NSA whistleblower Edward Snowden has been working with hardware hacker Andrew “bunnie” Huang to develop a way for smartphone users to monitor whether their devices are making any potentially compromising radio transmissions.
“Trusting a phone that has been hacked to go into airplane mode is like trusting a drunk person to judge if they are sober enough to drive.”
The Intercept: Since a smartphone can essentially be made to lie about the state of its radios, the goal of Snowden and Huang’s research, according to their post, is to “provide field-ready tools that enable a reporter to observe and investigate the status of the phone’s radios directly and independently of the phone’s native hardware.” In other words, they want to build an entirely separate tiny computer that users can attach to a smartphone to alert them if it’s being dishonest about its radio emissions.
Snowden and Huang are calling this device an “introspection engine” because it will inspect the inner workings of the phone. The device will be contained inside a battery case, looking similar to a smartphone with an extra bulky battery, except with its own screen to update the user on the status of the radios. Plans are for the device to be able to sound an audible alarm and possibly also to come equipped with a “kill switch” that can shut off power to the phone if any radio signals are detected. “The core principle is simple,” they wrote in the blog post. “If the reporter expects radios to be off, alert the user when they are turned on.”
Against the Law: Countering Lawful Abuses of Digital Surveillance, paper by Andrew ‘bunnie’ Huang and Edward Snowden:
Our introspection engine is designed with the following goals in mind:
- Completely open source and user-inspectable (“You don’t have to trust us”)
- Introspection operations are performed by an execution domain completely separated from the phone’s CPU (“don’t rely on those with impaired judgment to fairly judge their state”)
- Proper operation of introspection system can be field-verified (guard against “evil maid” attacks and hardware failures)
- Difficult to trigger a false positive (users ignore or disable security alerts when there are too many positives)
- Difficult to induce a false negative, even with signed firmware updates (“don’t trust the system vendor” – state-level adversaries with full cooperation of system vendors should not be able to craft signed firmware updates that spoof or bypass the introspection engine)
- As much as possible, the introspection system should be passive and difficult to detect by the phone’s operating system (prevent black-listing/targeting of users based on introspection engine signatures)
- Simple, intuitive user interface requiring no specialized knowledge to interpret or operate (avoid user error leading to false negatives; “journalists shouldn’t have to be cryptographers to be safe”)
- Final solution should be usable on a daily basis, with minimal impact on workflow (avoid forcing field reporters into the choice between their personal security and being an effective journalist)