Edward Snowden Proposes Smartphone Privacy

Whistle-blower turned Russia-based privacy advocate Edward Snowden has proposed a device that will inform users when their phones are tracking or disclosing their location.

Named “The Introspection Engine”, this will be an open source, user-inspectable and field-verifiable module attached to an existing smart phone “that makes no assumptions about the trustability of the phone’s operating system”.

In a lengthy article, Snowden said: “Turning off radios by entering airplane mode is no defense. Furthermore, airplane mode is a ‘soft switch’; the graphics on the screen have no essential correlation with the hardware state. Malware packages, peddled by hackers at a price accessible by private individuals, can activate radios without any indication from the user interface; trusting a phone that has been hacked to go into airplane mode is like trusting a drunk person to judge if they are sober enough to drive.”

Snowden intended the application to be for journalists working in sensitive areas, as “smartphones are extremely complex and present a large, porous attack surface” and “even a perfectly secure phone will not save a reporter from ‘victim-operated’ exploits such as spear-phishing”.

He intended the Introspection Engine to monitor radio activity using a measurement tool contained in a phone-mounted battery case, and to be capable of alerting a reporter to a dangerous situation in real time. “The core principle is simple: if the reporter expects radios to be off, alert the user when they are turned on,” he said.

“This work is not just an academic exercise; ultimately we must provide a field-ready introspection solution to protect reporters at work. Although the general principles underlying this work can be applied to any phone, reducing these principles to practice requires a significant amount of reverse engineering, as there are no broadly supported open source phone solutions on the market.”

He said that from the outside, the Introspection Engine will look and behave like a typical battery case for the iPhone 6. As well as providing extra power to the iPhone 6, the case will contain the introspection engine’s electronics core.

“The electronics core will likely consist of a small FPGA and an independent CPU running a code base completely separate from the iPhone 6’s CPU,” he said. “This physical isolation of CPU cores minimizes the chance of malware from the phone infecting the introspection engine.”

Snowden intends to build a prototype over the coming year and verify the introspection engine’s abilities. It will be built for the iPhone 6 and later for other makes and models of phones.

“By grouping radio control test points together, leaving them exposed, and publishing a terse description of each test point, direct introspection engines can be more rapidly deployed and retrofitted into future smartphones,” he said.

However, Cesare Garlati, chief security strategist at the prpl Foundation, doubted how this would aid the confidentiality, integrity and authenticity of mobile communications.

He said: “There is an easier way to make sure your mobile device doesn't send unwanted communications: turn it off and remove the battery, and if you really care about this, don't buy ‘sealed’ devices that don't allow you to remove the battery.”

Infosecurity: http://bit.ly/2aiZrNz
