Author Topic: Smartphone - insecure by design, cannot be secured however hard you try!  (Read 2118 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast √úberevangelist
  • Maybe Bot
  • *****
  • Posts: 29971
  • malware fighter
A secure smartphone does not exist, however hard you may try to secure it to a certain degree.

A secure smartphone = a non-existent item.

Next to your normal Anroid OS, there are several or minimal one other OS or real time OS (RTOS). In most cases these OSes or OS is propriety OS and has full and unlimited access to all and everything on the device. Most of these somewhat older RTOS aren't safe (using insecure Hayes commands for instance).

Read: http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone

Hayes still alive! http://www.developershome.com/sms/atCommandsIntro.asp Built in in smartphones as integrated parts all with their own OS (RTOS).

A modern harddrive also has everything aboard nowadays, even the option to go wireless:  http://www.hardwaresecrets.com/anatomy-of-a-hard-disk-drive/2/  Same story could be told for modems. The basic insecurity and surveillance backdoors have been built in the hardware. Does not matter what secure software you run on insecure hardware, you are food for the birds and Mr. Mike Pompeo and his confr√®res may know everything about your smartphone.

Components also will have their own security issues like your battery:
https://www.cnet.com/news/hacking-laptop-batteries-a-new-security-threat/

So the insecurity starts at the hardware level and then software security is a second issue.

When will users really come to understand the impact of the fact that smartphones were developed,
and designed to be used as spyware for total surveillance purposes?

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline isherclub

  • Newbie
  • *
  • Posts: 1
Re: Smartphone - insecure by design, cannot be secured however hard you try!
« Reply #1 on: December 19, 2016, 02:25:23 PM »
Hi Polonus, I understand where you are coming from but I have a question for you.

First, a short introduction:

1. We take a smartphone running Android.
2. We change the firmware
3. We remove all the binaries (including the baseband drivers that allow connectivity to the cellular networks)
4. We recompile Android and install it

Afterwards we pick a number of open-source community developed software and we install them:

5. We install an iptables firewall that allows only some static connections since boot time
6. We install a VPN client that starts at boot and connect to certain static IP. Authentication is made with pre-loaded certificates and pre-loaded credentials

7. We install some peer-to-peer software that allows voice, text and mail, toward other clients. Communication is end-to-end encrypted  with symmetric keys, no servers whatsoever.

8. Finally the file system is locked down in read-only mode, without the possibility to change anything in it (including updates), with an air-gap protection approach.

After 12 months we replace the phone anyway.

Yes, the device is stripped off of plenty of its original features, but the goal is to deliver secure, untraceable, anonymous communications.

The approach is the same as the one used with Tails OS or other similar OS made for anonymity and security.

Now, of course I am not asking you to give an opinion and we know that nothing is 100% secure.

But the goal is not obtaining something that is 100% secure, rather than rising the cost of hacking the device to a point in which it becomes more convenient to pursue other forms of interceptions.

Do you think this is a reasonable goal?