Edward Snowden Proposes Smartphone Privacy

Uploaded on 2016-08-31 in NEWS-Cybersecurity News, INTELLIGENCE--International, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Whistle-blower turned Russia-based privacy advocate Edward Snowden has proposed a device that will inform users when their phones are tracking or disclosing their location.

Named “The Introspection Engine”, this will be an open source, user-inspectable and field-verifiable module attached to an existing smart phone “that makes no assumptions about the trustability of the phone’s operating system”.

In a lengthy article, Snowden said: “Turning off radios by entering airplane mode is no defense. Furthermore, airplane mode is a “soft switch”; the graphics on the screen have no essential correlation with the hardware state. Malware packages, peddled by hackers at a price accessible by private individuals, can activate radios without any indication from the user interface; trusting a phone that has been hacked to go into airplane mode is like trusting a drunk person to judge if they are sober enough to drive.”

Snowden intended the application to be for journalists working in sensitive areas, as “smartphones are extremely complex and present a large, porous attack surface” and “even a perfectly secure phone will not save a reporter from ‘victim-operated’ exploits such as spear-phishing”.

He intended the Introspection Engine to monitor radio activity using a measurement tool contained in a phone-mounted battery case, which engine has the capability to alert a reporter of a dangerous situation in real-time. “The core principle is simple: if the reporter expects radios to be off, alert the user when they are turned on,” he said.

“This work is not just an academic exercise; ultimately we must provide a field-ready introspection solution to protect reporters at work. Although the general principles underlying this work can be applied to any phone, reducing these principles to practice requires a significant amount of reverse engineering, as there are no broadly supported open source phone solutions on the market.”

He said that from the outside, the Introspection Engine will look and behave like a typical battery case for the iPhone 6 and as well as providing extra power to the iPhone 6, the case will contain the introspection engine’s electronics core.

“The electronics core will likely consist of a small FPGA and an independent CPU running a code base completely separate from the iPhone 6’s CPU,” he said. “This physical isolation of CPU cores minimizes the chance of malware from the phone infecting the introspection engine.”

Snowden intends to build a prototype over the coming year, and verify the introspection engine’s abilities, and will be built for the iPhone 6 and later for other makes and models of phones.

“By grouping radio control test points together, leaving them exposed, and publishing a terse description of each test point, direct introspection engines can be more rapidly deployed and retrofitted into future smartphones,” he said.

However Cesare Garlati, chief security strategist at the prpl Foundation, doubted how this would aid the confidentiality, integrity and authenticity of mobile communications.

He said: “There is an easier way to make sure your mobile device doesn't send unwanted communications: turn it off and remove the battery, and if you really care about this, don't buy ‘sealed’ devices that don't allow you to remove the battery.”

Infosecurity: http://bit.ly/2aiZrNz

« Psychological Warfare On Social Media
Humans And The Robotic Future »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

SANS Institute

SANS Institute

SANS is the most trusted and by far the largest source for information security training and security certification in the world.

iTrinegy

iTrinegy

iTrinegy is a world leader in Application Risk Management offering solutions to mitigate all networked application deployment risks

SenseOn

SenseOn

SenseOn’s multiple threat-detection senses work together to detect malicious activity across an organisation’s entire digital estate, covering the gaps that single point solutions create.

US Secret Service

US Secret Service

The US Secret Service has a pivotal role in securing the nation’s critical infrastructures, specifically in the areas of cyber, banking and finance.

BTblock

BTblock

Blockchain and cybersecurity is a vital combination for Enterprise success. BTblock is a Force Multiplier for its clients.

Meriplex

Meriplex

Meriplex is a Managed Services provider specializing in Intelligent Networks, Cybersecurity and Cloud Communications.

Boeing

Boeing

Boeing is the world's largest aerospace company and leading manufacturer of commercial jetliners, defense, space and security systems.

MVP Tech

MVP Tech

MVP Tech designs and deploys next generation infrastructures where Security and Technology converge.

Trellix

Trellix

Trellix is an extended detection and response (XDR) solutions provider created from a merger of McAfee Enterprise and FireEye Products.

Inflection Point Ventures (IPV)

Inflection Point Ventures (IPV)

Inflection Point Ventures (IPV) is a 6000+ members angel investing firm which supports new-age entrepreneurs by connecting them with a diverse group of investors.

Cyber Security Works (CSW)

Cyber Security Works (CSW)

Cyber Security Works is your organization’s early cybersecurity warning system to help prevent attacks before they happen.

Zitec

Zitec

One of Europe's largest and most prominent full-cycle software development services companies, Zitec is the digital transformation partner to companies in the EU, UK, USA, Canada and ME.

Cygna Labs

Cygna Labs

Cygna Labs is a software developer and one of the top three global DDI (DNS, DHCP, and IP address management) vendors.

Defimoon

Defimoon

DeFimoon is the International Blockchain Development & Security Agency. We provide professional services and solutions at the highest quality on world-leading chains.

Neptune Shield

Neptune Shield

Neptune Shield's mission is to deliver cutting edge Maritime focused Cyber Security & Threat Protection through our Hampton Roads based Tech & Cyber Security Hub.

Cloudbox

Cloudbox

Cloudbox build and maintain a highly secure, compliant IT infrastructure for our clients – with total peace of mind – so they can focus on the market.