AgainsttheLaw:CounteringLawfulAbusesofDigitalSurveillanceAndrew‘bunnie’Huang EdwardSnowden

Front-linejournalistsarehigh-valuetargets,andtheirenemieswillsparenoexpensetosilencethem.Unfortunately,journalistscanbebetrayedbytheirowntools.Theirsmartphonesarealsotheperfecttrackingdevice.BecauseoftheprecedentsetbytheUS’s“third-partydoctrine,”whichholdsthatmetadataonsuchsignalsenjoysnomeaningfullegalprotection,governmentsandpowerfulpoliticalinstitutionsaregainingaccesstocomprehensiverecordsofphoneemissionsunwittinglybroadcastbydeviceowners.Thisleavesjournalists,activists,andrightsworkersinapositionofvulnerability.Thisworkaimstogivejournaliststhetoolstoknowwhentheirsmartphonesaretrackingordisclosingtheirlocationwhenthedevicesaresupposedtobeinairplanemode.Weproposetoaccomplishthisviadirectintrospectionofsignalscontrollingthephone’sradiohardware.Theintrospectionenginewillbeanopensource,user-inspectableandfield-verifiablemoduleattachedtoanexistingsmartphonethatmakesnoassumptionsaboutthetrustabilityofthephone’soperatingsystem.

IntroductionandProblemStatement

Front-linejournalistsrisktheirlivestoreportfromconflictregions.Castingaspotlightonatrocities,theirupdatescanalterthetidesofwarandoutcomesofelections.Asaresult,front-linejournalistsarehigh-valuetargets,andtheirenemieswillsparenoexpensetosilencethem.Inthepastdecade,hundredsofjournalistshavebeencaptured,torturedandkilled.Thesejournalistshavebeenreportinginconflictzones,suchasIraqandSyria,orinregionsofpoliticalinstability,suchasthePhilippines,Mexico,andSomalia.

Unfortunately,journalistscanbebetrayedbytheirowntools.Theirsmartphones,anessentialtoolforcommunicatingwithsourcesandtheoutsideworld–aswellasfortakingphotosandauthoringarticles–arealsotheperfecttrackingdevice.LegalbarriersbarringtheaccesstounwittingphonetransmissionsarefailingbecauseoftheprecedentsetbytheUS’s“third-partydoctrine,”whichholdsthatmetadataonsuchsignalsenjoysnolegalprotection.Asaresult,governmentsandpowerfulpoliticalinstitutionsaregainingaccesstocomprehensiverecordsofphoneemissionsunwittingly

broadcastbydeviceowners.Thisleavesjournalists,activists,andrightsworkersinapositionofvulnerability.ReporterMarieColvin’s2012deathisatragicreminderofhowrealthisvulnerabilitycanbe.AlawsuitagainsttheSyriangovernmentfiledin2016allegesshewasdeliberatelytargetedandkilledbySyriangovernmentartilleryfire.Thelawsuitdescribeshowherlocationwasdiscoveredinpartthroughtheuseofinterceptdevicesthatmonitoredsatellite-dishandcellphonecommunications.[1]

Turningoffradiosbyenteringairplanemodeisnodefense;forexample,oniPhonessinceiOS8.2,GPSisactiveinairplanemode.Furthermore,airplanemodeisa“softswitch”–thegraphicsonthescreenhavenoessentialcorrelationwiththehardwarestate.Malwarepackages,peddledbyhackersatapriceaccessiblebyprivateindividuals,canactivateradioswithoutanyindicationfromtheuserinterface;trustingaphonethathasbeenhackedtogointoairplanemodeisliketrustingadrunkpersontojudgeiftheyaresoberenoughtodrive.

Thisworkaimstogivejournaliststhetoolstoknowwhentheirsmartphonesaretrackingordisclosingtheirlocationwhenthedevicesaresupposedtobeinairplanemode.

ApproachandGoals

Numerousresearchersandextensivecorporateresourceshavebeendedicatedtothetaskofbuildingamoresecuresmartphone.However,smartphonesareextremelycomplexandpresentalarge,porousattacksurface.Furthermore,evenaperfectlysecurephonewillnotsaveareporterfrom“victim-operated”exploitssuchasspearphishing.Eliminatingthisvectoriscomplicatedbythefactthateffectivereportersmustcommunicatewithadiversearrayofsourceswhomayintentionallyorunintentionallyconveyamalwarepayloadtothereporter.

Asaresult,thisworkstartswiththeassumptionthataphonecanandwillbecompromised.Insuchasituation,areportercannottaketheUIstatusatfacevalue.Instead,weaimtoprovidefield-readytoolsthatenableareportertoobserveandinvestigatethestatusofthephone’sradiosdirectlyandindependentlyofthephone’snativehardware.Wecallthisdirectintrospection.

Ourworkproposestomonitorradioactivityusingameasurementtoolcontainedinaphone-mountedbatterycase.Wecallthistoolanintrospectionengine.Theintrospectionenginehasthecapabilitytoalertareporterofadangeroussituationinreal-time.Thecoreprincipleissimple:ifthereporter

expectsradiostobeoff,alerttheuserwhentheyareturnedon.

Ourintrospectionengineisdesignedwiththefollowinggoalsinmind:

1. Completelyopensourceanduser-inspectable(“Youdon’thavetotrustus”)2. Introspectionoperationsareperformedbyanexecutiondomaincompletely

separatedfromthephone’sCPU(“don’trelyonthosewithimpairedjudgmenttofairlyjudgetheirstate”)

3. Properoperationofintrospectionsystemcanbefield-verified(guardagainst“evilmaid”attacksandhardwarefailures)

4. Difficulttotriggerafalsepositive(usersignoreordisablesecurityalertswhentherearetoomanypositives)

5. Difficulttoinduceafalsenegative,evenwithsignedfirmwareupdates(“don’ttrustthesystemvendor”–state-leveladversarieswithfullcooperationofsystemvendorsshouldnotbeabletocraftsignedfirmwareupdatesthatspooforbypasstheintrospectionengine)

6. Asmuchaspossible,theintrospectionsystemshouldbepassiveanddifficulttodetectbythephone’soperatingsystem(preventblack-listing/targetingofusersbasedonintrospectionenginesignatures)

7. Simple,intuitiveuserinterfacerequiringnospecializedknowledgetointerpretoroperate(avoidusererrorleadingtofalsenegatives;“journalistsshouldn’thavetobecryptographerstobesafe”)

8. Finalsolutionshouldbeusableonadailybasis,withminimalimpactonworkflow(avoidforcingfieldreportersintothechoicebetweentheirpersonalsecurityandbeinganeffectivejournalist)

Thisworkisnotjustanacademicexercise;ultimatelywemustprovideafield-readyintrospectionsolutiontoprotectreportersatwork.Althoughthegeneralprinciplesunderlyingthisworkcanbeappliedtoanyphone,reducingtheseprinciplestopracticerequiresasignificantamountofreverseengineering,astherearenobroadlysupportedopensourcephonesolutionsonthemarket.Thuswefocusonasinglephonemodel,the4.7”iPhone6byAppleInc.,asthesubjectforfielddeployment.Thechoiceofmodelisdrivenprimarilybywhatweunderstandtobethecurrentpreferencesandtastesofreporters.Ithaslittletodowiththerelativesecurityofanyplatform,asweassumeanyplatform,beitiOSorAndroid,canandwillbecompromisedbystate-leveladversaries.

Methods&IntermediateResults

ThefirststeptowardexecutingthisworkwastovisittheHuaQiangelectronicsmarketsofShenzhentocollectsamplesanddocumentationforevaluation.ThesemarketsaregroundzeroforthetradeandpracticeofiPhonerepair;assuch,itisarichsourceofsparepartsandrepairmanuals.TherepairmanualsfrequentlycontaindetailedblueprintsoftheiPhone6,

whichwereusedtoassistthereverseengineeringeffort.

Basedonthephonemodelselectionandavailabledocumentation,wecanenumeratetheradiointerfacesavailable:

Cellularmodem–2G/3G/4GWifi/BTGPSNFC(ApplePay)

AlthoughourworkcanbeextendedtoinputsystemssuchastheIMU(inertialmeasurementunit),barometer,microphoneandcamera,tofocustheeffortwerestrictourexplorationtoonlyRFinterfacesthatcandirectlybetrayauser’slocation.Notethatacameracanbedefeatedbyobscuringthelens;assuchthefinalphysicaldesignofourbatterycasewilllikelyincludeafeaturetoselectivelyobscuretherearcameralens.

MethodsthatDoNotMeetourCriteria

Numeroussemi-intrusivecountermeasureswereconsideredalongthewaytoourcurrentsolution,includingbutnotlimitedtoRFspectrummonitoring,activejamming,andtheselectivephysicalisolationorterminationofantennae.Semi-intrusivecountermeasureswouldrequireminimalmodificationtothephoneitself,whichisdesirableasitsimplifiesfielddeploymentandcouldevenenablereporterstoperformthemodificationswithoutanyspecialtools.Unfortunately,allofthesemethodsweredeemedtobeinadequate,asdiscussedinthefollowingparagraphs.

RFspectrummonitoringconsistsofbuildinganexternalradioreceiverthatcandetecttransmissionsemanatingfromthephone’sradios.Insomecases,itwashypothesizedthatthereceivercouldbeastrivialasanRFpowermonitorwithintheanticipatedradiobands.AsimpleexampleofsuchmonitoringalreadyexistsintheformofnoveltylightsthatflashbasedonparasiticpowerextractedfromtheGSMantennae.Theproblemswiththisapproachisthat1)itcanonlyreliablydetectactivetransmissionsfromtheradio,and2)malwarethatpassivelyrecordstheuser’spositionanddeliversitasadeferredpayloadwhentheradiosareintentionallyactivatedcannotbedetected.Furthermore,thisapproachissubjecttospoofing;falsepositivescanbetriggeredbythepresenceofnearbybasestations.Suchfalsealarmscanconfusetheuserandeventuallyleadtheusertobeconditionedtoignorerealalertsinhazardoussituations.

Activejammingconsistsofbuildinganexternalradiotransmitterthatattemptstoinjectfalsesignalsintotheradios.Thus,evenifmalwarewereto

activatetheradiosandlistenforposition-revealingsignals,itwould,intheory,reportlargelyboguspositioninformation.ThisisparticularlyeffectiveagainstGPS,whereGPSsignalsareveryweakandthusevenaweaklocaltransmittershouldbeabletooverpowertheGPSsatellites.However,activejammingwasruledoutforseveralreasons.Thejammer’semissionscouldcreateasignalthatcanbetracedtolocatethereporter;thejammerwillrequiresubstantialbatterypower,andtheuserisleftvulnerableoncethejammer’spowerisexhausted.Furthermore,nearbybasestationsmaystillbedetectedbythereceivers,asmodernradioprotocolshavesophisticateddesignstoprotectagainstunintentionaljamming.

Selectivephysicalisolationorterminationoftheantennaeconsistsofinsertinganelectronicswitchbetweentheconnectorsofthelogicboardandtheantenna.Theswitch,whenactivated,wouldshunttheantennatoamatchedresistiveload,whichwouldgreatlyreducethetransmissionpowerandreceivesensitivityoftheradios.However,experimentalverificationontheWiFisubystemindicatedthatremovingtheantennaconnectionandpermanentlyterminatingwithashuntresistorstillleakedsufficientRFintothereceiversforlocalbasestations(e.g.,withinthesameroom)tobedetected,whichcouldbesufficientinformationtobetrayareporter’slocation.

MethodsthatDoMeetourCriteria

Upondeterminingthatsemi-intrusivecountermeasureswereinadequate,weinvestigatedoptionsthatinvolvemeasuringsignalsonthephone’slogicboard,typicallyviatestpointsdesignedinbythemanufacturer.ItisnosurprisethatcomplexsystemssuchastheAppleiPhone6wouldhavetestpointsbakedintothecircuitboarddesigntoassistwithdebugging.Theseareanessentialpartofyieldandcustomerexperienceimprovement;defectiveunitsfromthefactoryandthefieldaresentbacktotheheadquarters,andengineersrelyonthesetestpointstodeterminetherootcauseofthedevice’sfailure.

UsingrepairmanualdocumentationacquiredfromtheHuaQiangelectronicsmarket,wecatalogedasetofinternaltestpointsthatwere:

1. Accessiblewithlowprobabilityofdamagetothelogicboardbyatrainedoperator2. Couldprovidemeaningfuldataontheradiostatus3. Wouldbedifficultorimpossibletodisableorspoof(e.g.,future-proofagainst

adversariesawareofourresearch).

Fortheaccessibilitycriteria(1),testpointswereconsideredviableeveniftheyrequireddesolderinganRFshieldortheSIMcardconnector,andmanualremovalofsoldermask.Inourexperience,atrainedoperatorcan

performthesetaskswithlowprobabilityofirreparabledamagetothemotherboard.Theseoperationsarenotrecommendedforentry-levelnovices.However,ourexperiencesinShenzhenindicatethatanytechnicianwithmodestsolderingskillscanbetrainedtoperformtheseoperationsreliablyinabout1-2daysofpracticeonscrapmotherboards.Thus,technicianscouldbetrainedtoperformthemodificationsinanylocalewithsufficientdemandformodifiediPhones.

Thefollowingtableisalistoftestpointswehaveaccessedandhavefoundtoprovideintrospectiondatathatpotentiallymeetcriteria(2)and(3).

Above:tableofinternalsignalcandidatesforintrospection.

Above:imageoftheFE1,FE2busprobeexperiment.TestpointsfromthebacksideofthePCBarewiredtothetopsideforeasyprobing.

Above:imageofthebacksideoftheFE1,FE2probeexperiment.ThetestpointsarelocatedadjacenttotheNANDFlash,underneathanRFshieldwhichwasremovedforthisexperiment.Thetestpointswerecoveredwithsoldermask,whichwasremovedthroughmechanicalabrasion.

Above:imageoftheUARTandGPSsyncprobingexperiment.ThemajorityofthetestpointsarelocatedunderneaththeSIMcardconnector,whichwasremovedforthisexperiment.

Above:imageofthebacksideoftheUARTandGPSsyncprobingexperiment.ApairofwiresareruntobreakoutWLAN_PERSTandpower-relatedsignalsformonitoring.

CellularModemIntrospection

TheFE1andFE2serialbusesrunat20MHz,witha1.8Vswing.Thisbusis

usedprimarilytoconfigurethecellularmodemradios.Whentheradiosareon,thereisconstanttrafficonthesebuses.Wheninairplanemode,thetrafficcompletelyceases.

Above:exampleofbustrafficontheFE1bus.

Cellularradiosoperateinacomplexenvironment,andrequireconstantadaptationoftheantennae,poweramplifiers,andbandselectionforproperoperation.Itishypothesizedthatanattempttoevenpassivelyscanforbasestationswithouttransmittingwillrequiretrafficonthisbus;attheveryleast,theantennaswitchesmustbepoweredonandconfiguredtoreceive.Therefore,cellularmodemintrospectionmaybeaseasyasnotingifthereisanyactivityontheFEbusesduringairplanemode.

Wenoteforthesakeofcompletenessthatitmaybepossibleforanattackertostaticallyconfiguretheantenna,channel,andpoweramplifiersettingsandconvertthedeviceintoaradiobeaconthatblastsoutasignalthatisinconsistentwiththecellularmodemstandardbutdetectablethroughothermeans.Inthismode,onewouldobservenotrafficontheFEbuses,butonecould,intheory,triangulatethelocationofthetransmitterwithmodifiedbasestationsorspeciallydeployedreceivers.Thisscenariocanbemitigatedbydoingdeeppacketinspectionandnotingtheaddressesthatshouldbehittopowerdownthecellularmodemsystems.Ifanydevicesareskippedduringthepower-offsequence,thatwouldbeflaggedasapotentiallyhazardouscondition.

However,thisscenariowouldrequiremodificationstothecellularmodemtransportspecifications,andassuchonewouldneedtodeploymodifiedbasestationsacrosstheterritorytogainadequatesurveillancecoverage.Thiswouldlikelyrequireextensivecooperationofboththebasebandradiovendorsandcellularproviderstocraftandeffectivelydeploysuchanexploit.Becauseofthedifficulty,weimaginesuchanexploitwouldbeavailableonlytowell-organizedgovernment-leveladversaries.

Finally,thephone’svendor,Apple,couldvolunteer(orbecoerced)topushasignedupdatethatsendsrandom“NOP”packetsovertheFEbusesduringairplanemodetoforcefalsepositivesandmakethistechniquelesseffective.Again,insuchacasedeeppacketinspectioncouldhelptodiscardchafffromsignal.Althoughfuturehardwareversionscouldencryptthisbustofoilobservation,webelieveitisnotpossibletointroducebusencryptionwithasoftware-onlychange:theperipheraldevicesonthisbuslackloadablefirmware.Thus,atleastforcurrentphonemodels,deeppacketinspectionshouldberobust.

WiFi&BluetoothIntrospection

TheWiFisubsysteminterfacestotheCPUthroughmultiplebuses,namely,PCI-expressandaUART;theBluetoothsubsysteminterfacestotheCPUthroughaUART,withaseparateUARTchannelforcoexistence.BecauseoftheBluetoothsubsystem’srelativelysimpleinterface,itshouldbepossibletorobustlydetectBluetoothactivitybysimplymonitoringtheBTUARTsignals.

TheWLANUARTsignalsseemtocarryconfigurationandstatusinformationregardingWiFiconfiguration,asevidencedbytheUARTtracebelow.

Above:exampledataontheWifiUARTasdecodedbyaTekMDO4014B.

Furtherexplorationofthedatacontainedwithinthesignalsisnecessarytodetermineifitispossibleforanadversarytoperformaccesspointscans,whichisaneffectivemeansofgeolocation,withoutinvokingtheUART.Unfortunately,theWiFipowerremainsoneveninairplanemode,somonitoringWiFivoltagelevelshasnocorrelationwithradioactivity.

Significantly,WLAN,BT,andGPSriskscanbemitigatedbyforcingtheWLANPCIbusintoreset.ByholdingWLAN_PERSTlowpriortopower-onandthroughoutboot,WiFiwillfailtoenumerateonthePCIbus.iOSwillcontinuetobootandisfullyusable,butintheSettingspanel,WiFiwillappeartobeoffandcannotbeswitchedon.AttemptstoswitchonBluetoothfail,andGPS,althoughactive,cannotaccessitsantennaastheantennaforGPSissharedwithWiFi.NotethatforcingWLAN_PERSTlowduringnormaloperationforcesaphonereboot,sodisablingWiFiusingthistechniqueeffectivelynecessitatesareboot.

Thisisasimplebuteffectivemethodtoforceseveralcriticalsubsystemstobeoff,withnochanceforanupdatedfirmwaretobypassaWiFihardwarereset.However,thefailureofBluetoothandGPSsubsystemstoactivatemaybeduetofirmware-onlydependencies.ItishypothesizedthatthesesystemsrelyonWiFitoinitializebeforeactivatingtherespectiveantennaswitchesforthesesubsystems,sincetheyallshareacommonantennaport.ThusitmaybepossibleforanexploittobedevelopedtoforceBluetoothandGPStobeonevenifWiFiisinreset.Furthermore,itmaybepossibleformalwareto

fingerprintsystemswheretheWiFihasfailedtoinitialize,andflagtheseusersforfurthermonitoring.

Thus,dependingontheuser’sthreatmodel,theWLAN_PERSTdefeatmaybeasimplebuteffectivemethodtodefeatseveralradioswithasinglesignal,butitmayalsogiveawayinformationtoadvancedadversariesonthepresenceofanintrospectionengine.BecauseoftheeffectivenessoftheWLAN_PERSTtrick,wewouldpresentuserswiththeoptiontoactivatethis,butnotrequireit.

Significantly,repairmanualsindicatethattheWiFi/Bluetoothmoduleincludesahardware“RFKILL”pin.Appleleavesthispinunconnectedandverydifficulttoaccessthroughmods,butifphonevendorswantedtosupporteffortslikethis,futurerevisionsofphonescouldbreaksuchpinsouttoofferamoregracefuldefeatthatdoesn’trequirerebootingthephoneorleaveameasurablesignaturewhiledisablingtheseradios.

GPSIntrospection

Todate,wehaveidentifiedthreepossiblemethodsfordetectingGPSactivation.OneistolookforactivityontheBBUARTbus.WhenGPSisactive,coordinatedataseemstobetransmittedovertheBBUARTbus.AsecondistolookattheGPS_SYNCsignal.WhenGPSisactive,theGPS_SYNCsignalpingsthebasebandatarateofaboutoncepersecond,withapulsewidthinverselyproportionaltothequalityoftheGPSlock.AverywidepulseindicatesahighdegreeofuncertaintyintheGPSsignal.Finally,theGPShasanindependentpowerregulatorwhichisturnedoffwhentheGPSisnotactive,tosavepower.

NFCIntrospection/Defeat

ForNFC,wedecidedthattherisk/rewardofselectivelyenablingandmonitoringApplePayisnotworthit.Inotherwords,wedonotexpectjournalistsoperatinginconflictzonestoberelyingonApplePaytogettheirworkdone.Therefore,tosimplifytheeffort,weopttofullydisableApplePaybydisconnectingtheRFfrontendfromitsantenna.

Fortunately,theNFC’santennaisconnectedtothemainlogicboardviaasinglescrew.Byremovingthisscrewandseparatingtheantennafromthemainlogicboard,wehopetosubstantiallyandselectivelyreducethesensitivityoftheNFCradio.Furthertestingisrequiredtodetermineifthisissufficienttoguardagainstattacksbyadversariesusinghigh-poweramplifierstoquerytheApplePayNFCfeature.Iffoundinadequate,further

countermeasures,includingbutnotlimitedtopermanentlyremovingtheApplePayNFCRFfrontendchipfromthemainboard,areoptionstopreventexploitationoftheradiowithoutleavingaclearsignaturethatcanbedetectedbyanadversary.

Above:locationoftheApplePayantennaconnection,highlightedinpink.OriginalimagecourtesyiFixit,CC-BY-NC-SAlicensed.

NextStepsandFieldDeployment

Nowthatasetofviablesignalshasbeenidentifiedforintrospection,thenextstepisrefiningthesystemforfielddeployment.

Fromtheoutside,theintrospectionenginewilllookandbehavelikeatypicalbatterycasefortheiPhone6.However,inadditiontoprovidingextrapowertotheiPhone6,thecasewillcontaintheintrospectionengine’selectronicscore.TheelectronicscorewilllikelyconsistofasmallFPGAandanindependentCPUrunningacodebasecompletelyseparatefromtheiPhone6’sCPU.ThisphysicalisolationofCPUcoresminimizesthechanceofmalwarefromthephoneinfectingtheintrospectionengine.

Above:Conceptualrenderingofa“batterycase”styleintrospectionengine,piggybackedonaniPhone6.

Thebatterycase/introspectionenginewillalsofeatureanindependentscreentoupdatetheuseronradiostatus;forexample,itcaninformtheuserontimeelapsedsincethelasttrafficwasdetectedonanyradiobus.Thus,userscanfield-verifythatthebustapsareinplacebybrieflybringingthesystemoutofairplanemodeinasafelocation.Anyradiothatdoesnotreporttrafficoutofairplanemodewouldindicateahardwarefailureoftheintrospectionengine.Ofcourse,thesystemwillalsofeatureanaudiblealarmthatcanbesettotripincaseanyactivityisseenonanysetofradios.Itmightalsobedesirabletoincorporatea“killswitch”featurewhichforciblydisconnectspowertothephoneinthecasethataradioisfoundtobeerrantlytransmitting.

Inordertofacilitatetherobustwiringofthesignaltaps,acustomflexibleprintedcircuit(FPC)willbedesignedwithcontactspre-loadedatsignaltestpointlocations.Thiswillstreamlinephonemodificationswhilemakingthefinalproductmorerobust.AstheSIMcardhastoberemovedforaccesstokeytestpoints,theFPCwillalsoconnecttotheSIMcardsignals.AnadditionalFPCwillthenexitviatheexistingSIMcardport,makingavailabletotheintrospectionengineboththebustapsandtheSIMcardsignals.

Above:TheorangehighlightedpartisaproposedFPCwhichexitsviatheSIMcardportandroutessignalsfromthemodifiediPhone6mainboardtotheintrospectionengine’selectronics.

ThisarchitectureopensthepossibilityoftheintrospectionenginefeaturingmultipleSIMcardslots.AlthoughthesystemwillstillneedtoberebootedwhenswitchingSIMs,itcanbeconvenientforcertainuserstobeabletoswitchSIMsrapidlywithouttheuseofanyextratoolsorworryofdroppingandlosingthetinySIMcards.Thisisespeciallyproblematic,forexample,whenswitchingSIMcardsduringtransitonunpaved,bumpyroads.ItshouldbenotedthatchangingSIMcardsisnodefenseagainstgeolocation;theIMEIremainsconstantdespitetheSIMcardswap.TheSIMcardswappingfeatureissimplyaconveniencetoreporterswhoneedtomaintainseveralnumbersordataplansappropriateformultipleregions.

Overthecomingyear,wehopetoprototypeandverifytheintrospectionengine’sabilities.Astheprojectisrunlargelythroughvolunteereffortsonashoestringbudget,itwillproceedatapacereflectingthepracticallimitationsofdonatedtime.Iftheprototypeprovessuccessful,theFPFmaymovetoseekthenecessaryfundingtodevelopandmaintainasupplychain.ThiswouldenabletheFPFtodeploymodifiediPhone6devicesforfieldserviceamongjournalistsinhigh-risksituations.

Thetechniquesdevelopedinthisworkshouldalsobeapplicabletoothermakesandmodelsofphones.Pervasivedeploymentofradiointrospectiontechniquescouldbeassistedwithminimalcooperationofsystemvendors.By

groupingradiocontroltestpointstogether,leavingthemexposed,andpublishingatersedescriptionofeachtestpoint,directintrospectionenginescanbemorerapidlydeployedandretrofittedintofuturesmartphones.

Furthermore,directintrospectionmaybeextendablebeyondtheradiointerfacesandintothefilesystemlayer.Wetheorizeanintrospectionengineattachedtothemassstoragedevicewithinaphone;forexample,anFPGAobservingtheSDbusbetweentheCPUandtheeMMCinatypicalAndroidphoneimplementation.Thisintrospectionenginecouldobserve,inrealtime,filemanipulationsandflag,orevenblock,potentiallysuspiciousoperations.Withfurthersystemintegration,theintrospectionenginecouldevenperformanoff-lineintegritycheckofthefilesystemordiskimage.TheefficacyoffilesystemintrospectionisenhancedifthesystemintegratorchoosestoonlysignOS-relatedfiles,butnotencryptthem.AscoreOSfilescontainnouserdataorsecrets,baringthemfordirectintrospectionwouldnotimpactthesecrecyofuserdatawhileenablingthird-partyattestationoftheOS’sintegrity.

References[1] DanaPriest.WashingtonPost.[http://wpo.st/5W2l1]

ThisworkislicensedunderaCreativeCommonsAttribution4.0InternationalLicense.