[kwlug-disc] cell phone security and privacy
Mikalai Birukou
mb at 3nsoft.com
Tue Jul 26 23:17:31 EDT 2022
> After researching cell phone OSes and installing Graphene, I suddenly
> have a lot of opinions about privacy and security in cell phone
> operating systems. I now have a fully degoogled Android phone, and
> I'll talk about that.
>
> ...
> * I want my phone to be private, secure and free, of course, but how
> is this accomplished? .... I need Secure Boot, so that an evil maid or
> border security guard with access to my phone cannot replace or modify
> the OS without my knowledge. ....
> ...
I don't want to downplay the usefulness of the mentioned measures at some
levels. But on the perfection level only the wiki style of keeping your
devices on you at all times is secure, however inconvenient that is,
cause, ... there must be an analog hole.
The following is inspired by an attack on modern, luzzuree carz. There
we have a key whose proximity is sensed by the vehicle, convincing it to
open doors and maybe even drive it away. The fellas at night come close
to the place/person that has a key, following with equipment that
talks over a long distance to a second box near the target vehicle,
passing airwaves as if it were the key fob.
Two points to note. (a) Impersonation that convinces an actor to divulge
information. (b) Attack needs communication over longer distance, and
defender never discards reactions with delays that are necessary at least
due to light speed. We note this for later.
So. Let's imagine the following. You place your phone for a second,
without touching it, close your eyes for a second, or look away, being
distracted, turn back and grab a phone that is now something that looks
like your original device, but actually grabs info about what you
do/press/say/move, streaming it into a second box that keeps your actual
phone, reproducing actions on it, and sending to the device in your hand
video/audio and tactile reactions.
I think it is a perfect attack that can be done only on targeted, human
scale level. But it is our analog hole that is always present.
Bonus points, if your device is not customized by unique scratches
(guerrilla glass?).
Bonus points, if there are covers and skins that can be quickly
replanted onto an impostering device to avoid spooking your subconscious.
Maybe the way out is to have a smaller device, like a watch, that never
leaves you, and that can perform an attestation on your other device,
with a procedure that takes into account timing, so that tested device
can't be, say 1 meter away from the watch, as a fix for (b).
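
Added example, not part of the original post: a simulation of the timed attestation idea in (b), in the style of Hancke-Kuhn distance bounding, where the watch accepts only if every one-bit response is correct and arrives within the round-trip time for the allowed distance. The function names, the shared key, the 1 ns processing allowance and the simulated clock are assumptions of this sketch; a real device needs nanosecond-resolution timing hardware.

```python
import hashlib
import hmac
import secrets

C = 299_792_458.0  # speed of light in m/s; 1 m out and back is about 6.7 ns


def registers(key, nonce_v, nonce_p, n):
    """Derive two n-bit response registers from the shared key and both nonces."""
    seed = hmac.new(key, nonce_v + nonce_p, hashlib.sha256).digest()
    stream = hashlib.shake_256(seed).digest((2 * n + 7) // 8)
    bits = [(stream[i // 8] >> (i % 8)) & 1 for i in range(2 * n)]
    return bits[:n], bits[n:]


def attest(watch_key, phone_key, path_m, relay_delay_s=0.0,
           n=32, max_distance_m=1.0, processing_s=1e-9):
    """Simulate one session. path_m is the real signal path to the device
    holding phone_key; relay_delay_s is latency added by relay boxes.
    Timing is computed, not measured (assumption of this sketch)."""
    # Slow phase: exchange fresh nonces, both sides precompute registers.
    nonce_v, nonce_p = secrets.token_bytes(16), secrets.token_bytes(16)
    expected = registers(watch_key, nonce_v, nonce_p, n)
    answers = registers(phone_key, nonce_v, nonce_p, n)
    # Longest round trip the watch tolerates for the allowed distance.
    limit_s = 2 * max_distance_m / C + processing_s
    # Fast phase: n timed single-bit challenge/response rounds.
    for i in range(n):
        c = secrets.randbits(1)  # unpredictable challenge bit
        rtt_s = 2 * path_m / C + processing_s + relay_delay_s
        if answers[c][i] != expected[c][i]:
            return "reject: wrong response"
        if rtt_s > limit_s:
            return "reject: too slow"
    return "accept"


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed sample key
    print("phone in hand, 0.3 m:     ", attest(key, key, 0.3))
    print("real phone relayed, 50 m: ", attest(key, key, 50.0))
    print("relay nearby, 20 ns delay:", attest(key, key, 0.3, relay_delay_s=20e-9))
    print("impostor without the key: ", attest(key, secrets.token_bytes(32), 0.3))
```
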