
Do actually secure smartphones exist? Ever heard of Pegasus?



It depends on what you mean by "security first". If you're a person of interest and you're carrying around a personal spy with actual data on it and a hardware-connected microphone, camera, GPS, sensors etc., which sends God knows what over the internet, then yes, it's not going to go well for you.

But if you use devices with hardware kill switches and the most secure OS possible (storing nothing on device, perhaps it's a gateway to another security hardened machine).

Secure computing is possible, but it takes a lot of time, effort and dedication.

If you're just using off the shelf hardware and software you're going to have a bad time.

One thing that seems to link these Pegasus stories is that none of these targeted individuals are practising seemingly decent security ops; being hacked over WhatsApp or iMessage seems fairly trivial, and hopefully now they would reconsider their threat model.


And even if you find open-source, audited, secure hardware, your carrier might compromise you. The more I think about it, the more "secure smartphone" sounds like an oxymoron.

Even if I take your comment at face value, a landline phone in an NSA office is most likely still more secure than any smartphone if I am to believe that NSO/Pegasus thing.

There are no secure smartphones. Period.

> Smartphones by their nature are insecure and should not be trusted with important data.

This is false. Like any other computer, they can be configured with more secure or less secure/insecure software.


Yea, (any) smartphone is the last thing that can be considered secure.

You're probably right about what's involved in building a truly secure smartphone from scratch that we can trust.

It's an interesting thought experiment, but I wonder if we can satisfy many use cases without having to build a truly secure smartphone.

For example, if I just want to have voice calls to a handful of people with the content of the calls encrypted, then perhaps I can just plug in a "scrambler box" between my untrusted off-the-shelf phone and my audio headset?

So rather than designing a secure phone where we trust the wifi stack, the baseband stack, the bluetooth stack, the graphics stack, the USB stack, the flash storage stack because we've designed them from scratch, all we have to design is a little scrambler box that just has audio in, audio out, some mechanism for key generation and exchange, and only needs a laughably modest CPU to do the encryption.

Don't really need an OS at all - single process and static memory allocation should suffice.

The audio encoding/decoding and encryption/decryption don't sound too hard to implement from scratch. It's the interoperability with the rest of the world and the UI that makes implementing a whole smartphone so hard.

[I do wonder though how well our scrambled audio will make it through the phone network which is applying lots of clever compression designed for speech.]

If we assume we can mostly trust hardware designs that are at least 30 years old then we can probably avoid designing all the hardware from scratch - e.g. there's probably some sort of Z80 clone CPU we can copy.

The mechanism for key generation and management sounds a bit tricky though. The user would need some way to add his contacts' keys to his scrambler box.

A keyboard and LCD display to type keys in by hand would be secure but impractical for long keys.

The level of tech needed to read a key file from a FAT filing system on a USB stick might be too high to be easily implemented securely. Any ideas?

I'm aware of the famous "trusting trust" paper, but I'm not sure we need to worry too much about the compiler used to build the software running on our scrambler box. All we need to do is choose a compiler released before we started our project and never upgrade it. It is hard to imagine a compiler backdoor that would automatically recognize that the intent of our code is to encrypt data and undetectably compromise it (though it would be wise, I guess, to avoid any existing implementations of cryptographic primitives).

Sounds like a hardware kickstarter project :)
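As an added example (not code from the thread or from any commenter), here is what the scrambler box's core loop could look like: per-frame encryption and authentication of fixed-size PCM audio frames, with a frame counter in the header so that frames lost on the voice path are simply skipped and replayed or tampered frames are rejected. It uses only Python standard-library primitives; the 20 ms frame size, the session label, the HMAC-SHA256 counter-mode construction, and the pre-shared 32-byte secret standing in for whatever key exchange the box ends up with are all assumptions of this example, not design decisions from the comment above.

```python
"""Frame-level authenticated encryption for a lossy audio channel (constructed example).

Each 20 ms PCM frame becomes: counter (4 bytes) || ciphertext || tag (16 bytes).
The receiver drops frames that fail authentication or carry a counter that is
not strictly newer than the last accepted one (replay or stale delivery).
"""
import hashlib
import hmac
import secrets
import struct

FRAME_BYTES = 320     # 20 ms of 8 kHz, 16-bit mono PCM (assumed frame size)
TAG_BYTES = 16        # truncated HMAC-SHA256 tag
COUNTER_BYTES = 4
MAX_COUNTER = 2**32 - 1


def derive_keys(shared_secret: bytes, session_label: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from a shared secret.

    HMAC-SHA256 is used as the PRF (a simplified HKDF-style extract/expand).
    The shared secret is assumed to come from an out-of-band key exchange.
    """
    prk = hmac.new(session_label, shared_secret, hashlib.sha256).digest()
    enc_key = hmac.new(prk, b"enc\x01", hashlib.sha256).digest()
    mac_key = hmac.new(prk, b"mac\x02", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, counter: int, length: int) -> bytes:
    """Counter-mode keystream: block i of frame n is HMAC(enc_key, n || i).

    Every (frame counter, block index) pair is used exactly once per session,
    so the keystream never repeats as long as the counter never wraps.
    """
    out = bytearray()
    block_index = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">II", counter, block_index), hashlib.sha256).digest()
        block_index += 1
    return bytes(out[:length])


def seal_frame(enc_key: bytes, mac_key: bytes, counter: int, pcm: bytes) -> bytes:
    """Encrypt one PCM frame and authenticate header + ciphertext."""
    ct = bytes(a ^ b for a, b in zip(pcm, keystream(enc_key, counter, len(pcm))))
    header = struct.pack(">I", counter)
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()[:TAG_BYTES]
    return header + ct + tag


class Sender:
    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.counter = 0

    def seal(self, pcm: bytes) -> bytes:
        if self.counter > MAX_COUNTER:
            raise RuntimeError("frame counter exhausted; rekey before continuing")
        frame = seal_frame(self.enc_key, self.mac_key, self.counter, pcm)
        self.counter += 1
        return frame


class Receiver:
    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.last_counter = -1  # highest counter accepted so far

    def open_frame(self, frame: bytes):
        """Return the PCM frame, or None if it must be discarded.

        Lost frames are tolerated: a gap in the counter is fine, only
        re-used or older counters are rejected.  Tag is checked before the
        counter is trusted, with a constant-time comparison.
        """
        if len(frame) < COUNTER_BYTES + TAG_BYTES:
            return None
        header, ct, tag = frame[:COUNTER_BYTES], frame[COUNTER_BYTES:-TAG_BYTES], frame[-TAG_BYTES:]
        expected = hmac.new(self.mac_key, header + ct, hashlib.sha256).digest()[:TAG_BYTES]
        if not hmac.compare_digest(tag, expected):
            return None
        (counter,) = struct.unpack(">I", header)
        if counter <= self.last_counter:
            return None
        self.last_counter = counter
        return bytes(a ^ b for a, b in zip(ct, keystream(self.enc_key, counter, len(ct))))


def demo() -> dict:
    """Constructed session: 10 frames, two lost in transit, one replayed, one tampered."""
    enc_key, mac_key = derive_keys(secrets.token_bytes(32), b"call-session-constructed")
    tx, rx = Sender(enc_key, mac_key), Receiver(enc_key, mac_key)
    frames = [tx.seal(bytes([i]) * FRAME_BYTES) for i in range(10)]
    stats = {"accepted": 0, "dropped_in_transit": 0, "rejected_replay": 0, "rejected_tamper": 0}
    delivered = []
    for i, f in enumerate(frames):
        if i in (3, 7):                       # frames lost on the voice path
            stats["dropped_in_transit"] += 1
            continue
        delivered.append(("ok", f))
        if i == 5:                            # same frame delivered twice
            delivered.append(("replay", f))
        if i == 8:                            # one ciphertext bit flipped
            tampered = bytearray(f)
            tampered[COUNTER_BYTES] ^= 0x01
            delivered.append(("tamper", bytes(tampered)))
    for kind, f in delivered:
        if rx.open_frame(f) is not None:
            stats["accepted"] += 1
        elif kind == "replay":
            stats["rejected_replay"] += 1
        elif kind == "tamper":
            stats["rejected_tamper"] += 1
    return stats


if __name__ == "__main__":
    print(demo())
```

Note that the ciphertext is indistinguishable from noise, so it would not survive the speech codecs the comment worries about; a real box would have to modulate it into codec-friendly tones, which this example does not attempt.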


If you are expecting truly secure phones, you are kidding yourself in the first place.

Phones are inherently insecure.

http://boingboing.net/2014/09/01/fake-phone-attacking-cell-t...

http://boingboing.net/2013/11/13/your-smartphones-hidden-rad...

etc.

When you can't even trust the f'n processor running your machine, you are hosed no matter what you do.


I've already proven it with a risk analysis from years ago. Some already happened. Here's a summary:

https://news.ycombinator.com/item?id=10906999

Just repost that any time someone claims their smartphone is secure. Ask what they did for each area and proof of its effectiveness.


Great - how do I get a non-compromised smartphone? :/

I'm kidding but I'm also serious.


Well, Android has both the most and the least secure phones out there :)

What does one need a secure smartphone for?

I really don't get the security model for smartphones. It seems horribly brittle. I mean, the fundamental protection is using apps from trusted sources, basically Google or Apple. Anything not trusted can't install, unless you've rooted the phone. And so old-school Windows-style malware is blocked.

However, when trusted apps are installed, they often demand all sorts of privileged access. And if they're malicious, there's no way to protect against them. Except that they get reported to Google/Apple and become unavailable. But that doesn't help people who already got pwned.

What am I missing?


You're never 'safe' by toggling any switch. Opsec needs to be approached holistically and goes far beyond technology. This setting could be part of that but not the core. I would expect the people really at risk to be fully aware of this (or have people in their entourage that are). The best thing to do if you have state-sponsored adversaries is to assume your phone is being hacked.

I have seen some people in such positions and sometimes they don't even use a smartphone at all. I don't think they would be tricked into feeling 'safe' with something like this. I wonder if it will actually prevent the attack vectors used by something like Pegasus.

I think it will make a lot of people feel badass though :) Like most people that bought Phil Zimmermann's Blackphone.


That will always remain an issue: Even if someone manages to create a secure app, the software and hardware platform will never be secure.

Hijacking a smartphone by only knowing its number, on the other hand, does not seem realistic to me. So a source for this claim would be great …


What are the options for someone who wants a fully trusted supply chain? Is there a modern smartphone made with provably secure hardware (and which I can verify is actually running that hardware and not some behave-alike SOC)?

From my somewhat-naive perspective, it seems like the alternative is an Android phone made in China by a Chinese company, which seems not obviously superior.


Not sure who is "we" here, but yes I agree, a general purpose customer phone can't be considered secure against state-level hackers, there MUST be tradeoffs.

As an example, I consider that a secure phone MUST have a boot-time full disk encryption passphrase, which needs to be different from the lockscreen one. For obvious reasons (which is that the user will tend to forget their password), you can't have this even as an option on general purpose phones.

That being said, GrapheneOS is IMO a pretty good option wrt security (like they chose to disable JIT, which impacts performance but supposedly improves security), even though lately their focus is no longer security for business reasons.

Architecture-wise, the best smartphones are pinephones/Librem, because of separation of the modem (which is, in the case of state actors, an actual danger), and you can force encryption of all communications (it's even possible to do VoLTE encryption CPU-side rather than modem-side), but I think at the moment their OS really lags behind Android when it comes to security.


There are plenty of security reasons not to buy a smartphone.

We all have had, but in the past. It isn't feasible now.

I mean, you can buy a "safe" smartphone, but first you can't prove beyond reasonable doubt that it is actually safe and private, and second, you attract more attention because the same phones are being bought by the criminals.
