Detecting When a Smartphone Has Been Compromised

Andrew "bunnie" Huang and Edward Snowden have designed a smartphone case that detects unauthorized transmissions by the phone. Paper. Three news articles.

Looks like a clever design. Of course, it has to be outside the device; otherwise, it could be compromised along with the device. Note that this is still in the research design stage; there are no public prototypes.

Posted on July 27, 2016 at 1:09 PM • 42 Comments

Comments

CallMeLateForSupper • July 27, 2016 2:40 PM

This could be historic: the first example of "phone care". You know... an additional "care" to sell, joining health care, dental care, seniors care, car care, lawn care and I-don't care. ;)

WhiskersInMenlo • July 27, 2016 4:23 PM

The feature that allows you to discover the phone is live when it should be off is a good one. GPS tracking and logging can be 100% passive for days so this requires shielding.

In all fairness it is reasonable to make a home made pouch that so attenuates all reasonable incoming and outgoing transmissions that this is a don't care and is solved almost certainly with a removable battery phone.

One real dumb thing about "smart" phones is the massive amount of interconnection data, mail, maps and power consuming stuff that would better be consumed & served on a modest sized tablet. Those old enough to understand presbyopia fully understand that a phone screen is less than ideal for most humans over forty (tethering?).

There are some that will need and some that want this class of device. The process of talking it up will make a market and also trigger patent wars and filing on methods to skin a cat that has black and white fur and big smelly tail.


Anonymous Cow • July 27, 2016 5:42 PM

@WhiskersInMenlo

> In all fairness it is reasonable to make a home made pouch
> that so attenuates all reasonable incoming and outgoing transmissions

If you don't really need it to be a pouch, there are many common products that come in lidded metal cans that can be re-purposed for what you want to do.

Wael • July 27, 2016 5:45 PM

Doesn't cover all vectors. It concentrates on DLP and egress traffic. It's inaccurate to call it "Compromise detector"...

Several people on this blog can defeat this mechanism if they chose to do so, and that includes truly yours.

Spooky • July 27, 2016 9:27 PM

Cool. Being able to audit the phone's behavior is pretty neat but I suppose it's no panacea (as mentioned). A few things stand out here, even to me. If we assume that the phone has been compromised, there should be quite a broad range of ways to make it self-identify locally to a party equipped with purpose-built electronics designed to DX it. Periodic low- or hi-freq beacon pulses emitted by the speaker or vibratory motor, cycling instructions on the FPU or GPU to create detectable patterns of significant current draw or thermal emissions, silently enabling the Bluetooth antenna, etc. If matters are sufficiently grave that merely carrying the phone could result in a lethal outcome, then I guess I'd leave it at home in a Faraday bag. Or bury it next to the palace of the resident dictator... :-)


Cheers,
Spooky

Thomas • July 27, 2016 10:50 PM

re: shielding

The phone may interpret the attenuation due to shielding as being really far from the base station and boost output power.
This will drain your battery nicely.

This allows a simple test: if (shielding + airplane mode) drains your battery faster (airplane mode) then your phone may be 'cheating'.

Thoth • July 28, 2016 1:12 AM

Short solution to smartphone betrayal, don't use one if you really don't want tracking and those bad stuff.

John Shilling • July 28, 2016 1:39 AM

If Snowden is not able to explain his "introspection engine" in one brief article, it shows that the man does not understand what he is talking about. After all, Snowden is heavily overrated; he was working as a clerical employee only and has got no technical training whatsoever.

You can purchase a cell phone RF anti-radiation signal blocker bag for some $3 from mainland China. It basically is a Faraday cage. Obviously, you should switch off the cell phone prior to putting it into the bag; otherwise the battery will drain even faster. "Flight mode" as well as removing the battery (if that is possible) do not work. The cell phone has got an internal support battery and will automatically try to reach the nearest cell tower. That was an issue already discussed back in 1996...

Who? • July 28, 2016 3:22 AM

@John Shilling

You did not get the point. The key is not blocking signals when a phone is not in use. This way you do not know if a device has been compromised, nor receive incoming calls or use the phone. To be useful a phone needs to be out of a Faraday cage. The key is discovering unwanted transmissions, like those coming from a camera/microphone that has been turned on, when the phone is not in use.

blake • July 28, 2016 4:22 AM

> Snowden is heavily overrated; he was working as a clerical employee only and has got no technical training whatsoever.

You can't really say that Snowden was an unskilled clown without also admitting that the IC was outmatched by an unskilled clown. If the IC are the guys (and girls) whose job it is to protect us and our secrets, how are they going to perform when a dedicated, skilled, funded adversary shows up? (Oh yeah, that Russian DNC email article was two days ago on the 26th...)

Dirk Praet • July 28, 2016 4:35 AM

@ John Shilling

> After all, Snowden is heavily overrated; he was working as a clerical employee only and has got no technical training whatsoever.

Please get your facts right. Snowden was an IT sysadmin all right who among other stuff held a Windows MCSE certification. In 2010, he also took Java and EC Council ECSA training in New Delhi, India. That news made national headlines in Indian media in 2013, and I remember it only too well as I suddenly got phone calls from Russian and other news outlets because, being a former trainee there myself, I was a local contact person for that training company over here at the time. And no, I never met him.

Kirk Kreymer • July 28, 2016 6:26 AM

I can't believe you guys are still taking the bait so easily. Please just leave the trolls alone.

JG4 • July 28, 2016 6:43 AM

It's a short step from the concept that Snowden et al have presented to a hypervisor based on sidechannels from the phone. I like looking at the main channels first, but the general approach of putting the phone in a box is a nice analogy to running processes in a virtual environment. Or to putting system blocks in prison. Because you can't trust mainstream hardware or software, you need to put it in prison and filter/monitor traffic in both directions.

John Shilling • July 28, 2016 8:58 AM

@Dirk Praet: "... an IT sysadmin quite allright who among other stuff (sic!!) held a Windows MCSE certification.", "he also took Java and EC Council ECSA training".

I like your jokes.

@Kirk Kreymer: Keep on drinking the Snowden Kool-Aid. And thanks for the "troll".

T-Frame • July 28, 2016 9:11 AM

It's a nice concept. It might be useful to incorporate IMSI catcher technology once it becomes more reliable.

lop1 • July 28, 2016 11:38 AM

@John Shilling

> "Flight mode" as well as removing the battery (if that is possible) do not work. The cell phone has got an internal support battery and will automatically try to reach the nearest cell tower. That was an issue already discussed back in 1996...

Can you remind us about this internal support battery? (I fix a lot of phones and never saw this battery in modern smartphones.)

ianf • July 28, 2016 1:11 PM

> If Snowden is not able to explain his "introspection engine" in one brief article, it shows that the man does not understand what he is talking about.

Yes, Mr. Shilling, sir!, you are SO RIGHT, and of course you absolutely rate an explanation of what that gizmo really might be. Earlier I tried to find out, but did not come very far… clearly, Huang and Snowden are hiding something from view—that is, assuming that they even have anything above conceptware to demo, a poor relation to vaporware.


> […] “After all, Snowden was working as a clerical employee only and has got no technical training whatsoever.

I have to assume that you know something about Edward Snowden that I, an observer on the sidelines, do not. Perhaps you'd care to share those insights and your credentials, just like Ed did when asked by BBC's Peter Taylor in November 2015:

    ES: “I was an Infrastructure analyst with a PRIV AC access” [spells it as 2 words], that means there was nowhere that I couldn't get. [link].

Of course, he could be lying, risking denial from the NSA (silent), losing his hitherto stellar credibility. Then again, so could you, Mr. Shilling, sir! trying to pull a fast one on us, who have known both short-con and plenty of long-con artists. So which one might you be?

albert • July 28, 2016 1:27 PM

It should be noted that device proposed by Huang requires a lot of hardware hacking of the phone. Definitely not a card-table home project. Faraday cages are irrelevant here.

Some of you may want to actually read the paper.

. .. . .. --- ....

Wael • July 28, 2016 1:55 PM

@albert,

> Some of you may want to actually read the paper.

I thought about it but I think it's a waste of time. The concept is shot. What assurance do we have the "device" can be trusted?

ianf • July 28, 2016 2:00 PM

@ albert,

why bother reading about some hardware that has yet to materialize, and then may turn out to be quite different from what once was imagined? That's far closer to reality, than that the initial concept will carry the day. And from what I gathered, that "introspection engine" will first take shape as a hybrid iPhone illicit RF detector–cum–extra battery case. Sounds logical enough, and in any case[sic!] nothing contradicting what I wrote earlier about it.

    Are you challenging my words? If so, are your seconds ready to meet my seconds to arrange for a duel at dawn until only one of us is still standing? Have you written your testament yet? I suggest you do, just in case (not this yet vaporware case, a rhetorical one).

albert • July 28, 2016 2:40 PM

@ianf, @Wael,

Welllll, it looks like I poked some sleeping dogs.

The paper was my first exposure to the concept. It seems reasonable. That's why I said: 'that device proposed by Huang'. Of course I'm no expert on iPhones. The downside (IMO) is the hardware hacking required. An interesting experiment.

In any case, no duels required:) You guys should know that you are not the 'some of you' I was referring to.

Regarding Huang, I was impressed with his work on SD cards (or was it the exposure to SD card technology:), so I figured he might be worth a read.

. .. . .. --- ....

Dirk Praet • July 28, 2016 4:02 PM

@ John Shilling

> I like your jokes.

It would seem we've got ourselves another Trump University graduate here.

1) You make a factually incorrect statement ("Snowden never received any technical training"), assuming your audience is as dumb or as badly informed as yourself.
2) You get called out on it.
3) You ridicule the person behind the rebuttal.

May I kindly suggest you move on to this here blog maintained by some German chap who will undoubtedly be thrilled to have finally found a kindred spirit.

ianf • July 28, 2016 4:16 PM


What's with you @ Dirk Praet? First you deploy a stupid ha-ha-funny metaphor, then you come out as a recruiter to Rolf Weber's blog. Bad 'shrooms?

John Shilling • July 28, 2016 5:16 PM

@Dirk Praet

"Snowden worked as a subcontractor with Booz Allen at the NSA.
Snowden dropped out of high school and studied computers ...
Snowden eventually landed a job as a security guard"
From URL below.

http://www.biography.com/people/edward-snowden-21262897


"According to Reuters, a source "with detailed knowledge on the matter" stated that Booz Allen's hiring screeners detected possible discrepancies in Snowden's résumé regarding his education since some details "did not check out precisely", but decided to hire him anyway" From Wikipedia, URL below.

https://en.wikipedia.org/wiki/Booz_Allen_Hamilton


I do not know the person that you cross-linked to Google+.

For the rest, I am astonished about the aggressive tone of some of the posts (incl. yours) and leave it to the Moderator to do his or her (see: I am even PC!) duty.

May I add that Snowden is kind of a Christoph Meili of the U.S.A. (They even both worked as security guards!)

Seems, my post has hit a raw nerve...

Rest well.

TRX • July 28, 2016 5:20 PM

You don't need an additional container if you already lug around a briefcase, man-bag, purse, or backpack that can be adapted to listen to the phone.

Dirk Praet • July 28, 2016 6:42 PM

@ John Shilling

> Seems, my post has hit a raw nerve...

Actually, yes. Your factually incorrect statements, the use of ridicule and informal fallacies (a straw man, in your last comment) are a carbon copy of the Snowden ravings the guy whose blog I referred you to has been irritating the living daylights out of this forum with for several years. He's been a bit less active lately since he got called out for trolling by @Moderator. So yes, expect to be dealt with harshly if you wish to follow in his footsteps.

@ ianf

> What's with you @ Dirk Praet?

I guess I'm having a man period of some sort.

Bumblyography • July 28, 2016 7:11 PM

@Dirk,

I call it manopause, but bad shrooms is an acceptable excuse.

John Shilling • July 29, 2016 11:37 AM

@Dirk Praet

"I guess I'm having a man period of some sort." Perhaps you should make an appointment with a gynaecologist.

BTW: Have read the postings of the Google+ account that you have cross-linked and your postings.

I only can say: Get a life, man.

Clive Robinson • July 29, 2016 10:26 PM

@ Albert, Wael,

> The downside (IMO) is the hardware hacking required.

I effectively stopped reading when I got to the "hardware hacking" part.

The problem is not just one of voiding the warranty on the hardware...

Look at it this way, very few people are capable of soldering to high density surface mount PCBs; it's something that even manufacturers with skilled production staff avoid. Thus the number of people "successfully" making such mods is going to be very very very small.

But there is another more serious issue which is front line "guard labour". We know that in the main they lack technical sophistication --it's not their job to know-- thus you have to try to see things from their perspective, and from that of the even less sophisticated members of the public getting into "see something say something mode".

Ask yourself how many people have ever seen a phone with wires soldered into it in real life compared to the number who have seen them in "film plots" on the likes of CSI / NCIS or whatever hit US "they're coming to kill us but magic special effects will save us" TV show? We even have a nice shiny name for it from the legal profession where it's called "The CSI effect".

So the "wisdom of the masses" will be "OMG bomb maker" or similar, which we know in these days of "doing math" and "homemade clocks" is going to ruin your day at best, even if you do end up getting an invitation to the White House. Oh and the real terrorists using mobile phones for bombs are putting them where people can not see them such as in laser printers and sending them to the US by Fedex air freight only to discover the battery goes flat or the phone can not get a signal etc etc.

But there are other issues the majority of people are less likely to be aware of, in that soldering wires to a mobile phone and then "operating" it makes you a criminal not just in "the wisdom of the masses" but for real. To be used legally radio equipment has to be type approved or operated by licensed personnel who are sufficiently technically aware to get equipment type approved. This is especially true for "equipment that intentionally radiates by design" which most with a little technical experience would call a transmitter. Thus making an electrical connection to the internals of "type approved equipment" breaks the type approval and for most people using it would be a legal "No No" and at the very least would result in equipment seizure, and could result in significant fines and or imprisonment.

So even with all the best wishes in the world this project is very probably nothing but a technology show case, that will not make it out of the lab.

As some may guess from my comments about mobile phones their security is an issue I've been thinking about for many years. Not just with regards to the SigInt Services of the IC but more mundane things such as out of band authentication tokens. It was back in the early 90's I was promoting the use of mobile phones for what we now call 2FA, and I was acutely aware of the security issues with OTA "updates", SS7 redirects and unreliability of secondary services such as SMS etc back then. But as I've put my hand up to in the past I missed the "social engineering" aspects of "number transfers" etc as service providers "cut costs" and "improved user experience".

So whilst this project is in all probability little more than a technology show case, the last thing I want to stop is people digging into mobile phone security.

Wael • July 29, 2016 11:43 PM

@Clive Robinson, @Albert,

Seems you have more patience than I do. I saw a broken concept and that's where I stopped. The low level comments about type approval are spot on as I worked in the mobile industry and was involved with the type approval process and confirm what you said. With some types of mobile devices one can bring a metropolitan area down with the wrong HW (or modem FW) manipulations, and that's a no no.

> I was promoting the use of mobile phones for what we now call 2FA...

We discussed 2FA and MFA in the distant past. Too tired to find the links, but the terminology is often misused.

vas pup • July 30, 2016 1:36 PM

@all and moderator in particular:
I posted this information on this respected blog (see below) initially, but some arrogant (maybe smart, but not deserving respect) person under @ianf attacked my post in an uncivilized fashion, including kind of mentor remarks addressing my mother. Moderator, you should probably maintain the professional and respectful mode of this blog. If somebody disagrees, I suggest that ANYBODY attack the point, not the personality, based on logic and professional analysis, as Clive is always doing - the best example to follow.

"vas pup • July 23, 2016 12:57 PM

Snowden developed new case to block big brother and big crooks to steal data out of your phone:
http://www.bbc.com/news/technology-36865209"

Clive Robinson • July 31, 2016 11:34 PM

@ Wael,

First off my apologies for not getting back to you sooner, I've been at a Satellite --construction/deployment-- Colloquium from last week and over the weekend.

> We discussed 2FA and MFA in the distant past. Too tired to find the links, but the terminology is often misused.

Yes it is, I know of "compliance auditors" accepting "two different passwords" as "Two Factor Authentication Compliant", which quite frankly is scary.

@ r,

> ... battery depletion and signal detection.

Unfortunately these are characteristics of "simple or unsophisticated misuse", kind of the equivalent of a painfully obvious "script-kiddy full on enumeration attack" to someone just glancing at an IDS log.

I've recently been thinking on how a smart phone's data usage could be "watermarked" such that it will survive changing the SIM and will not need the attacker to have access to the telco networks, just traffic analysis on "a known" internet host.

By this I do not mean that the attack will "do an ET" by sending off occasional beacon packets covertly to a logging host. Because this is itself not really covert, in fact at the data transport levels it's quite a noisy attack and thus would get picked up by actually monitoring what the phone transmits over the air or in the case of this Huang/Snowden device what gets sent across the internal demarc. It would be exactly the same way an IDS or similar instrumentation can log all host IP addresses packets that get sent/received and thus can be checked for anomalous behaviour.

What I'm thinking of is a piece of code that would get hidden not in the "smart" CPU code, but in the radio baseband CPU code that could be put there via an OTA update or similar.

The "watermark" would use a side channel such as "packet timing" that would modulate all data traffic from the phone, and would if the right timings were used survive most obfuscation techniques that do not address "latency issues" effectively.

For an example of how to go about this some of Mat Blaze's students some years ago wrote a paper about how to exfiltrate a low data rate signal from a keyboard out across the Internet to leak data.

Unfortunately such signals are easy to hide and difficult to impossible to remove for most users of highly integrated equipment such as smart phones. Because the usual TEMPEST rule of "clock the data" generally has to be "built in" at a low level in the early stages of the product design.
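A monitoring-side check for the kind of packet-timing watermark Clive describes, added here as an illustration; it is not code from the comment, the paper or the introspection engine. It assumes a hypothetical timing window of 20 ms, four residue bins, and two constructed delay traces built inline (natural jitter versus delays snapped to the window grid); the detector inspects only timing residues, never packet contents.

```python
"""Detecting a packet-timing watermark at a demarc / monitoring point.

Constructed example: one inter-packet delay trace carries natural jitter,
the other has every delay snapped onto a timing grid so that the carried
symbol lives only in (delay mod window). Natural jitter spreads residues
evenly across the window; a modulated trace piles them onto a few values.
A chi-square test against a uniform spread separates the two.
"""
import random
from typing import List

WINDOW_MS = 20.0   # assumed (hypothetical) watermark timing window w
BINS = 4           # residue bins per window
# Chi-square critical value for BINS - 1 = 3 degrees of freedom, p = 0.001
CHI2_CRIT_DF3_P001 = 16.27


def natural_delays(n: int, seed: int) -> List[float]:
    """Constructed baseline: delays uniformly jittered over 0..400 ms."""
    rng = random.Random(seed)
    return [rng.uniform(0.0, 400.0) for _ in range(n)]


def modulated_delays(n: int, seed: int, window: float = WINDOW_MS) -> List[float]:
    """Constructed modulated sample: each natural delay is snapped to a
    multiple of the window or to a half-window offset, so only the residue
    (delay mod window) carries information. Used as detector test input."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        base = rng.uniform(0.0, 400.0)
        offset = window / 2 if rng.random() < 0.5 else 0.0
        out.append((base // window) * window + offset)
    return out


def residue_histogram(delays: List[float], window: float = WINDOW_MS,
                      bins: int = BINS) -> List[int]:
    """Count how many delays fall into each residue bin of the window."""
    counts = [0] * bins
    width = window / bins
    for d in delays:
        r = d % window
        counts[min(int(r // width), bins - 1)] += 1
    return counts


def chi_square_uniform(counts: List[int]) -> float:
    """Chi-square statistic of the histogram against a uniform spread."""
    expected = sum(counts) / len(counts)
    return sum((c - expected) ** 2 / expected for c in counts)


def timing_watermark_suspected(delays: List[float], window: float = WINDOW_MS,
                               threshold: float = CHI2_CRIT_DF3_P001) -> bool:
    """True when residues cluster far more strongly than jitter explains."""
    return chi_square_uniform(residue_histogram(delays, window)) > threshold


if __name__ == "__main__":
    for label, trace in (("natural", natural_delays(200, seed=1)),
                         ("modulated", modulated_delays(200, seed=2))):
        stat = chi_square_uniform(residue_histogram(trace))
        print(f"{label:10s} chi2={stat:7.2f} "
              f"suspected={timing_watermark_suspected(trace)}")
```

The window value must be guessed or swept in practice; a real monitor would run the test over a range of candidate windows and per destination host.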

Wael • August 1, 2016 12:03 AM

@Clive Robinson,

No apologies needed...

> I've been at a Satellite --construction/deployment-- Colloquium from last week and over the weekend.

Strange! And I was on an island, out of all things, reading a book! Decoded!!! Weather was lousy. No scuba, no snorkeling, and the worst of all: cloudy skies with no good night sky view!

And when I came back, I discovered that one of my cats is dying. He's refusing to eat or drink. I am giving him food, water and pain medicine with a dropper until the inevitable.

r • August 2, 2016 2:29 PM

@Wael,

My condolences, I had a dog die last month - no warning - just 48 hours and the angel of death. Just keep your friend comfortable and don't shy away from anything humane when (and if) the time comes.


@Clive,

Sorry about not responding sooner, but I have rediscovered aspirin. I quit taking it a couple years ago due to side effects but am currently suffering from a pinched nerve causing my lungs and stomach to contract regularly. Aspirin has made me mobile again!

Thank you again, for showing us privacy/security advocates the "dark side of the moon" where the "always-on" thing is concerned.

And I completely agree, that like PRNGs leaking their seed - identifiable baseband malware may be able to persist through even the smallest of bitbuckets. Timing could be one for sure, even just holding a carrier open for an extra ms or not could provide qualified modulation. My questions always went towards embeddable techniques like sequence numbers, time (real or delta) and ACK/CTS/RTS (802.11). Hardware is an area I need to learn (I'm not one to think it's ever too late). I was denied entry into the military under the "electronics" pretense based upon being color blind (amid a couple other things I am slightly irritated about (@BlackListed)) and have always been sort-of reluctant to get directly involved with the magic smoke because of that. Standardized protocols means standardized holes (where communication is concerned at least) and I am always nervous about black boxes because of my areas of interest. But if you can't beat them, join them! And if you can't join them? GO PUBLIC. :)

Man, how the hell do you guys maintain coherence?

Wael • August 2, 2016 5:16 PM

@r,

> My condolences

Thank you.

> angel of death

And I have some interesting stories about the death angel (sometimes known as عَزْرائيلُ in Arabic or עזראל in Hebrew.) You can lookup the meaning of the word, which is Hebrew, not Arabic :)

Wael • August 3, 2016 12:57 PM

@r, @Clive Robinson,

> I'm seeing multiple devices from Sprint & their MVNOs that are "SIM'd" & CDMA. It's something I'm piqued about too.

It's been a few years since I left the mobile manufacturing industry, but I still deal with it in a different capacity...

As far as I remember, it's cheaper to manufacture one SKU that supports both CDMA and GSM. The additional cost of adding a SIM slot and related components could at times be offset by maintaining a single BOM and a single model that can support either specifications. There could be other reasons, too, like the one you're apparently alluding to: tracking a SIM-less device, perhaps through CDMA functionality...

I got a smile when you reminded me of how "thick" I can be with @ianf. Oh, he's such a sport!

r • August 3, 2016 2:44 PM

@Wael,

"As far as I remember, it's cheaper to manufacture one SKU that supports both CDMA and GSM."

Yet, they (as in SP's) don't. The devices I've seen it in are likely so you can move between Sprint/Virgin Mobile/Boost but as far as the intent behind the manufacturing? They generally a) don't allow switching subproviders (from the SP side) of the hardware and b) I don't think they're 'hybrid' radios so much as identification for provisioning services. I know it is possible to move them from Sprint<->Boost though, it's just not encouraged and there's some sort of minimum requirement like a Galaxy S2 or >. A lot of the Government subsidized phones are starting to run IMEI/IMSI(?) pairing detection so that when a SIM is stolen and put into a new phone the service is disabled, there is also A LOT of frowning upon Verizon interoperability with MVNOs running on their stations.

I wasn't going to post any of this, but then I saw:
https://www.schneier.com/blog/archives/2015/11/friday_squid_bl_503.html#c6712559

"... However, making a MNO [neither that a TLA, but an ACRNM for "Mobile Network Operator"] start tracking a SIM-less device (without it explicitly first establishing a connection with any one tower and leaving its IMEI-credentials there) may not be as simple as you make it sound. "

Where specifically Sprint <-> Boost Mobile are concerned this is obviously not true as merely swapping MVNO Sprint SIMs between handsets doesn't work. I don't think devices are provisioned on a complete interoperability basis, it probably has something to do with contracted and contractless policies. But there is still unique knowledge (irrespective of what Clive is opining about) that SPs have about a device without its "SIM". At least where CDMA is concerned.

@ianf,

Maybe there WAS a direct order from a TLA... The USG(Obama) made policy device blacklisting vs phone related beatings and reappropriations.

Wael • August 3, 2016 2:51 PM

@r,

> intent behind the manufacturing

They're flashed with different configurations and images before they go into production.
