After the "trust nothing" security model in the rest of the article I found it funny to complain that a hardware kill switch is useless when you can just trust the software to do it for you.
> The switch is useless in either of these threat models:
> To prevent cell tower triangulation, you can simply enable airplane mode and it is just as effective.
Agreed. Having used Linux and FOSS since the late 90s, it is interesting to see how much we've had to lock down mobile devices and proprietary operating systems because we can't trust the applications (and in some cases, the OS) that run on them anymore.
My Linux laptop runs all open source software, from "trusted" sources. My pinephone runs all open source software from "trusted" sources. If I don't trust Fedora or Alpine, I can download the source rpms and build them myself.
My devices still give _me_ control over them, and allow _me_ access to inspect what my applications are doing. If I am paranoid, I can run `lsof` or `strace` and see every file touched by an application. I can monitor my network and see every egress host.
It is a completely different threat model than you would have with an Android or iOS device, where you have no trust in your applications or ability to inspect what is happening on your device.
Mostly agree, though isolation is still useful against security flaws. You access untrusted content with software you trust but which might be imperfect.
I wouldn't mind a bit of isolation between apps on my Linux desktop (and phone). I would mind the cost of bringing one or several additional copies of a Linux system and degraded performance though, so I'm not a fan of Flatpak for this reason.
Do you find that you really have degraded performance with Flatpak? On my pinephone running postmarketos, all my non system applications are from Flatpak, which allows sandboxing and easy updates. I can't say I've noticed any performance differences (unlike with Snap last time I tried it).
I think that when the app is actually running, it runs fast, but boot time is higher, and I suspect increased memory usage.
I end up not installing a lot of Flatpak apps because of disk space usage anyway. Each package chooses a different base system so they end up sharing nothing and taking hundreds of megs each, it's quite annoying.
On the PinePhone I only have OSM Scout Server and Pure Maps installed like this, and that's really because there are no Debian packages for them.
Not 100% sure that open meant security. It can be spotted and traced no doubt. But harm still can be done. This is particularly if they’re a web of dependence. If one goes …
Despite reading the article, I don't understand how the security exploits would get on your phone.
This isn't some iMessage that is pre-installed that is full of 0 click exploits. This is FOSS that has been tried and tested for a few decades. Sure there might be some cases where someone didn't update software for an exploit, but you'd still need to have that specific software, and I imagine that you'd need to chain a few to make it useful.
I can't see how a Linux phone is more dangerous than an iPhone. (aside from social engineering scams)
I agree there is less bloat like iMessage and less installing random crap apps. The biggest holes if an attacker is determined are probably the browser and images/video, and maybe common networking libraries or networked games which often have poor security. Once the image/video decoder is exploited and you get RCE (if in the browser you'd have to escape the browser sandbox too), there are fewer exploit mitigations on desktop Linux and maybe less chaining you'd need to do. And the lack of/worse verified boot than Android/iOS if that's something you need to worry about.
There is plenty of software written in memory-unsafe languages that interacts with untrusted input: browsers are the most prominent example, but also email clients, media players, PDF viewers, archivers, IRC clients, torrent clients... not to mention all the network stack and firmware involved. iPhones and Pixels have many defense layers, both on software (sandboxing, JITCage...) and hardware (Secure Boot backed by root of trust, IOMMU for hardware isolation, PAC, PPL, MTE soon on Armv9...). The Linux desktop stack, including Linux phones, has none of this.
Linux phones might be good as a hackable/tinkering-friendly gadget, but they are definitely not secure.
I suppose we can give credit to Pixels, but iPhones and their 0 clicks are so prevalent that I don't think they are a good comparison for 'good' security in this conversation. Everything you mentioned is still optional, whereas iMessage is not.
I'm not sure of ANY linux 0 clicks found in the wild.
> I'm not sure of ANY linux 0 clicks found in the wild.
Some sizable fraction of that is because there is not as big of an audience, so there's less money and attention on developing exploits targeting that OS.
I half believe this because we see that Apple was never actually good at security, but they could claim they had few 'viruses' back in the day because few people used this.
But also FOSS doesn't rely on security by obscurity. We'd see way way more linux based server hacking. Right now, it seems like these are almost exclusively social engineering attacks.
Are we expecting people to run tried and true FOSS on their phones?
I would have expected users to be running software specific to mobile devices, which is very niche and much less tried than its closed source competition.
That's definitely the appeal for many of its users, being able to escape the locked down and restrictive environment of Android/iOS and having the functionality of a general purpose desktop Linux device in your pocket.
This sounds very appealing, but since the earliest days of Android, we've been able to set up a chroot environment and install any distro and Linux app we want. Apps like UserLAnd make this trivial. I can't think of anything I'd want to do on a phone that I couldn't do with Termux.
I can see the appeal of having a fully libre phone, but since that isn't possible, it's hard for most people to justify going full Linux.
If you want to be able to run most command-line programs (and probably GUI apps through VNC) in an isolated environment (similar to WSL or Chrome OS), then it will suffice, but there are some that appreciate having the desktop Linux environment and functionality across the whole of the device (like what sxmo is doing). Definitely a niche within a niche (desktop Linux users), I currently just avoid using a phone aside from the most basic tasks like using it as a phone to call/text or where it's required like banking.
The article seems to concentrate on the lack of security of the software (which is arguably true) and the hardware (that I can't really opine on in a reasonable manner) - but I think before security, usability would be much more important.
There is still no real Linux (or any kind of FOSS) mobile-oriented user application scene. As long as a mobile Linux distro is a hacked together desktop distro, I think this should be improved.
At this time it's a pain to use these phones. Hacking them (in the sense of evil hackers with baklava over their head) is an even bigger pain (unusual things usually panic the kernel often) - and the reward is very small (as due to the pain very few people use them in a serious manner).
> Linux phones lack any significant security model [...]. They do not have modern security features, such as full system MAC policies, verified boot, strong app sandboxing, modern exploit mitigations and so on, which modern Android phones already deploy.
Fair enough, not untrue. But same goes for most modern Linux server/desktop distros.
The point being the threat model, where Linux users are generally expected to understand what they are doing. Whereas with Android and iOS there is a (mildly curated) ecosystem of millions of apps pushed onto users. The apps are an obvious attack vector for all kinds of privacy invasion and worse mischief, that need to be mitigated by sandboxes, privilege management, signed images, etc.
Not saying a Linux phone doesn't need those protections in depth, but come on; Librem / Pine are in their infancy, give them a break. If I get a Linux phone to call people, make photos and run Firefox — I'm happy! Much rather have developers invest time in hardware support, battery life, etc. upstreaming contributions into the kernel, than waste their time going re-doing Android.
Moreover, it's a sad security blog. I always think it's sad when security professionals limit themselves to talking/writing/teaching about security, pointing out problems.
The happier security blogs are those that then go on contributing/demonstrating solutions to security problems. Why not start from what can I, as a security professional do to fix some of these problems?
> what can I, as a security professional do to fix some of these problems?
Informing companies about the flaws in their products is one of the major things a security professional can do to fix some of these problems.
Alternatively, they could get hired by Purism, convince the CEO to put major investments into an OS overhaul and work closely with several teams of programmers to secure the software. Should be doable with minor mind control powers and a couple years of runtime.
The hardware is out there and can't be altered. The software is out there and is the result of decades of hard work. Many of the fixes are out there already, but the company writing the software hasn't looked for them or didn't care to include them.
What exactly do you expect one single security-aware customer to do about this? Best you can do with a blog is warn about the security risks of practically any Linux phone so that people who care about security know the risks and snakeoil involved, and probably just buy an iPhone or Samsung if they really care about not getting hacked.
> Informing companies about the flaws in their products is one of the major things a security professional can do to fix some of these problems.
Yes, but it is a common misconception that "informing others" is at the core of their contribution. I think it is mostly rooted in what earlier generations of security professionals were doing, i.e. researching and reporting.
There are merits to knowing the unknowns, but if this happens in a vacuum, it merely causes FUD and stasis, not solutions. (Warranted FUD, but nevertheless fear, uncertainty and doubt.)
In many cases (especially with more modern security professionals) the ones finding the problems have the skills, means, time and resolve to do something about it as well. I therefore invite those to get into the trenches and do the tough work of contributing fixes and improvements, balancing their pet peeves against other aspects, features, etc.
You don't need to convince the Purism CEO of anything, it's all open source. If you feel an overhaul is needed, give it a go. I'm sure they'll consider it if it's an improvement, and if not, have their customers decide.
> What exactly do you expect one single security-aware customer to do about this?
We're talking about a hobbyist device. Battery issues. Tinkering. Enthusiasts. Not some mass market bling trusted upon by millions.
A single security-aware customer of Pine/Purism hardware is likely to be a tinkerer too. On her/his own, she/he can't fix everything — you need a community. But a single customer can't expect their Linux phone vendor to fix everything either. This isn't Apple or Google.
If a single customer writes a critique on software design, people shrug. But for some reason, if the critique is not about esthetics, performance or ease of use but about securitah, there is often this kind of entitlement that their critique should be taken seriously, instantly.
Sometimes, the "security expert" wouldn't know how to fix the problem they found. But often they do have the skills, but somehow are afraid to get their hands dirty. I think that's sad.
and if they implement backdoors on purpose so the French government can turn on your mic and cam anytime without you noticing.
You mix that with the recent news of an AI being able to determine what you're typing from keystroke sounds, and a hacker having access to the backdoor can not only hack your phone but also steal your PC credentials.
It would be curious to see the same evaluation of an Android or iOS device circa 2010-2012. Mainstream devices have over a decade of progress by tech companies with billion-dollar budgets, while Librem5 and PinePhone have about 3 years. PinePhone’s software is developed mostly by enthusiasts; Librem pays their developers (I don’t think there are that many), but the software is still FOSS.