Bunnie Huang and Edward Snowden’s Malware-Detecting Smartphone Case (pubpub.org)
173 points by elijahparker on Aug 26, 2016 | hide | past | favorite | 62 comments



I'm glad this title mentioned Bunnie; when the smartphone case was first announced, most news outlets reported it as "a smartphone case that prevents spying by Edward Snowden and some hacker".


Agreed. Quite skeptical that Snowden is anything other than a PR stunt for an otherwise interesting/useful project that requires hardware development expertise.


Well, to be honest both of them are quite good at promoting themselves. Just in different circles...


I don't understand what kind of malware this is supposed to detect? This only seems relevant when you're using airplane mode, and why wouldn't malware just wait until you went back online before transmitting the data?


Let's say you're a journalist meeting with a source.

Let's say a certain three letter agency would like to listen to that conversation in real-time if they could.

Let's say the journalist thinks that by setting his phone to flight mode, the radio is off and he can't be maliciously tracked.

Let's say the three letter agency has various means to connect and listen in on phones in real time if it chooses.

This new smartphone case would then be able to confirm to the journalist that the phone is not sending/receiving radio signals.

Now, that might sound like a far-fetched scenario, but bear in mind that Snowden asked reporters meeting with him to put their phones in his fridge to prevent exactly that scenario from playing out.

It is therefore not surprising that he might play a part in developing a case like this.


So we assume that an adversary has dropped some malware that can silently enable the radio, activate the microphone, encode the audio stream and transmit it in real-time - and they want to avoid detection by this case.

Well, all they need to do is modify the malware to record the audio to a file and transmit it when the radio is next switched on, perhaps interleaving it with normal radio activity.

As a malware detector, this case is useless.


That was my immediate thought: if they have access to your phone at that level, recording (voice, packets, GPS co-ords) to a file and then sending it once it has signal would be trivial. It would provide a misguided level of confidence in their security, which could lead to exactly the consequences they are trying to avoid.

Got a secret meeting? Don't take your bloody phone.


Of course not taking your phone is a visible data footprint if you're detected in other ways. Secrecy is a pretty hard problem now.


The objective, in this case, is to prevent recording of the proceedings, not keep the very existence of the meeting a secret.


It has been confirmed that some mobile basebands are, in fact, remotely controllable even when a device is apparently off. It isn't a far-fetched scenario.

http://www.seattletimes.com/nation-world/even-if-theyre-off-...

In this case it was a Motorola device on an iDEN network, probably using a Freescale baseband. But it is likely that most major vendors were persuaded to include similar capabilities and that network providers cooperate in providing special signaling to control these capabilities.


Not useless. Just less useful.

It pushes the capacity for your adversary to operate into (slightly) slimmer confines, which is a marginal improvement.

Otherwise, your adversary can behave in an unrestrained manner. No?


One might also argue that giving a violent prisoner left-handed scissors will slow them down and is therefore a marginal improvement.


I can't argue with that: if I had to choose between the two, I'd rather be stabbed by the non-dominant hand. Obviously not being stabbed at all is a much better choice (when available).


I guess. For the kinds of clients who would want this device, this would just be like making it so that you're only a little bit pregnant. You either prevent the eavesdropping or you don't. The only safe tactic is not to bring the device anywhere you don't want to be tracked or recorded. Or to technologically prevent it from operating somehow in a way that doesn't rely on verification -- such as taking the battery out, if you can, or putting it in a verified Faraday cage that you keep in a soundproof box if you can't. And if you're the kind of person with a life so interesting they need to worry about phone implants, maybe take battery removability into consideration when you buy the device.


Baseband processors in all mobiles have direct access to the microphone and it is fairly trivial to access remotely. Comes as standard on all stingray devices available to any and all perverts willing to use it.

Only Samsung devices have been shown to give the baseband processor backdoor access to device storage. Afaik.


This also detects when the GPS is used. If the phone has GPS and cell radio (for reception and transmission) disabled, it's a lot harder for any malware to figure out its location (not impossible -- there is some research about identifying locations in a metro network using an accelerometer alone).

While it's easy to prevent the phone from recording your conversation (just place it somewhere out of earshot, maybe next to a noise source for the duration of the conversation alone), it's much harder to prevent it from learning where you're going (if you're taking it with you).


That a security measure is not impossible to defeat does not mean it's useless.


They would have to know the exact meeting time and would use space on the device, which could be noticed.

This case is not a silver bullet, but it's a useful tool.


Or they could record to file only when the radio is off, and transmit directly without recording when it is on.


The next logical question is why is this case better than putting their phones in the fridge?


Because you can't take the fridge with you on a false trail, place the phone inside at some point before deviating to the true meeting point, and then pull it back out again once the meeting has been completed and sufficient distance has been traveled.

Even some sort of electromagnetic shielding case or bag wouldn't be as convenient (so more likely to be used) or informative.


Yeah. Or have a little metal case with you into which you put your device. Or buy a roll of aluminum foil and just wrap the phone inside it (just spelling this out makes me feel like a conspiracy theory nutter). So many cheap options...


There are fairly cheap little faraday cage forensic bags that LEOs often purchase in bulk. Power off phone, slip phone in, it's not transmitting any more.


The introspection/detection part. That's the only part, actually. It doesn't stop the signals by itself.


Using this thing, you will know that you've been compromised if a transmission occurs. Fridge won't tell you that.

Knowing you are compromised, you could prepare disinformation to throw off, embarrass or otherwise humiliate an adversary.


Wouldn't a faraday cage be effective here? I suppose it doesn't confirm that you are being surveilled, but it would block radio signals.



In the fridge? Let's hope he knows how far the closest tower is for the journalist's carrier.

My Galaxy Note 4 gets a solid connection on T-Mobile in the fridge, in the oven, in the washer, and in the dryer.

It's in the range of 33ms ping, 45Mbps upload, 24Mbps download in each of those locations.

Why? T-Mobile has a neighborhood tower one short block from home.


The fridge would block the ability of the microphone to pick up sounds, not block the cell tower signal.


They're trying to build something that can detect when GPS is on, to protect against phones secretly recording their owners' locations even while in airplane mode.

If it were me, though, I'd just drop the phone into a potato-chip bag.


Or one of these Faraday Cage bags. I wonder if anyone has independently tested these for emissions leakage.

https://www.amazon.com/Faraday-EMP-BLACKOUT®-Prepping-Smartp...


Those look remarkably like some anti-static bags that we bought by the thousands in China for less than a dollar a piece. I'll check on Tuesday and post back here.


Well I've tried the bags we have at the office and while they do indeed look the same my phone has no trouble staying connected while inside the bag.


I just spent a week in the Shenzhen Huaqiang Bei electronic malls and I couldn't agree with you more about the pricing. You can do so much better being there physically and negotiating the hell out of things.


Read the reviews. Multiple users report cell phones working perfectly fine while inside the bag.

As noted by dnh44, these are almost certainly bog-standard antistatic bags, which are not intended to provide any kind of RF shielding.


As all things we buy on the internet, if it seems to be too good to be true... Hence my comment about independent testing/review of such products.

However, the concept of Faraday cages is not new. There are vendors catering to the law enforcement market that make these bags to prevent tampering with evidence on confiscated devices.

You just have to find the right ones. I was just showing examples of such products available online.

Caveat Emptor.


The potato chip bag option would have plausible deniability. I would go for a whole lunch bag with sandwich in genuine tin foil as mylar film doesn't seem that thick to me.

Plausible deniability is really important if one expects to be frisked. Traveling in something like cycling gear could be part of the disguise, you can go through special gates at train stations and not be ticket inspected by machine. Nobody expects the guy in fluorescent clothing travelling at 15 mph.


GPS locators are passive: only receiving signals, not emitting them.


An entire section of the article is devoted to this topic. Ctrl-F "GPS Introspection".


You can't really get massive global PR with a potato-chip bag though.


Freedom crisps.


"For the iPhone, there are four different radio interfaces that could potentially be used for malicious purposes: the cellular modem, Wi-Fi, GPS, and NFC"

Well, GPS only receives... so how is it going to detect that?


Possibly the idea is to prevent malware already on the phone from logging location data while the radios are dark, and then uploading the historical location data when the phone reconnects?

That said, it's obviously a very limited form of protection. I guess it speaks to the sad state of mobile security that this is the best Snowden and Bunnie can come up with - the only sane choice for a potential target is to assume the mobile device is untrusted and try to reduce the scope for it to snitch on the user.


When the GPS antenna is on, it gives off RF interference? Just a guess. GPS draws quite a bit of power when turned on.


Probably not from the antenna, but the downconversion and signal processing chain definitely will. They are shielded, but I'm sure some gets through.


In the linked article, it states they intend to attach signal probes to test points on the iPhone mainboard to read when certain interfaces are active.


The article mentions the answer to that.


I assume similar to the way radar detector-detectors work. Superheterodyne receivers mix incoming RF with an internal signal to make a much lower intermediate signal they can tune to. The device will leak some of the internal signal and you can detect it.


Now I wonder what the challenges would be to build a radar detector-detector-detector....


Articles like this make me wonder how journalists were able to do their jobs before the ubiquity of cellphones.

Here's an analogy to what's happening:

Since you're a high value journalist, a state actor has helpfully assigned an FBI-type agent as your minder. And now you're debating whether you should put a blindfold and earplugs on your minder before attending an important meeting with him in tow. Or, alternately, you're debating on whether you should add a gag to him to keep him from reporting back to his superiors.

But, the minder is resourceful. He has trained for the possibility of a blindfold. So he might remove it at opportune times and take a peek at what's happening. Or, when gagged, he is prepared to report back by tapping out a message with his fingers, using Morse code.

In short, I think it's a Sisyphean struggle to try to keep the minder from reporting back. Instead, just leave the minder elsewhere, far away from important discussions.

There is no way a few amateurs with soldering irons will be able to successfully and continually thwart state actors. Don't play their game!


Do play their game. Raise the costs of your opponent.


What happens when the NSA's costs are doubled? Do they track half as many targets or do they spend twice as much money?


They likely do a bit of both, and do it all less well.


Journalist enters country, has bags searched. Customs officer: "This smartphone case is not allowed in the country."

Oh well, we tried.


Iridium handheld phones are already recognized by certain countries' customs for a similar purpose; they don't want journalists to have phone call and SMS access outside of the country using a system/network entirely outside of their domestic telecoms' control. For example, when reporting on internal crackdowns on dissent, political opposition, etc.


Wonder how long it will take SDRs to be recognized as similar tools.


Nothing a bit of camouflage cannot fix. If these cases start looking like regular ones, what are they going to do, ban all phone cases from entering the country...?


Better hope that the factory manufacturing this device, and the technicians installing it within the phone, are trustworthy enough not to leave their own backdoors.

A supposedly trusted device that taps into the hardware buses by design is an excellent target for malfeasance.


So it's a sort of hardware-based Little Snitch without the ability to block connections. Neat. Perhaps a useful tool for the security-minded but not a true safeguard. Remote code execution exploits are very real. All an attacker needs to do is modify your network configuration (DNS, proxy, hosts file, etc.) to disguise network traffic over a specific address that looks real enough so as to not warrant suspicion. This exploit could also be designed to sit idly while the device is in airplane mode, avoiding the case's primary detection feature.


> This exploit could also be designed to sit idly while the device is in airplane mode

This seems like a rather universal feature :)


Much better link straight to the source: https://www.pubpub.org/pub/direct-radio-introspection/


Ok, we changed the URL to that from http://www.allaboutcircuits.com/news/edward-snowden-and-bunn.... We've kept the latter article's title, although it's a bit baity; "Countering Lawful Abuses of Digital Surveillance" kinda undersells it.

Edit: but we reordered the authors' names in the title to match the order they used in the article.

