no other device can offer. _If_ a government agency decides they want to try to break the sandbox of a device owned by only 400 people, maybe they'll find a vulnerability that they can exploit, but it may take them many man hours to do so and even then there's no guarantee that they will find anything.

Accessing the base station controller (or any other part of the cellular infrastructure for that matter) lawfully or unlawfully, is indeed possible but that does very little to help an adversary take over your device. What it does help them to do is to read your communications. If you are paranoid about that, you can use your own encryption. If you are paranoid about your location being tracked then just turn off the modem or don't use a mobile phone. The difference between the Neo900 and everything else is that when you turn off the modem, you know it actually is off.


Again with the "significant" protection, there is no evidence that the Neo900 or any other commercially available "secure" phone actually will provide any significant level of protection against state sponsored threats.

I look at this from another perspective: if http://goldelico.com/ could create a phone which is NSA proof on any level from commercial off-the-shelf hardware then the NSA is a colossal failure, but they aren't.

The number of users that will use the phone is also irrelevant, because you look at this as only 400 people, the NSA looks at it as these are 400 people that intentionally attempt to evade our surveillance, let's check it out.

Back to the phone part everything they've done might seem right, and might seem to be harder to break, but as it seems that not a single phone that is actually used by government agencies in the states is built that way, the NSA certifies certain devices, they do not allow any of them to be used to store or communicate secret information, but it's allowed to be used for confidential matters.

If the NSA could build a phone that they would think it secure, they would do, which again leads me to strongly believe that all of these measures are pointless, yes they might offer some additional level of protection against non-state agents or states without a sufficiently advanced intelligence services but even that might be doubtful because it's unlikely that we'll see this phone going head to head against commercial phone exploitation solutions.


It's not the Neo900's goal to be protected from high-profile targeted attacks. That's hardly feasible.

However, that doesn't make it pointless. Neo900 aims to protect as much as possible from fishnet style mass surveillance. On most devices you simply cannot protect yourself from that, since any E2E encryption you'd employ could be easily attacked by shared RAM access from the completely uncontrolled (and often known to be exploitable) modem firmware.

When you don't completely control your device, you cannot do anything to protect your privacy. When you do (and there are also other reasons to want it aside of privacy), you can start thinking about it. It won't help when you're specifically targeted by a super secret agency, but it will in 99% of other, more common cases.


Everything can be backdoored, but what about costs?

If the interconnection between the baseband and SoC is restricted in a way baseband can't just do DMA requests and mess with the system, the compromised baseband has to talk to the compromised SoC to compromise the OS.

NSA have to either develop a specific backdoor for a specific device (or, better say, schematically similar devices group) and hook into their supply chain (hmmmm...), or develop a quite cost-adding generic backdoor system.

They surely have resources to design anything and even beyond that, but added cost to the production just can't be easy to conceal. There must be some sane limit to NSA's possible omnipotence.

And then there are reverse engineers who love to peek what's done in silicon. NSA has to shut up not only original part vendor (easy for them, sure), but a bunch of engineers around the world, stealing designs for the chips so they'd make a clone. You know, some countries are famous for that stuff.

Add: as for base stations - they're outside the phone. We don't consider plaintext data outside to be secure. If you're about the voice calls - E2E-encrypted VoIP to the rescue.


The cost is irrelevant, the NSA doesn't calculate how much it would cost them to tap Bob's phone, but how much it would hypothetically cost them if they couldn't.

Considering from the NSA exploit catalog we've seen that they target very specific and niche devices I don't think they care about scale when it's not possible. Yes the baseband doesn't have DMA since it's connected over USB but I still wouldn't trust it if my life would depend on it in even the slightest of ways.

For all we know the baseband and all basebands are compromised to the point where the NSA can tap into them DMA or not, there might be some undocumented remote debugging interface that opens a serial connection to the baseband over cellular, there could be 1000s of other things. And while USB does not support DMA it still doesn't mean it's safe by any means, attacks over USB can still happen.

As for NSA's omnipotence, yes there is a limit to it, but that limit won't be reached by a group of engineers building a phone with commercial off-the-shelf hardware and open source software. If the NSA's reach could be that easy to defeat then they would be very very bad at their jobs; in fact a simple commercial device like this that somehow even remotely limits their ability to task their targets would be a reason to shake the NSA up completely and light a fire under their asses because they've been sleeping on the job.

But as we all know they aren't sleeping on their job, in fact they act like a bunch of hyper intelligent teenagers on adderall; the NSA and their counterparts have shown us for the past 70 years that no system, no network, no form of communication device is safe from them, that's their job, doesn't mean that they should have the mandate to do it all the time, but if they can't they aren't fulfilling their role.


The cost of backdooring is put not on NSA but on hardware vendors. They have to add extra silicon and that stuff costs. And there is a huge market of reverse-engineered mostly-compatible clones, too.

My idea was that I'm practically sure that if I'd take a small-enough MCU or FPGA it'd be NSA-free. Just because putting a backdoor there (and that backdoor has to be quite smart and listen for signals on a lot of pins, while being discreet about that) would seriously increase complexity and cost of the device. And that would be noticeable. Just don't believe this would go unnoticed for long.

As for SoCs - yes, they're complex enough and their interconnections are quite standardized. So, you're probably right.


The NSA doesn't have to tamper with hardware to backdoor it, they can just as easily find a hardware/microcode bug.

And as far as tampering with the actual silicon goes, well if the device is complex enough to require substantial logic then you'll probably have room to plant a bug, a simple device won't need a complicated bug to begin with. And silicon tampering doesn't require you to implement an entire bug in the silicon itself; it can be as simple as an intentionally added flaw that causes an error or an errata when say exposed to certain radio frequency which in conjunction with other external or internal attacks might lead to an effective backdoor.

We can build fractal antennas on a tiny scale these days http://nextbigfuture.com/2013/06/nanoscale-etching-of-3d-fra...

Incorporating something like that into silicon won't be that expensive, and all that it needs to do is maybe short 2 pins that put the chip into debug mode and GL discovering that in a postmortem.


You're not accomplishing what you want to accomplish with this

> are content with surrendering their privacy and freedoms to Google or Apple so that they can run the latest "apps".

You have the choice of not running apps. Get a feature phone.

You can create a fake account on Google (or even better, get an Amazon fire phone, or some Chinese one that is based only on stock Android). Or just Ubuntu Phone/Cyanogen mod it

> it's actually more akin to a mobile computer than a phone

Based on the original N900 let me say it is going to be a much worse experience than your Average android phone, especially running Debian and having a resistive touchscreen.

And the phone company will still know your location


> You're not accomplishing what you want to accomplish with this

How do you know what it is that I want to accomplish? I will accomplish everything that I want to accomplish.

> You have the choice of not running apps. Get a feature phone.

Except that I do want to run and write my own software. With a feature phone I would have very little control over the operating system and other software, not to mention the baseband modem.

> You can create a fake account on Google

Do you suggest a Google account for every task I undertake? One single fake Google account for everything I do would be pointless. Of course you've already made the assumption that I want to use Google services (which I don't).

> (or even better, get an Amazon fire phone, or some Chinese one that is based only on stock Android). Or just Ubuntu Phone/Cyanogen mod it

You continue to assume that I want to use an operating system designed to collect as much information as possible on me. Replicant would be a better choice than Cyanogenmod, however neither that nor Ubuntu Phone solve the closed hardware problem where the baseband modem is not isolated from the rest of the device.

> Based on the original N900 let me say it is going to be a much worse experience than your Average android phone, especially running Debian and having a resistive touchscreen.

That's your own opinion. I still use my N900 because there isn't a device that comes close to what it offers. As a Linux/Unix professional, I much prefer the experience over any Android phone. I run Debian natively which I can't do on any Android device. I much prefer the stylus precision of the resistive touchscreen than the fat-fingers capacitive mentality.

> And the phone company will still know your location

Not when you choose to switch off the modem they can't.


> Based on the original N900 let me say it is going to be a much worse experience than your Average android phone, especially running Debian and having a resistive touchscreen.

The N900's resistive touchscreen is more sensitive and accurate than any capacitive touchscreen I've ever used. Also, unlike capacitive screens, you can use it when your fingers are sweaty, wet, or gloved, and anything in arm's reach can be a stylus, rather than having to wait for Apple to grant you one.

Using a capacitive screen after getting used to the N900's resistive one feels like I'm navigating with my elbow. And that elbow had better be completely dry, and not a pencil eraser.

I have no idea how Apple managed to force the meme that capacitive screens are not shit compared to resistive ones. Maybe at some point there was a glut of cheap Chinese tablets and phones with crappy resistive screens?


Maybe because of the N900's form factor resistive screens were better

I remember other Nokia phones with resistive screens and they were passable at best, and not comparable with capacitive ones (at least most of them, I remember seeing a Motorola phone with an awful capacitive screen)

You don't need to wait for Apple for a stylus, really

Swiping on a resistive screen is a frustration as well


> Swiping on a resistive screen is a frustration as well

Not on an ancient N900. I can't imagine that this is an area in which technology flows backwards.


"This is why I'm backing the Neo900[1]. It might be a bit pricey and low spec'ed by today's market (a consequence of it catering for a niche market meaning it won't be mass produced) but in my opinion that's a small price to pay to actually own your phone (it's actually more akin to a mobile computer than a phone)."

You misunderstand.

neo900, while interesting in many ways, has a standard, off the shelf (closed) baseband, and that baseband has control over your processor and memory as deep as DMA.

Your carrier owns you. Your carrier can literally flip bits in your memory with silent OTA updates that you have no knowledge of, or control over. This is not to mention the other, third computer in your hand, which is the SIM card, which you also have no control over and which your carrier can upload arbitrary executables to, which run outside of your control.

The neo900 does not save you.


"and that baseband has control over your processor and memory as deep as DMA"

No, that's false. The Neo900's baseband is connected to the main application processor by USB (and UART). Yes, it is closed, but it has exactly the same access to your memory as a USB dongle connected to your laptop.

Modem and SIM are the blackboxes outside of the user's control, that's right. That's why the rest of the system is designed with keeping that in mind.


Feel like this is begging the question a bit. While a phone is a massive attack vector it is pretty non obvious that from a text message a user can have a stealth rootkit installed and persisted to all their devices.


The firmware of the GSM modem, called the baseband, can be updated by the service providers at any time. Triggering any kind of exploit of the user OS is trivial then. Heck, you don't even need to think as complicated as that, looking at the permissions granted to the most installed apps.


Absolutely. The article didn't provide much color on it, but I am thinking about a <$20 pay as you go phone that is turned off, with the known information of simply a cellphone number. While the gov't has crazy access to these telco companies, there is really zero friction if this is universal.

Scenario: If you infect 'target 0' you now have a seed to feed to your malicious googleR00t bot, that just indexes a phone book and sends these root SMS messages out. Possible/likely even to and from powered off phones. They could even do a badbios/thunderstrike-like attack on a laptop or otherwise airgapped computer. If you find one person who has that number in their phone, even if never turned on, when it does, it connects to the network. Broadcasts the location and data, and becomes a carrier of some pretty next-level malware.

Now, if you think critically I guess the OTA phone attack thing is a conclusion you could draw. However, 'the Government' is a huge organization. The capabilities are clearly staggering and somewhat known, but who has access? Imagine if Edward Snowden, or someone like him, got the exploitDB and all the source? Who would know? The gov't can't admit it has zero days to every piece of technology and have packaged up these payloads into something as easy to use as a rails API or SMS message. That hacker for sure wouldn't let the public know because unknown vulns === big money. So, who is to say this hasn't happened, won't happen, or even how many people are 'legally[0]' allowed to use this in Virginia.

[0]this word can be interpreted quite loosely.


If the cell towers can be hacked, aren't these "security features" moot?


As far as I'm aware, UMTS has not been hacked. You can tell the device to connect to UMTS only. Of course this doesn't stop carriers from giving government agencies direct access to communications. If secure communications is your concern then you should always encrypt your calls and data.

The Neo900 modem is sandboxed at hardware-level, monitors all activity and gives the user complete control over it so you will know if something fishy is being attempted and you will be able to prevent it. This makes it very difficult, if not impossible for an adversary to take over the device. Regular Linux (by that I mean not Android) can be installed so it is far less likely to contain any backdoors.

If triangulation of your location is a concern, just switch off the modem.


If the internet providers can be hacked, aren't the "security features" of your PC moot?


It still astonishes me how so many so called "tech savvy" users think they can do the technological equivalent of defending themselves from the military with a store-bought handgun.


Looking at the state of security in GSM and related technologies, it's not necessarily the military you may want to protect yourself from. I'd be rather worried about agencies doing mass surveillance and/or script kiddies.

When you're specifically targeted by big guys, you're screwed. Otherwise, you have plenty of ways to defend yourself. Many (me included) believe that it's still worth it.


I am surprised people don't know that there are two types of security, Mossad and non-Mossad. You can't win against Mossad.



