posted by martyb on Tuesday March 26 2019, @09:28AM   Printer-friendly
from the remember-DIP-switches-and-jumpers? dept.

Like with our Librem laptops, our Librem 5 smartphone will also feature kill switches; but unlike the laptops it will have three kill switches, not just two:

        cameras and microphone
        WiFi and Bluetooth
        cellular baseband

Later in this post I’m going to describe an exciting new feature for our Librem 5 phone we are calling “Lockdown Mode” that extends our normal kill switches to provide even more security and privacy.

[...]One big challenge when protecting your privacy on a phone is that, unlike an average laptop, a phone is full of more sensors and other hardware that could be used for tracking and spying. A lot of security research over the past decade has demonstrated just how much information can be derived by seemingly harmless sensors that are included on a phone.

[...]While we could add kill switches for every individual piece of hardware, having three kill switches already pushes the limits with respect to space on the phone, the complexity of the hardware and the overall user experience. So if you set the upper limit on kill switches to three, there are a number of different ways you can address the problem with these extra sensors including:

        Only disable those sensors with software
        Group sensors with one or more existing kill switches
        Lockdown Mode

We have thought through all of these different options, among others, and we decided that it was better to offer the option for extra security to those who really need it. We have selected a solution we are calling Lockdown Mode, that gives people who need this extra level of protection the option to turn all sensors off easily, without imposing extra complexity on an average user.

[...]To trigger Lockdown Mode, just switch all three kill switches off. When in Lockdown Mode, in addition to powering off the cameras, microphone, WiFi, Bluetooth and cellular baseband we also cut power to GNSS, IMU, and ambient light and proximity sensors. Lockdown Mode leaves you with a perfectly usable portable computer, just with all tracking sensors and other hardware disabled.

https://puri.sm/posts/lockdown-mode-on-the-librem-5-beyond-hardware-kill-switches/



Related Stories

Librem 5 Smartphone Final Specs Released! 23 comments

Purism has finally released the specs of the up and coming Librem 5 smartphone!
Librem 5 Specs
What are your initial reactions?

Though I'm not a hardware expert by a long shot, I'm not incredibly impressed with the specs. I do feel that smartphone hardware has been "good enough" for most uses for a while now and I know they have to start somewhere. What has not been good enough is freedom, flexibility, and, you know, actual ownership of the device. Sure you could get some level of freedom by jumping through a bunch of hoops, but who has time for that? Also, in case you haven't been paying attention, most of the work-arounds are becoming more and more difficult, if not impossible to implement.

Like it or not, smartphones are the way most people interact with computers, and beyond the basics for survival, are probably among the most important of our possessions. I want devices that I control and I want my kids and grand-kids to live in a world where they don't have to be the "product". In the wake of so many failed open-smartphones, is there any way Purism has a shot?

Previously:
Lockdown Mode on the Librem 5: Beyond Hardware Kill Switches
Librem 5 Dev Kits Are Shipping
Progress Update From the Librem 5 Hardware Department



This discussion has been archived. No new comments can be posted.
  • (Score: 2) by NateMich on Tuesday March 26 2019, @10:17AM (4 children)

    by NateMich (6662) on Tuesday March 26 2019, @10:17AM (#820022)

    I only have two real concerns about this device:
    1) The hardware is laughably outdated
    2) There will probably never even be as many apps as on fdroid currently.

    It's too bad really, because a Linux phone would be something I'd really like and would even pay that kind of money for.

    • (Score: 4, Insightful) by MostCynical on Tuesday March 26 2019, @10:37AM (2 children)

      by MostCynical (2589) on Tuesday March 26 2019, @10:37AM (#820031) Journal

      Phone. Possibly voip calls. SMS.

      That is all a mobile phone needs.

      Add a browser, remove the need for many "apps"

      Why does a phone have to double as a tablet or tiny laptop?

      --
      "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
      • (Score: 5, Insightful) by Pino P on Tuesday March 26 2019, @12:23PM

        by Pino P (4721) on Tuesday March 26 2019, @12:23PM (#820058) Journal

        Why does a phone have to double as a tablet or tiny laptop?

        Because users want "a tablet or tiny laptop" to use while out and don't feel like carrying two devices.

      • (Score: 0) by Anonymous Coward on Thursday March 28 2019, @02:50PM

        by Anonymous Coward on Thursday March 28 2019, @02:50PM (#821334)

        because it hasn't really been a phone for more than a decade
        it is a personal portable computing and sensor device... that also has the ability to impersonate a phone

    • (Score: 2) by urza9814 on Wednesday March 27 2019, @01:57PM

      by urza9814 (3954) on Wednesday March 27 2019, @01:57PM (#820632) Journal

      I've seen some discussion already about porting LineageOS to the Librem, and I can't imagine it would be THAT difficult given the open nature of the device. So there's a pretty decent possibility that you WILL be able to use Android if you really want it. Personally I'm kinda hoping for a dual boot option.

      And yes, the hardware is a bit dated, and it probably always will be on projects like this until/unless they become a bit more mainstream. But it does appear to be past the point of "good enough for damn near everything". There was once a time when a two year old smartphone would be horribly slow and nearly unusable. But I'm currently using a five year old device and have never once felt like it wasn't powerful enough*. You can have the latest and greatest CPU, largely for bragging rights since it doesn't make much difference in daily operation...or you can have an open and secure device. Seems like a reasonable trade to me.

      * Of course, some of the slowness that people often experience also comes from using the stock rom that keeps getting updated with more and more bloatware to "make use of" newer and faster CPUs. Strip all of that crap out and you really don't need a top tier processor.

  • (Score: 2) by FatPhil on Tuesday March 26 2019, @10:29AM (6 children)

    by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Tuesday March 26 2019, @10:29AM (#820026) Homepage
    If you trust the power management chip, and you trust the OS, then these switches should be unnecessary because there's already a pair of switches to each of the peripherals - namely their power domain and their clock domain. Without power they'll do nothing, without a clock they'll go nowhere. If you trust the OS, then you can use it to tell you the status of each individual, and group, power and clock domain in the tree, and thus verify that whatever software switch you toggled really did turn the hardware off. If the PMU's lying to you, you should be able to see that on an ammeter - you should be able to idle the CPU at only milliamps, and any other peripheral should be noticeable relative to that floor. Needing a physical switch just seems overly paranoid in a situation where you can verify the state.

    Of course, you could justify it as being a shortcut for a commonly-requested operation - but is it really?
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
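Added example, not part of the comment above or of the original page: one way to do the software-side check the comment describes, by parsing a dump of the Linux common clock framework's debugfs file `/sys/kernel/debug/clk/clk_summary` and classifying watched peripheral clocks. The sample dump and every clock name in it are constructed for illustration, and the result is only as trustworthy as the kernel that reports it.

```python
"""Check whether watched peripheral clocks are gated, from a clk_summary dump."""

# Constructed sample in the layout of /sys/kernel/debug/clk/clk_summary:
# name, enable_cnt, prepare_cnt come first; later columns vary by kernel
# version. Clock names are invented, not taken from a Librem 5.
SAMPLE = """\
   clock                         enable_cnt  prepare_cnt        rate   accuracy   phase
----------------------------------------------------------------------------------------
 osc_25m                                  1            1    25000000          0 0
    sys_pll                               1            1   800000000          0 0
       wifi_sdio_clk                      1            1   200000000          0 0
       camera_csi_clk                     0            0   133000000          0 0
    audio_pll                             0            0   786432000          0 0
       mic_sai_clk                        0            0    24576000          0 0
"""


def parse_clk_summary(text):
    """Return {clock_name: (enable_cnt, [ancestor names, root first])}."""
    clocks, stack = {}, []  # stack holds (indent, name) of the open ancestors
    for line in text.splitlines():
        fields = line.split()
        # Data rows are a name followed by an integer enable count;
        # header, ruler and blank lines are not.
        if len(fields) < 3 or not fields[1].isdigit():
            continue
        indent = len(line) - len(line.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()  # left the subtree of that clock
        clocks[fields[0]] = (int(fields[1]), [name for _, name in stack])
        stack.append((indent, fields[0]))
    return clocks


def audit(text, watched):
    """Classify each watched clock as 'gated', 'running' or 'missing'."""
    clocks = parse_clk_summary(text)
    report = {}
    for name in watched:
        if name not in clocks:
            # Fail closed: a clock we cannot find is not proof of "off".
            report[name] = "missing"
        elif clocks[name][0] > 0:
            report[name] = "running"
        else:
            report[name] = "gated"
    return report


def verified_off(text, watched):
    """True only if every watched clock is present and has enable_cnt == 0."""
    return all(state == "gated" for state in audit(text, watched).values())


if __name__ == "__main__":
    watched = ["wifi_sdio_clk", "camera_csi_clk", "mic_sai_clk", "gnss_uart_clk"]
    clocks = parse_clk_summary(SAMPLE)
    for name, state in audit(SAMPLE, watched).items():
        path = "/".join(clocks[name][1] + [name]) if name in clocks else name
        print(f"{state:8} {path}")
    print("all watched peripherals off:", verified_off(SAMPLE, watched))
```

On a real device the text would come from reading the debugfs file as root before and after toggling the software switch; the same approach applies to the regulator (power) tree.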
    • (Score: 2) by NateMich on Tuesday March 26 2019, @10:33AM

      by NateMich (6662) on Tuesday March 26 2019, @10:33AM (#820028)

      Those are good points. When I turn off wifi or mobile data on my android phone, I can see the difference in battery life without any doubt. I suppose they could still occasionally kick on and scan something though, which wouldn't satisfy someone if they're that paranoid about it.

    • (Score: 5, Insightful) by Anonymous Coward on Tuesday March 26 2019, @11:46AM

      by Anonymous Coward on Tuesday March 26 2019, @11:46AM (#820052)

      Too many "ifs". With a mechanical switch (and an X-ray of the circuit board that shows no extra traces that could circumvent the switch), off really means off.

    • (Score: 4, Insightful) by TheFool on Tuesday March 26 2019, @12:32PM

      by TheFool (7105) on Tuesday March 26 2019, @12:32PM (#820060)

      It is the only truly correct way to go about it. But yes, it's probably overkill for most.

      Trusting a piece of software to be bug-free is a very bold statement (some might claim it's an impossible one), and the OS is only software. So, no, I can't trust it. I can accept that I can't trust it - but if one couldn't accept that, a physical switch is a good solution. It's near fool-proof, though I suppose depending on the location of the switches you might accidentally toggle them when putting the phone in a pocket or something.

      If the entity you are worried about is close enough to flip the switches back, well... they already have your phone in their hands, and they're already concerned enough with you to pay you a visit. You might have bigger problems.

    • (Score: 3, Insightful) by rigrig on Tuesday March 26 2019, @12:43PM (1 child)

      by rigrig (5129) <soylentnews@tubul.net> on Tuesday March 26 2019, @12:43PM (#820062) Homepage

      If you trust the power management chip, and you trust the OS

      I might trust Purism to not insert any (intentional) malware, but bugfree 100% secure software is a myth.
      Simple hardwired switches are much less likely to be affected by any of the upcoming kernel/CPU/RAM security issues.

      --
      No one remembers the singer.
      • (Score: 3, Interesting) by pTamok on Tuesday March 26 2019, @01:49PM

        by pTamok (3042) on Tuesday March 26 2019, @01:49PM (#820084)

        ...bugfree 100% secure software is a myth

        I agree.

        If it is simple enough to be demonstrably bug-free, then it is not complex enough to be useful. (cf Gödel's incompleteness theorems)

        Note that even in formally-proven code, there is a meta-problem of assuring that the code actually implements the intentions of the designer. As the intentions can be open-ended, there is no process for demonstrating that the code meets all possible intentions of the designer. It is an 'unknown unknowns' problem, or as Iain M. Banks might have put it, the problem of how to deal with unknown, and unknowable Outside Context Problems [wikipedia.org].

        If you operate code in a virtual sandbox that is isolated from the real universe, then you can demonstrate that it operates as designed/intended within the constraints of the unreal/logical world you are analysing. Unfortunately, code has to operate in the real world, on imperfect hardware, subject to challenges not envisaged by the designers. As a result, anyone giving you a '100% security guarantee' is lying - either to themselves, because they do not understand the scope of the problem and think that they do, or to you, because they are knowingly selling you snake-oil.

        Being able to physically turn off the power acts as a pretty good backstop.

    • (Score: 2) by Immerman on Tuesday March 26 2019, @02:41PM

      by Immerman (3985) on Tuesday March 26 2019, @02:41PM (#820099)

      >if...you trust the OS

      That's just it though - you can never completely trust the OS. Even if it's not malicious in any way, it's also basically guaranteed to not be perfect, and so malware will inevitably be able to bypass any software restrictions.

      As for seeing the evidence on an ammeter - assuming the hardware wasn't shut down when the CPU was idled, that's true. But how many people do you know who want to keep an ammeter in their pocket to keep a constant eye on the trustworthiness of their phone? After all, if it's been compromised by, say, an intelligence agency wanting to bug you, they're not necessarily going to be recording everything all the time - especially if they know you routinely audit your phone, they're only going to be listening when they think they're likely to hear something useful.

      It's not like you can just install the software you want, test it thoroughly, and then be confident that you're safe. Not so long as you're connected to the internet so that you could be hacked at any moment, and visit websites that might carry all manner of sandbox-escaping malware.

      It's an interesting idea though, and it should be fairly trivial to build completely independent hardware into the phone that can actually monitor the power state of at least the various external sensor modules and display their status on a line of LEDs - just glance at the back of your phone, and you can tell exactly which sensors are currently on.

  • (Score: 0) by Anonymous Coward on Tuesday March 26 2019, @04:13PM (2 children)

    by Anonymous Coward on Tuesday March 26 2019, @04:13PM (#820137)

    Remove the battery... What? You can't? Oopsy Daisy! Be careful what you buy..

    Sorry folks, but if the machine has power, it is being tracked.

    • (Score: 0) by Anonymous Coward on Tuesday March 26 2019, @04:17PM

      by Anonymous Coward on Tuesday March 26 2019, @04:17PM (#820139)

      if the machine has power, it is being tracked.

      Well, not always [reynoldskitchens.com]

    • (Score: 2) by urza9814 on Wednesday March 27 2019, @01:50PM

      by urza9814 (3954) on Wednesday March 27 2019, @01:50PM (#820625) Journal

      Yes you can.

      the Librem 5 will include non-soldered, easily serviceable batteries

      https://puri.sm/products/librem-5/ [puri.sm]

  • (Score: 2) by hemocyanin on Tuesday March 26 2019, @07:07PM (6 children)

    by hemocyanin (186) on Tuesday March 26 2019, @07:07PM (#820230) Journal

    That's a long explanation that doesn't answer my question. I'm sort of feeling put off by Librem's marketing-ese. Anyway, is lockdown mode a physical disconnection or a software signal based on the position of three switches?

    If it is just a software signal based on three switches being set to off: totally and utterly not impressed. We have that already with every phone in existence.

    If it physically breaks the power feed to all the extraneous sensors when all switches are set to off, that's acceptable though not perfect -- if you need GPS for example, you have to leave something else open to get there. Honestly, it would be better to have a 4th "everything else" switch. If there isn't room now, make the phone a smidge bigger because this device is going to appeal to people who value function over form. Appealing to the form over function people is useless -- they'll stick with their iPhone or glitzy Samsung and so they'll end up with a phone that pleases nobody and fails.

    • (Score: 0) by Anonymous Coward on Tuesday March 26 2019, @08:40PM (5 children)

      by Anonymous Coward on Tuesday March 26 2019, @08:40PM (#820291)

      That's a long explanation that doesn't answer my question. I'm sort of feeling put off by Librem's marketing-ese. Anyway, is lockdown mode a physical disconnection or a software signal based on the position of three switches?

      It says right in the summary:

      When in Lockdown Mode, in addition to powering off the cameras, microphone, WiFi, Bluetooth and cellular baseband we also cut power to GNSS, IMU, and ambient light and proximity sensors.

      • (Score: 2) by hemocyanin on Tuesday March 26 2019, @10:30PM (4 children)

        by hemocyanin (186) on Tuesday March 26 2019, @10:30PM (#820378) Journal

        There is too much junk there: "powering off ...." this clearly suggests shutdown on signal, ie, software switch. "Cut power" -- that sounds more like a physical disconnection but it may not be. The marketing-ese is getting in the way of clarity and I don't actually know if what they are talking about is a software off or a physical off.

        • (Score: 0) by Anonymous Coward on Tuesday March 26 2019, @11:23PM (3 children)

          by Anonymous Coward on Tuesday March 26 2019, @11:23PM (#820398)

          No, it really isn't marketing-ese. It is very clear they are referring to a hardware switch if you read it.

          • (Score: 3, Informative) by hemocyanin on Wednesday March 27 2019, @05:34AM (2 children)

            by hemocyanin (186) on Wednesday March 27 2019, @05:34AM (#820495) Journal

            No -- look at the second option: " Group sensors with one or more existing kill switches"

            You are saying that "lockdown mode" is entered by setting three kill switches. IF that was the case, then why mention "lockdown mode" at all -- it would be totally redundant.

            If you follow the link, they have this paragraph:

            The Future of Lockdown Mode

            There is a lot of potential to extend Lockdown Mode past just disabling hardware into software, and we are exploring some of those options now. For instance, the OS could detect when Lockdown Mode is enabled and automatically lock your screen. Those who are under even greater threats could potentially have Lockdown Mode enable extra defenses inside the OS, disable certain services, or even shut down or wipe the phone (although I’d suggest you set up some kind of PIN prompt for that last one, in case you trigger all the switches by accident). There are a lot of possibilities for this new feature and I’m looking forward to seeing how our customers extend it on their own phones.

            ALL that stuff is based on software interpreting switch signals. So this leaves me to wonder what "lockdown mode" really is because nowhere in the article do they say it is a hardware break in the circuit, nor do they come out and say it is using switches as software signals. The materials have that breathless marketingese that makes it really hard to understand what the fuck they are doing.

            • (Score: 0) by Anonymous Coward on Thursday March 28 2019, @03:15PM (1 child)

              by Anonymous Coward on Thursday March 28 2019, @03:15PM (#821348)

              So basically they have
              1) hardware kill switch for the cellular modem (which is on a separate removable m2 card)
              2) hardware kill switch for wifi+bluetooth
              3) hardware kill switch for camera+microphone

              that leaves a whole bunch of sensors (GNSS, IMU, ambient light, proximity sensors, ...) that can also be used to gather privacy-sensitive data by malicious apps (which could then be sent by the malicious app whenever you re-enable the network)

              the lockdown mode, is a software mode that deprives all those other sensors of power when all 3 hardware kill switches are off

              • (Score: 2) by hemocyanin on Thursday March 28 2019, @04:09PM

                by hemocyanin (186) on Thursday March 28 2019, @04:09PM (#821377) Journal

                So in other words, it's just another method of telling the phone's software to please shut down $sensor and you have to trust the software to actually do it. That's the issue hardware switches are meant to cure and their full page "explanation" doesn't make that in any way clear. Their marketing materials sound so much like "but wait, there's more!!!!" as they go on to hide in glowing excessive verbiage the fact that it is doing what we don't want. That annoys me about Librem.

  • (Score: 0) by Anonymous Coward on Tuesday March 26 2019, @10:14PM (4 children)

    by Anonymous Coward on Tuesday March 26 2019, @10:14PM (#820370)
    • (Score: 2) by hemocyanin on Wednesday March 27 2019, @05:38AM (3 children)

      by hemocyanin (186) on Wednesday March 27 2019, @05:38AM (#820497) Journal

      When I first read that I was on Librem's side but I did look at their website marketing materials and the only people who would understand that there is no privacy when the radios are on, are the people who already understand that. You would think a company producing a phone with a privacy bias would make it stark raving clear how and when the phone protects your privacy, but they don't and I don't think that is very honest.

      I still want one of these but only because there is no competition.

      • (Score: 2) by urza9814 on Wednesday March 27 2019, @02:09PM (2 children)

        by urza9814 (3954) on Wednesday March 27 2019, @02:09PM (#820643) Journal

        the only people who would understand that there is no privacy when the radios are on, are the people who already understand that.

        In other words, most of their target market? It's not like this thing is going to be selling to business executives to replace their iPhone...seems to me that this thing is mostly targeted to Linux nerds like myself.

        • (Score: 2) by hemocyanin on Wednesday March 27 2019, @05:51PM (1 child)

          by hemocyanin (186) on Wednesday March 27 2019, @05:51PM (#820813) Journal

          If their target market was those who already understand, why did they write the website in such a manner that it would entice those who don't understand into a false sense of security? I'm bothered by that.

          • (Score: 1, Insightful) by Anonymous Coward on Wednesday March 27 2019, @06:21PM

            by Anonymous Coward on Wednesday March 27 2019, @06:21PM (#820838)

            whoever writes their press releases is a bit of a moron. they do this all the time. they don't seem to understand who their market/demo is. they are selling something only privacy and freedom conscious people would be looking for, but they advertise to the ignorant masses. pretty fucking stupid.
