Thursday, November 23, 2017

Android has been a bit naughty with its location tracking

I was pointed to this article today:

https://qz.com/1131515/google-collects-android-users-locations-even-when-location-services-are-disabled/

Basically it points out that, for the past year or so, Android has been reporting the location of phones even when location tracking is disabled.  More specifically, it tells Google whenever the phone comes within range of a cell tower.  Doing this for every cell tower a phone can hear yields a fairly good location estimate, especially once you integrate the reports over time.
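As an added illustration of why a log of tower sightings is sensitive (this is example code written for this page, not anything from the original post or from Google), the block below runs a weighted-centroid estimate over a sliding time window of constructed sightings. The tower table, cell ids and signal readings are all invented; the point is that a single tower gives only the tower's own position, while a few towers heard within a few minutes of each other narrow the estimate considerably.

```python
"""Weighted-centroid location estimate from cell-tower sightings.

Added example, not from the original post. Every tower coordinate,
cell id and signal reading below is constructed for illustration.
"""
from math import cos, radians, sqrt

# Constructed tower database: cell id -> (latitude, longitude).
TOWERS = {
    "tower-1": (-34.9200, 138.6000),
    "tower-2": (-34.9200, 138.6200),
    "tower-3": (-34.9400, 138.6100),
}

# Constructed sightings: (minute, cell id, received signal strength in dBm).
# This is the kind of record a phone would report when it comes within
# range of a tower, even with location services switched off.
SIGHTINGS = [
    (0, "tower-1", -95),
    (1, "tower-1", -90),
    (2, "tower-2", -90),
    (3, "tower-3", -100),
    (4, "tower-1", -85),
    (5, "tower-2", -85),
]


def signal_weight(rssi_dbm):
    """Relative weight for a signal reading: every 20 dB stronger is 10x the weight.
    A stronger signal usually means a nearer tower, so it pulls the estimate more."""
    return 10 ** ((rssi_dbm + 110) / 20.0)


def estimate_position(sightings, towers=TOWERS):
    """Weighted centroid of the towers heard in `sightings`.

    Uses the strongest reading seen per tower. Returns (lat, lon, towers_used)
    or None when no known tower was heard."""
    best = {}
    for _minute, cell, rssi in sightings:
        if cell in towers:
            best[cell] = max(rssi, best.get(cell, -1000))
    if not best:
        return None
    total = sum(signal_weight(r) for r in best.values())
    lat = sum(towers[c][0] * signal_weight(r) for c, r in best.items()) / total
    lon = sum(towers[c][1] * signal_weight(r) for c, r in best.items()) / total
    return lat, lon, len(best)


def track(sightings, window_minutes=3):
    """Integrate sightings over time: one estimate per minute, each built from
    the sightings in the preceding `window_minutes`. Returns a list of
    (minute, lat, lon, towers_used)."""
    out = []
    for now in sorted({m for m, _, _ in sightings}):
        recent = [s for s in sightings if now - window_minutes < s[0] <= now]
        est = estimate_position(recent)
        if est is not None:
            out.append((now, *est))
    return out


def distance_m(a, b):
    """Approximate distance in metres between two (lat, lon) pairs
    (equirectangular approximation, fine over a few kilometres)."""
    lat1, lon1 = a
    lat2, lon2 = b
    x = radians(lon2 - lon1) * cos(radians((lat1 + lat2) / 2))
    y = radians(lat2 - lat1)
    return sqrt(x * x + y * y) * 6371000


if __name__ == "__main__":
    for minute, lat, lon, n in track(SIGHTINGS):
        print(f"minute {minute}: {lat:.5f}, {lon:.5f} from {n} tower(s)")
```

The sliding window is what the article's "integrate it over time" amounts to in the simplest form: an observer who receives the sightings does not need GPS, only a table of tower positions, and the estimate tightens as more towers are heard within the window.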

The use of spyware in mobile devices is a topic we have discussed previously, both for people living in dangerous places and for victims of domestic violence and other contexts where being able to locate someone further compounds their vulnerability and tips the power imbalance in favour of an abusive person, organisation or otherwise.

The really naughty part in this current situation is that this was happening even without a SIM card in the phone, and even when location services were disabled in Android: there was no way to know it was happening, and no way to disable it even if you knew.  In fact, Google evidently realised it was naughty, since they phased it out more or less immediately once they had been called out on it.

This leads me to a topic we have been quietly working on in the background for the past couple of years: how can we trust modern computers and communications devices when they are so complex that it almost takes accidental discovery by dedicated researchers to find functions like this, which significantly damage privacy and safety and have been silently introduced to our devices, often through software updates long after the initial purchase?

Our response to this is to explore the creation of "simply secure" communications devices, i.e., communications devices so simple that their security can be quickly and confidently audited by a reasonably determined user, rather than requiring a team of researchers to explore.  Such devices should also make it much easier to be assured that the device cannot communicate with the outside world, including getting a location fix, when you don't want it to.

Such devices are easy to make. After all, a brick is a secure communications device, in that there isn't really any way to subvert the function of a lump of burnt clay.  But it isn't useful.  This is the opposite extreme from current devices, which are almost omnipotent but so easy to subvert.

The challenge is to design and create devices that sit at a sweet spot in the middle, where they are still simple enough to be confident in their correct function, yet not so simple as to be practically useless.

This is exactly the kind of device we are currently designing: a specialised smart-phone that will still be capable of secure email, telephone calls, SMS and so on, while being much more resistant to attack or subversion thanks to its simplicity and transparent auditability.

For example, it will have physical switches to power off the cellular modem, and the cellular modem will be completely sandboxed from the rest of the phone, including the GPS receiver, microphone and so on. Many of these modules will also be completely removable.

It will also allow full out-of-band memory inspection of the entire system, transparent to and independent of the processor, and provide a secure compartmentalised architecture that allows a paranoid process, for example an email decryption program, to be sure that even the hypervisor cannot interrupt it to exfiltrate private information.

We know that there are other folks active in similar spaces, including the excellent folks at Purism. We love what they are doing, and see our thinking in this space as complementary.  The Purism laptops (and soon phone) use all open hardware, so that if you need a full-function computer, it is as trustworthy as possible.  What we are looking to do is a little different: we want to see how simple we can go while preserving enough function to be useful. We are expecting the core operating system to fit in kilobytes of memory, not megabytes, and applications to be tens to hundreds of kilobytes, not megabytes.

There are lots of unanswered questions, not least whether the thing will actually be useful enough for anyone, but we are exploring and, all going well, hope to be able to produce a few prototype devices by the end of 2018.  We have also secured the necessary defence-related export clearance for such a device, precisely because its combined security measures place it at risk of tipping over into the category of dual-use equipment, so we have a green light there.

So my questions for all of you reading:


  1. Would any of you buy a "phone for the paranoid" along the lines of what I am describing?
  2. What are the absolute core functions that you would require, compared to the list below?
    • Make and receive telephone calls (en clair, and quite possibly end-to-end encrypted).
    • Send and receive SMS messages (en clair or encrypted).
    • Send and receive email, including GPG or similar encrypted.
    • Very basic web browsing, using a purposely cut-down browser.
    • Ability to run 3rd-party apps in a sandbox environment.



11 comments:

  1. Nice idea!

    On other side, please consider:

    The time and power you put into such device development are too "weak" in comparison to industry's possibilities. We (concerned developers/users) are too slow to be on the same technology level as industry. Each day dozens of new "useful" functions are invented and implemented in our devices, so there is no insurance that yesterday's technology will work tomorrow.

    IMHO, there should be other way to clean this mess...

    Best regards,
    Ivan

    1. Hello Ivan,

      Yes, I quite agree that the limited resources we can bring to bear are too small to keep up with commercial industry, which does create the risk you talk about. Nonetheless, we will try.

      Paul.

    2. My English is too weak to translate it, but still, I wanted to say: "Dem Wahnsinn der Kühnen verkünden wir Ruhm!" (this is the nearest translation from Russian to the original, by meaning)
      I like your optimistic vision, keep it up! Wish you good luck!!!

    3. Thanks :) If it is easier for you to talk in German, that is no problem for me.

      For those following along in English, the phrase translates roughly as "To the insanity of the brave, we proclaim them fame"

    4. Unfortunately, I don't speak German (well, Google translate not counted)

      I've used German because the given phrase is "checked for quality by time": A. von Krusenstjerna did all the hard job already. I can't do it better, so here is the language choice :)

  2. The idea sounds great. Yes, I would buy a phone like the one you dream about. And I would describe most of the functions from your list as essential core functions. SMS, is that something people still use?

    But to be able to communicate securely with my friends, it needs the ease of use of an iPhone and the modern design of a Samsung S8 (or similar). Otherwise I couldn't communicate securely with the people I want to communicate with. As much as I wish, I don't think you can pull that off.

    So how about instead focusing on secure communications for existing hardware?

    Christian

    1. Thanks for your reply. The trouble with trying to secure existing hardware is that it just isn't possible to do with any confidence, because the attack surfaces are too large. I agree that, in the first instance at least, making something that is super user-friendly will be hard to do. Although, by keeping the functionality very narrow, it is at least attainable with sufficient effort. But our intention is really to make functional hardware and software in the first instance to prove the concept. It will all be open-source, so refinement can occur after that. At least that's our thinking at this stage.

  3. Paul,

    An excellent post that, once again, shows we can never rest in terms of protecting our privacy. In terms of developing this, I would be inclined to go for the most basic device and 'ride the next wave' which is a decentralised AR ecosystem e.g. this link - https://www.lucyd.co/

    We'd love to have the security of your system integrated into such glasses for our mobility use by our 'ZipQuad ATV Oilot' drivers.

    Regards
    Ed Bell-King

    1. Always happy to talk. You have my contact details.

      Paul.

  4. https://www.mgtci.com/content/products/pphone/index.html
    something similar to this?

    1. In terms of isolatable hardware, yes. However, they are still offering what amounts to a full-function Android phone. I still can't imagine how I would verify the security of the software running on this device, and thus I couldn't fully trust it. It's that gap that I am trying to find ways to close. I know my solution will be imperfect, nonetheless, but I think it is important to experiment in this space.

      Paul.
