Against the Law: Countering Lawful Abuses of Digital Surveillance
Andrew ‘bunnie’ Huang, Edward Snowden

Front-line journalists are high-value targets, and their enemies will spare no expense to silence them. Unfortunately, journalists can be betrayed by their own tools. Their smartphones are also the perfect tracking device. Because of the precedent set by the US’s “third-party doctrine,” which holds that metadata on such signals enjoys no meaningful legal protection, governments and powerful political institutions are gaining access to comprehensive records of phone emissions unwittingly broadcast by device owners. This leaves journalists, activists, and rights workers in a position of vulnerability. This work aims to give journalists the tools to know when their smartphones are tracking or disclosing their location when the devices are supposed to be in airplane mode. We propose to accomplish this via direct introspection of signals controlling the phone’s radio hardware. The introspection engine will be an open source, user-inspectable and field-verifiable module attached to an existing smartphone that makes no assumptions about the trustability of the phone’s operating system.
Introduction and Problem Statement
Front-line journalists risk their lives to report from conflict regions. Casting a spotlight on atrocities, their updates can alter the tides of war and outcomes of elections. As a result, front-line journalists are high-value targets, and their enemies will spare no expense to silence them. In the past decade, hundreds of journalists have been captured, tortured and killed. These journalists have been reporting in conflict zones, such as Iraq and Syria, or in regions of political instability, such as the Philippines, Mexico, and Somalia.
Unfortunately, journalists can be betrayed by their own tools. Their smartphones, an essential tool for communicating with sources and the outside world – as well as for taking photos and authoring articles – are also the perfect tracking device. Legal barriers barring the access to unwitting phone transmissions are failing because of the precedent set by the US’s “third-party doctrine,” which holds that metadata on such signals enjoys no legal protection. As a result, governments and powerful political institutions are gaining access to comprehensive records of phone emissions unwittingly broadcast by device owners. This leaves journalists, activists, and rights workers in a position of vulnerability. Reporter Marie Colvin’s 2012 death is a tragic reminder of how real this vulnerability can be. A lawsuit against the Syrian government filed in 2016 alleges she was deliberately targeted and killed by Syrian government artillery fire. The lawsuit describes how her location was discovered in part through the use of intercept devices that monitored satellite-dish and cell phone communications. [1]
Turning off radios by entering airplane mode is no defense; for example, on iPhones since iOS 8.2, GPS is active in airplane mode. Furthermore, airplane mode is a “soft switch” – the graphics on the screen have no essential correlation with the hardware state. Malware packages, peddled by hackers at a price accessible by private individuals, can activate radios without any indication from the user interface; trusting a phone that has been hacked to go into airplane mode is like trusting a drunk person to judge if they are sober enough to drive.
This work aims to give journalists the tools to know when their smartphones are tracking or disclosing their location when the devices are supposed to be in airplane mode.
Approach and Goals
Numerous researchers and extensive corporate resources have been dedicated to the task of building a more secure smartphone. However, smartphones are extremely complex and present a large, porous attack surface. Furthermore, even a perfectly secure phone will not save a reporter from “victim-operated” exploits such as spear phishing. Eliminating this vector is complicated by the fact that effective reporters must communicate with a diverse array of sources who may intentionally or unintentionally convey a malware payload to the reporter.
As a result, this work starts with the assumption that a phone can and will be compromised. In such a situation, a reporter cannot take the UI status at face value. Instead, we aim to provide field-ready tools that enable a reporter to observe and investigate the status of the phone’s radios directly and independently of the phone’s native hardware. We call this direct introspection.
Our work proposes to monitor radio activity using a measurement tool contained in a phone-mounted battery case. We call this tool an introspection engine. The introspection engine has the capability to alert a reporter of a dangerous situation in real-time. The core principle is simple: if the reporter expects radios to be off, alert the user when they are turned on.
Our introspection engine is designed with the following goals in mind:
1. Completely open source and user-inspectable (“You don’t have to trust us”)
2. Introspection operations are performed by an execution domain completely separated from the phone’s CPU (“don’t rely on those with impaired judgment to fairly judge their state”)
3. Proper operation of introspection system can be field-verified (guard against “evil maid” attacks and hardware failures)
4. Difficult to trigger a false positive (users ignore or disable security alerts when there are too many positives)
5. Difficult to induce a false negative, even with signed firmware updates (“don’t trust the system vendor” – state-level adversaries with full cooperation of system vendors should not be able to craft signed firmware updates that spoof or bypass the introspection engine)
6. As much as possible, the introspection system should be passive and difficult to detect by the phone’s operating system (prevent black-listing/targeting of users based on introspection engine signatures)
7. Simple, intuitive user interface requiring no specialized knowledge to interpret or operate (avoid user error leading to false negatives; “journalists shouldn’t have to be cryptographers to be safe”)
8. Final solution should be usable on a daily basis, with minimal impact on workflow (avoid forcing field reporters into the choice between their personal security and being an effective journalist)
This work is not just an academic exercise; ultimately we must provide a field-ready introspection solution to protect reporters at work. Although the general principles underlying this work can be applied to any phone, reducing these principles to practice requires a significant amount of reverse engineering, as there are no broadly supported open source phone solutions on the market. Thus we focus on a single phone model, the 4.7” iPhone 6 by Apple Inc., as the subject for field deployment. The choice of model is driven primarily by what we understand to be the current preferences and tastes of reporters. It has little to do with the relative security of any platform, as we assume any platform, be it iOS or Android, can and will be compromised by state-level adversaries.
Methods & Intermediate Results
The first step toward executing this work was to visit the Hua Qiang electronics markets of Shenzhen to collect samples and documentation for evaluation. These markets are ground zero for the trade and practice of iPhone repair; as such, it is a rich source of spare parts and repair manuals. The repair manuals frequently contain detailed blueprints of the iPhone 6, which were used to assist the reverse engineering effort.
Based on the phone model selection and available documentation, we can enumerate the radio interfaces available:
- Cellular modem – 2G/3G/4G
- Wifi/BT
- GPS
- NFC (Apple Pay)
Although our work can be extended to input systems such as the IMU (inertial measurement unit), barometer, microphone and camera, to focus the effort we restrict our exploration to only RF interfaces that can directly betray a user’s location. Note that a camera can be defeated by obscuring the lens; as such the final physical design of our battery case will likely include a feature to selectively obscure the rear camera lens.
Methods that Do Not Meet our Criteria
Numerous semi-intrusive countermeasures were considered along the way to our current solution, including but not limited to RF spectrum monitoring, active jamming, and the selective physical isolation or termination of antennae. Semi-intrusive countermeasures would require minimal modification to the phone itself, which is desirable as it simplifies field deployment and could even enable reporters to perform the modifications without any special tools. Unfortunately, all of these methods were deemed to be inadequate, as discussed in the following paragraphs.
RF spectrum monitoring consists of building an external radio receiver that can detect transmissions emanating from the phone’s radios. In some cases, it was hypothesized that the receiver could be as trivial as an RF power monitor within the anticipated radio bands. A simple example of such monitoring already exists in the form of novelty lights that flash based on parasitic power extracted from the GSM antennae. The problems with this approach are that 1) it can only reliably detect active transmissions from the radio, and 2) malware that passively records the user’s position and delivers it as a deferred payload when the radios are intentionally activated cannot be detected. Furthermore, this approach is subject to spoofing; false positives can be triggered by the presence of nearby base stations. Such false alarms can confuse the user and eventually lead the user to be conditioned to ignore real alerts in hazardous situations.
Active jamming consists of building an external radio transmitter that attempts to inject false signals into the radios. Thus, even if malware were to activate the radios and listen for position-revealing signals, it would, in theory, report largely bogus position information. This is particularly effective against GPS, where GPS signals are very weak and thus even a weak local transmitter should be able to overpower the GPS satellites. However, active jamming was ruled out for several reasons. The jammer’s emissions could create a signal that can be traced to locate the reporter; the jammer will require substantial battery power, and the user is left vulnerable once the jammer’s power is exhausted. Furthermore, nearby base stations may still be detected by the receivers, as modern radio protocols have sophisticated designs to protect against unintentional jamming.
Selective physical isolation or termination of the antennae consists of inserting an electronic switch between the connectors of the logic board and the antenna. The switch, when activated, would shunt the antenna to a matched resistive load, which would greatly reduce the transmission power and receive sensitivity of the radios. However, experimental verification on the WiFi subsystem indicated that removing the antenna connection and permanently terminating with a shunt resistor still leaked sufficient RF into the receivers for local base stations (e.g., within the same room) to be detected, which could be sufficient information to betray a reporter’s location.
Methods that Do Meet our Criteria
Upon determining that semi-intrusive countermeasures were inadequate, we investigated options that involve measuring signals on the phone’s logic board, typically via test points designed in by the manufacturer. It is no surprise that complex systems such as the Apple iPhone 6 would have test points baked into the circuit board design to assist with debugging. These are an essential part of yield and customer experience improvement; defective units from the factory and the field are sent back to the headquarters, and engineers rely on these test points to determine the root cause of the device’s failure.
Using repair manual documentation acquired from the Hua Qiang electronics market, we cataloged a set of internal test points that were:
1. Accessible with low probability of damage to the logic board by a trained operator
2. Could provide meaningful data on the radio status
3. Would be difficult or impossible to disable or spoof (e.g., future-proof against adversaries aware of our research).
For the accessibility criteria (1), test points were considered viable even if they required desoldering an RF shield or the SIM card connector, and manual removal of solder mask. In our experience, a trained operator can perform these tasks with low probability of irreparable damage to the motherboard. These operations are not recommended for entry-level novices. However, our experiences in Shenzhen indicate that any technician with modest soldering skills can be trained to perform these operations reliably in about 1-2 days of practice on scrap motherboards. Thus, technicians could be trained to perform the modifications in any locale with sufficient demand for modified iPhones.
The following table is a list of test points we have accessed and have found to provide introspection data that potentially meets criteria (2) and (3).
[Table: internal signal candidates for introspection.]
[Figure: the FE1, FE2 bus probe experiment. Test points from the backside of the PCB are wired to the topside for easy probing.]
[Figure: the backside of the FE1, FE2 probe experiment. The test points are located adjacent to the NAND Flash, underneath an RF shield which was removed for this experiment. The test points were covered with solder mask, which was removed through mechanical abrasion.]
[Figure: the UART and GPS sync probing experiment. The majority of the test points are located underneath the SIM card connector, which was removed for this experiment.]
[Figure: the backside of the UART and GPS sync probing experiment. A pair of wires are run to break out WLAN_PERST and power-related signals for monitoring.]
Cellular Modem Introspection
The FE1 and FE2 serial buses run at 20 MHz, with a 1.8 V swing. This bus is used primarily to configure the cellular modem radios. When the radios are on, there is constant traffic on these buses. When in airplane mode, the traffic completely ceases.
[Figure: example of bus traffic on the FE1 bus.]
Cellular radios operate in a complex environment, and require constant adaptation of the antennae, power amplifiers, and band selection for proper operation. It is hypothesized that an attempt to even passively scan for base stations without transmitting will require traffic on this bus; at the very least, the antenna switches must be powered on and configured to receive. Therefore, cellular modem introspection may be as easy as noting if there is any activity on the FE buses during airplane mode.
We note for the sake of completeness that it may be possible for an attacker to statically configure the antenna, channel, and power amplifier settings and convert the device into a radio beacon that blasts out a signal that is inconsistent with the cellular modem standard but detectable through other means. In this mode, one would observe no traffic on the FE buses, but one could, in theory, triangulate the location of the transmitter with modified base stations or specially deployed receivers. This scenario can be mitigated by doing deep packet inspection and noting the addresses that should be hit to power down the cellular modem systems. If any devices are skipped during the power-off sequence, that would be flagged as a potentially hazardous condition.
However, this scenario would require modifications to the cellular modem transport specifications, and as such one would need to deploy modified base stations across the territory to gain adequate surveillance coverage. This would likely require extensive cooperation of both the baseband radio vendors and cellular providers to craft and effectively deploy such an exploit. Because of the difficulty, we imagine such an exploit would be available only to well-organized government-level adversaries.
Finally, the phone’s vendor, Apple, could volunteer (or be coerced) to push a signed update that sends random “NOP” packets over the FE buses during airplane mode to force false positives and make this technique less effective. Again, in such a case deep packet inspection could help to discard chaff from signal. Although future hardware versions could encrypt this bus to foil observation, we believe it is not possible to introduce bus encryption with a software-only change: the peripheral devices on this bus lack loadable firmware. Thus, at least for current phone models, deep packet inspection should be robust.
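As an added example (not code from the paper or its authors), the two deep-packet-inspection checks described above, applied to a constructed log of FE-bus writes: auditing the power-off sequence for skipped devices, and discarding "NOP" chaff before deciding whether airplane-mode traffic is an alert. The frame layout, the device addresses, the register numbers and what counts as a NOP are all assumptions; the real bus encoding and the iPhone 6's device map are not in the paper.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FeFrame:
    """One write observed by the tap on the FE1 or FE2 bus (constructed layout)."""
    bus: str    # "FE1" or "FE2"
    addr: int   # device address on that bus
    reg: int    # register written
    value: int  # value written


# Hypothetical device map: every front-end device that must receive the
# power-down value when the modem is told to enter airplane mode.
EXPECTED_POWER_DOWN = {("FE1", 0x0A), ("FE1", 0x0C), ("FE2", 0x03)}
PWR_REG = 0x1C   # hypothetical power-control register
PWR_OFF = 0x00   # hypothetical "off" value for that register
# Hypothetical registers with no configuration effect; writes to them are chaff.
NOP_REGS = {0x00, 0x7F}


def is_nop(frame: FeFrame) -> bool:
    """A frame that cannot change radio state, whichever device it is sent to."""
    return frame.reg in NOP_REGS


def audit_power_down(frames) -> set:
    """Inspect a power-off sequence and return the (bus, addr) devices that were
    NOT written with PWR_OFF. A non-empty result means a device was skipped, so
    the phone could keep radiating even though the FE buses go quiet afterwards."""
    powered_down = {(f.bus, f.addr) for f in frames
                    if f.reg == PWR_REG and f.value == PWR_OFF}
    return EXPECTED_POWER_DOWN - powered_down


def airplane_mode_violations(frames) -> list:
    """Frames seen while the radios are supposed to be off, chaff removed.
    An empty list means only NOP chaff was seen and no alert is raised; any
    remaining frame is a substantive configuration write and is an alert."""
    return [f for f in frames if not is_nop(f)]


# Constructed sample traffic, not a real capture.
GOOD_SHUTDOWN = [
    FeFrame("FE1", 0x0A, 0x02, 0x11),        # ordinary config write before power-off
    FeFrame("FE1", 0x0A, PWR_REG, PWR_OFF),
    FeFrame("FE1", 0x0C, PWR_REG, PWR_OFF),
    FeFrame("FE2", 0x03, PWR_REG, PWR_OFF),
]
SKIPPED_SHUTDOWN = [f for f in GOOD_SHUTDOWN if (f.bus, f.addr) != ("FE2", 0x03)]
CHAFF_ONLY = [FeFrame("FE1", 0x0A, 0x00, 0x00), FeFrame("FE2", 0x03, 0x7F, 0x55)]
CHAFF_PLUS_REAL = CHAFF_ONLY + [FeFrame("FE2", 0x03, PWR_REG, 0x01)]

if __name__ == "__main__":
    print("skipped devices:", audit_power_down(SKIPPED_SHUTDOWN))
    print("airplane-mode violations:", airplane_mode_violations(CHAFF_PLUS_REAL))
```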
WiFi & Bluetooth Introspection
The WiFi subsystem interfaces to the CPU through multiple buses, namely, PCI-express and a UART; the Bluetooth subsystem interfaces to the CPU through a UART, with a separate UART channel for coexistence. Because of the Bluetooth subsystem’s relatively simple interface, it should be possible to robustly detect Bluetooth activity by simply monitoring the BT UART signals.
The WLAN UART signals seem to carry configuration and status information regarding WiFi configuration, as evidenced by the UART trace below.
[Figure: example data on the Wifi UART as decoded by a Tek MDO4014B.]
Further exploration of the data contained within the signals is necessary to determine if it is possible for an adversary to perform access point scans, which is an effective means of geolocation, without invoking the UART. Unfortunately, the WiFi power remains on even in airplane mode, so monitoring WiFi voltage levels has no correlation with radio activity.
Significantly, WLAN, BT, and GPS risks can be mitigated by forcing the WLAN PCI bus into reset. By holding WLAN_PERST low prior to power-on and throughout boot, WiFi will fail to enumerate on the PCI bus. iOS will continue to boot and is fully usable, but in the Settings panel, WiFi will appear to be off and cannot be switched on. Attempts to switch on Bluetooth fail, and GPS, although active, cannot access its antenna as the antenna for GPS is shared with WiFi. Note that forcing WLAN_PERST low during normal operation forces a phone reboot, so disabling WiFi using this technique effectively necessitates a reboot.
This is a simple but effective method to force several critical subsystems to be off, with no chance for an updated firmware to bypass a WiFi hardware reset. However, the failure of Bluetooth and GPS subsystems to activate may be due to firmware-only dependencies. It is hypothesized that these systems rely on WiFi to initialize before activating the respective antenna switches for these subsystems, since they all share a common antenna port. Thus it may be possible for an exploit to be developed to force Bluetooth and GPS to be on even if WiFi is in reset. Furthermore, it may be possible for malware to fingerprint systems where the WiFi has failed to initialize, and flag these users for further monitoring.
Thus, depending on the user’s threat model, the WLAN_PERST defeat may be a simple but effective method to defeat several radios with a single signal, but it may also give away information to advanced adversaries on the presence of an introspection engine. Because of the effectiveness of the WLAN_PERST trick, we would present users with the option to activate this, but not require it.
Significantly, repair manuals indicate that the WiFi/Bluetooth module includes a hardware “RFKILL” pin. Apple leaves this pin unconnected and very difficult to access through mods, but if phone vendors wanted to support efforts like this, future revisions of phones could break such pins out to offer a more graceful defeat that doesn’t require rebooting the phone or leave a measurable signature while disabling these radios.
GPS Introspection
To date, we have identified three possible methods for detecting GPS activation. One is to look for activity on the BB UART bus. When GPS is active, coordinate data seems to be transmitted over the BB UART bus. A second is to look at the GPS_SYNC signal. When GPS is active, the GPS_SYNC signal pings the baseband at a rate of about once per second, with a pulse width inversely proportional to the quality of the GPS lock. A very wide pulse indicates a high degree of uncertainty in the GPS signal. Finally, the GPS has an independent power regulator which is turned off when the GPS is not active, to save power.
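As an added example (not the paper's code), the GPS_SYNC method above turned into a classifier over a sampled digital trace: find the high pulses, check that they arrive at roughly the one-per-second ping rate, and report the mean pulse width as the lock-quality indicator. The sample rate, the 20% period tolerance and the constructed waveforms are assumptions; the paper gives the rate as "about once per second" and no absolute width scale.

```python
def find_pulses(samples, sample_rate_hz):
    """Return [(start_s, width_s), ...] for every high pulse in a 0/1 sample list.
    A pulse still high at the end of the capture is reported with the width
    seen so far."""
    pulses, start = [], None
    for i, level in enumerate(samples):
        if level and start is None:
            start = i
        elif not level and start is not None:
            pulses.append((start / sample_rate_hz, (i - start) / sample_rate_hz))
            start = None
    if start is not None:
        pulses.append((start / sample_rate_hz, (len(samples) - start) / sample_rate_hz))
    return pulses


def gps_sync_status(samples, sample_rate_hz, expected_period_s=1.0, tolerance=0.2):
    """Classify a GPS_SYNC capture.

    active: at least two pulses, all spaced at the ~1 s ping rate (within tolerance).
    mean_width_s: wider pulses mean a worse lock, so the engine can show
    "GPS on, poor lock" versus "GPS on, good lock" without decoding anything else.
    """
    pulses = find_pulses(samples, sample_rate_hz)
    if len(pulses) < 2:
        return {"active": False, "pulse_count": len(pulses),
                "mean_period_s": None, "mean_width_s": None}
    periods = [b[0] - a[0] for a, b in zip(pulses, pulses[1:])]
    periodic = all(abs(p - expected_period_s) <= tolerance * expected_period_s
                   for p in periods)
    return {
        "active": periodic,
        "pulse_count": len(pulses),
        "mean_period_s": sum(periods) / len(periods),
        "mean_width_s": sum(w for _, w in pulses) / len(pulses),
    }


def make_sync_trace(sample_rate_hz, seconds, width_s, period_s=1.0):
    """Constructed GPS_SYNC waveform (not a real capture): one pulse of width_s
    every period_s, starting at t=0."""
    n = int(sample_rate_hz * seconds)
    samples = [0] * n
    width = round(width_s * sample_rate_hz)
    step = round(period_s * sample_rate_hz)
    for start in range(0, n, step):
        for k in range(start, min(start + width, n)):
            samples[k] = 1
    return samples


if __name__ == "__main__":
    print("good lock:", gps_sync_status(make_sync_trace(1000, 5, 0.05), 1000))
    print("poor lock:", gps_sync_status(make_sync_trace(1000, 5, 0.30), 1000))
    print("GPS idle :", gps_sync_status([0] * 5000, 1000))
```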
NFC Introspection/Defeat
For NFC, we decided that the risk/reward of selectively enabling and monitoring Apple Pay is not worth it. In other words, we do not expect journalists operating in conflict zones to be relying on Apple Pay to get their work done. Therefore, to simplify the effort, we opt to fully disable Apple Pay by disconnecting the RF front end from its antenna.
Fortunately, the NFC’s antenna is connected to the main logic board via a single screw. By removing this screw and separating the antenna from the main logic board, we hope to substantially and selectively reduce the sensitivity of the NFC radio. Further testing is required to determine if this is sufficient to guard against attacks by adversaries using high-power amplifiers to query the Apple Pay NFC feature. If found inadequate, further countermeasures, including but not limited to permanently removing the Apple Pay NFC RF front end chip from the main board, are options to prevent exploitation of the radio without leaving a clear signature that can be detected by an adversary.
[Figure: location of the Apple Pay antenna connection, highlighted in pink. Original image courtesy iFixit, CC-BY-NC-SA licensed.]
Next Steps and Field Deployment
Now that a set of viable signals has been identified for introspection, the next step is refining the system for field deployment.
From the outside, the introspection engine will look and behave like a typical battery case for the iPhone 6. However, in addition to providing extra power to the iPhone 6, the case will contain the introspection engine’s electronics core. The electronics core will likely consist of a small FPGA and an independent CPU running a code base completely separate from the iPhone 6’s CPU. This physical isolation of CPU cores minimizes the chance of malware from the phone infecting the introspection engine.
[Figure: conceptual rendering of a “battery case” style introspection engine, piggybacked on an iPhone 6.]
The battery case/introspection engine will also feature an independent screen to update the user on radio status; for example, it can inform the user on time elapsed since the last traffic was detected on any radio bus. Thus, users can field-verify that the bus taps are in place by briefly bringing the system out of airplane mode in a safe location. Any radio that does not report traffic out of airplane mode would indicate a hardware failure of the introspection engine. Of course, the system will also feature an audible alarm that can be set to trip in case any activity is seen on any set of radios. It might also be desirable to incorporate a “kill switch” feature which forcibly disconnects power to the phone in the case that a radio is found to be errantly transmitting.
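As an added example (not the project's own firmware), the status logic the paragraph above describes for the engine's independent CPU: a per-tap "time since last traffic" record, the airplane-mode alarm and optional kill switch, and the field-verification check that flags a tap that stays silent after the phone has deliberately been brought out of airplane mode. The tap names, the event interface and the timestamps are assumptions; the real engine would be fed by the FPGA front end rather than by the calls shown here.

```python
class RadioStatusMonitor:
    """State kept by the introspection engine's CPU, independent of the phone.
    Timestamps are seconds supplied by the caller so the logic is deterministic."""

    # Hypothetical tap list, named after the candidate signals the paper discusses.
    BUSES = ("FE1", "FE2", "BT_UART", "WLAN_UART", "BB_UART", "GPS_SYNC")

    def __init__(self, airplane_mode_expected: bool, kill_switch: bool = False):
        self.airplane_mode_expected = airplane_mode_expected
        self.kill_switch = kill_switch
        self.last_seen = {bus: None for bus in self.BUSES}
        self.alerts = []          # (timestamp, bus) for every violation
        self.power_cut = False    # True once the kill switch has fired

    def set_expectation(self, airplane_mode_expected: bool):
        """The user tells the engine what state the phone is supposed to be in."""
        self.airplane_mode_expected = airplane_mode_expected

    def on_activity(self, bus: str, now: float):
        """Called each time the front end sees traffic on a tapped bus."""
        if bus not in self.last_seen:
            raise ValueError(f"unknown tap {bus}")
        self.last_seen[bus] = now
        if self.airplane_mode_expected:
            # Core principle: radios are expected off, but a bus just moved.
            self.alerts.append((now, bus))
            if self.kill_switch:
                self.power_cut = True

    def idle_seconds(self, bus: str, now: float):
        """What the case's screen shows: time since last traffic, None if never seen."""
        t = self.last_seen[bus]
        return None if t is None else now - t

    def field_verify(self, now: float, window_s: float, buses=None):
        """Run after the user has left airplane mode for window_s seconds in a safe
        place. Any listed bus with no traffic inside the window means the tap (or the
        engine) is not working, which is the hardware-failure case of goal 3."""
        if self.airplane_mode_expected:
            raise RuntimeError("field verification needs the radios expected on")
        buses = self.BUSES if buses is None else buses
        return [bus for bus in buses
                if self.last_seen[bus] is None or now - self.last_seen[bus] > window_s]


if __name__ == "__main__":
    m = RadioStatusMonitor(airplane_mode_expected=True, kill_switch=True)
    m.on_activity("FE1", 10.0)                       # constructed event
    print("alerts:", m.alerts, "power cut:", m.power_cut)
    m.set_expectation(False)
    for bus in ("FE1", "FE2", "WLAN_UART"):
        m.on_activity(bus, 100.0)                    # constructed events
    print("silent taps:", m.field_verify(105.0, 30.0, ("FE1", "FE2", "BT_UART", "WLAN_UART")))
```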
In order to facilitate the robust wiring of the signal taps, a custom flexible printed circuit (FPC) will be designed with contacts pre-loaded at signal test point locations. This will streamline phone modifications while making the final product more robust. As the SIM card has to be removed for access to key test points, the FPC will also connect to the SIM card signals. An additional FPC will then exit via the existing SIM card port, making available to the introspection engine both the bus taps and the SIM card signals.
[Figure: the orange highlighted part is a proposed FPC which exits via the SIM card port and routes signals from the modified iPhone 6 main board to the introspection engine’s electronics.]
This architecture opens the possibility of the introspection engine featuring multiple SIM card slots. Although the system will still need to be rebooted when switching SIMs, it can be convenient for certain users to be able to switch SIMs rapidly without the use of any extra tools or worry of dropping and losing the tiny SIM cards. This is especially problematic, for example, when switching SIM cards during transit on unpaved, bumpy roads. It should be noted that changing SIM cards is no defense against geolocation; the IMEI remains constant despite the SIM card swap. The SIM card swapping feature is simply a convenience to reporters who need to maintain several numbers or data plans appropriate for multiple regions.
Over the coming year, we hope to prototype and verify the introspection engine’s abilities. As the project is run largely through volunteer efforts on a shoestring budget, it will proceed at a pace reflecting the practical limitations of donated time. If the prototype proves successful, the FPF may move to seek the necessary funding to develop and maintain a supply chain. This would enable the FPF to deploy modified iPhone 6 devices for field service among journalists in high-risk situations.
The techniques developed in this work should also be applicable to other makes and models of phones. Pervasive deployment of radio introspection techniques could be assisted with minimal cooperation of system vendors. By grouping radio control test points together, leaving them exposed, and publishing a terse description of each test point, direct introspection engines can be more rapidly deployed and retrofitted into future smartphones.
Furthermore, direct introspection may be extendable beyond the radio interfaces and into the file system layer. We theorize an introspection engine attached to the mass storage device within a phone; for example, an FPGA observing the SD bus between the CPU and the eMMC in a typical Android phone implementation. This introspection engine could observe, in real time, file manipulations and flag, or even block, potentially suspicious operations. With further system integration, the introspection engine could even perform an off-line integrity check of the file system or disk image. The efficacy of file system introspection is enhanced if the system integrator chooses to only sign OS-related files, but not encrypt them. As core OS files contain no user data or secrets, baring them for direct introspection would not impact the secrecy of user data while enabling third-party attestation of the OS’s integrity.
References
[1] Dana Priest. Washington Post. http://wpo.st/5W2l1
This work is licensed under a Creative Commons Attribution 4.0 International License.