Against the Law: Countering Lawful Abuses of Digital Surveillance
July 21, 20162 Versions
Not Featured in any Journals


@article{AgainsttheLa2016, title={Against the Law: Countering Lawful Abuses of Digital Surveillance}, author={Andrew 'bunnie' Huang, Edward Snowden}, year={2016}, note={version: 57a22cab5a4037b8e01ad5dc}, publisher={PubPub}, }


Andrew 'bunnie' Huang, Edward Snowden. (2016). Against the Law: Countering Lawful Abuses of Digital Surveillance. PubPub, [https://www.pubpub.org/pub/direct-radio-introspection] version: 57a22cab5a4037b8e01ad5dc


Andrew 'bunnie' Huang, Edward Snowden. "Against the Law: Countering Lawful Abuses of Digital Surveillance". PubPub, (2016). [https://www.pubpub.org/pub/direct-radio-introspection] version: 57a22cab5a4037b8e01ad5dc


Andrew 'bunnie' Huang, Edward Snowden. "Against the Law: Countering Lawful Abuses of Digital Surveillance". PubPub, (2016). [https://www.pubpub.org/pub/direct-radio-introspection] version: 57a22cab5a4037b8e01ad5dc
Front-line journalists are high-value targets, and their enemies will spare no expense to silence them. Unfortunately, journalists can be betrayed by their own tools. Their smartphones are also the perfect tracking device. Because of the precedent set by the US’s “third-party doctrine,” which holds that metadata on such signals enjoys no meaningful legal protection, governments and powerful political institutions are gaining access to comprehensive records of phone emissions unwittingly broadcast by device owners. This leaves journalists, activists, and rights workers in a position of vulnerability. This work aims to give journalists the tools to know when their smart phones are tracking or disclosing their location when the devices are supposed to be in airplane mode. We propose to accomplish this via direct introspection of signals controlling the phone's radio hardware. The introspection engine will be an open source, user-inspectable and field-verifiable module attached to an existing smart phone that makes no assumptions about the trustability of the phone's operating system.

Introduction and Problem Statement

Front-line journalists risk their lives to report from conflict regions. Casting a spotlight on atrocities, their updates can alter the tides of war and outcomes of elections. As a result, front-line journalists are high-value targets, and their enemies will spare no expense to silence them. In the past decade, hundreds of journalists have been captured, tortured and killed. These journalists have been reporting in conflict zones, such as Iraq and Syria, or in regions of political instability, such as the Philippines, Mexico, and Somalia.
Unfortunately, journalists can be betrayed by their own tools. Their smartphones, an essential tool for communicating with sources and the outside world–as well as for taking photos and authoring articles–are also the perfect tracking device. Legal barriers barring the access to unwitting phone transmissions are failing because of the precedent set by the US’s “third-party doctrine,” which holds that metadata on such signals enjoys no legal protection. As a result, governments and powerful political institutions are gaining access to comprehensive records of phone emissions unwittingly broadcast by device owners. This leaves journalists, activists, and rights workers in a position of vulnerability. Reporter Marie Colvin’s 2012 death is a tragic reminder of how real this vulnerability can be. A lawsuit against the Syrian government filed in 2016 alleges she was deliberately targeted and killed by Syrian government artillery fire. The lawsuit describes how her location was discovered in part through the use of intercept devices that monitored satellite-dish and cellphone communications.1
Dana Priest
Dana Priest. Washington Post. [http://wpo.st/5W2l1]
View Link
Turning off radios by entering airplane mode is no defense; for example, on iPhones since iOS 8.2, GPS is active in airplane mode. Furthermore, airplane mode is a “soft switch”–the graphics on the screen have no essential correlation with the hardware state. Malware packages, peddled by hackers at a price accessible by private individuals, can activate radios without any indication from the user interface; trusting a phone that has been hacked to go into airplane mode is like trusting a drunk person to judge if they are sober enough to drive.
This work aims to give journalists the tools to know when their smart phones are tracking or disclosing their location when the devices are supposed to be in airplane mode.

Approach and Goals

Numerous researchers and extensive corporate resources have been dedicated to the task of building a more secure smart phone. However, smartphones are extremely complex and present a large, porous attack surface. Furthermore, even a perfectly secure phone will not save a reporter from “victim-operated” exploits such as spearphishing. Eliminating this vector is complicated by the fact that effective reporters must communicate with a diverse array of sources who may intentionally or unintentionally convey a malware payload to the reporter.
As a result, this work starts with the assumption that a phone can and will be compromised. In such a situation, a reporter cannot take the UI status at face value. Instead, we aim to provide field-ready tools that enable a reporter to observe and investigate the status of the phone’s radios directly and independently of the phone’s native hardware. We call this direct introspection.
Our work proposes to monitor radio activity using a measurement tool contained in a phone-mounted battery case. We call this tool an introspection engine. The introspection engine has the capability to alert a reporter of a dangerous situation in real-time. The core principle is simple: if the reporter expects radios to be off, alert the user when they are turned on.
Our introspection engine is designed with the following goals in mind:
  1. Completely open source and user-inspectable (“You don’t have to trust us”)
  2. Introspection operations are performed by an execution domain completely separated from the phone’s CPU (“don’t rely on those with impaired judgment to fairly judge their state”)
  3. Proper operation of introspection system can be field-verified (guard against “evil maid” attacks and hardware failures)
  4. Difficult to trigger a false positive (users ignore or disable security alerts when there are too many positives)
  5. Difficult to induce a false negative, even with signed firmware updates (“don’t trust the system vendor” – state-level adversaries with full cooperation of system vendors should not be able to craft signed firmware updates that spoof or bypass the introspection engine)
  6. As much as possible, the introspection system should be passive and difficult to detect by the phone’s operating system (prevent black-listing/targeting of users based on introspection engine signatures)
  7. Simple, intuitive user interface requiring no specialized knowledge to interpret or operate (avoid user error leading to false negatives; “journalists shouldn’t have to be cryptographers to be safe”)
  8. Final solution should be usable on a daily basis, with minimal impact on workflow (avoid forcing field reporters into the choice between their personal security and being an effective journalist)
This work is not just an academic exercise; ultimately we must provide a field-ready introspection solution to protect reporters at work. Although the general principles underlying this work can be applied to any phone, reducing these principles to practice requires a significant amount of reverse engineering, as there are no broadly supported open source phone solutions on the market. Thus we focus on a single phone model, the 4.7” iPhone 6 by Apple Inc., as the subject for field deployment. The choice of model is driven primarily by what we understand to be the current preferences and tastes of reporters. It has little to do with the relative security of any platform, as we assume any platform, be it iOS or Android, can and will be compromised by state-level adversaries.

Methods & Intermediate Results

The first step toward executing this work was to visit the Hua Qiang electronics markets of Shenzhen to collect samples and documentation for evaluation. These markets are ground zero for the trade and practice of iPhone repair; as such, it is a rich source of spare parts and repair manuals. The repair manuals frequently contain detailed blueprints of the iPhone 6, which were used to assist the reverse engineering effort.
Based on the phone model selection and available documentation, we can enumerate the radio interfaces available:
  • Cellular modem – 2G/3G/4G
  • Wifi / BT
  • GPS
  • NFC (Apple Pay)
Although our work can be extended to input systems such as the IMU (inertial measurement unit), barometer, microphone and camera, to focus the effort we restrict our exploration to only RF interfaces that can directly betray a user’s location. Note that a camera can be defeated by obscuring the lens; as such the final physical design of our battery case will likely include a feature to selectively obscure the rear camera lens.

Methods that Do Not Meet our Criteria

Numerous semi-intrusive countermeasures were considered along the way to our current solution, including but not limited to RF spectrum monitoring, active jamming, and the selective physical isolation or termination of antennae. Semi-intrusive countermeasures would require minimal modification to the phone itself, which is desirable as it simplifies field deployment and could even enable reporters to perform the modifications without any special tools. Unfortunately, all of these methods were deemed to be inadequate, as discussed in the following paragraphs.
RF spectrum monitoring consists of building an external radio receiver that can detect transmissions emanating from the phone’s radios. In some cases, it was hypothesized that the receiver could be as trivial as an RF power monitor within the anticipated radio bands. A simple example of such monitoring already exists in the form of novelty lights that flash based on parasitic power extracted from the GSM antennae. The problems with this approach is that 1) it can only reliably detect active transmissions from the radio, and 2) malware that passively records the user’s position and delivers it as a deferred payload when the radios are intentionally activated cannot be detected. Furthermore, this approach is subject to spoofing; false positives can be triggered by the presence of nearby base stations. Such false alarms can confuse the user and eventually lead the user to be conditioned to ignore real alerts in hazardous situations.
Active jamming consists of building an external radio transmitter that attempts to inject false signals into the radios. Thus, even if malware were to activate the radios and listen for position-revealing signals, it would, in theory, report largely bogus position information. This is particularly effective against GPS, where GPS signals are very weak and thus even a weak local transmitter should be able to overpower the GPS satellites. However, active jamming was ruled out for several reasons. The jammer’s emissions could create a signal that can be traced to locate the reporter; the jammer will require substantial battery power, and the user is left vulnerable once the jammer’s power is exhausted. Furthermore, nearby base stations may still be detected by the receivers, as modern radio protocols have sophisticated designs to protect against unintentional jamming.
Selective physical isolation or termination of the antennae consists of inserting an electronic switch between the connectors of the logic board and the antenna. The switch, when activated, would shunt the antenna to a matched resistive load, which would greatly reduce the transmission power and receive sensitivity of the radios. However, experimental verification on the WiFi subystem indicated that removing the antenna connection and permanently terminating with a shunt resistor still leaked sufficient RF into the receivers for local base stations (e.g., within the same room) to be detected, which could be sufficient information to betray a reporter’s location.

Methods that Do Meet our Criteria

Upon determining that semi-intrusive countermeasures were inadequate, we investigated options that involve measuring signals on the phone’s logic board, typically via test points designed in by the manufacturer. It is no surprise that complex systems such as the Apple iPhone 6 would have test points baked into the circuit board design to assist with debugging. These are an essential part of yield and customer experience improvement; defective units from the factory and the field are sent back to the headquarters, and engineers rely on these testpoints to determine the root cause of the device’s failure.
Using repair manual documentation acquired from the Hua Qiang electronics market, we cataloged a set of internal test points that were:
  1. Accessible with low probability of damage to the logic board by a trained operator
  2. Could provide meaningful data on the radio status
  3. Would be difficult or impossible to disable or spoof (e.g., future-proof against adversaries aware of our research).
For the accessibility criteria (1), test points were considered viable even if they required desoldering an RF shield or the SIM card connector, and manual removal of soldermask. In our experience, a trained operator can perform these tasks with low probability of irreparable damage to the motherboard. These operations are not recommended for entry-level novices. However, our experiences in Shenzhen indicate that any technician with modest soldering skills can be trained to perform these operations reliably in about 1-2 days of practice on scrap motherboards. Thus, technicians could be trained to perform the modifications in any locale with sufficient demand for modified iPhones.
The following table is a list of test points we have accessed and have found to provide introspection data that potentially meet criteria (2) and (3).
Above: table of internal signal candidates for introspection.
Above: image of the FE1, FE2 bus probe experiment. Test points from the back side of the PCB are wired to the top side for easy probing.
Above: image of the backside of the FE1, FE2 probe experiment. The test points are located adjacent to the NAND Flash, underneath an RF shield which was removed for this experiment. The test points were covered with soldermask, which was removed through mechanical abrasion.
Above: image of the UART and GPS sync probing experiment. The majority of the test points are located underneath the SIM card connector, which was removed for this experiment.
Above: image of the back side of the UART and GPS sync probing experiment. A pair of wires are run to break out WLAN_PERST and power-related signals for monitoring.

Cellular Modem Introspection

The FE1 and FE2 serial buses run at 20MHz, with a 1.8V swing. This bus is used primarily to configure the cellular modem radios. When the radios are on, there is constant traffic on these buses. When in airplane mode, the traffic completely ceases.
Above: example of bus traffic on the FE1 bus.
Cellular radios operate in a complex environment, and require constant adaptation of the antennae, power amplifiers, and band selection for proper operation. It is hypothesized that an attempt to even passively scan for base stations without transmitting will require traffic on this bus; at the very least, the antenna switches must be powered on and configured to receive. Therefore, cellular modem introspection may be as easy as noting if there is any activity on the FE buses during airplane mode.
We note for the sake of completeness that it may be possible for an attacker to statically configure the antenna, channel, and power amplifier settings and convert the device into a radio beacon that blasts out a signal that is inconsistent with the cellular modem standard but detectable through other means. In this mode, one would observe no traffic on the FE buses, but one could, in theory, triangulate the location of the transmitter with modified base stations or specially deployed receivers. This scenario can be mitigated by doing deep packet inspection and noting the addresses that should be hit to power down the cellular modem systems. If any devices are skipped during the power-off sequence, that would be flagged as a potentially hazardous condition.
However, this scenario would require modifications to the cellular modem transport specifications, and as such one would need to deploy modified base stations across the territory to gain adequate surveillance coverage. This would likely require extensive cooperation of both the baseband radio vendors and cellular providers to craft and effectively deploy such an exploit. Because of the difficulty, we imagine such an exploit would be available only to well-organized government-level adversaries.
Finally, the phone’s vendor, Apple, could volunteer (or be coerced) to push a signed update that sends random “NOP” packets over the FE buses during airplane mode to force false positives and make this technique less effective. Again, in such a case deep packet inspection could help to discard chaff from signal. Although future hardware versions could encrypt this bus to foil observation, we believe it is not possible to introduce bus encryption with a software-only change: the peripheral devices on this bus lack loadable firmware. Thus, at least for current phone models, deep packet inspection should be robust.

WiFi & Bluetooth Introspection

The WiFi subsystem interfaces to the CPU through multiple buses, namely, PCI-express and a UART; the Bluetooth subsystem interfaces to the CPU through a UART, with a separate UART channel for coexistence. Because of the Bluetooth subsystem’s relatively simple interface, it should be possible to robustly detect Bluetooth activity by simply monitoring the BT UART signals.
The WLAN UART signals seem to carry configuration and status information regarding WiFi configuration, as evidenced by the UART trace below.
Above: example data on the Wifi UART as decoded by a Tek MDO4014B.
Further exploration of the data contained within the signals is necessary to determine if it is possible for an adversary to perform access point scans, which is an effective means of geolocation, without invoking the UART. Unfortunately, the WiFi power remains on even in airplane mode, so monitoring WiFi voltage levels has no correlation with radio activity.
Significantly, WLAN, BT, and GPS risks can be mitigated by forcing the WLAN PCI bus into reset. By holding WLAN_PERST low prior to power-on and throughout boot, WiFi will fail to enumerate on the PCI bus. iOS will continue to boot and is fully usable, but in the Settings panel, WiFi will appear to be off and cannot be switched on. Attempts to switch on Bluetooth fail, and GPS, although active, cannot access its antenna as the antenna for GPS is shared with WiFi. Note that forcing WLAN_PERST low during normal operation forces a phone reboot, so disabling WiFi using this technique effectively necessitates a reboot.
This is a simple but effective method to force several critical subsystems to be off, with no chance for an updated firmware to bypass a WiFi hardware reset. However, the failure of Bluetooth and GPS subsystems to activate may be due to firmware-only dependencies. It is hypothesized that these systems rely on WiFi to initialize before activating the respective antenna switches for these subsystems, since they all share a common antenna port. Thus it may be possible for an exploit to be developed to force Bluetooth and GPS to be on even if WiFi is in reset. Furthermore, it may be possible for malware to fingerprint systems where the WiFi has failed to initialize, and flag these users for further monitoring.
Thus, depending on the user’s threat model, the WLAN_PERST defeat may be a simple but effective method to defeat several radios with a single signal, but it may also give away information to advanced adversaries on the presence of an introspection engine. Because of the effectiveness of the WLAN_PERST trick, we would present users with the option to activate this, but not require it.
Significantly, repair manuals indicate that the WiFi/Bluetooth module includes a hardware “RFKILL” pin. Apple leaves this pin unconnected and very difficult to access through mods, but if phone vendors wanted to support efforts like this, future revisions of phones could break such pins out to offer a more graceful defeat that doesn’t require rebooting the phone or leave a measurable signature while disabling these radios.

GPS Introspection

To date, we have identified three possible methods for detecting GPS activation. One is to look for activity on the BB UART bus. When GPS is active, coordinate data seems to be transmitted over the BB UART bus. A second is to look at the GPS_SYNC signal. When GPS is active, the GPS_SYNC signal pings the base band at a rate of about once per second, with a pulse width inversely proportional to the quality of the GPS lock. A very wide pulse indicates a high degree of uncertainty in the GPS signal. Finally, the GPS has an independent power regulator which is turned off when the GPS is not active, to save power.

NFC Introspection/Defeat

For NFC, we decided that the risk/reward of selectively enabling and monitoring Apple Pay is not worth it. In other words, we do not expect journalists operating in conflict zones to be relying on Apple Pay to get their work done. Therefore, to simplify the effort, we opt to fully disable Apple Pay by disconnecting the RF front end from its antenna.
Fortunately, the NFC’s antenna is connected to the main logic board via a single screw. By removing this screw and separating the antenna from the main logic board, we hope to substantially and selectively reduce the sensitivity of the NFC radio. Further testing is required to determine if this is sufficient to guard against attacks by adversaries using high-power amplifiers to query the Apple Pay NFC feature. If found inadequate, further countermeasures, including but not limited to permanently removing the Apple Pay NFC RF front end chip from the mainboard, are options to prevent exploitation of the radio without leaving a clear signature that can be detected by an adversary.
Above: location of the Apple Pay antenna connection, highlighted in pink. Original image courtesy iFixit, CC-BY-NC-SA licensed.

Next Steps and Field Deployment

Now that a set of viable signals has been identified for introspection, the next step is refining the system for field deployment.
From the outside, the introspection engine will look and behave like a typical battery case for the iPhone 6. However, in addition to providing extra power to the iPhone 6, the case will contain the introspection engine’s electronics core. The electronics core will likely consist of a small FPGA and an independent CPU running a code base completely separate from the iPhone 6’s CPU. This physical isolation of CPU cores minimizes the chance of malware from the phone infecting the introspection engine.
Above: Conceptual rendering of a "battery case" style introspection engine, piggybacked on an iPhone6.
The battery case/introspection engine will also feature an independent screen to update the user on radio status; for example, it can inform the user on time elapsed since the last traffic was detected on any radio bus. Thus, users can field-verify that the bus taps are in place by briefly bringing the system out of airplane mode in a safe location. Any radio that does not report traffic out of airplane mode would indicate a hardware failure of the introspection engine. Of course, the system will also feature an audible alarm that can be set to trip in case any activity is seen on any set of radios. It might also be desirable to incorporate a “kill switch” feature which forcibly disconnects power to the phone in the case that a radio is found to be errantly transmitting.
In order to facilitate the robust wiring of the signal taps, a custom flexible printed circuit (FPC) will be designed with contacts pre-loaded at signal test point locations. This will streamline phone modifications while making the final product more robust. As the SIM card has to be removed for access to key test points, the FPC will also connect to the SIM card signals. An additional FPC will then exit via the existing SIM card port, making available to the introspection engine both the bus taps and the SIM card signals.
Above: The orange highlighted part is a proposed FPC which exits via the SIM card port and routes signals from the modified iPhone6 mainboard to the introspection engine's electronics.
This architecture opens the possibility of the introspection engine featuring multiple SIM card slots. Although the system will still need to be rebooted when switching SIMs, it can be convenient for certain users to be able to switch SIMs rapidly without the use of any extra tools or worry of dropping and losing the tiny SIM cards. This is especially problematic, for example, when switching SIM cards during transit on unpaved, bumpy roads. It should be noted that changing SIM cards is no defense against geolocation; the IMEI remains constant despite the SIM card swap. The SIM card swapping feature is simply a convenience to reporters who need to maintain several numbers or data plans appropriate for multiple regions.
Over the coming year, we hope to prototype and verify the introspection engine’s abilities. As the project is run largely through volunteer efforts on a shoestring budget, it will proceed at a pace reflecting the practical limitations of donated time. If the prototype proves successful, the FPF may move to seek the necessary funding to develop and maintain a supply chain. This would enable the FPF to deploy modified iPhone 6 devices for field service among journalists in high-risk situations.
The techniques developed in this work should also be applicable to other makes and models of phones. Pervasive deployment of radio introspection techniques could be assisted with minimal cooperation of system vendors. By grouping radio control test points together, leaving them exposed, and publishing a terse description of each test point, direct introspection engines can be more rapidly deployed and retrofitted into future smartphones.
Furthermore, direct introspection may be extendable beyond the radio interfaces and into the filesystem layer. We theorize an introspection engine attached to the mass storage device within a phone; for example, an FPGA observing the SD bus between the CPU and the eMMC in a typical Android phone implementation. This introspection engine could observe, in real time, file manipulations and flag, or even block, potentially suspicious operations. With further system integration, the introspection engine could even perform an off-line integrity check of the filesystem or disk image. The efficacy of filesystem introspection is enhanced if the system integrator chooses to only sign OS-related files, but not encrypt them. As core OS files contain no user data or secrets, baring them for direct introspection would not impact the secrecy of user data while enabling third-party attestation of the OS’s integrity.


Dana Priest. Washington Post. [http://wpo.st/5W2l1]
Show Threads
While the idea of a phone case-like design for a final product is a good idea, the presence of a screen might cause it to be visible to hostile regimes. With the display located on the back of a phone, wouldn't holding a phone up vertically (in the normal, touchscreen-facing-the-user position) mean the backside of the phone is visible to all? Anyone (such as, say, an officer) may be able to spot and identify such devices during a stop and confiscate the modified device, for example. For the final product, will there any mechanisms in place to hide the screen, make the modifications look like a normal phone case, or otherwise address this sort of visibility problem?
Alternatively, this may not be in scope; one could argue that if an officer is close enough to see a modified device, the journalistic effort has already been detected. Either way, I'd love to hear thoughts.
Maybe the display could be masked in a flip-cover sort of case.
Or, maybe, the case could cover all of the phone's back and the top part of it be a foldable display.
I was invited to review the article by TJOE:


Having low-level access to the radio control signals is a feasible method for user verification that the hardware is doing what the user expects. Bunnie and Edward's approach is very plausible.

The manuscript is free of technical errors as far as I can tell. I cannot verify the assumptions about bus functions or test points but test points are common and I have faith that with appropriate documents (and I am confident I could get the tech docs in the Shenzhen repair market) I could find the test points they describe.

Problem: The introspection method will only be feasible for a few years, maybe months. This method is only viable where the various radios are external to the main IC and there is a bus between GPS, BT, NFC, Cellular modems. As silicon manufacturers push costs down and integration up we will see less buses exposed, making this approach less effective. It's not many years (or months really) before a single IC does everything and no bus is exposed for 'introspection'.


It's very good.


It's good. There will be many readers commenting about EMF sleeves or wrapping the phone in aluminum or tin foil. This creates a Faraday cage and completely isolates the phone from all RF reception. I think Bunnie/Ed could add to the article to address this argument before it is made. The case needs to be addressed: in what situation does a reporter need to use their phone but not any of the RF features (cellular, GPS, BT, NFC, etc)? All I can think of is maybe recording audio, like an interview. If I was a high-value target I would not have a phone on me and would rely on other technologies that don't have radios (ie, tape recorder, pen/paper, etc). The article could benefit from addressing this (maybe I missed it).


I would ask Bunnie/Ed for higher res photos of their prototype to show the test point (TP) locations. This would help with credibility and confirmation. It would also open up the design (more open source/transparent).

Their approach to gaining access to the TPs: Removing solder mask through abrasion is hard. Removing a SIM card holder is another level of difficulty. I could do it. 100s, maybe 1000s, of people could as well. I think TP access is feasible if someone was *really* motivated, and I think this is inline with the opening remarks about high-value targets.
Kickstarter, Indiegogo, Bitcoin, Litecoin, etc... How can we help make this a reality?
So it identifies when a broadcast is occurring, but doesn't actually stop it. At that point isn't it already too late for a high-risk endeavor?
I get it. Having a recognizeable case (that says hey, I care about my security/anonymity) might not be very covert. I stand by the effort being put forth here. This is low level reverse engineering, expansion, etc.. all through SIM card, etc... to anyone already putting forward suggestions to the design, you should kinda STFU. Horse before the cart. First lets make this awesome idea come to life, see how it's limited by materialism and then hone it from there.
the IMEI remains constant
Could IMEI spoofing be added to this device?
Significantly, repair manuals indicate that the WiFi/Bluetooth module includes a hardware “RFKILL” pin. Apple leaves this pin unconnected and very difficult to access through mods, but if phone vendors wanted to support efforts like this, future revisions of phones could break such pins out to offer a more graceful defeat that doesn’t require rebooting the phone or leave a measurable signature while disabling these radios
Can you be more precise about what you mean by ‘phone vendors’? Would skilled enough technicians be capable of this mod, or does it need to happen at a factory level?
I was invited to review this important, timely, and sound article from a non-technical standpoint by TJOE. My comments focus on making more explicit the urgent current need for such a case and other technical solutions for end users, and not just in conflict areas or in illiberal states.
1) The authors might want to underscore more explicitly at the beginning something they know very well: that targeting journalists with their phones is no mere theoretical possibility, but a rapidly expanding practice aided and abetted by offensive security corporations, such as Hacking Team, for governments in many shades of authoritarianism (here worth citing some of the fantastic work of Citizen Lab, such as https://citizenlab.org/2015/03/hacking-team-reloaded-us-based-ethiopian-journalists-targeted-spyware/ and the rest of their important reports; ( readers of TJOE would appreciate in particular the more technical forensic reports there).
And as I needn’t tell the authors, it’s worth perhaps stressing explicitly this isn't simply a problem with so-called authoritarian countries: the targeting of journalists within liberal democracies appears, likewise, a growing concern, as the roiling controversy about Canada’s CSIS (from yesterday: https://www.thestar.com/news/canada/2016/12/14/csis-breaches-promise-to-report-on-past-media-surveillance.html). I know E.S. has spoken often about this, but worth including explicitly.
2) US probably led the way with the declaration that dialing information has no reasonable expectation of privacy in Smith v. Maryland, and the subsequent application of this precedent to metadata writ large (for the longer story of phone interception, might cite Landau and Diffie’s great book).
But if US protections around metadata rather weak, they are considerably weaker in Five Eyes partners, notably the UK RIPA’s shockingly cavalier treatment of “communications data” and the Australian “telecommunications data,” all available with little legal friction to a broad range of domestic agencies, not just spooks and cops, e.g. at http://www.zdnet.com/article/61-agencies-after-warrantless-access-to-australian-telecommunications-metadata/ and in the text of RIPA itself. In other words, all sorts of quotidian domestic journalism and activism potentially affected now, in liberal democracies and illiberal polities alike: not just national security, but everyday domestic stories may be implicated.
3) Most importantly: I’d encourage the authors to outline briefly but a bit more thoroughly the diverse sorts of dangers posed by telephony metadata, better to explain the risk model focused on here: 1/ bulk collection generally, 2/ pattern of life analysis, and 3/ tracking of individual phones. This project, of course, cannot solve the larger problem of metadata associated with a particular sim or phone being accumulated and analyzed over time. But it would be extremely useful for 2/ and 3/. (A good citation for 2/ might be https://snowdenarchive.cjfe.org/greenstone/collect/snowden1/index/assoc/HASH01fd/9744a8b9.dir/doc.pdf )
The article is quite clear.
-The text does not cover anything about the updating process for the case and the attack surface this may provide; given that government seizure of phones at border crossings of US and others seems on the uptick, any sense of how to guarantee the integrity of the case’s software and hardware if seized even for a few minutes?
-While the ability to switch sims would very convenient, perhaps the display should remind the user than changing sims doesn’t alter the IMEI—a point most security aware users should know, but may forget. Perhaps an explicit reminder of this on the screen.
-Like the other reviewer, I’d urge the authors to address “why not a simple faraday” cage more forthrightly.
- Some of the points here and above would benefit from some illustration. If need the perfect graphic for the article, two NSA slides perfect: “who knew in 1984…that the would be big brother” [picture of Jobs holding iPhone] (https://snowdenarchive.cjfe.org/greenstone/collect/snowden1/index/assoc/HASHc240.dir/doc.pdf )
Little is said here about the software for the case’s independent cpu. Is there any envisioned auditing process to guarantee integrity of that software?
There will always be the "DE-BUNKERS" and "ILL-WISHERS" of the world because they did not come up with the idea first. I think That Huang and Snowden are onto something and it MUST BE PUT FORWARD, Not maybe or yea sounds good. Things like this are needed to protect you from "ALL PRYING EYES" and there are TO MANY OF THOSE EYES OUT THERE! Snowden popped the lid OFF the can...it is high time the PEOPLE OF THE WORLD take the world back and get rid of all the corrupt and inept politicians and GANG-LAND gunslinging police to say nothing of the people and gangs out to destroy us all. I say go for it, get it up and move forward with "OUR PROTECTIVE RIGHTS" as humans!
The idea is genial - relatively simple and very efficient. And it can serve as a basis to implement additional features.
In my thesis "Detection and countermeasures of attacks on smartphones" I described a possible solution with a so called Turbo SIM. Analyzing the communication of the SIM card can also be done with a WiFi- or NFC (Waver) Turbo SIM. That means you don’t have to connected the „battery case“ with the SIM Card slot. If people think this device looks to too obvious, it would be possible to place it inside a 2,5 HDD case for example.
I am looking forward to this project - big respect!
"genial" means great! 😃
Until this become feasible for everyday use, there's a company called Silent Pocket making Faraday cage cell phone sleeves. I have one, and use it every day, except for at work and home. It blocks cellular, GPS, wifi, gps, and bluetooth. I've tested it many times using 3 different cellular carriers and 8 different wifi spots with no issue to date.
https://silent-pocket.com in case you're interested.
It will be hardened phone at the end of the day competing with other hardened phones that try hard to provide solutions to all types of eavesdropping as well. as it requires physical hacking connections inside the phone, porting this to any phone vendor is not realistic. also, what about other threats like SS7 snd MITM attacks based...
While a fantastically conceived idea, I doubt the engineers are naive enough to not have considered the potential for such a cloaking device to fall into the hands of those with intentions more nefarious than altruistic journalists and activists. While an intention of such high-value targets is certainly to prevent becoming the recipient of unwanted and unwarranted attacks, could the same device not also be used by those looking to play the role of the aggressor? If individuals on no fly lists are still able to gain access to weapons, wouldn't those same or even more individuals find it beneficial to improve their ability to stay "off the grid" with this device? Perhaps even while visiting areas known to provide ways and means to train and assist atrocities on a global scale. Additionally, if companies such as Apple are already being taken to federal court over a reluctance to discern something as simple as a password what would prevent the insistence that hardware be laid out in a way so as to prevent the tap points necessary for this introspection device? Wouldn't such a cat and mouse game stymie the creativity we demand from our technology companies? Having said that, I find this a brave and encouraging push toward the inherent quest for privacy - a right we all deserve.
A similar argument can be made for encryption, or really any privacy enhancing technology. Just because a technology could assist "nefarious" individuals doesn't mean that the technology shouldn't be made available to all.
This device just tells you when the radios on your device are in use. That is all it does. It does not "cloak" anything. If you want to communicate with anyone, the radios must be on. What this device does do is it tells you if your phone is communicating with others at times that you don't explicitly want it to, which gives you an indication of if your phone is not acting entirely under your command.
How will the public be notified that the case/blocker is commercially available?
To hide the back, the case should wrap around the entire phone, with the entry hole (to insert the phone in the case) at the top or bottom. This would imply an elastic body with the counter-measures mixed into the elastic substance (such as a blocking metal that can be added to the liquid rubber when cooling) or the counter-measures grafted into the elastic substance.
It should be generic looking with no identifying brand or mark.
I have long held freedom of speech dear, however, I have to say that Mr Snowden has a childlike view of the modern world. I would like this device banned because it will work against our security services' constant struggle to keep us safe from terrorists and terrorist inspired maniacs. Our security services in the UK have been doing such a fantastic job, goodness knows they need our help to fight their quiet war against those who want to murder us and our children. A little self sacrifice to this end would not go amiss.
Naive Minnie
Far from naive, it's all about balancing risks and priorities. while I feel for people who risk their lives to fight brutal and repressive regimes, I have two beautiful children. Have you seen the pictures from Nice? We all know what the security services around the world get up to, but the vast majority of us live such boring lives that they are no risk to us. IS inspired nut jobs are a far greater risk. The enemy of my enemy is my friend (this doesn't mean I agree with all that they do) and so helping our security services fight IS is worth a considerable amount of self sacrifice. Grow up and live in the real world.
Our security services already have all this, yet things like Nice still happen. How many terror attacks have been prevented by our security services by using data like this? Very few, if any.
The chances of you being harmed by a terrorist attack are so vanishingly small that they're negligible. The risk to you from being spied upon is much greater.
You've got children, so you're willing to do anything to protect them. But realise you're not just giving up your rights and privacy, but those of everyone and your children too.