Phil Zimmermann's 'Spy-Proof' Mobile Phone In Demand
An anonymous reader writes "BlackPhone was designed by Phil Zimmermann (inventor of PGP). The 4.7" display phone features a 2 GHz NVIDIA Tegra 4i ARM Cortex-A9 quad-core processor with 60 GPU cores, 1GB RAM and 16GB storage [more specs]. The OS is a customized version of Android called PrivatOS which offers encrypted calls, texts and emails that can't be unscrambled even by spy agencies. It also offers built-in resistance against malicious software which will be most welcomed for users worried about free Apps that are becoming increasingly invasive, if not pure data collection spyware for unknown 3rd parties. It's coming out this June, and many Fortune 50 companies have already ordered the phone to protect against industrial espionage."
Does he have Qualcomm on board or what?
I can see how this would work for blackphone-to-blackphone communication. What about people who call me or text me who don't have a blackphone? Those calls and texts are not going to be encrypted.
I think the market for this thing will be limited, at least for the immediate future.
Proverbs 21:19
I wonder if the bootloader is unlockable so one can make their own ROM for it. The ideal is the ability to type in "fastboot oem unlock", flash a ROM, then relock the bootloader. That way, if someone wants to reflash, they have to re-unlock the bootloader (triggering an erase and TRIM cycle of the /data partition).
You can develop all the security technologies you like. They'll be worth precisely nothing when the NSA sends a pup of an agent with a national security letter to seize your files, equipment, and force your co-operation under penalty of imprisonment. The courts remain the ultimate root-kit.
May the Maths Be with you!
Lifetime membership in the NSA's Super Special Pals club! They'll be thinking about you all the time!
"When information is power, privacy is freedom" - Jah-Wren Ryel
How big does the battery have to be to keep all those cores running? Must take up half the interior.
Nvidia through their acquisition of Icera. It's a software modem.
Yet only has 1 gig of RAM. I won't even look at a phone unless it has at least 2.
In all seriousness, what US carriers will let you use this phone? I can't see this being offered in-store to every Joe Friday that walks in off the street (the demand isn't high enough, depressingly) and most carriers like you to buy a particular phone to use on their particular network. How do I go about using one of these (well, two of these) in day-to-day activities?
Only two things are infinite, the universe and human stupidity, and I'm not entirely sure about the universe - Einstein
It's not directly connected to the microphone. That's connected to an audio codec controlled by the application processor.
RTFS
many Fortune 50 companies have already ordered the phone to protect against industrial espionage.
I'm going to go with ... "Half a Brain" FTW!
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
It doesn’t (necessarily) need to be, though it would be nice. If the Android-level interface to the baseband is sufficiently limited, and if all “secure mode” operations (encryption) are handled purely in Android and passed off as a ciphertext stream through the baseband, a subverted baseband would have limited ability to cause issues.
Problems for an untrusted baseband are:
1) If the OS will (or can be forced to) accept any type of control from the baseband (rather than exclusively the other way around), the baseband can take over the “secure” OS.
2) The baseband can leak private information passed through it to a third party.
Note that as a special case of #1, audio stream communication between baseband and OS is often implemented as some variety of DMA or shared memory. Care would be required to ensure the baseband was incapable of reading or writing any portion of system memory other than what was explicitly set up by the OS for DMA. A hardware MMU or even physically separate DRAM circuitry could ensure this.
So long as the baseband has no avenue for exerting control over the OS, the OS can’t be tainted by a subverted baseband. If all information passed through the baseband is indistinguishable from entropy, the baseband funneling it off somewhere else has limited value absent some other attack on the crypto (including the $5 wrench).
The last remaining attacks would be location leaks (which can be carried out against even an untainted baseband with CellCo assistance anyway) and the possibility of injecting forged traffic that might trick the user into doing something insecure. Well-designed UI should ensure that cryptographically authenticated communications are always distinguishable from untrusted.
Not saying having a fully open baseband wouldn’t be a really nice thing, but there are well established and sufficiently secure ways for sandboxing an untrusted baseband within an otherwise secure design.
Your argument is defeatist.
Court or not, this is a great step towards "doing all we can" to counteract unlawful snooping.
What would be nice is if ALL external communications were on a separate processor. That way a security breach in your OS won't let the NSA intercept your data, and a security breach in your baseband won't let an attacker access your data/camera/microphone. The biggest issue is key handling/exchange. For you to talk with another phone you must share a key. How exactly do they manage that?
from other people, interfering with theirs?
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
I have seen theories it's a numbers station lol. Who knows why people do most of the weird shit they do though.
The NSA already knows about those live goat porn sites you browse, that you like to dress up like a nun and get spanked with a toilet brush on Friday nights and they already have a picture of your dong. So really, what do you need a secret spy phone for, again?
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I think any designer of a "secure" phone needs to assume that the baseband is running hostile software.
If the baseband has write access to application cpu ram, you're screwed.
There needs to be uncompromised hardware-enforced protection to ensure the baseband cannot write to application RAM or to the flash memory of the application processor. I'd be very suspicious of DMA capabilities under control of the baseband unit.
I'm not saying it's impossible to make a secure phone, but you as a creator of such should assume that every byte of code not under your control is out to get you (including closed-source graphics drivers).
I'd also be nervous of the toolchain/compiler. That classic Thompson compiler attack (http://cm.bell-labs.com/who/ken/trust.html) is a worry.
Ian Ameline
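An added illustration of the hardware-enforced isolation that the sandboxed-baseband post above and this one both call for (example code written for this thread, not Blackphone's and not either poster's): the OS maps explicit DMA windows for the baseband, and a model IOMMU rejects any baseband read or write that does not lie wholly inside a currently mapped window. Function names, sizes and the memory layout are made up.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Model: the OS owns application-processor RAM and grants the baseband explicit
 * DMA windows; the table below is what the hardware checks on every transfer.
 * Sizes and layout are made up for the example. */
#define RAM_SIZE    4096
#define MAX_WINDOWS 4

static uint8_t ap_ram[RAM_SIZE];                   /* application-processor memory */
struct dma_window { size_t base, len; bool writable, in_use; };
static struct dma_window windows[MAX_WINDOWS];     /* OS-controlled allow-list */

/* OS side: grant the baseband one window. Returns its id, or -1 if refused. */
int os_map_dma_window(size_t base, size_t len, bool writable) {
    if (len == 0 || base >= RAM_SIZE || len > RAM_SIZE - base) return -1;
    for (int i = 0; i < MAX_WINDOWS; i++)
        if (!windows[i].in_use) {
            windows[i] = (struct dma_window){ base, len, writable, true };
            return i;
        }
    return -1;                                     /* table full */
}
/* OS side: revoke a window as soon as the transfer it served is finished. */
void os_unmap_dma_window(int id) {
    if (id >= 0 && id < MAX_WINDOWS) windows[id].in_use = false;
}
/* Hardware side: the whole transfer must fit inside one mapped window. */
static bool dma_allowed(size_t addr, size_t len, bool write) {
    if (len == 0 || addr >= RAM_SIZE || len > RAM_SIZE - addr) return false;
    for (int i = 0; i < MAX_WINDOWS; i++) {
        const struct dma_window *w = &windows[i];
        if (w->in_use && addr >= w->base && addr + len <= w->base + w->len)
            return !write || w->writable;
    }
    return false;
}
/* Baseband side: bytes move only if the hardware check passes. */
bool baseband_dma_write(size_t addr, const uint8_t *src, size_t len) {
    if (!dma_allowed(addr, len, true)) return false;
    memcpy(&ap_ram[addr], src, len);
    return true;
}
bool baseband_dma_read(size_t addr, uint8_t *dst, size_t len) {
    if (!dma_allowed(addr, len, false)) return false;
    memcpy(dst, &ap_ram[addr], len);
    return true;
}
```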
Have you honestly never heard of people buying SIM cards for existing phones? Outright purchase? Unlocked phones?
Science is all about firing a drunk pig out of a cannon just to see what happens.
Or "off" is consuming far more power than you would think.
Your ad here. Ask me how!
>For you to talk with another phone you must share a key. How exactly do they manage that?
Well, if they both offer a rear-facing camera for video chat you could point the screens at each other for a moderately high bandwidth QR code based video stream. A few dozen bytes a frame (Version 3 QR code = 50 characters @ 5.5 bits), times maybe 10 frames per second, should be crude enough and slow enough to provide a reliable data link, and it would be fast enough to communicate a 2048-bit key in under a second (2.75 kbps).
--- Most topics have many sides worth arguing, allow me to take one opposite you.
Indeed. Perhaps it could be designed so that the baseband communicates with all the normal DMA tricks to a minimalist flipphone-grade CPU+ram, which is then internally networked to a separate, trustworthy CPU/RAM/Flash - essentially making for two phones in one. As an added bonus standby power consumption could be potentially much lower - the second computer could be powered down completely except when manually activated or woken by the power-sipping flip-phone core.
--- Most topics have many sides worth arguing, allow me to take one opposite you.
You know Zimmermann invented the first public key cryptography software available to the general public, right? You simply send your public key, and it doesn't matter if the NSA/GCHQ intercepts it because all they can do is send you messages with it. They can't even spoof the person you are trying to communicate with because they need that person's private key to do so, and they only sent their public one.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
1) There is no such thing as spy-proof
2) If you can install an app on it, it is not secure
3) If you can connect it to a network, it is not secure
4) If you do not own and have complete access to audit all firmware, including the radio, then it is not secure
5) The Blackphone looks like nothing more than a platform from which to sell expensive annual subscriptions to quasi-private services
If all the I/O is subverted, then you better make sure you really sent your key, though.
Crazy sci-fi dystopian future scenario is that Alice's software decides to send her key as QR codes but then actually displays Eve's key's QR codes but also sends Alice's public key over a covert channel. Then Bob's software, wishing to display a fingerprint for its new key (Eve's) on screen, does that. Except its subverted I/O shows Alice's fingerprint instead. Bob reads the fingerprint out loud and Alice says "Yep, that's mine" (because it is) in spite of the fact that Alice really has the wrong key. Later, Eve MitMs everything Bob and Alice say to each other.
Sounds like a lot of work and requires her subverted subsystems to be quite powerful. (It has to understand the intent of everything that goes up on a screen in real time, and do replacements.) That's ridiculous and there's no way it'll happen before 2114. *sigh* That probably means someone is already doing it successfully. ;-)
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
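To make the public-key exchange from the Zimmermann post above and the spoken-fingerprint check from this one concrete (an added example, not code from any poster or from Blackphone): the network either passes each public key through or swaps in Eve's, and the fingerprint Bob reads out is compared against the key Alice actually sent. The Diffie-Hellman group and the FNV-1a fingerprint are toys chosen for readability, and all the names are made up.

```c
#include <stdbool.h>
#include <stdint.h>

/* Toy Diffie-Hellman over the Mersenne prime 2^61 - 1. Deliberately tiny and NOT a
 * secure parameter set; it only makes the exchange logic visible. */
static const uint64_t P = 2305843009213693951ULL;
static const uint64_t G = 3;

static uint64_t mulmod(uint64_t a, uint64_t b) {       /* needs GCC/Clang __int128 */
    return (uint64_t)((unsigned __int128)a * b % P);
}
static uint64_t powmod(uint64_t base, uint64_t exp) {
    uint64_t r = 1;
    base %= P;
    while (exp) {
        if (exp & 1) r = mulmod(r, base);
        base = mulmod(base, base);
        exp >>= 1;
    }
    return r;
}
uint64_t dh_public(uint64_t priv)                { return powmod(G, priv); }
uint64_t dh_shared(uint64_t priv, uint64_t peer) { return powmod(peer, priv); }

/* Toy fingerprint (FNV-1a over the public value); a real phone would use a strong
 * hash and render it as words or digits the user can read out. */
uint32_t fingerprint(uint64_t pub) {
    uint32_t h = 2166136261u;
    for (int i = 0; i < 8; i++) { h ^= (uint8_t)(pub >> (8 * i)); h *= 16777619u; }
    return h;
}

struct exchange { uint64_t alice_shared, bob_shared; bool fingerprint_ok; };

/* One exchange over a network that passes keys through or (mitm) swaps in Eve's.
 * Displays are assumed honest: Bob reads out the fingerprint of the key he actually
 * received, and Alice compares it with the fingerprint of the key she actually sent. */
struct exchange run_exchange(uint64_t alice_priv, uint64_t bob_priv,
                             uint64_t eve_priv, bool mitm) {
    uint64_t alice_pub = dh_public(alice_priv), bob_pub = dh_public(bob_priv);
    uint64_t eve_pub = dh_public(eve_priv);
    uint64_t bob_received   = mitm ? eve_pub : alice_pub;   /* what reached Bob */
    uint64_t alice_received = mitm ? eve_pub : bob_pub;     /* what reached Alice */
    struct exchange e;
    e.alice_shared   = dh_shared(alice_priv, alice_received);
    e.bob_shared     = dh_shared(bob_priv, bob_received);
    e.fingerprint_ok = fingerprint(bob_received) == fingerprint(alice_pub);
    return e;
}
```

This models only the honest-display case; the subverted-I/O scenario in the post above is precisely the case where the comparison passes even though the keys were swapped.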
Is there a privacy screen filter? The kind where you can see the screen only from a narrow angle.
Some Japanese phones, which are commonly used in crowded trains, feature this. I think it is an essential privacy feature.
Ah, and a physical, highly visible camera lens cap too.