Neo900: Crafting The Private Phone
![Page 1: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/1.jpg)
Neo900
Crafting The Private Phone
Sebastian Krzyszkowiak
dos
http://dosowisko.net/
OHSW 2014
Garching, 29.11.2014
CC-BY-SA 4.0
http://neo900.org/stuff/ohsw2014/
![Page 2: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/2.jpg)
Neo900
Merge of GTA04 and Nokia N900... and beyond
http://neo900.org/
Neo900
The truly open smartphone that cares about your privacy.
![Page 3: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/3.jpg)
Neo900
● TI OMAP3 DM3730 @ 1 GHz
● 1 GB RAM
● 512 MB NAND + 32/64 GB eMMC
● Cinterion PHS8/PLS8 modem (LTE)
● GPS/GLONASS
● Dualtouch resistive screen
● Modem sandbox and monitoring solution
● Hackerbus
● http://neo900.org/specs
![Page 4: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/4.jpg)
The Hardware Problem
● I'm the admin of my PC. Why can't I be the admin of my phone as well?
● We don't use App Stores on PCs. Why should we need them on phones?
● We can choose from hundreds of systems to install on PC. Why can't we do that on mobiles as well?
![Page 5: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/5.jpg)
The Hardware Problem
![Page 6: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/6.jpg)
The Hardware Problem
Does a cellphone really differ so much from your average laptop?
It doesn't. It's just smaller and more integrated.
![Page 7: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/7.jpg)
The Hardware Problem
● Lack of documentation
● Closed components
● Porting – the neverending story
● Upstream? In your dreams.
● Planned obsolescence
● When you have to break into your own device in order to use it as you wish, something is completely wrong!
![Page 8: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/8.jpg)
Privacy
![Page 9: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/9.jpg)
How can your privacy suffer?
● Data on your storage gets damaged or destroyed
● Data gets leaked via:
  – The Internet
  – Other wireless technology
  – Removable media
● Your life gets spied on:
  – Location tracking
  – Audio/video eavesdropping
  – Logging your activities, collecting metadata
![Page 10: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/10.jpg)
Privacy?
● Turns out a good, open, hackable device is a perfect first step towards better privacy.
![Page 11: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/11.jpg)
Baseband processor
● A big, proprietary black box.
● Known to often be vulnerable.
● All Your Baseband Are Belong To Us
  Ralf-Philipp Weinmann, Black Hat conf 2011
![Page 12: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/12.jpg)
Baseband processor
● Having control over the main operating system (like Android) is not enough
● Main problem with projects like Blackphone
![Page 13: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/13.jpg)
Baseband processor
● The baseband is often tightly integrated with the rest of the system
  – Direct connection to microphone
  – Direct Memory Access
![Page 14: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/14.jpg)
Baseband processor
![Page 15: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/15.jpg)
Baseband processor
![Page 16: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/16.jpg)
Baseband processor
![Page 17: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/17.jpg)
Baseband processor
![Page 18: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/18.jpg)
Baseband processor
![Page 19: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/19.jpg)
Baseband processor
![Page 20: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/20.jpg)
Baseband processor
![Page 21: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/21.jpg)
Open baseband?
● Unfortunately, it's not going to happen, for both economic and legal reasons.
● Basebands are cryptographically locked and any change in their firmware results in revocation of their certification, rendering them illegal to use in public networks.
![Page 22: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/22.jpg)
OsmocomBB
● Open baseband firmware
● Runs on TI Calypso (the same as in GTA01/02)
● Illegal to use as a phone outside the lab
● http://bb.osmocom.org
![Page 23: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/23.jpg)
Open baseband?
● However, open baseband does not magically fix all the privacy problems.
![Page 24: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/24.jpg)
The threats
● Tracking
  – Trilateration based (IPL, OTDOA, E-OTD, U-TDOA)
  – GPS-assisted (RRLP)
● Eavesdropping
● Data leakage
● Security bugs in firmware, SIM cards
● Direct access to main RAM
![Page 25: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/25.jpg)
The threats
● GSM hacking
  – It's not hard to do fun rogue stuff with GSM.
  – Encryption (A5/1, A5/3) was broken long ago
    ● It was actually deliberately weakened in specs to make the life of governmental surveillance agencies easier.
  – Denial of Service attacks are easy
  – The only „protection” is... illegality
![Page 26: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/26.jpg)
„Private Phone”
Private Trustable Open
![Page 27: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/27.jpg)
Not solvable
● Eavesdropping of calls
● Eavesdropping of Internet connection
● Trilateration while connected to the network
It can (and does) happen outside of the device or is necessary for it to function. Aside from encryption, there's nothing we can do against it.
![Page 28: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/28.jpg)
Neo900 concept
● Counter-surveillance rather than audit and trust
● Everything not 100% in control is considered rogue
● Rogue stuff is sandboxed and constantly monitored
![Page 29: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/29.jpg)
Neo900 design
The baseband processor is locked into a cage
[Diagram; surviving labels: "breaker" (twice)]
![Page 30: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/30.jpg)
Neo900 design
● If the modem is compromised, the main system remains safe (use the encryption, Luke)
● If the modem is supposed to be off, but it isn't – we know that and react accordingly before anything bad happens
● If the GPS is in use when not requested – we know that but the antenna will be disabled anyway
● If the modem tries to record audio when not requested – we know that but it won't be able to do it
![Page 31: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/31.jpg)
Neo900 design
● When the modem acts badly, the user is notified, and an automatic hard reset via the emergency_off line and/or a hard shutdown by cutting power can be applied.
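The rules from the last two design slides, written out as an added C sketch that is not Neo900 project code: the antenna and audio gates follow only what the main system requested, while detection of unrequested activity drives the alarm and the reset. All identifiers are hypothetical, and trying emergency_off before cutting power is an assumed escalation order.

```c
#include <stdbool.h>
#include <stdio.h>

/* All names here are hypothetical; the slides give the rules, not an API. */
enum {
    ACT_NOTIFY        = 1 << 0, /* alarm the user */
    ACT_EMERGENCY_OFF = 1 << 1, /* hard reset via the emergency_off line */
    ACT_CUT_POWER     = 1 << 2  /* hard shutdown by cutting modem power */
};

struct state {
    bool want_modem, want_gps, want_audio; /* requested by the main system */
    bool seen_modem, seen_gps, seen_audio; /* measured by the monitor */
    bool reset_tried;                      /* emergency_off already pulsed */
};

struct gates { bool gps_antenna, audio_path; };

/* Enforcement: gates follow requests only, never the modem's own claims,
 * so an unrequested GPS fix or recording fails even if detection misses it. */
struct gates gates_for(const struct state *s)
{
    struct gates g = { s->want_gps, s->want_audio };
    return g;
}

/* Detection: any unrequested activity raises the alarm; a modem that stays
 * on when it should be off is reset, then (assumed order) loses power. */
unsigned react(const struct state *s)
{
    unsigned act = 0;
    if ((s->seen_gps && !s->want_gps) || (s->seen_audio && !s->want_audio))
        act |= ACT_NOTIFY;
    if (s->seen_modem && !s->want_modem)
        act |= ACT_NOTIFY | (s->reset_tried ? ACT_CUT_POWER : ACT_EMERGENCY_OFF);
    return act;
}

int main(void)
{
    /* Constructed scenario: modem was switched off but is still active. */
    struct state s = { .seen_modem = true, .seen_gps = true };
    struct gates g = gates_for(&s);
    printf("gps=%d audio=%d actions=0x%x\n",
           g.gps_antenna, g.audio_path, react(&s));
    return 0;
}
```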
![Page 32: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/32.jpg)
Neo900 concept
● This way, when something fishy is going on, software kicks off an alarm to make the user take effective measures to stop the threat:
  – Removing the battery
  – Destroying the device
  – Hiding it under the seat in a bus and leaving
● With basic solutions like an external power switch, the user is not aware that his device has been tampered with.
  – ...but it can be used post-mortem
![Page 33: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/33.jpg)
Neo900 design
● Our monitoring approach can also reveal some „rogue” activities from outside – like packet-storms at airports.
https://www.schneier.com/blog/archives/2014/04/gogo_wireless_a.html#c5459667
![Page 34: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/34.jpg)
Neo900 design
● In the end, it's the user who gets full control over how their device works and how it reacts to possible threats.
● Staying secure may need some effort, but without it there's only a false sense of security – which is even worse than no security at all.
![Page 35: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/35.jpg)
Interesting resources
● https://srlabs.de/rooting-sim-cards/
● https://srlabs.de/gsmmap/
● http://openbsc.osmocom.org/trac/raw-attachment/wiki/FieldTests/HAR2009/har2009-gsm-report.pdf
● https://media.blackhat.com/bh-dc-11/Perez-Pico/BlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdf
● http://events.ccc.de/congress/2008/Fahrplan/events/2997.en.html
![Page 36: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/36.jpg)
SIMtrace
● Osmocom SIMtrace is a software and hardware system for passively tracing SIM-ME communication between the SIM card and the mobile phone.
http://bb.osmocom.org/trac/wiki/SIMtrace
![Page 37: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/37.jpg)
Neo900: current status
● Almost 400 devices already „preordered”
  – That's twice as much as we needed to proceed
● Most of the design finished
● Schematics catching up with the design
● Sourcing is tough – components slowly fade away in the market
![Page 38: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/38.jpg)
Neo900: current status
http://neo900.org/stuff/block-diagrams/
![Page 39: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/39.jpg)
Neo900: next steps
● Sourcing the risk parts (like 1GB RAM)
● Ordering the cases
● BB-xM based proto_v2 expected in February
![Page 40: Neo900: Crafting The Private Phone](https://reader033.fdocuments.net/reader033/viewer/2022042816/559974fb1a28abe47e8b4870/html5/thumbnails/40.jpg)
Thank you!
http://neo900.org/stuff/ohsw2014/
http://neo900.org/resources/
Q&A: IRC - #neo900 on Freenode
http://webchat.freenode.net/?channels=neo900