Against the Law: Countering Lawful Abuses of Digital Surveillance
September 20, 2016
Nathan Seidle. (2016). Reply.


I was invited to review the article by TJOE:


Having low-level access to the radio control signals is a feasible method for user verification that the hardware is doing what the user expects. Bunnie and Edward's approach is very plausible.

The manuscript is free of technical errors as far as I can tell. I cannot verify the assumptions about bus functions or test points but test points are common and I have faith that with appropriate documents (and I am confident I could get the tech docs in the Shenzhen repair market) I could find the test points they describe.

Problem: The introspection method will only be feasible for a few years, maybe months. This method is only viable where the various radios are external to the main IC and there is a bus between GPS, BT, NFC, Cellular modems. As silicon manufacturers push costs down and integration up we will see less buses exposed, making this approach less effective. It's not many years (or months really) before a single IC does everything and no bus is exposed for 'introspection'.


It's very good.


It's good. There will be many readers commenting about EMF sleeves or wrapping the phone in aluminum or tin foil. This creates a Faraday cage and completely isolates the phone from all RF reception. I think Bunnie/Ed could add to the article to address this argument before it is made. The case needs to be addressed: in what situation does a reporter need to use their phone but not any of the RF features (cellular, GPS, BT, NFC, etc)? All I can think of is maybe recording audio, like an interview. If I was a high-value target I would not have a phone on me and would rely on other technologies that don't have radios (ie, tape recorder, pen/paper, etc). The article could benefit from addressing this (maybe I missed it).


I would ask Bunnie/Ed for higher res photos of their prototype to show the test point (TP) locations. This would help with credibility and confirmation. It would also open up the design (more open source/transparent).

Their approach to gaining access to the TPs: Removing solder mask through abrasion is hard. Removing a SIM card holder is another level of difficulty. I could do it. 100s, maybe 1000s, of people could as well. I think TP access is feasible if someone was *really* motivated, and I think this is inline with the opening remarks about high-value targets.
