Why does the Blackphone lack a physical switch for
* the microphone
* the GPS chip (or if not possible, the GPS antenna)
* the GSM chip (or if not possible, the GSM antennae)
* the camera(s)
I have talked to the Silent Circle people at MWC in Barcelona and they acknowledged the current security issue with the closed source, black box baseband. This first Blackphone is of course just a first step.
However, physical switches could help against certain attack scenarios.
This has a closed source baseband that was also not designed by the company producing the phone. The baseband is pretty much guaranteed to be backdoored by your favorite state security agency, so why get this over any other Android phone?
Reducing the number of possible attack vectors is not necessarily useless. That said, I wonder whether that phone's operating system is itself free software or not...
That wouldn't be a problem for me, provided that the baseband processor didn't have DMA access to all of system memory.
If I could be reasonably certain that the baseband only communicated with the rest of the phone via a limited modem(/similar) protocol at the hardware level - which should be possible - then I'd be happy provided that 100% of software running on the main CPU was Free Software, with sources available.
That means the bootloader, the kernel, all drivers - including video drivers, zero binary blobs - the display manager, and all provided apps, need to be Free Software. Unfortunately, as far as I can tell, the Blackphone doesn't even do that. (But I'm not 100% sure. I can't find that much info about the core OS software/drivers anywhere.)
Risk assessment is an important part of security. I'm not sure the black phone really does this very well.
Being very clear about what they can do, as well as what they can't do, would be a very good thing.
Mobile telephones are a difficult item to make secure. Getting telcos to cooperate with law enforcement doesn't seem to have posed many problems so far.
It always was an issue and still will be for a long time. The Neo900 project takes another way to neutralize the modem - by sandboxing and monitoring its activity. This alone probably makes it much more secure and privacy-friendly than Blackphone.
You do realize that people like dragorn are part of the Blackphone project, right? Someone with that kind of clout doesn't really just get pushed around by (insert state agency here).
One thing I hate about Android phones these days are the opt-out sync features. All my data is synced to a magical location, and once synced they can never be erased. If you make a single mistake, then all your data has been essentially stolen.
For example, I created a 'Samsung account' to try out the heart rate monitor on the S5. I didn't know that if I create an account like that, the phone instantly uploads (syncs) my pictures, contacts etc. to a server somewhere. Sure, maybe that was mentioned in the long EULAs, but it's not practical to read through all the EULAs every time I create an account.
In addition, the 'Samsung account sync' app was installed by default, so I didn't even get to accept the app (or even read what access rights it had).
When I took my first couple of (private) photos with my old galaxy nexus, my phone proudly informed me that my photos had been uploaded to Google plus. (They were marked private on plus - but the app was itching to share them with everybody.)
I was shocked and horrified. It might have been fixed since then - I've become much more paranoid and turn that crap off.
Is Apple any better on this? I'm thinking that my next phone is going to be an iPhone because of the regular updates over Android, but is it as hard to stay away from iCloud and not accidentally send everything there?
From my experience, iOS rather asks twice than not at all. I have yet to detect a sharing feature where the intentions are not clear. Also, every privacy related access is prompted separately, and a freshly installed app has no permissions on anything - so it's usually a non-issue when installing apps.
There is absolutely no need to use iCloud with your iPhone and the settings page allows very fine grained selection of what should be synced through iCloud. I also have yet to find a 3rd party app that activates syncing through iCloud (of its content) automatically, this is generally all opt-in.
Not to be a bummer, but it doesn't seem like anything special was done with this special purpose hardware. Why go to the trouble to engineer and advertise this as a piece of security enhancing hardware when it's really just "PrivOS"? Also, any plans on open sourcing "PrivOS"?
Did I miss something in the writeup? OSS modem firmware, OSS wifi chipset, anything hardware or firmware related?
You're missing the fact that this can be sold (at an outrageous markup) to large enterprises and government agencies because it looks secure/private.
Beyond that, it provides literally nothing that you can't install for free on any Android device. I could make you an equally "secure" or "private" device for $300 and an hour's time.
> Beyond that, it provides literally nothing that you can't install for free on any Android device. I could make you an equally "secure" or "private" device for $300 and an hour's time.
Yeah, this was my takeaway from the article. They even link to the Google Play store entries for the software that comes packaged on the phone. Missed opportunity, I think.
I don't think you missed anything. I don't see any reason to trust blackphone more than a properly configured Nexus.
The OS might have some neat UI for privacy stuff, but fundamentally if it's closed source and has a closed baseband (afaik, there's no phone with an open baseband), then there's no real security.
Is there no middle ground? Doesn't a device that changes your threat model from 'passive dragnet' to 'active compromise by a nation state' have some value?
On the other hand, how could they skip this topic in an article about a "privacy" phone?
I find the trustworthy value of a phone is about equal to the privacy leak bounty. If each customer trusts the phone with, say, $300 worth of information, then that should be a hell of a big bounty.
So Ars Technica should have talked about "where's the source" and "how much is the bounty".
I think that's possibly overkill. Provided the baseband processor is independent of the apps processor, communicates over a managed bus (usb, high speed serial, dedicated dual-port ram), instead of having direct access to main system memory, and the apps processor has the ability to power it up and down at will, you're in a pretty good state and you can still hop on a cellular voice or data network when you want to.
This scenario is true of plenty of smartphones shipping today, but of course it's not something that manufacturers advertise and it's potentially difficult to verify.
One should probably also be concerned about wifi firmware, though smartphone wifi is almost exclusively connected via sdio and not able to directly affect main memory.
The biggest concern in systems where baseband and wifi radios are not-too-deeply integrated is driver bugs where input from those subsystems is overly-trusted or not adequately validated -- of course solid drivers should never trust the hardware, even if not actively malicious, it can be horribly buggy.
Galaxy Nexus did (though that's not particularly recent).
I suspect most Tegra-based devices do -- though they introduced a combo apps/modem Tegra 4i last year, which likely shares resources.
Generally if it has a standalone apps processor that's provided by a different vendor than the modem it probably does.
Even with unified apps/modem designs, some newer SoCs are designed to provide isolation between the cores, but from a tinfoil hat perspective that requires you to trust the SoC vendor (and perhaps the fab), so if you're paranoid you'd probably avoid any combo designs.
For those who understand why that's important, what do you think about CM11 on a Samsung Galaxy Player (no GSM), using wifi VPN to a cheap phone/hotspot which does have GSM baseband, e.g. Firefox phone? Or two Firefox phones, if Android apps aren't important?
Without GSM, you only eliminate the excuse for a baseband backdoor. How do you eliminate their motivation for adding the backdoor? What if they put it in another chip connected to the bus?
Some protection against malicious firmware/hardware can come from ARM's IOMMU with an open-source Type-1 hypervisor, but these are not mainstream yet.
Whatever the technical merits of Blackphone, their marketing is increasing awareness of mobile security. If they can prove demand for this category of solution, it will increase security audits of all mobile hardware & software stacks.
> their marketing is increasing awareness of mobile security
That I agree and I really hope that it works. But on that note, I don't like the name Blackphone. When I hear "black" I associate it with nefarious activities; and that meaning suggests that only those with criminal purposes need privacy.
If I understand it correctly there is no open source baseband available because of various patented technologies and it is impossible to create one. But why not treat the baseband as part of the insecure transit network? I'd like to see a phone where voice data and text messages would be securely encrypted before sending to the baseband chip and securely decrypted on the other side. I think there would be great demand for such a device but I don't see any in existence. Am I missing something?
I think it's because the baseband processor can access the microphone, screen and RAM semi-directly, so it's pointless having any encryption when you can just "key log" the screen as the user inputs the message. Please someone correct me.
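Editor's added example, not code from any commenter, from Blackphone or from Silent Circle: what "treat the baseband as part of the insecure transit network" looks like in practice. The apps processor seals each message with encrypt-then-MAC before it is handed to the modem; the modem only relays bytes it cannot read, and the receiving side rejects any frame that was altered in transit. Everything below is an assumption for illustration: a pre-shared 32-byte key, a random 16-byte nonce per message, and stdlib-only primitives (HMAC-SHA256 in counter mode as the keystream, HMAC-SHA256 as the tag) standing in for an AEAD such as AES-GCM or ChaCha20-Poly1305 that a real device would use. The caveat raised elsewhere in this thread still applies: this only helps if the baseband cannot read the apps processor's memory or the screen, so it is a complement to bus isolation, not a substitute for it.

```python
"""Apps-processor-side sealing of messages so the baseband only relays ciphertext.

Constructed illustration; the key, nonce layout and HMAC-counter-mode
keystream are assumptions, not anything the Blackphone is documented to do.
"""
import hashlib
import hmac
import os
import struct

KEY_LEN, NONCE_LEN, TAG_LEN = 32, 16, 32


def _subkeys(key):
    # Derive independent encryption and MAC keys from the one shared secret.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode: PRF(nonce || counter) for each 32-byte block.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + struct.pack(">Q", counter)
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext, nonce=None):
    """Runs on the sending apps processor, before anything reaches the modem."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be 32 bytes")
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    enc_key, mac_key = _subkeys(key)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # MAC covers nonce too
    return nonce + ct + tag


def open_(key, frame):
    """Runs on the receiving apps processor. Returns None for any altered frame."""
    if len(frame) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time check before decrypting
        return None
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def untrusted_baseband_relay(frame, tamper=False):
    # Stand-in for the modem: it sees only the sealed frame. A hostile baseband
    # can flip bits on the way out, but cannot read the plaintext or forge a tag.
    if tamper:
        i = NONCE_LEN  # first ciphertext byte
        return frame[:i] + bytes([frame[i] ^ 0x01]) + frame[i + 1:]
    return frame


def demo():
    """Returns (honest delivery ok, tampered frame rejected, plaintext visible to modem)."""
    key = bytes(range(32))  # constructed pre-shared key for the demo only
    msg = b"meet at 18:00, usual place"
    frame = seal(key, msg)
    honest = open_(key, untrusted_baseband_relay(frame))
    tampered = open_(key, untrusted_baseband_relay(frame, tamper=True))
    leaked = msg in frame
    return honest == msg, tampered is None, leaked


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The MAC is checked in constant time before any decryption happens, and it covers the nonce as well as the ciphertext, so a baseband that replays a frame with a different nonce or truncates it is rejected rather than decrypted into garbage. Key agreement (how the two phones share `key`) is deliberately left out; that is the part a real product has to get right and the part a closed baseband cannot be allowed to touch.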
(I posted a sort of question below along these lines but not yet had a response)
"Baseband firewall: Based upon three years of cutting-edge research in baseband processor security, the new patent-pending GSMK CryptoPhone Baseband Firewall™ offers unique protection against over-the-air attacks with constant monitoring of baseband processor activity, baseband attack detection, and automated initiation of countermeasures. A global first, the CryptoPhone 500’s Baseband Firewall provides a revolutionary line of defence against over-the-air attacks not available on any other product."
I'm really getting tired of writers who keep casually equating those who value their own privacy to those who are suffering from paranoia. It implies that people are mentally unstable just for wanting privacy.
Even in jest, it's insulting and increasingly out of touch in our post-Snowden world to keep calling privacy-minded people paranoid and I wish people would knock it off.
If the phone's software is not free (as in freedom), are Silent Circle's assurances of security and privacy any more meaningful than Google's 'don't be evil'?
For my own understanding on the issue with a closed source baseband. Is it analogous to having a network card in every desktop computer that can directly access the screen, keyboard and microphone and therefore compromise all interaction with the phone regardless of tunnelled networks?