Sirin Labs Launches Solarin, a $14,000 Privacy-Focused Smartphone (venturebeat.com)
An anonymous reader writes from a report via VentureBeat: Sirin Labs has launched its high-end Android smartphone called Solarin. The company's mission is to create the Rolls-Royce of smartphones -- an advanced device that combines "the highest privacy settings, operated faster than any other phone, [and is] built with the best materials from around the world." Solarin promises "the most advanced privacy technology, currently unavailable outside the agency world." It has partnered with KoolSpan to integrate chip-to-chip 256-bit AES encryption, which is similar to what the military uses to protect its communications. As for the specs, Solarin features a Qualcomm Snapdragon 810 processor, with support for 24 bands of LTE, and "far superior" Wi-Fi connectivity than standard mobile phones. There's a 23.8-megapixel rear camera sensor and a 5.5" IPS LED 2K resolution display. The phone goes on sale June 1st for nearly $14,000 ($13,800 to be exact).
Do they even *know* what's in the Snapdragon SoC? I mean, even with a (hypothetical, but thanks to LowRISC perhaps reachable) open design SoC you'd have to trust the foundry to not play shenanigans on you [1], but blindly buying from Qualcomm/ARM and whatever other parties are in there, with a mutual assured destruction level of NDAs between them?
Hmmm.
[1] http://static1.1.sqspcdn.com/s...
...and then the Facebook app gets installed. Game over.
At this price tag and if they really enforce security it should come with a private app store where everything is verified thoroughly by the constructor. 256-bit AES encryption won't do any good when the user starts installing malware...
"...The phone goes on sale June 1st for nearly $14,000 ($13,800 to be exact)."
Still cheaper than the "Rolls Royce" Apple Watch models.
C'mon, you can do better than that for people who have money to burn. Where's my solid gold option? This smartphone is only the price of a car. Surely you can figure out a way to charge as much as a house would cost for an electronic device that will be obsolete in 3 years.
Sirin, did you not learn anything from Apple?
This overpriced heap of junk uses a Qualcomm Snapdragon baseband. It is dead on arrival.
https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf
https://www.youtube.com/watch?v=fQqv0v14KKY
Qualcomm often designs their basebands to have shared memory access to the RAM of the Application Processor that runs your Android/OS
Qualcomm is one of the worst from a security and privacy standpoint.
The Neo900 http://neo900.org/ is going to be much more secure, and much cheaper
Well, Ennetcom produced a PGP phone, they even marketed it to lawyers as secure enough for lawyer-client privileged conversations. It was built on top of Blackberry's platform.
The Dutch police raided it, seized its servers claiming the phone was being used by criminals hence it had the right to close it down as a tool of crime. It looked a bit from the timing like the Dutch police wanted to influence the iPhone encryption court case.
So we were sure it actually WAS secure only after this (blatantly illegal) police action.
And in turn we're also sure the Blackberry phone is backdoored, because police are very happy with that phone and make no attempt to raid Blackberry servers these days, and Blackberry CTO says they take a more balanced approach to end to end encryption than some of their competitors (i.e. Apple).
So we won't know that this phone is secure, till it's shut down by an out of control police force.
All that is needed is a pure Android with some added functions to detect when you are on a government or police fake cellphone tower and other crud that leaks information.
No need to build any hardware as a Nexus unlocked phone or even a OnePlus unlocked phone will do what is needed. It is simply a clean install of Android with no added bullshit shovelled in and some extra tools.
Do not look at laser with remaining good eye.
A supposedly secure-minded phone with a screen with a 178 viewing angle... genius!
You may escape the NSA but you will not escape the prying eyes of your neighbor.
> Then again, gotta start somewhere.
Definitely. And (even as a free software zealot I am) I won't spank, e.g. Purism for using Intel chips, although we have a rough idea of what is in them, and it ain't pretty.
But I expect them to be up-front on it. Especially on those mass-produced SOCs, where the processor controlling the boot and having access to all of RAM isn't the one you see (it's the graphics proc or the baseband proc or whatever) and is running a firmware you don't see, which most probably is OTA upgradeable with yet another blob even the phone manufacturer has no say in.
A step in the right direction? Possibly. But don't let marketing paper over the big holes. Not when your game is security.
I guess (and I am by no means qualified to say) that as a secure appliance, this sort of solution might have something going for it. However, if you think about the threat landscape that a mobile phone has by definition to operate in, then isn't this an awful lot of money to pay for a minimal reduction in exposure? For example, here is a hastily-thought-up list of threats/attacks that even the most perfectly secure handset cannot shield you from:-
1. The remote phone numbers that you call, or, if themselves for mobile devices, send SMS messages to.
2. Potentially, the phone numbers that call you.
3. Your location, as determined by triangulation from cell towers [assuming that you don't have a compromised GPS sensor in the handset].
4. The duration of the calls you make and/or receive, plus your location, time of day, etc, whilst those conversations happen.
5. The superset of data relating to you - that is: the location and activities of the counter-parties you communicate with, the on-chain communications that *they* participate in...
6. All of your web and email activity [unless you have an effective S/MIME solution, and/or have a remote proxy server that you can configure into your phone browser].
In other words, it is trivially easy to gather so much additional data from even the most secure handset that it simply isn't possible to disguise the activities you perform through a handset. EVEN IF YOUR OBSERVER CAN'T CRACK YOUR HANDSET.
I would be very reluctant to dismiss this handset as the mobile phone equivalent of snake oil, but I wonder if clients are fully aware of the inherent limitations of the solution they are being offered, and if they think it's still worth $14,000?
Which is today, so just PM me for my address and have them ship it on over.
... that some half-wit web/mobile developer n00b can find a hack for this in under 30 minutes.
Another 100 Euros that any small Linux PC set up by a decent admin with Ekiga Voicechat over SSH is a bazillion times safer and way harder to crack for ye 3-letter agencies.
We suffer more in our imagination than in reality. - Seneca
And yet "Tempest" computing has been dead since the mid-90s. The shielding required, at least on the old model of RF emanation protection, would make a handheld phone impossible.
Did you even read that blog entry?
'It's a related-key attack, which requires the cryptanalyst to have access to plaintexts encrypted with multiple keys that are related in a specific way.
The attack only breaks 11 rounds of AES-256. Full AES-256 has 14 rounds.'
Then start here: www.j-core.org
I know next to nothing about security, but I do know that mobile phones aren't secure no matter how you design them. Their entire purpose is to interconnect with other phones and networks. Once you enter a non-secure network you are not secure.
Unless they own the fabs, they can't guarantee the TLAs won't pown the very silicon laid down by their industry buddies. Remember when GCHQ wanted certain parts of The Guardian's laptops smashed to bits? Yeah.
From twitter:
Farewell, $14,000 phone. We hardly knew ye.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
And why does the submitter keep other figures at 3 significant digits? For consistency it should be:
"AES encryption above 250 bits (256 bits to be exact)"
"a nearly 24-megapixel rear camera sensor (23.8 megapixels to be exact)"
Sounds like a marketing scam to me, or perhaps just a scam.
I'd suspect the market for a $14,000 phone is kinda slim. Unless it lets me talk to my future self in my domed habitat on Mars, I'll pass.
I'd also suspect that anyone buying a $14,000 "privacy" phone will immediately go on a heightened surveillance list because, you know, terrorism.
In addition, who's to say it's not a front company for the CIA/FBI/DHS floated out there as a way to lure in the suckers who want a secure phone to conduct illegal business? Buying one is like sticking a bright orange patch on your back that says "WATCH ME CLOSELY, I'M UP TO NO GOOD".
Just cruising through this digital world at 33 1/3 rpm...
So I'm supposed to depend on some company I've never heard of, who doesn't own the intellectual property involved, who clearly doesn't have the resources to evaluate the code or audit the hardware properly, is "partnering" with other companies I've never heard of (who the F is Koolspan?), and who wants to sell me a phone "focused on privacy" (whatever that is supposed to mean) for an outrageous amount of money? For a piece of hardware that even if it makes it to market will be obsolete faster than the milk in my refrigerator will spoil.
Umm, ok. What a deal.... [/sarcasm]
For that price, it had better come with a beautiful girl who blows you every time you make a phone call.
If telephones are outlawed, then only outlaws will have telephones.
But cryptography and marketing don't really mix. The marketing subtext is that because this uses the very best chips and is too expensive for ordinary people to own, it's secure. But of course that's nonsense. Security is a system property. It's not the chips or algorithms, it's how you use them. And it costs money to figure out how to use them securely, an expense that you amortize over the total number of units sold.
And at the number of units you'll sell at a unit price of $14K, the gross revenues you have to lavish on really serious engineering (as opposed to Lego style snap-together system integration) are pretty small.
Look at the iPhone 6. At about $700 retail, an iPhone 6 costs about 1/20 of the phone in question. At $14K, how many of these things do you think Sirin will ship? Well, whatever that gross units sold may be, people were talking at the end of last year about a slowdown in iPhone sales because Apple shipped "only" seventy-four frickin' million of them in the last quarter. What can you do with big economies of scale? You can design something like the A8 chip, which puts a pretty serious crypto-coprocessor on the CPU die so that sensitive information like encryption keys can't be read off the system bus. Does that make the iPhone 6 more secure than the San Bernardino iPhone 5 the FBI hacked? Not necessarily, because security is a system property. But it shuts off entire lines of attack where you analyze the phone in an EE lab. That's like putting a massive steel back door on your house; it's no guarantee you didn't leave a first floor window open.
There's really only one way something like this is likely to end up more secure than an iPhone 6 with encrypted storage, and that's monkeying with the security/convenience trade-off. The impressive thing about the iPhone 6's security isn't how tough it is to break (which nobody can be sure of until they try), but how much thought went into securing it without imposing any kind of user experience cost. If you're willing to impose some inconvenience on users, that would enable you to add security without assembling a committee of genius crypto and UX experts. For example you could replace a four digit user-chosen PIN with a seven digit randomly chosen PIN.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
You really do know next to nothing about security, it seems.
What custom hardware? Everything described sounds like COTS hardware.
> I'd suspect the market for a $14,000 phone is kinda slim
Well, the market for cell phones is in the billions. If they only sell to 0.01% of the richest and stupidest of possible customers, that's a billion dollars of sales.
Heck, if they just sell seventy or eighty of them, that's a million dollars. Not bad for a hundred dollars worth of hardware and some coding that none of the users are likely to understand anyway.
I'm wondering at what point we'll have a phone that is a hypervisor or physical cluster under the hood, capable of delivering a virtual environment or separate physical environment for secure access.
All the insecure shit like Facebook or other dubious software applications could go in its own VM or on the "insecure" side, along with the baseband hardware. It'd be nice to be able to deploy multiple VMs for various security levels.
At $14k you'd think they would round off the corners, but instead they made them taper into points. I see complaints of them wearing holes in Armani's suits left and right.
Not true, you can have a device connected to insecure networks and still be secure by requiring VPN connectivity for everything.
The real security threat is physical access to the phone itself, but you can reduce that threat as well with encryption and strong passwords to key elements.
Toss out all the "valuable" materials (I don't give a shit if the phone is out of brushed steel or plastic, what matters is that I notice if it's been tampered with), lose the camera (privacy also means no picture), lose the insane resolution screen (it's a phone. As long as it can display numbers and letters we'll be fine). Then we're talking about a device for the security conscious, not yet another toy for people with more money than brains.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The only way to secure a modern smartphone is to shut it off, remove the battery, and then snap the thing into two pieces and then run the pieces through a shredder.
And even then I'm not so certain about it being secure.
Let's face it: once you make a call, at least the carrier and most likely the NSA, has metadata on your call. Does the phone come with a secure carrier that answers to no one? Didn't think so. Then there's GPS tracking. Then there's looking over your shoulder at the screen. Then there's the OS itself, Android, which is full of holes.
Then there's downloaded Apps phoning home information about you. You could have a $14,000 phone, but if you download Facebook you're borked security-wise. Or do you use Uber? Forget security at that point.
In short, what they are selling is a fraud. There's no way to really secure a smartphone, and anyone selling you an expensive bauble claiming security is either lying to steal your money, or is too stupid to know they are lying.
If telephones are outlawed, then only outlaws will have telephones.
Selling a secure phone (whatever that even means) but with such weeping, drooling, confident marketing speak... Well, they are just begging to be a target. This is assuming they have written their own super-duper security software version 1.0. Either this is total bullshit or they will end up with egg on their face courtesy of their hubris. Hell, if I can bypass the lock screen on an encrypted BlackBerry...
Second comment
A fool and his money are soon parted.
Brought to you by Carl's Junior.
> built with the best materials from around the world
If they aren't using Monster cables, I'm not buying it.
..to read about the guy with more money than sense who buys this phone and then accidentally drops it down the toilet during a call.