So long as basebands are not audited, and smartphones do not possess IOMMUs and have their operating systems configure them in a way that effectively mitigates the threat, no smartphone can be trusted for the integrity or confidentiality of any data it processes.
This being the case, the quest for “secure” phones and “secure” communications applications is rather bizarre. There are only two possible roads to a secure phone: auditing baseband or using an IOMMU. There can’t even begin to be a discussion on secure communications applications until the security of the hardware is established.
I’ve written about this a long time ago, and it remains true today. Your phone is not secure, by definition, regardless of platform. Governments should legally demand that phone manufacturers fully publish all source code to the baseband chips they use, or be barred from sales. Mobile phone networks have become a crucial pillar of our society, and as citizens, we have the right to know what’s going on in baseband chips.
Of course, that’s not going to happen – governments benefit from the inherent lack of any form of security in our mobile phone network – but one can dream.
Remember IME (Intel ME)? No use in having a “secure” OS (e.g. Linux) when everything before it is not secure.
Anyway, I think people are getting a little paranoid by now, probably thanks to Snowden and his revelations (not saying it is a bad thing, we just need to keep perspective IMHO).
That’s why you contact AMD to request a list of CPU/APU SKUs that predate the introduction of ARM TrustZone cores. AMD doesn’t yet have an on-die management solution.
The Osmocom project is actually working on free / open source baseband software for mobile phones.
https://bb.osmocom.org/
It is not practical for everyday use. And of course running your own non-certified GSM transmitter can get you in trouble if you are not very careful.
In the future, it won’t even matter whether your government wants the baseband firmware out in the open, as international agreements will put an end to governments’ ability to demand public source code.
No they shouldn’t. There is a way to force a corp to do something without forcing them to “spill the beans” on how they’ll do it: Contracts.
Companies making baseband chips should be forced to sign a contract that their chip doesn’t have any surveillance code and that they’ll reveal any exploits and fix them. That’s all.
Stop trying to present your open source dream as a moral obligation…
Cute.
Believing companies would ever “spill the beans” on their competitive advantage: Even cuter.
No Qualcomm is going to spill their beans so every MediaTek of this world can benefit for free, thank you.
And stop pretending the government should legislate this. It’s people proposing “my ideals are for everyone” legislation like this that turns people against regulation.
Edited 2016-01-15 17:44 UTC
I have to agree with Thom, that’s crazy nuts. Companies will just sign it and do whatever they’re doing today. There isn’t any teeth in that proposal. If they ever get discovered, they’ll do a Volkswagen and blame low-level engineers. The only way to protect against that is signed, verified binaries from open source.
It’s even cuter when one says a company will not honor a written contract, but will happily publish source code and nirvana will follow.
If I had to choose between buying a phone for which (1) I can download the source of all software running on it, and (2) get a signed document from the manufacturer that it contains no known backdoors and they will commit to fixing any newly discovered holes, I’d most likely go with (2). It’s just a better offer.
What does “publish source code” do for me as a customer? Exactly nothing. Even assuming I have the knowledge to read and understand the code, there is no guarantee that the same source code, in compiled form, is what is actually running on my device. If there is a guarantee, it will be in some form of a contract (a legally binding document). As a party to said contract I have a right to have it enforced by the court and seek damages if necessary.
(In)security via obscurity can well work even if full source code is available — I am not buying the idea that there will be some good and qualified Samaritan ready to review the source code for the hundreds of phone models in all their versions in a timely manner. Even if that happens, there is still no guarantee the phone maker will fix any holes discovered and reported.
Open source is nice (I use a lot of open source software) but it is simply not related to the issue. A wrong tool, if you’d prefer.
Finally, I do not recall a “right” to be able to see source code. Not in any legal document I remember reading. Would be nice, but let’s not confuse things. I’d be happy if someone provides a pointer to a legal document saying otherwise.
Lucky for you there *are* other people in the world beside you and the smartphone manufacturers.
A long time ago, telephones used wires (which are long threads of conductive metal) connected to some central facilities full of relays for making electrical connections between the distant phones.
Before that, ladies actually plugged phones using jacks on large panels.
Imagine, all these communications directly available for police to listen.
Alas, ruthless criminals imagined some evil method for hiding their guilty activity by changing words: a casual conversation about grandma could actually detail some massive delivery of drugs or alcohol to a speakeasy.
Even more, during WW2, some Native Americans* used their own arcane language for communicating over unencrypted radio waves, in addition to using the criminals’ method of replacing words. Is it fair to use such a diabolic scheme?
So, there is no secure smartphone?
Meh!
(* Yes, Navajos)
Your talk is pure noise 😉
True noise is mathematically not filterable.
You don’t need an IOMMU if you just don’t give the goddamn baseband processor DMA. It’s effectively a NIC, so why not just stick it on something like an internal USB channel?
I believe the BlackPhone eliminates it by removing the DMA access. I don’t think they use a USB channel for comms, but they do something similar as far as isolation.
Thom, this would deprive them of a very reliable state vector attack?
On top of that, the ecosystem is crumbling. WebOS to LG. FireOS to Panasonic?
Not winning on all fronts shouldn’t mean the next step is to give up. Right reasons are not to be abandoned. The implicit statement about renouncing the effort to keep doing right is shameful beyond the worst.
In memoriam Ian.