A Hardware Privacy Monitor for iPhones

Andrew "bunnie" Huang and Edward Snowden have designed a hardware device that attaches to an iPhone and monitors it for malicious surveillance activities, even in instances where the phone's operating system has been compromised. They call it an Introspection Engine, and their use model is a journalist who is concerned about government surveillance:

Our introspection engine is designed with the following goals in mind:

  1. Completely open source and user-inspectable ("You don't have to trust us")

  2. Introspection operations are performed by an execution domain completely separated from the phone's CPU ("don't rely on those with impaired judgment to fairly judge their state")

  3. Proper operation of introspection system can be field-verified (guard against "evil maid" attacks and hardware failures)

  4. Difficult to trigger a false positive (users ignore or disable security alerts when there are too many positives)

  5. Difficult to induce a false negative, even with signed firmware updates ("don't trust the system vendor" -- state-level adversaries with full cooperation of system vendors should not be able to craft signed firmware updates that spoof or bypass the introspection engine)

  6. As much as possible, the introspection system should be passive and difficult to detect by the phone's operating system (prevent black-listing/targeting of users based on introspection engine signatures)

  7. Simple, intuitive user interface requiring no specialized knowledge to interpret or operate (avoid user error leading to false negatives; "journalists shouldn't have to be cryptographers to be safe")

  8. Final solution should be usable on a daily basis, with minimal impact on workflow (avoid forcing field reporters into the choice between their personal security and being an effective journalist)

This looks like fantastic work, and they have a working prototype.

Of course, this does nothing to stop all the legitimate surveillance that happens over a cell phone: location tracking, records of who you talk to, and so on.

BoingBoing post.

Posted on September 11, 2017 at 6:12 AM • 61 Comments

Comments

Johnsson • September 11, 2017 6:43 AM

Hello Bruce

Could you elaborate on the risks involved with O365 cloud, pulling large govt orgs and business into one single container solution?
Thanks, I'll follow your blogs with great appreciation.

Dan H • September 11, 2017 6:46 AM

In 2013 Russia ranked 148th out of 179 countries in the Press Freedom Index from Reporters Without Borders. According to the Committee to Protect Journalists, Russia is a more dangerous place now than it was during the Cold War. Only Iraq and Algeria outrank it on the list of most life-threatening countries for the press.

Snowden is living in Russia. I don't see how they'd allow him to produce this device. Perhaps he will meet his terminal fate over this. That would be rather ironic.

keiner • September 11, 2017 7:55 AM

@JG4

"I'll also raise the very difficult question of how to manage the conflict of interest..."

Book this under "cost of freedom". If you're not willing to pay, move to North Korea. Or Turkey.

Clive Robinson • September 11, 2017 7:58 AM

@ DanH,

> Snowden is living in Russia. I don't see how they'd allow him to produce this device.

Firstly, the device is probably of more use to those in power than it is to journalists (a point JG4 raises above).

Secondly you need to consider the "first to market" issue that has become more prevalent since the Internet. The simple fact is that as with Torvand the USG it's better to have your supposed enemy close rather than distant.

Thirdly, not being nasty but the technology BH&ES have talked about is a very very long way from being all encompassing. I suspect that it will not take long for people to find ways around. Historically look at the ECM / ECCM / ECCCM arms race, this device is just an example of an ECM device.

I could go on, but to be blunt I don't think this is a "better than nothing" solution. The journalist would security wise be actually better off without a phone.

And I am very sure that the Russians are well aware of this too. Thus in their eyes --if they have even thought about it,-- it might make the game harder --which benefits them as well,-- but importantly it means the game goes on, not stops.

Clive Robinson • September 11, 2017 8:37 AM

I think people need to have a think about the way technology works.

Communications is mainly carried out by the conduction and radiation of energy. As per the fundamental laws of physics.

When energy is conducted or radiated some of it gets transported down to heat as would be expected as it is doing work. Thus the signal when conducted gets weaker with distance (1/d). However radiated energy also gets spread out over the surface of a sphere thus gets weaker by the square of the distance (1/d^2).

Thus there are advantages and disadvantages with both.

From the point of view of security we can look at the two types of communication as conducted being two tin cans and a piece of taut string and radiated as shouting.

If private two way communications is required then the tin can option will be the first thought solution. However that bit of taut string has a disadvantage because it clearly links the two communicating parties for those that can see it.

Shouting in effect denies privacy and identifies the party broadcasting the message. However provided the listening party just listens they will be difficult to identify thus in effect their location and who they are is unknown to an observer. If you address the privacy problem separately by the use of encryption etc then all you leave the observer with is that a message has been broadcast at a certain time. Thus if as the broadcasting party you shout out an encoded message at regular intervals and pad them to always be the same length the observer learns little if anything (hence we have the likes of Numbers stations).

Mobile phones are really the tin can solution and thus both parties are pinned like butterflies to cork as far as the observer is concerned. A shortwave radio and only one the safe party broadcasting is much more secure for the party at risk.

It's a fundamental issue that civilians have to get their head around. Mobile phones are a distinct liability and their use is way too dangerous because of its convenience and illusion of privacy.

Vojectile Pomit • September 11, 2017 9:11 AM

Clive Robinson:
> The journalist would security wise be actually better off without a phone.

Agree.

Clive Robinson:
> Mobile phones are a distinct liability and their use is way too dangerous because of its convenience and illusion of privacy.

Agree.


However, if you're using a latest generation iPhone, pair locked with Mobile Device Management, with up to date software, you can already be quite sure that no one, not even a state, can compromise your hardware or OS. While I wouldn't trust my life to that, I'd probably trust my life savings.

That said your device can still be tracked/geolocated: iOS does MAC randomization for WiFi, but there's always standard location identification via IMEI that you have to be wary of. And while you can use encrypted communications, using a VPN means your adversary just has to detect that someone at that access point tried to reach that particular VPN server... And without a VPN you have to expect DNS to be compromised... So if you don't want to be located, don't use a phone.

keiner • September 11, 2017 9:19 AM

@Vojec

eehm, why should one trust the DNS-servers of some opaque (at best) VPN providers more than, let's say DNSSEC?

Peter S. Shenkin • September 11, 2017 10:00 AM

"You don't have to trust us."

That is just wrong. This blog has been full of reports of people who put up security apparatus that has failed, because the authors didn't know enough about security to do it right. It's easy to imagine you do know enough, and you are likely wrong.

How, then, am I, who am at least smart enough to know that I don't know very much about security, going to be able to analyze this app's vulnerabilities? Most people will just trust the creators, because they have little recourse.

It's good that it is open source, and thus others, whom I might have greater reason to trust, can vet it; but then there's the hardware. I suppose the hardware design is open-source, too, and also subject to audit, but then there is the question of backdoors installed in the components -- even the components that one might buy oneself if one should choose to cobble together such a device. How are you going to audit the chips? Or if they give you an FPGA design, who is going to do a security audit on it?

Ultimately, you do have to trust someone, and most users will likely trust the "us" in the assertion, because there may be nobody else to trust. In other words, they do have to trust the creators, after all, or do without.

Ross Snider • September 11, 2017 10:34 AM

Great intentions, but I'm afraid it's vaporware. Right now it has the "branding" of Snowden, but seriously if this thing ends up trying to do all the things it's trying to do and Apple thwarts it rather than fully participates it's going to be basically impossible to do anything close to what they want to promise.

That in turn would very likely damage Snowden's credibility.

Which in turn would (ironically) make us all less safe because people are more likely to take surveillance statehood seriously.

Biggest risk here, by far.

Vojectile Promit • September 11, 2017 10:42 AM

@Vojec:

I would never trust a "VPN provider". I run my own. But that's the problem. I can be located by it because no one else uses my VPN servers... I have privacy in what I'm doing, and security doing so, but I can be located.

Sofa • September 11, 2017 10:53 AM

@Shenkin

It's as if you don't know the names Andrew "bunnie" Huang and Edward Snowden, and Bruce himself saying, "This looks like fantastic work, and they have a working prototype."

The bottom line is you have to trust the names behind the work. Some names you trust more than others, but lumping these names in with shadetree backyard home cryptographers is wrong. Regardless of what you do there will be tradeoffs. Those tradeoffs are essentially the opportunity cost of choosing the path you select. Defensing against wet opens you up to dry, defensing against dry opens you up to wet. The same goes for strength vs. speed, light vs. dark, or any number of other polar opposites. Once you do one, you have in essence canceled out the other. At some point you accept the tradeoffs and go with what you have.

Wael • September 11, 2017 11:25 AM

Good work with limited usage for some people. First of all, journalists need to work under the assumption that they are being monitored and tracked. Having a solution like the one described adds little value. Furthermore, if the accuracy of detection is say 95%, then that leaves a 5% chance of missed detection that can threaten the life of the journalist.

Second, it's too invasive a product. And there are ways to detect the existence of such a device, no matter how passive it is, because it will introduce detectable footprints that can be measured by firmware. Nothing is invisible.

On the technical functionality side: The device operates under the assumption that tracking happens when the radio is expected to be off, and that's a flawed assumption: Data exfiltration, location tracking, WiFi access point mapping activities, etc. can happen during regular radio usage such as when a target visits a web page, sends an SMS text, or is on a phone call. The proposed device needs to distinguish between all these activities and be able to analyze the payload - something it's not currently doing.

My assessment: Limited usage for some corner cases. A Faraday cage plus a local burner phone with a local SIM, and good OpSec is a better option than this solution. Perhaps the next revision will take this feedback into consideration.

albert • September 11, 2017 12:53 PM

Did any of you guys read the paper?

This looks like a good first effort to me. Drawbacks and shortcomings are discussed in the paper.

. .. . .. --- ....

rachel • September 11, 2017 12:57 PM

Can any one feedback on Bunnie's book The Hardware Hacker? I'm actually wondering if it's suitable for a teenager to give them a push or if it's too arcane and adult. Wael I did pick up your discussion with Nick P about Principles of Electronics the seminal hardware text, to take someone from 0 -100 project by project- thanks for that. I had to dig into reviews to learn it assumes trig and algebra foreknowledge. Not sure if teens know that but still, a recommendation for aspiring Bunnies.

This device is a bit strange in light of all we know.
I wonder if they've Red Teamed it yet, guess it's still a prototype. Any advice about avoiding Geek Squad for the install..

Dan H • September 11, 2017 1:04 PM

Snowden has name recognition, but beyond that, does anyone really have knowledge of his technical skills?

Could he go head-to-head on cryptography with Bruce or Whitfield Diffie?

Could he go head-to-head on TCP with Bill Joy?

Could he go head-to-head with Steve Wozniak on hardware?

Could he go head-to-head with Alan Turing, James Gosling, Brian Kernighan, Donald Knuth, Ken Thompson, Niklaus Wirth?

rachel • September 11, 2017 1:11 PM

Good point by Ross. It only requires one appropriate hardware bypass by Apple to render this obsolete, and Apple is smart enough to engineer a software solution for every other phone. Be interesting to observe what response if any Apple make. The louder the noise the more dishonest it's likely to be. Oh and the feds will complain it prevents them monitoring the phone of a dead suspect ;-)

just seems an interesting choice of time and resources for two bright people

Joshua Bowman • September 11, 2017 2:56 PM

@Wael

> The device operates under the assumption that tracking happens when the radio is expected to be off, and that's a flawed assumption: .... The proposed device needs to distinguish between all these activities and be able to analyze the payload - something it's not currently doing. .... A Faraday cage

Good points, but the primary use case seems to be for people who turn their phone off at a sensitive meeting, and want a device just to ensure that it's actually off, without having to carry a cage. It doesn't really serve a purpose when the phone is on and regularly squawking to everything nearby.

Unfortunately, the obvious easy workaround is to just record a conversation, then exfiltrate it once the phone has turned back on. A Faraday cage can't guard against that either, though it might muffle the sound some. You'd have to monitor the chip's electrical levels at a much deeper level than seems possible here to guard against that.

Wael • September 11, 2017 3:26 PM

@Joshua Bowman,

Right. Had a similar discussion back in the good old days with @Mike the goat on EM shielding as a counter-measure and a reply here

The whole thread is interesting...

> people who turn their phone off at a sensitive meeting, and want a device just to ensure that it's actually off, without having to carry a cage.

So the guy is sitting in a meeting with the phone turned off, and they are having a confidential interview, then all of a sudden the device lights up like a Christmas tree. Ooops! too late! Don't take the phone along. Leave it behind.

AlexT • September 11, 2017 3:41 PM

Ok I admittedly have not had time to delve into the details but surely this device does more than check that the radio on the iPhone is really off...!?

MarkH • September 11, 2017 3:52 PM

@Dan H:

Russian journalists are beaten, maimed and murdered for the articles they publish ... not the secrets they keep.

Putin's mafia state doesn't need high-tech surveillance, in order to draw up its "hit list."

They simply read the newspapers, periodicals, blogs and social media.

MarkH • September 11, 2017 3:57 PM

Corrigendum:

Actually, their algorithm is less laborious than that; they're a lazy lot.

They don't much care what anybody writes, as long as it doesn't "get in their hair."

When people start coming to them with complaints, or they see signs of popular agitation, they ask "who stirred this up?"

At that moment, danger sets in.

Clive Robinson • September 11, 2017 4:34 PM

@ Rachel,

> I'm actually wondering if its suitable for a teenager to give them a push or if its too arcane and adult.

I'm an engineer by training and had a quick read of the book in a book shop. I did not buy it because you can find better, easier to understand information on sites like hackaday and various maker sites.

If you are trying to get a teenager interested in electronics it has to be easy steps to getting a "cool gadget" otherwise it quickly becomes just more "school work".

A few years ago amateur radio, electronic music devices, model railways, radio control, and robotics were the way in with teenagers. However amateur radio has taken a real hit due to mobile smart phones. Musical add ons like fuzz boxes for guitars have got replaced with computers and electronic music. Model railways... well there's that train spotter image. As for Radio Control it's drones and racing cars these days, the electronics are not where enthusiasts play as it's mostly COTS kit.

Which leaves robotics as a way in. The way that appears to be going is increasingly COTS with the likes of Arduino / Raspberry Pi SBCs and their interface shields.

If you are talking pre/early teen the likes of Lego Technics and their ARM based computer brick will get them in fairly easily and safely. Unfortunately Technics kits tend to be much more expensive than ordinary Lego bricks and they are over priced (which is maybe why Lego has had a real drop in fortune since patents etc have expired and other players have entered the market).

There are ways to carry on using technics with the likes of the Raspberry Pi and the various shields. The thing is there is little electronics to start with mostly just making wiring harnesses for motors and sensors.

However this gives the sense of accomplishment that will get them sufficiently hooked to take them further forward.

If you want a couple of good books go have a look at the ARRL website for basic electronics and building your own test equipment and also one on workshop practices that gives simple but very useful advice not just on the electronics side soldering, making PCBs etc but the mechanics of making cases and front panels etc.

Also find a local Maker group or amateur radio group with a strong bias on the "making" side. It's way easier to keep with something if you have peers encouraging and rewarding you. Also they will have access to test kit that you would not consider buying until you are much further into electronics (think signal generators, oscilloscopes and more specialised kit such as Logic/Spectrum analysers). The advantage of having access is you can make your own test kit that is less accurate fairly simply, you just have to calibrate it sufficiently to make it indicative. You can then use that to get a project to the point that you actually need the more professional kit to finish a project off.

Now I don't know much about the education systems outside of the UK but basic (DC) electronics is usually taught as part of Physics and some other trade/craft related workshop courses. The advent of Arduino boards in schools means they are getting used not just in CompSci but Art classes as well. So check out the local education policies.

@Figureitout --if he's reading-- can probably also give you advice as well, as he has indicated he's "gone pro" and looking at it as a career, so can give you fresher insight.

Oh and yes I have a teen that I'm breaking in to electronics, he has an interest in satellites and wants to follow that as a career (luckily for him he has access to people that design them and can advise him).

Fred P • September 11, 2017 4:43 PM

@AlexT - I'd call it more of an early prototype than a device. That said, the paper showed:
1) Airplane mode does not actually turn off GPS or WiFi on an iPhone 6.
2) There is often a short burst of activity (on various test points they thought should be off), followed by what appears to be the GPS unit transitioning power states whenever a user first transitions a phone out of standby mode into a screen-on mode.

These cause problems for their current prototype (which pretty much outputs the values of various test points on an iPhone 6). They suggest a couple possible changes to make the prototype work better, and also suggest that perhaps disabling wifi, GPS, bluetooth and baseband radios might be more useful (and they discovered an easy way to do this on an iPhone 6).

They then noted that disabling wifi rendered a Nexus 5X unable to boot (unlike an iPhone 6).

Finally, they conjecture a hypothetical device/software mixture that may allow for App usage without revealing their location.
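The detection logic Fred P describes above, modelled as an added Python example (not code from the prototype or the paper): a monitor samples radio test points, knows which radios the user expects to be off, and must not alert on the short burst that follows a screen wake while still alerting on sustained activity. The radio labels, tick units and the grace threshold are constructed assumptions; the traces are constructed sample data, and `self_test()` sketches the kind of field check goal 3 asks for.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical test-point labels; the paper's real net names are not reproduced here.
RADIOS = ("gps", "wifi", "bluetooth", "baseband")

# Consecutive active samples tolerated right after a screen wake (constructed
# value; a real threshold would be measured per phone model to keep false
# positives rare, per goal 4).
WAKE_GRACE = 3


@dataclass
class Sample:
    t: int                    # sample index; think 100 ms ticks (constructed units)
    screen_on: bool           # screen state the monitor observes at this tick
    active: Dict[str, bool]   # radio name -> its test point shows activity


@dataclass
class Alert:
    radio: str
    start: int                # first sample of the offending run of activity
    end: int                  # latest sample seen in that run


@dataclass
class IntrospectionMonitor:
    """Alert when a radio the user expects to be off is active outside the
    short burst that follows a standby -> screen-on transition."""
    expected_off: Tuple[str, ...]
    alerts: List[Alert] = field(default_factory=list)
    _prev_screen: bool = False
    _grace_until: int = -1
    _run_start: Dict[str, int] = field(default_factory=dict)

    def feed(self, s: Sample) -> List[str]:
        """Consume one sample; return the radios alerting on this sample."""
        if s.screen_on and not self._prev_screen:
            self._grace_until = s.t + WAKE_GRACE       # wake-burst window opens
        self._prev_screen = s.screen_on

        firing = []
        for radio in self.expected_off:
            if not s.active.get(radio, False):
                self._run_start.pop(radio, None)      # run of activity ended
                continue
            start = self._run_start.setdefault(radio, s.t)
            run_len = s.t - start + 1
            # Tolerated only while inside the wake window AND still a short blip.
            if s.t <= self._grace_until and run_len <= WAKE_GRACE:
                continue
            self._record(radio, start, s.t)
            firing.append(radio)
        return firing

    def _record(self, radio: str, start: int, end: int) -> None:
        for a in self.alerts:                         # extend an existing run
            if a.radio == radio and a.start == start:
                a.end = end
                return
        self.alerts.append(Alert(radio, start, end))


def run_trace(monitor: IntrospectionMonitor, trace: List[Sample]) -> List[Alert]:
    for s in trace:
        monitor.feed(s)
    return monitor.alerts


def _all_off() -> Dict[str, bool]:
    return {r: False for r in RADIOS}


def trace_wake_burst() -> List[Sample]:
    """Constructed: airplane mode, phone wakes, GPS line blips for two ticks."""
    return [Sample(0, False, _all_off()),
            Sample(1, True, {**_all_off(), "gps": True}),
            Sample(2, True, {**_all_off(), "gps": True}),
            Sample(3, True, _all_off()),
            Sample(4, True, _all_off())]


def trace_covert_baseband() -> List[Sample]:
    """Constructed: screen stays off, yet the baseband line is busy from t=2."""
    return [Sample(t, False, {**_all_off(), "baseband": t >= 2}) for t in range(8)]


def trace_long_wifi_after_wake() -> List[Sample]:
    """Constructed: a 'wake burst' that does not end; WiFi active five ticks."""
    return [Sample(0, False, _all_off())] + [
        Sample(t, True, {**_all_off(), "wifi": t <= 5}) for t in range(1, 8)]


def self_test() -> bool:
    """Field check in the spirit of goal 3: replay a known-bad trace through a
    fresh monitor and confirm it still alerts (a silent monitor is a failure)."""
    alerts = run_trace(IntrospectionMonitor(RADIOS), trace_covert_baseband())
    return [(a.radio, a.start, a.end) for a in alerts] == [("baseband", 2, 7)]


if __name__ == "__main__":
    for name, trace in (("wake burst", trace_wake_burst()),
                        ("covert baseband", trace_covert_baseband()),
                        ("long wifi", trace_long_wifi_after_wake())):
        print(name, run_trace(IntrospectionMonitor(RADIOS), trace))
    print("self-test:", "ok" if self_test() else "FAILED")
```

Note what the model cannot do, echoing Wael's objection: with `expected_off` empty because the phone is legitimately in use, nothing here distinguishes a user's own traffic from exfiltration riding on it.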

Sancho_P • September 11, 2017 5:17 PM

It seems the particular page is down at pubpub, or not accessible from Spain.
Bad coincidence?

Wael • September 11, 2017 5:24 PM

@Sancho_P,

Still accessible from the US.

> Bad coincidence?

Depends on the frame of reference!

Kimberly • September 11, 2017 7:32 PM

Is there a mirror of this paper? I'm trying to avoid surveillance, and, ironically, assets.pubpub.org blocks Tor users. (I found the link through a search engine; the link from the blog post contains nothing but Javascript.)

John S • September 11, 2017 11:32 PM

Bruce and readers, are you aware of the Purism Librem 5 phone currently in a fund-raising campaign? (I've already put my money where my mouth is - though they'll only charge after successful full funding) Definitely check it out!

https://puri.sm/shop/librem-5/

It's a fully FLOSS GNU/Linux phone, including open hardware, centered around privacy. Even has physical hardware kill-switches for mic, camera, wifi/bluetooth, baseband - better than your sticker.

What's awesome and unique about this project is that it's planned to run full GNU/Linux and Gnome (or KDE), the most popular Desktop environment - which means the development that happens for this phone is going to push the entire community toward many real and tangible alternatives to the security-flawed and privacy-encroaching options we have now. The entire community needs this to be successful!

65535 • September 12, 2017 12:20 AM

This is an interesting project. I see a lot of merit to it. I hope it becomes a reality.

I see the "bunny" is listed in the foot notes. I believe he is the guy in the field of microcontrollers in non-volatile memory, from memory sticks to SSD drives. I admire his work in the low level controllers of flash. That is an important area of hardware subversion.

I think this is the "bunny" guy but correct me if I am wrong:
https://en.wikipedia.org/wiki/Andrew_Huang_(hacker)

Wael • September 12, 2017 12:46 AM

Demis Rousses was a visionary. Stay away from Faraday cages. There was an ultra-vulgar version, but his publishers didn't let him do it. It sounded something like this. This is the mild version. More than 30 years ago. Such a talent!

There’s a spooky van that’ll take your
Faraday
Faraday, so fairy fairy Faraday
you'll be in dismay
through another band they’ll break your Faraday
Faraday, so fairy fairy Faraday
disk will hum betray

Somebody knows, who will share
all your files secure and bare
but all my spies guarantee
that you’ll be a detainee

We’ll nail your ar*e by golly
you shall pay, you shall pay
and soon you will stay
at Guantanamo bay

Through another band they’ll break your Faraday
Gitmo bay, boogie woogie Gittmo bay
shove will woe the way

Somebody knows who will share
all your files secure and bare
but in your mind I can see
that you like young nudie

Snowden knows who will share all your
trove
but in your “eyes” a long pole greased with ghee
Snowden knows who will tear
your boor skin and hair
and up your ar*e I foresee
the NSA’s small wee wee
Snow-den knows who will share all your
trove

Steve • September 12, 2017 1:55 AM

Fascinating project, but hasn't Snowden claimed before that iOS cannot be fully-secured since iOS could be compromised or modified to attack a specific person and we'd never know it? I'm no expert, so the real question is how / can his solution purport to solve that problem? Isn't it better to just try and get people to use something like Copperhead OS + better op sec?

Wael • September 12, 2017 2:10 AM

@Steve,

> I'm no expert, so the real question is how / can his solution purport to solve that problem?

It doesn't solve that problem. It's equivalent to an IDS (Intrusion Detection System) -- it's not an IPS (Intrusion Prevention System.) It's supposed to alert, not prevent.

> Isn't it better to just try and get people to use something like Copperhead OS + better op sec?

Copperhead OS, not sure. Better OpSec, definitely. Good work though. I still believe that good attackers don't make good defenders. Good defenders are usually capable of becoming good attackers, imho. That applies to many fields.

Rachel • September 12, 2017 2:36 AM

Clive
I'll continue in this thread until if/when Squid. A supportive insightful response thanks so much.
It's a 16yo, tiny bit aspergers, potential to do great things, deeply tech interested as a vocation but no one around to guide or prompt at all. I'm thinking electronics/hardware as provides great scope for life skills and experiences a coder in a room never gets. Too old for lego technics so will look at your other suggestions. Indeed Arduino and Rasp Pi. Not metro enough for radio makers group to exist close by but it's still fantastic idea. Your son sounds very fortunate :-) Thanks too JG4 re sound card sounds very cool!
When one looks at high achievers and how they scaled the slopes, the reoccurring theme is they had a mentor from a certain age. If kids don't have that, well, it's really hard to progress consistently if at all. According to the Hardware Hacker book backflap Bunnie is the Nazz - I'm certain he only achieved such an elite status with a lot of direction and support very early on

Clive Robinson • September 12, 2017 3:12 AM

@ Steve,

> hasn't Snowden claimed before that iOS cannot be fully-secured

That is true of all Smart Phones as well as those old fashioned non smart phones. It's a requirement in the GSM specifications for "Health and Safety" reasons that an operator be able to listen in. Likewise the USA insisted again for "Health and Safety" reasons that every mobile phone has a GPS that an operator can interrogate.

These "Health and Safety" features along with Over The Air updates are requirements for the phone getting certification. Further they are controlled by the operator of the network you are connected to, not who you have your phone contract through.

Further many Smart Phones are "Doubly walled gardens" you have the walled garden of the OS developer which gives you the "App Store" and also the manufacturer/supplier of the Smart phone who loads on that intrusive software you can not really remove (go look up what CarrierIQ did).

I could go on at length but you should now have the correct feeling that you do not actually own the mobile phone even if you purchased it directly and not via a contract.

@ John S,

> It's a fully FLOSS GNU/Linux phone, including open hardware, centered around privacy. Even has physical hardware kill-switches for mic, camera, wifi/bluetooth, baseband

Assuming they can get it certified with the mic disabling feature installed. There is still the problem of GPS etc.

So whilst you make your phone deaf and blind it will still know where it is either via the GPS or via the tower connectivity. Then there are all those other sensors as well that can leak information such as what you might be typing, the light level the phone is in and the temperature etc.

That's a lot of switches, which is going to be a reliability impact on the phone. And as was noted above some phones are designed so that they will not function at all if they can not bring up all the devices. The reason being it's a fairly standard way for consumer electronics to be designed.

The official reasoning is "Rather than confuse the user with status messages, get them to return it to a service center" the unofficial side effect is it means the user can be fleeced for half the value of the phone by the service center or the user will just get a new phone, or if the manufacturer gets lucky the user will do both. Which is "win-win-win" for the phone manufacturer, that does not want in any way to make repairs or do re-work for multiple reasons, and only does so as the "legislative price" of entering a market (see the EU WEEE legislation etc).

Hopefully the designers of the phone you are investing in will not go down that line.

Rachel • September 12, 2017 3:37 AM

Mr Schneier posted a piece dated 30 June 2014 'the first review of the blackphone' . Searching Blackphone should bring it up as first. (can't link sorry!)
There is some superb technical commentary there particularly from Wael and Nick P about what is really required of a phone and a breakdown of vectors. highly relevant reading for anyone interested in the present project. JG4 you are in comms with Bunnie, you could send the relevant excerpts?

reading your comments Clive on the new foss phone and what would be required I laughed as it was like you were explaining, yet again, the question posed ' how do i make this cup of poison safe to drink? but please, i really want to drink it. Surely if I stir it a certain way..'

Clive Robinson • September 12, 2017 4:08 AM

@ Rachel,

> tiny bit aspergers potential to do great things, deeply tech interested as a vocation but no one around to guide or prompt at all.

Almost the definition of any engineer with design abilities is "a little bit aspergers". Thirty odd years ago the IEE realised that the offspring of their members had around a 12-15% greater chance of being autistic than the normal population. Back then it was thought that it was to do with having children later in life (something that is very common in Asperger's sufferers for now obvious reasons).

> [I]'m thinking electronics/hardware as provides great scope for life skills and experiences a coder in a room never gets.

As a modern day electronics design engineer it's way more likely they will spend more time at the keyboard than they will with a soldering iron and test equipment.

A way to get a feel for this is to look at the way Amateur Radio is going "all digital" from the antenna down with Software Defined Radio. Many hams are now using digital not voice communications you only have to look at the likes of PSK31 usage etc[1]. Likewise the use of GNU Radio [2,3] to build new modes of operation. It's also now become of interest to the "security" community [4] quite a while after I expected it to.

The thing about SDR is that you can with a little knowledge turn it into test equipment that even a few years ago would have been in the 5000-10,000USD range. In fact in some of that test kit from the likes of HP it's easy to see that it uses a single board computer (SBC) running MS Windows NT driving a LCD in the front panel with the buttons and dials connected back via a USB 1 enabled micro controller...

From simple playing and following other peoples "scripts" you get drawn into Digital Signal Processing that has been "the way of the future" for some time now.

Importantly it will support people all the way from curious teenager into post PhD research and leading edge product development including satellite and high end military covert radio equipment.

As I've told my son, "Humans love to communicate, and always will do" you only have to look at people glued to their smartphones and tablets to see that. And if that does not convince you look how fast Internet connection speeds have risen since it became publicly usable in the 1990's.

Oh and if you get the right skills people will pay unbelievable amounts of money to be that little bit faster. Just look at the lengths High Frequency Traders will go to to shave a few billionths of a second off of their communications times...

[1] http://www.ws1sm.com/Digital-Modes.html

[2] https://www.gnuradio.org/

[3] http://hackaday.com/2015/11/11/getting-started-with-gnu-radio/

[4] http://blog.opensecurityresearch.com/2012/06/getting-started-with-gnu-radio-and-rtl.html

JG4 • September 12, 2017 6:19 AM

I'm a little short on time today, so my rant will be less tedious than usual.

@Dirk P. - not sure if you saw my comments about filtering this blog. filtering down to your favorite subset of Titans will avoid the need to even know that there are crass people in the room. if and when Bruce implements a login (or one that works with TOR) to create additional impedance for sockpuppets, that will further harden the effect of filtering. there are other powerful reasons for filtering, including better access to infrequent topics, the ability to quickly find books, the ability to put Clive's and other Titan's comments in sequence chronologically, etc. in general, I'm going to steer back from political issues pertaining to security to technical ones, but I wanted to better understand how we arrived at this particular point in space-time and what our momentum, velocity, and acceleration vectors imply about the future. to quote another uncanny and very old text that was mistranslated, "We struggle not against flesh and blood, but against psychopaths and sociopaths." at least to the extent that we want a free and prosperous society, or better, a free and prosperous planet. I stand by conflict of interest analysis as being very valuable.

@keiner - your point about freedom is well taken and that is the reasoning that cost a number of US lives from gun violence at least measurable on the scale of US losses in all wars put together. to the extent that distributed military force prevented a Nazi-style, Soviet-style or Maoist-style genocide in the US, maybe it is the cost of freedom. the freedom to step on the gas pedal may have cost more lives in the US than all of our wars put together (my rough estimate puts them equal, not counting the 15 to 20 million Asians killed in US wars, and an unknown number of Africans and South Americans, and letting the Europeans take credit for their own political problems, not that the US is blameless there either), and we generally view that as the cost of doing business. we have yet to understand the negative cascading consequences of the climate impact of the easy-motoring utopia, but that could cost a lot more lives around the world, besides making people angry. it is instructive to look up the automobile fatality rates in China, India and Thailand, where the composite cost of the freedom to step on the gas pedal is in the range of a million lives a year. some people ride motorcycles there, including Marc Faber, but I don't know if the appalling fatalities are broken out separately. one of my friends got 80 stitches in his arm, after the tuk-tuk driver died in his arms.

@Rachel and Clive - you are spot on that it is a short step from sound cards and all they entail (sonar, spread-spectrum, beamforming, nonlinear conversion, free space optical, Lissajous, synthetic music, voice recognition, voice spoofing, system identification, polydimensional data analysis, etc.) to SDR platforms and all they entail (radar, spread-spectrum, beamforming, datacom, signal detection/recognition, signal spoofing, system identification, polydimensional data analysis, etc.) Not sure if the chipsets have been pwned, but that is a necessary step to get them to do exactly what you want and only what you want. I have posted Melissa's DEFCON talk before, but it took a while to find the link (below, need that more powerful filtering technology, as well as a local copy of the archives to grind day and night on the silicon wheel of pain).

my essay "threat models few have considered" broaches some of what can be done with sound. there have been plenty of other contributions to this general topic, including the example of measuring rooms. all within reach of a hobbyist with some sound cards. I think that the lower end of sound cards is about $15 for USB stick flavors.

https://www.schneier.com/blog/archives/2015/10/friday_squid_bl_499.html#c6709471

I don't think that explicitly said that the audio data diode can defeat audio beamforming in crowds and every other emission or recording by your phone, but it is a very powerful approach to having cell phones do what you want and only what you want. that is the same topic we dance around day by day with regard to computers doing what we want and only what we want, not what deeply conflicted actors want. there are frequency-selective surfaces that are quite inexpensive. it is technically feasible to wrap a cell phone in a filter material that excludes GPS frequencies, but still allows the cell phone frequencies to pass. I have the references to the textbooks, which are shockingly expensive. it also is feasible to put the cell phone inside a Faraday cage at all times, using optical data diodes to pass selected RF signals in and out of the cage. I believe that the local oscillator emission problem can be roundly defeated on this path as well, as well as allowing arbitrary delays to dilute position information and restrict the number of cell towers. I know some of the components to use and I'd be willing to write up how to do it. interestingly enough, I know how to do many things, but my cognitive disabilities prevent me from doing a lot of them.

there's a typo in this one, as it was only 4.5 cubic meters. it contains the link to Melissa's talk and to the USB radio sticks

https://www.schneier.com/blog/archives/2016/04/friday_squid_bl_524.html#c6723070

the construction of audio data diodes is within reach of a hobbyist with a sound card. the proof of concept work can be done on old PCs using SciLab. to harden it for actual secure communication would require running the code on secure hardware. it would be handy to have a 3D printer to make the audio cage for the cell phone, which would need to mount the appropriate microphones and speakers and seal out the local sound environment. I have posted the microphone links before, going up to 85 kHz. I haven't looked closely at the anti-aliasing filters on sound cards, but there are similar 24-bit ADCs that go well beyond 85 kHz. if there is enthusiasm for this road, I'd be willing to write it up. it has to be complementary to what bunnie is doing. I have sent him a few emails in recent years, but have not heard back. I assume that what I am teaching is fairly obvious to the MIT brain trust, even if it took me 4.5 cubic meters of beer and 30 to 40 years to figure it out.

https://www.schneier.com/blog/archives/2017/08/nsa_collects_ms.html#c6757419
...
I introduced yesterday the concept of an audio data diode that uses some flavor of pseudorandom white noise as a carrier. actually, a pair of them to couple secured content in and out of an insecure cell phone. there are a lot of useful elaborations on what can be done with cell phones using the basic building blocks that I laid out. the ones that don't tamper with the RF will be immune to FCC rule changes that can be expected if there is any meaningful adoption.

I have only exposed a small portion of the idea space thus far, but it clearly overlaps what Doctorow, Snowden and Huang are doing.

@whoever critiqued my choice of links, including, but not limited to, vigilantcitizen. I am only a conduit of the relevant links from NakedCapitalism. in general, I am not endorsing the content, unless I post excerpts and commentary that is favorable. what I am endorsing is looking at the bigger picture and seeing how the moving parts in security relate to each other. especially the humans in the loop and how their feedback paths taint them and their organizations. the entire reason that I found my way here is an early example of corporate stupidity with sensitive data. I am still rabid about it to the point of favoring a hemp solution, after fair and speedy trials. in some sense, I am a systems guy, which is an accident of genetics, epigenetics, feedback systems, cold war brainwashing, fasting, fetal alcohol exposure, 4.5 cubic meters of beer, a decent college and graduate school education in science, more reading than Asimov wrote and a lot more environmental effects, including serving in the imperial forces and doing time.
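JG4's comment above mentions an audio data diode that uses pseudorandom white noise as a carrier, but the building blocks it refers to are in older threads, not on this page. The following is an added example, not JG4's code or design and not part of the original post: it demonstrates only the carrier part, a baseband direct-sequence spread-spectrum link in which each data bit is multiplied by a known pseudorandom chip sequence, buried in Gaussian noise stronger than any single chip, and recovered by correlating against the same sequence. The 7-bit LFSR code, the spreading factor of 63, the noise level and the sample message are all assumptions made for this example; the one-way (diode) property, the sound-card sampling and the real-time synchronisation are not shown.

```python
import math
import random

# Assumed parameters for this example (not from JG4's design).
SPREADING_FACTOR = 63   # chips per data bit
NOISE_SIGMA = 2.0       # noise std-dev per chip; chip amplitude is 1, so the
                        # per-chip SNR is 1/4 (-6 dB): each chip is under the noise


def prn_chips(n, seed=0x7F):
    """Return n chips in {+1, -1} from a 7-bit Fibonacci LFSR.

    Taps x^7 + x^6 + 1 (a primitive polynomial, period 127). Both ends of
    the link must know this sequence; to anyone else it looks like noise.
    """
    state = seed & 0x7F
    chips = []
    for _ in range(n):
        fb = ((state >> 6) ^ (state >> 5)) & 1   # XOR of the two top bits
        chips.append(1 if fb else -1)
        state = ((state << 1) | fb) & 0x7F
    return chips


def bytes_to_bits(data):
    """MSB-first bit list of a byte string."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def bits_to_bytes(bits):
    """Inverse of bytes_to_bits; trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def spread(bits, code):
    """Each data bit becomes len(code) chips: +code for 1, -code for 0 (baseband BPSK)."""
    samples = []
    for bit in bits:
        sign = 1 if bit else -1
        samples.extend(sign * c for c in code)
    return samples


def add_noise(samples, sigma, seed=1):
    """Add white Gaussian noise (seeded so the example is reproducible)."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in samples]


def despread(samples, code):
    """Correlate each len(code)-chip window against the code.

    Signal terms add coherently (sum = +/- len(code)) while noise adds as a
    random walk (std ~ sigma * sqrt(len(code))), which is the processing gain.
    """
    sf = len(code)
    bits = []
    for i in range(0, len(samples) - sf + 1, sf):
        corr = sum(samples[i + j] * code[j] for j in range(sf))
        bits.append(1 if corr > 0 else 0)
    return bits


def chip_snr_db(sigma):
    """Per-chip SNR in dB for unit-amplitude chips and noise std-dev sigma."""
    return 10.0 * math.log10(1.0 / (sigma * sigma))


def run_link(message, sigma=NOISE_SIGMA, seed=1):
    """Send message over the noisy PRN channel; return (recovered bytes, bit errors)."""
    code = prn_chips(SPREADING_FACTOR)
    tx_bits = bytes_to_bits(message)
    rx = add_noise(spread(tx_bits, code), sigma, seed)
    rx_bits = despread(rx, code)
    errors = sum(a != b for a, b in zip(tx_bits, rx_bits))
    return bits_to_bytes(rx_bits), errors


if __name__ == "__main__":
    recovered, errors = run_link(b"squid")   # constructed sample message
    print("chip SNR: %.1f dB" % chip_snr_db(NOISE_SIGMA))
    print("recovered:", recovered, "bit errors:", errors)
```

The despreading correlator is where the pseudorandom "noise" earns its keep: without the code an observer sees chips with a negative SNR, and with it the 63-chip correlation lifts each bit about 4 standard deviations above the noise. A real implementation would also need chip-timing recovery at the receiver; here the chip boundaries are assumed known.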

vas pup • September 12, 2017 3:34 PM

@Wael • September 11, 2017 3:26 PM
I heard that bankers removed the batteries from their blueberries during important meetings as a foolproof option. Unfortunately, the iPhone does not let you remove the battery, but Samsung does.

@John S • September 11, 2017 11:32 PM.
Finally, the kill switch will get its place in phones. As @Andrew informed all of us, a laptop with a kill switch is on the market.

@all. I hope to live to see the day when one of our respected bloggers notifies us that Samsung or LG finally provide a kill switch on their smart TVs and tablets. The same applies to all Apple devices.

I still can't understand why such an obvious security feature was not part of the hardware design from the very beginning.

Regarding Edward, I heard an old story about a monk working for the Pope during the Dark Ages of the Inquisition. He developed some kind of choking machine which killed the victim gradually (over about 24 hours or something like that), causing huge suffering before actual death. Then the monk had some kind of argument/disagreement with the Pope and was subjected to his own machine to taste its action by personal experience.

That story is a good warning for all technical and science gurus regarding the conditions of cooperation with those who are in power.

Sancho_P • September 12, 2017 4:28 PM

@Wael, re pubpub

I’ve tried again, to no avail.
In Safari with JavaScript disabled, even the pubpub.org start page remains blank without any further hint; a real disappointment nowadays, but that could be called low standard.
However, with JS enabled the start page loads: it takes 21 seconds to show the static background image and text, and after 28 sec the page is complete. A show stopper.

There the linked “Daisy-chain gene …” publication is blank for another 25” and then it delivers visible content within 4”.

But the “Against the law …” publication remains blank; Web Inspector reports (within 7”):
1 Error
“Failed to load resource: the server responded with a status of 404 (Not Found, https://cdn.polyfill.io/v2/Intl.min.js.map)”
and 89 Warnings, mostly:
“(blocked) The page at blabla was not allowed to display insecure content from bloblo”.
The spinning circle never stops. Little Snitch reports in total 353 servers contacted for the “Against the law …” session; that seems to be a very sophisticated platform / stuff / ad, so count me out here.

Thanks anyway!

Simon Hartley • September 12, 2017 6:43 PM

A commercial device came onto the market several years ago that checks the integrity of a smartphone, without having to trust the smartphone itself -- Kaprica's Skorpion.

https://www.technologyreview.com/s/519651/a-smartphone-charger-that-sniffs-for-malware/

Consumer app-level security tools and mobile device management (MDM) environments are good as far as they go -- far better than doing nothing.

This is reflected in their widespread usage. However, they still must trust the device itself.

Wael • September 12, 2017 6:48 PM

@Sancho_P,

I’ve tried again, to no avail.

You're not missing much. In my opinion, it's a flawed concept! We already know there are telemetry and other probes going on. Do we really need to get the additional assurance? Leave the phone behind! How difficult is that? What if one of the attendees has a phone that's not equipped with the proposed device? Will one have to ask everyone else to go buy and install one? Oh, no time? Then ask them to leave their phones behind, right? Well, the journalist might as well do the same.

This wasn't exactly a joke! This is reality. The only thing missing is a specification update. Like ummmm: a policeman can stop a driver and check their device's state to see if the driver texted during driving, or or or...

Rachel • September 13, 2017 7:33 AM

I used to wonder about the veracity of flight/aeroplane mode. Is it really off? I was reassured that, for safety reasons, the FCC or similar legally requires radio off to mean radio off.
Here we are informed that actually, no, emissions still occur. Is this not rude, irresponsible and illegal of Apple? Phones go into all kinds of EM critical environments with the owner trusting their phone is safely secure. Can anyone comment on the legality of this?

Rachel • September 13, 2017 11:52 AM

Clive! Before I start, on a totally unrelated tack, I was musing today upon the certain emotion I had of observing colourful ANSI graphics slowly flow up my VGA monitor, creating a welcome page as the 2400 baud modem piped the local call dial-up BBS to my 286! There's a memory.

Thank you SO much for the fantastic details about ways to support a teen getting started in electronics, and the super extremely interesting links about Software Defined Radio. I love it! What a truly enlightened subject, it's so enthralling. I look forward to scouring this site for references to it. I like how it's a technology simply not going to become obsolete.
When the teen has some quantifiable progress of some sort or another in the not too distant future I'll be sure to look you up here and let you know how they are going!
Mere words cannot provide much of the whole that makes a human being. Physical experience is essential to understand another. But yet with only words, you provide so much scope. And you impart beyond the norm. For, your staggering technical knowledge is not the greatest thing you offer. It's your humanity, and awareness of what humanity means, I find so inspiring.
A great many in your concentric circles of relations must feel extraordinarily privileged to know you. When I read you I feel encouraged to be a better person. That's a high-level gift to impart.

(Okay everyone, your turn. It's let's turn Clive Mr Pink Ears time! And it's about time! Just start on Squid though.)

Sancho_P • September 13, 2017 6:03 PM

@Wael, re personal surveillance device (PSD):

Right, with contemporary technology we should be aware that nearly any item could record what we do / say (and transmit it later, when we have left).
As often, there may be a good and a bad side of this fact.

To detect whether the personal tracking device is really switched off a very simple (3 transistors) and contactless (EMF) probe would suffice.
But agreed, the best solution is to leave the tracker at home.

Wael • September 13, 2017 9:59 PM

@Sancho_P,

To detect whether the personal tracking device is really switched off a very simple (3 transistors) and contactless (EMF) probe would suffice.

That, or a passive circuit. If you add the transistors, then you may need to add a power source, or get more clever.

Clive Robinson • September 14, 2017 12:18 AM

@ Sancho_P, Wael,

To detect whether the personal tracking device is really switched off...

It's actually not that easy. What the probe picks up is a small fraction of the energy consumed by the circuit you are trying to check. The standby current on some circuits is less than the self-discharge rate of the rechargeable batteries that power it.

If the clock rate for timing is not important it can be done with an RC circuit, which means that the switching frequency could be very low, certainly well below the lowest of the audio frequencies. Picking up any EM signal down at those frequencies would be difficult and very time consuming.

All in all there would be quite a few type 1 and type 2 errors in non-laboratory usage.

Wael • September 14, 2017 12:58 AM

@Clive Robinson, @Sancho_P,

What the probe picks up is a small fraction of the energy consumed by the circuit you are trying to check.

I'm confused!

Yes, law of conservation of energy, efficiency of the transmitter (the RF PA, specifically), power loss in the path, and the receiver. This doesn't matter for an active circuit receiver where the active components (transistors) can amplify the weak signal. For a "passive" receiver, this will be an issue to consider, although it should work. Example: What's the strength of the electric field (as a function of the transmitter's power) of a radio transmitter, say, 100 miles away (Hint: use a Poynting vector and assume the wave is planar, not spherical, at a 100-mile distance)? That signal can be picked up by a crystal receiver that uses no power source (crystal earphone + a good antenna and a diode.) Question: How much power does the probe (receiver's antenna) pick out of the energy consumed by the circuit (the radio transmitter)? Not surprisingly it's a teeny weeny fraction - I think we all know that, unless I missed what you meant.

If the clock rate for timing is not important it can be done with an RC circuit which means [...] Picking up any EM signal down at those frequencies would be difficult and very time consuming.

Either you didn't have your morning tea, or I need to go to bed early - which is actually true tonight as I can't keep my head straight. Actually not feeling well at all, but... What are you talking about? If the RF signal is pulsed below the audio range, so what? We are trying to detect the carrier that's in the GHz range, be it CW or pulsed.

All in all there would be quite a few type 1 and type 2 errors in non laboratory usage.

Yes, if not instrumented properly. Get the cell phone in an insulating pouch, calibrate your detection antenna so stray EM fields are "normalized", then turn the cell phone off and stick it in the pouch next to the detector's antenna. Should work, right?

I actually was going to order the diode in the diagram and went to Digikey but the "Shopping Cart" gave me a hard time, so I said screw it, I am not doing it. My comprehension capabilities are at a minimum tonight, and I am feeling extra goofy so be careful with your reply ;)

Clive Robinson • September 14, 2017 1:47 AM

@ Wael,

Either you didn't have your morning tea, or I need to go to bed early

I suspect you are not thinking about the problem the same way.

@Sancho_P said,

    To detect whether the personal tracking device is really switched off

The diode probe circuit you show will not tell you if the Device Under Test (DUT) is "really switched off" or not. It will only tell you if the DUT is "emitting a high frequency EM signal" with sufficient voltage level picked up in the loop that it will turn the diodes on in the detector sufficiently to cause a DC current that will cause the meter needle to deflect.

Now you said,

We are trying to detect the carrier that's in the GHz range be it CW or pulsed.

Sorry, no we are not, we are trying to identify if the DUT has power connected or not. Because it's up to the DUT if and when it emits a signal via one of its transmitters.

The only EM signal it can not avoid emitting is that of its internal clock for its logic. As I noted, that can not only be very low in frequency, it can also be incredibly low power (in theory below the noise floor due to impedance differences between the circuit and free space).

You would do better looking for the static magnetic field around a conductor caused by the current flowing in it, or the static electrostatic field of the EMF of the battery. This would need the modern equivalent of a magnetic compass or gold leaf electroscope. Or the difference in heat signature between ambient and the DUT due to its inefficiency.
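Wael's Poynting-vector question (field strength of a distant transmitter, and how small a fraction of its power a probe antenna captures) and Clive's reply (a loop-and-diode probe only reads when the induced voltage is enough to turn the diode on, and a slow logic clock induces almost nothing) can both be put into numbers. The following is an added example, not code from either commenter: it uses the far-field plane-wave relation E = sqrt(S * eta0) with S = P / (4 pi r^2), the Friis power fraction (lambda / (4 pi r))^2, and Faraday's law for a small loop, V = 2 pi f N A B. The 50 kW transmitter at 100 miles, the 1.9 GHz carrier versus a 32.768 kHz logic clock, the loop area, the flux density at the probe and the 0.3 V diode forward voltage are constructed assumptions for illustration.

```python
import math

C = 299_792_458.0       # speed of light, m/s
ETA0 = 376.730313       # impedance of free space, ohms
MILE_M = 1609.344       # metres per statute mile


def plane_wave_e_field(p_tx_w, r_m):
    """Electric field (V/m) of an isotropic radiator in the far field.

    Power density S = P / (4 pi r^2); for a plane wave E = sqrt(S * eta0).
    Free-space only: no antenna gain, no ground or ionosphere effects, and
    only valid when r is many wavelengths away from the source.
    """
    s = p_tx_w / (4.0 * math.pi * r_m ** 2)
    return math.sqrt(s * ETA0)


def friis_power_fraction(freq_hz, r_m, g_tx=1.0, g_rx=1.0):
    """Fraction of transmitted power an antenna captures (Friis equation).

    P_rx / P_tx = G_tx * G_rx * (lambda / (4 pi r))^2, far field only.
    This is the 'teeny weeny fraction' of the DUT's energy a probe sees.
    """
    lam = C / freq_hz
    return g_tx * g_rx * (lam / (4.0 * math.pi * r_m)) ** 2


def loop_emf(freq_hz, b_tesla, area_m2, turns=1):
    """Peak EMF induced in an electrically small loop by a sinusoidal B field.

    V = 2 pi f N A B (Faraday). The EMF is proportional to frequency, so for
    the same flux density at the probe a kHz logic clock induces orders of
    magnitude less voltage than a GHz carrier.
    """
    return 2.0 * math.pi * freq_hz * turns * area_m2 * b_tesla


def detector_deflects(v_emf, v_forward=0.3):
    """A diode-plus-meter detector only reads once the loop EMF exceeds the
    diode's forward voltage (0.3 V assumed, in the range of a Schottky or
    germanium diode). Below that the needle stays put whatever the DUT does."""
    return v_emf > v_forward


def compare_clock_vs_carrier(b_tesla=5e-8, area_m2=0.002):
    """Constructed comparison: same flux density at a 1-turn, 20 cm^2 loop,
    once from a 1.9 GHz carrier and once from a 32.768 kHz logic clock."""
    carrier = loop_emf(1.9e9, b_tesla, area_m2)
    clock = loop_emf(32_768.0, b_tesla, area_m2)
    return {
        "carrier_emf_v": carrier,
        "clock_emf_v": clock,
        "ratio": carrier / clock,
        "carrier_detected": detector_deflects(carrier),
        "clock_detected": detector_deflects(clock),
    }


if __name__ == "__main__":
    # Wael's example: a 50 kW transmitter (assumed) 100 miles away.
    e = plane_wave_e_field(50e3, 100 * MILE_M)
    print("E field at 100 miles: %.2f mV/m" % (e * 1e3))
    # Fraction of a 1.9 GHz transmitter's power captured 1 m away (isotropic antennas).
    print("Friis fraction at 1 m: %.3g" % friis_power_fraction(1.9e9, 1.0))
    for k, v in compare_clock_vs_carrier().items():
        print("%s: %s" % (k, v))
```

With these numbers the carrier induces about 1.2 V in the loop and trips the detector, while the logic clock at the same flux density induces about 20 microvolts, some 58,000 times less, and the meter never moves; that is the gap Clive describes between "emitting RF" and "powered on". At a few centimetres from a phone the far-field formulas are only rough, so the first two functions are for the distant-transmitter case and the loop calculation is the one that carries the argument.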

Wael • September 14, 2017 1:59 AM

@Clive Robinson, @Sancho_P,

To detect whether the personal tracking device is really switched off

Ok. You read what @Sancho_P said literally, and I read it in the context of this thread. What @Sancho_P (within my defective comprehension) meant:

Is the radio really turned off, as in, is it transmitting at certain intervals? You read it as you described. False alarm -- your sanity is intact. Your comments almost[1] make sense now; scared me for a second.

[1] Almost because there are other complications that we don't need to get into, such as: What does it mean for a cell phone to be off.

Sancho_P • September 14, 2017 10:45 AM

@Clive Robinson, Wael, re device switched off:

“What is off” is an interesting question, and my statement meant to detect something between sending and off.
While @Clive is right that you can clock down these ICs to nearly DC operation (be aware of capacitors not working at DC [1]), to get some work done (record speech / video, ADC, CPU) it takes more than standby power, and a clock frequency of at least, say, 10 kHz for speech plus the corresponding slew rate (contemporary chips are designed to run on MHz clocks, so their throughput / efficiency will be limited with low clock frequencies).

However, the 3 transistor device also works with a magnetic pick-up, e.g. an inductor from a wall wart as antenna (but it doesn't make much difference with my phones).
OK, I have never tested a specially crafted low power, low clock device, so @Clive may be right: the simple 3 transistor design could be too simple to detect sophisticated spyware.

[1] What we see as a digital circuit is in fact analog electronics; there are myriads of possibilities between 0 and 1, resp. input and output.

Sancho_P • September 14, 2017 11:04 AM

@Rachel, re airplane mode (”rude, irresponsible and illegal of Apple?”)

(Disclaimer: I’m not an expert in anything, let alone FCC rules, but your question wasn’t answered yet.)
Airplane mode is cellular network off only, otherwise you couldn’t watch movies or run inflight entertainment.
AFAIK it’s a matter of RF emission (power). The LAN circuit (range up to 20 m) is much weaker than the phone transmitter (range 7 km and more); also the waveform / pulses are different.
I can hear an incoming call in (from) my (standby) DECT cordless telephone before (!) my mobile phone rings, and some instruments in my lab go crazy when the mobile silently starts to re-negotiate connection conditions (output power) with the cell tower(s) (both masts within reach are far away from my home).
Imagine 250+ phones desperately searching for better connections during take-off or landing, what (RF) noise!
But emission also depends on the phone model (and age).

When you switch on a phone during the flight it will be completely (RF) passive (um, @Clive is right, not completely), until it receives a signal / command from a cell tower which is ready to listen (to negotiate), so it will remain silent until going down for landing.

Wael • September 14, 2017 11:22 AM

@ Sancho_P, @Clive Robinson,

the simple 3 transistor design could be too simple to detect sophisticated spyware.

Sophisticated spyware will be hard to detect unless the spy catcher "solution" is able to capture all ingress / egress traffic to / from the phone, analyze the payload and correlate it to expected functionalities.

One form sophisticated malware can take: Sometimes I wonder what happens when I update the firmware (or the operating system) on my smart phone. Is the phone downloading the firmware only, or is it sending my whole filesystem to the mothership at the same time for offline analysis? Never had the chance to Wireshark the process, but I suspect something fishy is going on during the upgrade process - the phone is connected to the charger too. So what to do? Clean all confidential material from the smart phone before you start an OS upgrade session.

I can imagine what the maintainers of the mother ship say after I upgrade my smart phone OS.

Senior Peeping Tom: Damn, boi! That guy has 100 books on his smart phone and only read like two pages here and there.

TLA implant at same location: Any dirt you have on the guy? Go search his file system for "anomalies"...

Senior Peeping Tom: Well, he visits Wikipedia a lot and does some shady Google searches on technical material. Then he goes and presents crap on Schneier's blog as if he's an expert on the matter.

TLA implant at same location: Yea. I don't like his songs and lyrics. Go to https://www.rhymezone.com and mess it up. That'll teach him. Oh, any books he claimed he bought but really didn't? Let's make sure we tarnish his reputation.

Senior Peeping Tom: He doesn't give a ...

Rachel • September 14, 2017 11:37 AM

Sancho_P
Thank you. Sorry, I don't follow your reasoning. I disagree with your definition of flight mode though. Radio off means off. To me, aeroplane/flight mode means no Bluetooth, no Wi-Fi, cellular or NFC. One has a right to know their unit is not RF active when activating that mode. There are a variety of reasons one may require such a state, nothing to do with air travel. One is led to believe the radio is off in that mode. This paper indicates otherwise. And if I was to need inflight blahblah I can activate Wi-Fi independently of the other signals (if Apple even lets you do that??).
It is obviously a sufficient pulse to be of concern to Snowden and Bunnie ('we didn't realise...'), without factoring in Clive's level of detail.

Sancho_P • September 14, 2017 5:44 PM

@Wael, re update ;-)

Usually I do not update (‘cause I know that something will be messed up if I do).
But: If I can’t avoid an update I’ll first visit our local winery.
The next day, when I encounter what is messed up, I’m going to write 100 times by hand “I will never again update”.

Sancho_P • September 14, 2017 5:48 PM

@Rachel, re radio off

OK, but is it called “airplane mode” or “radio off” mode?
Anyway, you may always assign your own meaning to any term you want, just don’t be disappointed if it isn’t reality ;-)
Out of curiosity I’ve checked with Wikipedia and found their article more than confusing, not to say fishy. Even the linked reference to FAA regulation 2014-10-31 links to a document from 2013.
In fact, both my phones (iOS and Android) disable only the “cellular connection” when in airplane mode.

But see point 1a of:
https://www.faa.gov/other_visit/aviation_industry/airline_operators/airline_safety/info/all_infos/media/2013/info13010.pdf
“The operator should continue to require passengers to place their PEDs in “Airplane Mode” (cellular transmitters off) from the time the aircraft takes off until it lands.”

(You may be also interested in reading this lengthy PDF to see that it’s a “complicated” matter:
https://www.faa.gov/regulations_policies/rulemaking/committees/documents/media/pedarc-11082012.pdf )

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.