Inside Boeing's New Self-Destructing Smartphone
mpicpp writes "It looks thicker than most of the phones you see at Best Buy, but Boeing's first smartphone isn't meant to be used by the average person. The company that's known for its airplanes is joining the smartphone game with the Boeing Black, targeted at people that work in the security and defense industry. One of its security features is self-destructing if it gets into the wrong hands, although not quite in the Mission Impossible sense. According to the company's letter to the FCC, the phone will have screws with a tamper-proof coating, revealing if a person has tried to disassemble it. 'Any attempt to disassemble the device would trigger functions that would delete the data and software contained within the device and make the device inoperable,' writes Bruce Olcott, an attorney for Boeing."
Starting price is $10,000...
" . . . this phone message will destroy your phone in 15 seconds . . . "
So...take a dremel and cut the case around the screws.
... Will it run Angry Birds and Candy Crush? ... Will it run Crysis? ... Will it run Slashdot Beta?
Oh, and you generally don't do a tamper 'proof' coating on screws, you do a 'tamper-evident' coating.
Want your own tamper evident coating? Buy a bottle of the cheapest, cheesiest glitter nail polish you can find. Coat the screws with a layer. Take a high resolution picture of each screw. Suspect tampering? Compare the current coating with the picture.
As for deleting the data off the device, I'd probably simply encrypt everything on the device, with the key stored in a specific chip designed to dump said key if anything triggers it. No Key = No Data.
I don't read AC A human right
How would it go if it were chilled right down, liquid nitrogen or colder so the electronics stopped working and then disassembled. (I don't know if it's possible, just kicking the idea around.)
I see they're using the same battery technology they used in the Dreamliner then.
A hundred and twenty characters ought to be enough for anyone...
When I worked in the ATM industry we already had that feature built into the keypad (EPP). If you tried to extract the keys any number of ways (freeze spray, remove back cover, cut front cover, etc.) it would dump the memory and leave the attacker with nothing. All you have to do is contact one of the companies that built those EPP's and they can guide you into a LOW COST hardware method of dumping everything. You don't need to go with a fancy "custom coating" that might fail or have alternative issues. I would not buy this phone as it is over-priced, and I can do the same thing with a common android smartphone and a little software and hardware tweaking. Epoxy is your friend for keeping people out of things they don't need to see, as is encryption with delete upon failure to decrypt. What a joke, but they will sell a bunch of them to Gov. and "special" people.
Does it delete its own data when the battery runs out?
Until someone figures out a way around it.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
They are basically claiming they have a HSM here. Now, HSMs are as expensive as they are for a reason (50'000 USD/EUR is quite standard). One is that attackers have to pay a lot to get their hands on one for analysis. Another is to have several layers of protection, several independent power sources, solid steel tamper barriers, etc. Still, they are designed to be secure when in a 19" rack in a secured data-center and when it becomes obvious fast that one has been removed.
I expect that a good hardware hacker can get into these phones with at most a few weeks of work and 3-4 devices to burn. After that opening one of these should be easy. And then there are the myriad ways of attacking this thing via software.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
The title says "Inside Boeing's New Self-Destructing Smartphone", which is somewhat misleading, as it only refers to a mainstream news article, not any technical information about the 'inside' of the device.
will it blend?
No, it is meant to stop sophisticated attackers. It will be interesting to see what happens the first time the police decide they need to access one of these and request that Boeing help them. If designed correctly there should be nothing Boeing could do to help them, but considering all the fat defence contracts and government money that goes their way I doubt they would have neglected to put an NSA approved back-door in.
Not sure where to go with this one. Is the joke supposed to be "So, Boeing has teamed up with Sony to use their batteries in a new smart phone..." or "Leveraging the battery technology used in the 787 Dreamliner..."
The only difference seems to be that with this phone, if an attacker tries to get at the data you end up with a non-working phone and an attacker without data, while with an iPhone you end up with a working phone and an attacker without data. OK, this phone has also some more security claims, but of course they are not proven.
So, where's the added summary about the "related story" of how Google admits that Android's focus isn't on security and that malware writers should target their OS rather than Apple's or Microsoft's?
Or was that story only related when Slashdot was attempting to water down the discussion of Google's comments with a topic that actually had nothing whatsoever to do with Google's comments?
Don't worry. I already know the answer to those questions.
It was nice when this site did a better job of disguising its biases...
You disassemble them in an argon or other non-oxygen environment to get around their "self destruct".
Guarantee they have a way to get all the data off of them for Law enforcement. It's not secure, it's marketing.
The Boeing "Black" will compete with the General Dynamics "Sectera Edge"...
http://www.gdc4s.com/sectera-edge-(sme-ped)-proddetail.html?taxonomyCat=141
Explosives, generally speaking, are their own oxidants. If (and it's a big if) this device is meant to blow itself up and not slowly burn away to nothing, an inert atmosphere isn't going to help.
I really doubt it is actually meant to blow itself up though.
No kidding!!! What do you say at this point?
The way I'd have the destruct work would be to encrypt everything and keep the key in a special tamper chip that will dump the key if a tamper trips.
Anyways, there are options to screw up your little proposal, such as a sensor inside that looks for disturbance. A light sensor where there should be no light, for example. Put a series of wires along the inside of the case, and if the resistance changes, such as from somebody cutting a wire trying to dremel their way in, trigger the tamper. Another option would be a button or something that's depressed normally. Remove a section of the case and it trips.
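The tamper monitor sketched in the comment above (light where there should be none, a wire loop whose resistance changes when cut, a button released when the case comes off, and a key that is dumped when any of them trips), written out as an added example. This is not code from the original thread or from Boeing; the sensor values, thresholds and the 32-byte key are constructed for the demo, and the "tamper chip" SRAM is modelled as a plain array.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 32   /* 256-bit key held in the tamper chip's volatile SRAM */

/* One snapshot of the sensors named in the comment. Values are constructed
 * for the demo; on hardware they would come from an ADC and GPIO lines. */
typedef struct {
    uint32_t mesh_ohms;         /* loop of wire along the inside of the case */
    uint16_t light_adc;         /* photodiode inside the sealed case */
    bool     lid_switch_closed; /* button held depressed by the cover */
    uint16_t battery_mv;        /* supply backing the key SRAM */
} sensors_t;

/* Per-device policy: the mesh baseline would be measured at manufacturing. */
typedef struct {
    uint32_t mesh_baseline_ohms;
    uint32_t mesh_tolerance_ohms;
    uint16_t light_threshold;
    uint16_t battery_min_mv;
} tamper_policy_t;

enum {
    TAMPER_NONE  = 0,
    TAMPER_MESH  = 1 << 0,  /* wire cut (open) or shorted */
    TAMPER_LIGHT = 1 << 1,  /* light where there should be none */
    TAMPER_LID   = 1 << 2,  /* cover removed, button released */
    TAMPER_POWER = 1 << 3   /* supply too low to trust the SRAM contents */
};

static uint8_t key_sram[KEY_LEN];
static bool    key_valid;

/* Pure check: compare readings against policy, return a bitmask of tripped sensors. */
unsigned evaluate_tamper(const tamper_policy_t *p, const sensors_t *s)
{
    unsigned flags = TAMPER_NONE;
    uint32_t lo = p->mesh_baseline_ohms > p->mesh_tolerance_ohms
                ? p->mesh_baseline_ohms - p->mesh_tolerance_ohms : 0;
    uint32_t hi = p->mesh_baseline_ohms + p->mesh_tolerance_ohms;

    if (s->mesh_ohms < lo || s->mesh_ohms > hi) flags |= TAMPER_MESH;
    if (s->light_adc > p->light_threshold)      flags |= TAMPER_LIGHT;
    if (!s->lid_switch_closed)                  flags |= TAMPER_LID;
    if (s->battery_mv < p->battery_min_mv)      flags |= TAMPER_POWER;
    return flags;
}

void load_key(const uint8_t *k)
{
    memcpy(key_sram, k, KEY_LEN);
    key_valid = true;
}

bool key_present(void) { return key_valid; }

/* Clear the key through a volatile pointer so the compiler cannot drop the stores. */
void zeroize_key(void)
{
    volatile uint8_t *k = key_sram;
    for (size_t i = 0; i < KEY_LEN; i++) k[i] = 0;
    key_valid = false;
}

/* One pass of the monitor loop: any tripped sensor dumps the key. */
unsigned tamper_tick(const tamper_policy_t *p, const sensors_t *s)
{
    unsigned flags = evaluate_tamper(p, s);
    if (flags != TAMPER_NONE) zeroize_key();
    return flags;
}

int main(void)
{
    tamper_policy_t policy = { 1000, 50, 40, 2700 };
    sensors_t quiet = { 1010, 3, true, 3700 };       /* constructed: case intact */
    sensors_t cut   = { 4000000u, 3, true, 3700 };   /* constructed: mesh wire severed */
    uint8_t key[KEY_LEN];
    memset(key, 0xA5, KEY_LEN);

    load_key(key);
    printf("intact: flags=0x%x key_present=%d\n", tamper_tick(&policy, &quiet), key_present());
    printf("cut:    flags=0x%x key_present=%d\n", tamper_tick(&policy, &cut), key_present());
    return 0;
}
```

The check is split from the response on purpose: `evaluate_tamper` is a pure function that can be unit-tested against recorded sensor traces, while `tamper_tick` is the only path that touches the key. Undervoltage is treated as a tamper event because SRAM contents cannot be trusted once the supply sags.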
I don't think it is anything physical. It is just that it will automatically execute "sudo rm -rf /" when it detects any tampering, which will be done by more than one unspecified mechanism. And, of course, use a destructive form of rm.
I was going to say, I read about this at Ars a couple days ago, but then I saw this "article" links to an ABC news "article" - what's more, the "summary" is a direct quote of pretty much the entire ABC piece. But then I saw this "article" also links to the much superior Ars article. So, I say, bravo, Slashdot! Bravo.
The biggest issue with this phone is not whether it can be tampered with without the owner's knowledge, but that anyone that has one of these phones will be instantly noticeable as a high value target. The only people that this device makes sense for are public figures, senators, congressmen, CEOs of large defense contractors, ... Everyone else will be better protected by following simple security precautions and not carrying around a large flag that says I'm worth the effort.
I really doubt it is actually meant to blow itself up though.
If they used the right kind of battery it could ;-)
The simplest way to self-destruct data on the device is to simply encrypt it using a large key stored in CMOS embedded in the SoC's hardware crypto-engine and clear it (either with an actual reset signal or simply killing power) if tampering is detected to instantaneously render all stored data useless. The next time the boot-loader runs, if the device is ever powered up again before being restored to factory specs, it can generate a new encryption key and start erasing storage to make the data completely unrecoverable.
I would not be too surprised if they only implemented the device encryption part of this with managed encryption keys so devices can be decrypted if ever recovered.
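The key lifecycle described in the post above (key lives only in the crypto engine's volatile register, a tamper event clears it, the next boot mints a fresh key and erases storage), as an added example that is not code from the thread or from any vendor. The cipher and key generator are an xorshift32 stand-in so the block runs anywhere; a real engine would use its hardware RNG and a real cipher. Storage is a 32-byte array; the 0xFF fill models the all-ones state of erased NAND. There is no key escrow in this model, which is exactly the property the follow-up comment suspects a managed-key deployment would give up.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_WORDS   8      /* 256-bit key */
#define STORAGE_LEN 32     /* toy flash array */
#define ERASED_BYTE 0xFF   /* NAND cells read all-ones after erase */

/* Model of the SoC crypto engine: the key exists only in this volatile register;
 * the tamper latch survives until the boot loader handles it. */
typedef struct {
    uint32_t key[KEY_WORDS];
    bool     key_loaded;
    bool     tamper_latched;
} crypto_engine_t;

typedef struct { uint8_t cells[STORAGE_LEN]; } flash_t;

/* xorshift32: stand-in keystream and key generator. NOT a real cipher or RNG. */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Hypothetical key generation from a seed; hardware would draw from its RNG. */
void engine_generate_key(crypto_engine_t *e, uint32_t seed)
{
    uint32_t s = seed ? seed : 0x9E3779B9u;
    for (size_t i = 0; i < KEY_WORDS; i++) e->key[i] = xorshift32(&s);
    e->key_loaded = true;
}

/* XOR a buffer with a keystream derived from the key (encrypt == decrypt). */
static void stream_xor(const crypto_engine_t *e, uint8_t *buf, size_t n)
{
    uint32_t s = 0;
    for (size_t i = 0; i < KEY_WORDS; i++) s ^= e->key[i] + (uint32_t)i;  /* fold key into seed */
    if (s == 0) s = 1;                                                     /* xorshift needs nonzero state */
    for (size_t i = 0; i < n; i++) buf[i] ^= (uint8_t)(xorshift32(&s) >> 24);
}

bool storage_write(crypto_engine_t *e, flash_t *f, const uint8_t *plain, size_t n)
{
    if (!e->key_loaded || n > STORAGE_LEN) return false;
    memcpy(f->cells, plain, n);
    stream_xor(e, f->cells, n);   /* only ciphertext ever reaches flash */
    return true;
}

bool storage_read(const crypto_engine_t *e, const flash_t *f, uint8_t *out, size_t n)
{
    if (!e->key_loaded || n > STORAGE_LEN) return false;   /* no key: ciphertext is all that is left */
    memcpy(out, f->cells, n);
    stream_xor(e, out, n);
    return true;
}

/* Tamper path: clear the key register through a volatile pointer and latch the event. */
void engine_tamper_event(crypto_engine_t *e)
{
    volatile uint32_t *k = e->key;
    for (size_t i = 0; i < KEY_WORDS; i++) k[i] = 0;
    e->key_loaded = false;
    e->tamper_latched = true;
}

/* Boot-loader step: after a tamper, mint a fresh key and erase storage. Returns true if it erased. */
bool bootloader_start(crypto_engine_t *e, flash_t *f, uint32_t fresh_seed)
{
    if (!e->tamper_latched) return false;
    engine_generate_key(e, fresh_seed);
    memset(f->cells, ERASED_BYTE, STORAGE_LEN);
    e->tamper_latched = false;
    return true;
}

bool flash_is_erased(const flash_t *f)
{
    for (size_t i = 0; i < STORAGE_LEN; i++)
        if (f->cells[i] != ERASED_BYTE) return false;
    return true;
}

int main(void)
{
    crypto_engine_t eng = {{0}, false, false};
    flash_t flash;
    const uint8_t secret[] = {'S', 'E', 'C', 'R', 'E', 'T'};   /* constructed sample data */
    uint8_t out[sizeof secret];

    memset(&flash, 0, sizeof flash);
    engine_generate_key(&eng, 12345u);
    storage_write(&eng, &flash, secret, sizeof secret);
    printf("read before tamper: %d\n", storage_read(&eng, &flash, out, sizeof out));
    engine_tamper_event(&eng);
    printf("read after tamper:  %d\n", storage_read(&eng, &flash, out, sizeof out));
    printf("boot erased flash:  %d\n", bootloader_start(&eng, &flash, 999u) && flash_is_erased(&flash));
    return 0;
}
```

The order matters: the key is gone the instant the tamper path runs, so the data is already unrecoverable even if the device never boots again; the erase on the next boot only removes the ciphertext that an attacker could otherwise carry off for later analysis.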
This sounds like it will not protect your data but will keep crypto researchers from finding that the NSA has put a back door into the product. Quite simply, if it comes from the US, Canada, Australia, or the UK, the product is not to be trusted. Which is sad, as I am a Canadian and would love to make crypto products, but at this point I wouldn't trust even a company that had US citizens working for it, let alone one based in the US.
This might be the most solid argument against these spy agencies, whatever "attacks" they are preventing, and whatever manipulations they are doing do not possibly equal the damage they have and are doing to the tech industries in our countries. I am willing to bet that the damage done to Cisco, google, IBM, and others will easily total the financial damage done in 9/11. Plus in all likelihood the plans for the next 9/11 will work just fine as they fully know not to trust any US comm technology.
'Any attempt to disassemble the device would trigger functions that would delete the data and software contained within the device and make the device inoperable,'
Wouldn't the fact that your phone is now a brick be enough to let you know that someone had tried to tamper with your phone?
FIPS-140 (and 140-2) address exactly this. http://en.wikipedia.org/wiki/F...
At FIPS-140 Level 4, the crypto keys are stored on a unit that actively monitors for attack by environmental, electromagnetic, and physical methods. The physical is usually handled by a mesh of grid wires over the die.
The problem, of course, is Boeing is in bed with the government for Billions (Trillions) of dollars worth of military hardware, so don't think they'd sell you an Android phone before having a friendly chat with their friends at [A-Z]{3}.
All you'd need to do is build it on a flammable PCB with a nichrome-wire-style electrical ignition element embedded within it, and discharge the (I would assume normally inaccessible without tripping the destruct) battery through it. The destruct could even have its own built-in and separate battery.
*Poof*, original "Mission Impossible"-style.
"Good morning, Mr. Phelps..."
Sometimes the old tech is the best tech. ;-)
In that case it should be easy and in this case it will be a feature.
http://www.usatoday.com/story/...
Layers upon layers - there's the "common" model that goes out to all field personnel and is assumed to be compromised within a few months.
Then, there's a high security model that is designed to look like the common model, but goes only to high value targets and might be redesigned and redeployed every time one gets lost.
Then, there's the higher security model that is designed to look like the high security model, but....
Is it any wonder that a toilet seat can cost $9,000?
I see two attack vectors. Run the battery down and then open it.
Capcom and other arcade game manufacturers solved this already. Battery goes too low to maintain the encryption key in SRAM? Dump the encryption key.
I don't think that the self-destruct feature is even supposed to be completely invulnerable. It's a nice addition to the bag of various security features. Some uninformed attacker might not know that this phone has such anti-tamper measures, leading to this protection working as intended. Or some other attacker might be aware of the feature, but it is enough for him to not bother with sophisticated tools to open the phone. On the other hand, using specialized tools to crack it open will also increase the time required to steal the data. And so on.
[Disclaimer: I work for The Boeing Company, but my comments are my own and do not reflect the position of the company.]
Let me state that this is probably a very good idea, even though this is the first that I've heard about the device. Often the biggest problem when dealing with smartphones is protecting sensitive data, be it emails or documents being stored on the device. Commercial solutions are often lacking in security, which is why Blackberry still exists as a company. Their offerings are much more secure 'out-of-the-box' than any iPhone or Android device and don't have to resort to third party add-on software to improve the security.
So if you want to have a smartphone that is more state-of-the-art and be more compatible with today's services and offerings, then the only way may be to design your own device, make certain that it'll meet security requirements to protect data (your own and the government's), and add in a feature that allows for the device to be rendered inoperative if lost, stolen or tampered with. And there is going to be a market for these devices, believe it.
All you'd need to do is build it on a flammable PCB with a nichrome-wire-style electrical ignition element embedded within it, and discharge the (I would assume normally inaccessible without tripping the destruct) battery through it. The destruct could even have its own built-in and separate battery.
Oh, that's *all* you'd need to do, eh?
And here I thought the solution would be complicated.
1) Buy one
2) Open it up, not caring that you wiped it
3) Determine location to drill to sever battery cable, and how to defeat/avoid physical tamper detection
4) Steal one
5) Follow results of #3
6) Profit!
Just use a high voltage burst to be released through the electronics. (High voltage in this case can be less than 50V, since most chips in phones run at just a volt or so.)
Just burn out the memory chips with a high voltage pulse.
Well that's the problem right there (if true).
Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
Yeah, because obviously they'd design a secure, self-destructing phone to be trivially abusable over USB. I bet it even has autorun enabled by default.
Well, that'd slow things down a little, but a battery-based self destruct could be circumvented by simply waiting a few days/weeks while the phone struggles to find a decent signal. Less time than the Apple law enforcement request backlog IIRC.
--- Most topics have many sides worth arguing, allow me to take one opposite you.
Governments aren't the only ones who want security. I bet you the anti-corporate espionage market is far, far larger, especially for something like this that only costs pocket change. Lots of people would like to keep their phones safe from discreet data harvesting while they're enjoying the jacuzzi.
You think Apple's got folks on an upgrade treadmill? Imagine the pressure to upgrade "the most secure phone in the world" every time a new bypass technique is developed. Forget OS upgrades, you need a whole new phone with enhanced physical security devices every six months. And oh yeah, don't forget to melt down your old phone to keep the data secure, everyone knows all the buyers in the second-hand market are actually espionage agents.
As we're going along here, we seem to be getting tighter security for the cost of a steadily increasing chance of one of these customers accidentally destroying all their data.
I was under the impression that it had become straightforward to plan for destruction of an Internet-connected device by making automatic backups that are encrypted while at rest and while in motion. Encryption key dumped? Replace the device, associate the new encryption key, and restore.
just freeze it with liquid nitrogen before taking it apart... then pull out the flash memory before it gets wiped. full secure wipes take quite a long time
That would not necessarily work: it would definitely fry the IO front-end but most of the NVRAM matrix would likely remain intact and recoverable by stripping the top encapsulation and top metal layers then scanning the NVRAM cells with a magnetic force microscope.
Also, if the device self-destructs through high voltage, someone who has already dissected one of these phones before would know where the high-voltage components are, how they operate, how they are triggered and would likely be able to come up with a way to prevent the high voltage pulse from reaching the NVRAM chips, such as using a pneumatic framing nailer to destroy/short the high voltage circuitry faster than it can be triggered by tamper sensors.
So, even with physical destruction built-in, you would still need strong device-level encryption as a fail-safe.
The most beautiful thing about having a decryption key embedded in a secure microcontroller managing tamper-proofing sensors (which is itself embedded in the SoC running the rest of the device's functions) is that disabling tamper-proofing is impossible to do without disabling the secure micro-controller and disabling it either physically or by cutting power kills the decryption key just like tripping tamper-proofing sensors would.
No, it is meant to stop sophisticated attackers. It will be interesting to see what happens the first time the police decide they need to access one of these and request that Boeing help them. If designed correctly there should be nothing Boeing could do to help them, but considering all the fat defence contracts and government money that goes their way I doubt they would have neglected to put an NSA approved back-door in.
In the case of the iPhone, there is no back door, but there is a front door. The only way to get into an iPhone is to either crack a 256 bit key (per file), or to enter the passcode. Only software code-signed by Apple can unlock an iPhone. In normal use, that's the software that runs when the user types in his passcode. Apple and Apple only can replace this software. And then they can try to unlock the phone at the amazing rate of ten attempts per second (the passcode hash function is calibrated to use one tenth of a second). They can crack a four digit passcode. However, you can set a twelve digit, or twelve digit and letter or longer code. 10 digits should take about 3 years, 10 digits and letters is uncrackable.
Of course that requires that the police have the phone, and that they have a legal warrant.
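The exhaustive-search arithmetic behind the passcode figures in the comment above, worked out as an added example (not code from the thread or from Apple) for the rate the comment gives: a passcode check tuned to take one tenth of a second, so ten guesses per second. The alphabet sizes (10 digits, 36 digits and letters) and the code lengths are the ones the comment mentions; the year length is 365.25 days. The integer-power loop avoids libm so the block compiles with a plain `cc`.

```c
#include <stdio.h>

#define SECONDS_PER_YEAR 31557600.0   /* 365.25 days */

/* Number of candidate codes: alphabet^length, exact in double for these sizes. */
double passcode_space(int length, int alphabet)
{
    double space = 1.0;
    for (int i = 0; i < length; i++) space *= (double)alphabet;
    return space;
}

/* Guesses per second implied by a passcode check tuned to take seconds_per_guess. */
double guess_rate(double seconds_per_guess)
{
    return 1.0 / seconds_per_guess;
}

/* Worst case: every code in the space is tried at `rate` guesses per second. */
double worst_case_seconds(int length, int alphabet, double rate)
{
    return passcode_space(length, alphabet) / rate;
}

/* Expected case for a uniformly random code: half the space on average. */
double average_seconds(int length, int alphabet, double rate)
{
    return worst_case_seconds(length, alphabet, rate) / 2.0;
}

double seconds_to_years(double seconds)
{
    return seconds / SECONDS_PER_YEAR;
}

int main(void)
{
    /* Constructed table of code policies to compare at the stated rate. */
    const struct { const char *label; int length; int alphabet; } cases[] = {
        { "4 digits",            4, 10 },
        { "6 digits",            6, 10 },
        { "10 digits",          10, 10 },
        { "12 digits",          12, 10 },
        { "10 digits+letters",  10, 36 },
    };
    double rate = guess_rate(0.1);   /* 0.1 s per guess, as stated in the comment */

    printf("%-20s %18s %16s\n", "policy", "worst-case seconds", "worst-case years");
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        double s = worst_case_seconds(cases[i].length, cases[i].alphabet, rate);
        printf("%-20s %18.0f %16.2f\n", cases[i].label, s, seconds_to_years(s));
    }
    return 0;
}
```

The rate is the lever that matters: the space grows by a factor of ten per extra digit, so the calibration of the key-derivation step (how long each guess costs) multiplies directly into every row of the table, and the 10-digits+letters case lands in the tens of millions of years at this rate.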
No, it is meant to stop sophisticated attackers.
Given what TFA had to say about who could actually get their hands on one of these phones, I think you're right. I've been involved in anti-tamper design and implementation for DoD projects, and the level of paranoia and secrecy associated with the whole subject is extremely high. I'm going to guess that anything that has been publicly "revealed" by Boeing regarding the anti-tamper implementation is probably untrue, or at least misleading. Anti-tamper is like Fight Club; you're not supposed to talk about it. And the goal of anti-tamper is not to make it impossible to tamper with a device; it's to make it expensive and time consuming. No anti-tamper implementation that has been reviewed and approved by a government V&V team is going to be defeated by a Dremel-wielding neckbeard.
I doubt they would have neglected to put an NSA approved back-door in.
I understand it's fashionable to believe, and it might even be true, that the NSA is sticking their nose any place they can, but based on my experience in the field they would not want a back door that bypasses an anti-tamper implementation. NSA is the agency that developed, and continues to actively develop, anti-tamper guidelines and rules for DoD. Any back door usable by NSA is a back door that could be exploited by an adversary. However, NSA would definitely be privy to the details of the anti-tamper implementation, and would be able to defeat it.
There are many ways to make the memory inside it proof against intrusion.
I know of a company with a chip design that includes a mesh and a vacuum compartment. The mesh can detect electrical, thermal, or physical intrusions. The vacuum compartment, if breached, is another way of telling someone is trying to access the physical memory substrate. There are also some other detection mechanisms as well. All of them zeroize the memory well enough to prevent anyone getting anything useful off of it.
This sort of tech can also protect sea-of-gates style arrays in which code execution can live.
-- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
Why do you suspect only Apple has this software and can deploy it?
The latest exploit *we know of* made Apple's update vulnerable to a man-in-the-middle attack. If that's the case, then any OS module could be overwritten to introduce a backdoor, apps could be introduced which had backdoors, etc.
Beyond that, the 256 bit key is only as good as the RNG that cranked it out. That might or might not be a bulletproof one depending on where they got their key generation algorithm and implementation and what sources of entropy it uses to generate random numbers.
If Apple can do it, someone else can figure out how to. If the NSA can't keep its secrets and programs hidden in-house, what makes you think Apple can over the longer term? Or even has, for all you know?
As, yes, a troll: http://www.theguardian.com/sci...
Layers upon layers - there's the "common" model that goes out to all field personnel and is assumed to be compromised within a few months.
Then, there's a high security model that is designed to look like the common model, but goes only to high value targets and might be redesigned and redeployed every time one gets lost.
Then, there's the higher security model that is designed to look like the high security model, but....
Is it any wonder that a toilet seat can cost $9,000?
Almost correct. What actually happens is that the "higher security model" is the standard model with a higher price tag and a slightly changed UI so the morons spending a lot of taxpayer money on this cannot tell.
If they really "redesigned and redeployed every time one gets lost", the cost would be more like 10 Million per piece. This is a low-cost device in relation to what it claims to be.
The article didn't say what kind of security they're offering in this phone. But any serious secure device is going to have tamper evidence and tamper detection, which will permanently brick the crypto engine if triggered. This is required for certain levels of FIPS, as well as Suite B or anything higher.
-Dave Haynie
Probably running some variation of the NSA's SE Android. Pure SE Android only links to your company's secure server via VPN, using the strong hardware crypto, regular key rotation, etc. You have way bigger things to hack before you can even get to hacking Android itself.
-Dave Haynie