Against the Law: Countering Lawful Abuses of Digital Surveillance

Andrew ‘bunnie’ Huang, Edward Snowden

Front-line journalists are high-value targets, and their enemies will spare no expense to silence them. Unfortunately, journalists can be betrayed by their own tools. Their smartphones are also the perfect tracking device. Because of the precedent set by the US’s “third-party doctrine,” which holds that metadata on such signals enjoys no meaningful legal protection, governments and powerful political institutions are gaining access to comprehensive records of phone emissions unwittingly broadcast by device owners. This leaves journalists, activists, and rights workers in a position of vulnerability. This work aims to give journalists the tools to know when their smart phones are tracking or disclosing their location when the devices are supposed to be in airplane mode. We propose to accomplish this via direct introspection of signals controlling the phone’s radio hardware. The introspection engine will be an open source, user-inspectable and field-verifiable module attached to an existing smart phone that makes no assumptions about the trustability of the phone’s operating system.

Introduction and Problem Statement

Front-line journalists risk their lives to report from conflict regions. Casting a spotlight on atrocities, their updates can alter the tides of war and outcomes of elections. As a result, front-line journalists are high-value targets, and their enemies will spare no expense to silence them. In the past decade, hundreds of journalists have been captured, tortured and killed. These journalists have been reporting in conflict zones, such as Iraq and Syria, or in regions of political instability, such as the Philippines, Mexico, and Somalia.

Unfortunately, journalists can be betrayed by their own tools. Their smartphones, an essential tool for communicating with sources and the outside world – as well as for taking photos and authoring articles – are also the perfect tracking device. Legal barriers barring the access to unwitting phone transmissions are failing because of the precedent set by the US’s “third-party doctrine,” which holds that metadata on such signals enjoys no legal protection. As a result, governments and powerful political institutions are gaining access to comprehensive records of phone emissions unwittingly

broadcast by device owners. This leaves journalists, activists, and rights workers in a position of vulnerability. Reporter Marie Colvin’s 2012 death is a tragic reminder of how real this vulnerability can be. A lawsuit against the Syrian government filed in 2016 alleges she was deliberately targeted and killed by Syrian government artillery fire. The lawsuit describes how her location was discovered in part through the use of intercept devices that monitored satellite-dish and cellphone communications. [1]

Turning off radios by entering airplane mode is no defense; for example, on iPhones since iOS 8.2, GPS is active in airplane mode. Furthermore, airplane mode is a “soft switch” – the graphics on the screen have no essential correlation with the hardware state. Malware packages, peddled by hackers at a price accessible by private individuals, can activate radios without any indication from the user interface; trusting a phone that has been hacked to go into airplane mode is like trusting a drunk person to judge if they are sober enough to drive.

This work aims to give journalists the tools to know when their smart phones are tracking or disclosing their location when the devices are supposed to be in airplane mode.

Approach and Goals

Numerous researchers and extensive corporate resources have been dedicated to the task of building a more secure smartphone. However, smartphones are extremely complex and present a large, porous attack surface. Furthermore, even a perfectly secure phone will not save a reporter from “victim-operated” exploits such as spear phishing. Eliminating this vector is complicated by the fact that effective reporters must communicate with a diverse array of sources who may intentionally or unintentionally convey a malware payload to the reporter.

As a result, this work starts with the assumption that a phone can and will be compromised. In such a situation, a reporter cannot take the UI status at face value. Instead, we aim to provide field-ready tools that enable a reporter to observe and investigate the status of the phone’s radios directly and independently of the phone’s native hardware. We call this direct introspection.

Our work proposes to monitor radio activity using a measurement tool contained in a phone-mounted battery case. We call this tool an introspection engine. The introspection engine has the capability to alert a reporter of a dangerous situation in real-time. The core principle is simple: if the reporter

expects radios to be off, alert the user when they are turned on.

Our introspection engine is designed with the following goals in mind:

1. Completely open source and user-inspectable (“You don’t have to trust us”)
2. Introspection operations are performed by an execution domain completely separated from the phone’s CPU (“don’t rely on those with impaired judgment to fairly judge their state”)
3. Proper operation of introspection system can be field-verified (guard against “evil maid” attacks and hardware failures)
4. Difficult to trigger a false positive (users ignore or disable security alerts when there are too many positives)
5. Difficult to induce a false negative, even with signed firmware updates (“don’t trust the system vendor” – state-level adversaries with full cooperation of system vendors should not be able to craft signed firmware updates that spoof or bypass the introspection engine)
6. As much as possible, the introspection system should be passive and difficult to detect by the phone’s operating system (prevent black-listing/targeting of users based on introspection engine signatures)
7. Simple, intuitive user interface requiring no specialized knowledge to interpret or operate (avoid user error leading to false negatives; “journalists shouldn’t have to be cryptographers to be safe”)
8. Final solution should be usable on a daily basis, with minimal impact on workflow (avoid forcing field reporters into the choice between their personal security and being an effective journalist)

This work is not just an academic exercise; ultimately we must provide a field-ready introspection solution to protect reporters at work. Although the general principles underlying this work can be applied to any phone, reducing these principles to practice requires a significant amount of reverse engineering, as there are no broadly supported open source phone solutions on the market. Thus we focus on a single phone model, the 4.7” iPhone 6 by Apple Inc., as the subject for field deployment. The choice of model is driven primarily by what we understand to be the current preferences and tastes of reporters. It has little to do with the relative security of any platform, as we assume any platform, be it iOS or Android, can and will be compromised by state-level adversaries.

Methods & Intermediate Results

The first step toward executing this work was to visit the Hua Qiang electronics markets of Shenzhen to collect samples and documentation for evaluation. These markets are ground zero for the trade and practice of iPhone repair; as such, it is a rich source of spare parts and repair manuals. The repair manuals frequently contain detailed blueprints of the iPhone 6,

which were used to assist the reverse engineering effort.

Based on the phone model selection and available documentation, we can enumerate the radio interfaces available:

- Cellular modem – 2G/3G/4G
- Wifi/BT
- GPS
- NFC (Apple Pay)

Although our work can be extended to input systems such as the IMU (inertial measurement unit), barometer, microphone and camera, to focus the effort we restrict our exploration to only RF interfaces that can directly betray a user’s location. Note that a camera can be defeated by obscuring the lens; as such the final physical design of our battery case will likely include a feature to selectively obscure the rear camera lens.

Methods that Do Not Meet our Criteria

Numerous semi-intrusive countermeasures were considered along the way to our current solution, including but not limited to RF spectrum monitoring, active jamming, and the selective physical isolation or termination of antennae. Semi-intrusive countermeasures would require minimal modification to the phone itself, which is desirable as it simplifies field deployment and could even enable reporters to perform the modifications without any special tools. Unfortunately, all of these methods were deemed to be inadequate, as discussed in the following paragraphs.

RF spectrum monitoring consists of building an external radio receiver that can detect transmissions emanating from the phone’s radios. In some cases, it was hypothesized that the receiver could be as trivial as an RF power monitor within the anticipated radio bands. A simple example of such monitoring already exists in the form of novelty lights that flash based on parasitic power extracted from the GSM antennae. The problems with this approach are that 1) it can only reliably detect active transmissions from the radio, and 2) malware that passively records the user’s position and delivers it as a deferred payload when the radios are intentionally activated cannot be detected. Furthermore, this approach is subject to spoofing; false positives can be triggered by the presence of nearby base stations. Such false alarms can confuse the user and eventually lead the user to be conditioned to ignore real alerts in hazardous situations.

Active jamming consists of building an external radio transmitter that attempts to inject false signals into the radios. Thus, even if malware were to

activate the radios and listen for position-revealing signals, it would, in theory, report largely bogus position information. This is particularly effective against GPS, where GPS signals are very weak and thus even a weak local transmitter should be able to overpower the GPS satellites. However, active jamming was ruled out for several reasons. The jammer’s emissions could create a signal that can be traced to locate the reporter; the jammer will require substantial battery power, and the user is left vulnerable once the jammer’s power is exhausted. Furthermore, nearby base stations may still be detected by the receivers, as modern radio protocols have sophisticated designs to protect against unintentional jamming.

Selective physical isolation or termination of the antennae consists of inserting an electronic switch between the connectors of the logic board and the antenna. The switch, when activated, would shunt the antenna to a matched resistive load, which would greatly reduce the transmission power and receive sensitivity of the radios. However, experimental verification on the WiFi subsystem indicated that removing the antenna connection and permanently terminating with a shunt resistor still leaked sufficient RF into the receivers for local base stations (e.g., within the same room) to be detected, which could be sufficient information to betray a reporter’s location.

Methods that Do Meet our Criteria

Upon determining that semi-intrusive countermeasures were inadequate, we investigated options that involve measuring signals on the phone’s logic board, typically via test points designed in by the manufacturer. It is no surprise that complex systems such as the Apple iPhone 6 would have test points baked into the circuit board design to assist with debugging. These are an essential part of yield and customer experience improvement; defective units from the factory and the field are sent back to the headquarters, and engineers rely on these test points to determine the root cause of the device’s failure.

Using repair manual documentation acquired from the Hua Qiang electronics market, we cataloged a set of internal test points that were:

1. Accessible with low probability of damage to the logic board by a trained operator
2. Could provide meaningful data on the radio status
3. Would be difficult or impossible to disable or spoof (e.g., future-proof against adversaries aware of our research).

For the accessibility criteria (1), test points were considered viable even if they required desoldering an RF shield or the SIM card connector, and manual removal of solder mask. In our experience, a trained operator can

perform these tasks with low probability of irreparable damage to the motherboard. These operations are not recommended for entry-level novices. However, our experiences in Shenzhen indicate that any technician with modest soldering skills can be trained to perform these operations reliably in about 1-2 days of practice on scrap motherboards. Thus, technicians could be trained to perform the modifications in any locale with sufficient demand for modified iPhones.

The following table is a list of test points we have accessed and have found to provide introspection data that potentially meet criteria (2) and (3).

Above:tableofinternalsignalcandidatesforintrospection.

Above: image of the FE1, FE2 bus probe experiment. Test points from the backside of the PCB are wired to the topside for easy probing.

Above: image of the backside of the FE1, FE2 probe experiment. The test points are located adjacent to the NAND Flash, underneath an RF shield which was removed for this experiment. The test points were covered with solder mask, which was removed through mechanical abrasion.

Above: image of the UART and GPS sync probing experiment. The majority of the test points are located underneath the SIM card connector, which was removed for this experiment.

Above: image of the backside of the UART and GPS sync probing experiment. A pair of wires are run to break out WLAN_PERST and power-related signals for monitoring.

Cellular Modem Introspection

The FE1 and FE2 serial buses run at 20 MHz, with a 1.8V swing. This bus is

used primarily to configure the cellular modem radios. When the radios are on, there is constant traffic on these buses. When in airplane mode, the traffic completely ceases.

Above: example of bus traffic on the FE1 bus.

Cellular radios operate in a complex environment, and require constant adaptation of the antennae, power amplifiers, and band selection for proper operation. It is hypothesized that an attempt to even passively scan for base stations without transmitting will require traffic on this bus; at the very least, the antenna switches must be powered on and configured to receive. Therefore, cellular modem introspection may be as easy as noting if there is any activity on the FE buses during airplane mode.

We note for the sake of completeness that it may be possible for an attacker to statically configure the antenna, channel, and power amplifier settings and convert the device into a radio beacon that blasts out a signal that is inconsistent with the cellular modem standard but detectable through other means. In this mode, one would observe no traffic on the FE buses, but one could, in theory, triangulate the location of the transmitter with modified base stations or specially deployed receivers. This scenario can be mitigated by doing deep packet inspection and noting the addresses that should be hit to power down the cellular modem systems. If any devices are skipped during the power-off sequence, that would be flagged as a potentially hazardous condition.

However, this scenario would require modifications to the cellular modem transport specifications, and as such one would need to deploy modified base stations across the territory to gain adequate surveillance coverage. This would likely require extensive cooperation of both the baseband radio vendors and cellular providers to craft and effectively deploy such an exploit. Because of the difficulty, we imagine such an exploit would be available only to well-organized government-level adversaries.

Finally, the phone’s vendor, Apple, could volunteer (or be coerced) to push a signed update that sends random “NOP” packets over the FE buses during airplane mode to force false positives and make this technique less effective. Again, in such a case deep packet inspection could help to discard chaff from signal. Although future hardware versions could encrypt this bus to foil observation, we believe it is not possible to introduce bus encryption with a software-only change: the peripheral devices on this bus lack loadable firmware. Thus, at least for current phone models, deep packet inspection should be robust.
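The two FE-bus checks described in this section, verifying that the power-off sequence reaches every front-end device and discarding NOP chaff before raising an alarm, as an added Python sketch that is not the paper's own code; the device addresses, register layout and NOP encoding are constructed placeholders, not the real iPhone 6 FE protocol.

```python
"""FE-bus airplane-mode checker (constructed example, not from the paper).

Two checks on decoded FE1/FE2 transactions:
 1. in airplane mode the bus should be silent; a vendor-pushed update could
    inject "NOP" chaff to force false positives, so NOPs are classified
    separately from writes that reach a real device;
 2. when the modem powers down, every front-end device the power-off
    sequence must touch has to be addressed; a skipped device is hazardous.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class FeTransaction:
    bus: str     # "FE1" or "FE2"
    addr: int    # constructed device address on the bus
    reg: int     # register within the device
    value: int   # byte written


# Constructed: devices a complete power-off sequence must address, mapped to
# the register/value pair that puts each one into its off state.
POWER_OFF_SEQUENCE = {
    0x10: (0x01, 0x00),   # antenna switch: select "open"
    0x20: (0x02, 0x00),   # power amplifier: disable
    0x30: (0x03, 0x00),   # band-select filter bank: all off
}

# Constructed: a NOP is modelled as a write to register 0 of address 0,
# which no device on the bus decodes.
NOP_ADDR, NOP_REG = 0x00, 0x00


def is_nop(t: FeTransaction) -> bool:
    return t.addr == NOP_ADDR and t.reg == NOP_REG


def classify_airplane_mode_traffic(trace: Iterable[FeTransaction]) -> str:
    """Return 'quiet', 'chaff' or 'active' for a trace captured in airplane mode.

    'chaff' means only NOP packets were seen, consistent with deliberate
    false-positive injection; 'active' means a real device was addressed.
    """
    saw_nop = False
    for t in trace:
        if is_nop(t):
            saw_nop = True
        else:
            return "active"
    return "chaff" if saw_nop else "quiet"


def skipped_in_power_off(trace: Iterable[FeTransaction]) -> Set[int]:
    """Devices the power-off sequence failed to put into their off state."""
    remaining = dict(POWER_OFF_SEQUENCE)
    for t in trace:
        expected = remaining.get(t.addr)
        if expected is not None and (t.reg, t.value) == expected:
            del remaining[t.addr]
    return set(remaining)


def assess(power_off_trace, airplane_trace) -> List[str]:
    """Combine both checks into the warnings the case's display would show."""
    warnings = []
    skipped = skipped_in_power_off(power_off_trace)
    if skipped:
        warnings.append("power-off incomplete: devices %s not switched off"
                        % sorted(hex(a) for a in skipped))
    verdict = classify_airplane_mode_traffic(airplane_trace)
    if verdict == "active":
        warnings.append("FE bus active in airplane mode: radio may be on")
    elif verdict == "chaff":
        warnings.append("only NOP chaff seen on FE bus: possible spoof attempt")
    return warnings
```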

WiFi & Bluetooth Introspection

The WiFi subsystem interfaces to the CPU through multiple buses, namely, PCI-express and a UART; the Bluetooth subsystem interfaces to the CPU through a UART, with a separate UART channel for coexistence. Because of the Bluetooth subsystem’s relatively simple interface, it should be possible to robustly detect Bluetooth activity by simply monitoring the BT UART signals.

The WLAN UART signals seem to carry configuration and status information regarding WiFi configuration, as evidenced by the UART trace below.

Above: example data on the Wifi UART as decoded by a Tek MDO4014B.

Further exploration of the data contained within the signals is necessary to determine if it is possible for an adversary to perform access point scans, which is an effective means of geolocation, without invoking the UART. Unfortunately, the WiFi power remains on even in airplane mode, so monitoring WiFi voltage levels has no correlation with radio activity.

Significantly, WLAN, BT, and GPS risks can be mitigated by forcing the WLAN PCI bus into reset. By holding WLAN_PERST low prior to power-on and throughout boot, WiFi will fail to enumerate on the PCI bus. iOS will continue to boot and is fully usable, but in the Settings panel, WiFi will appear to be off and cannot be switched on. Attempts to switch on Bluetooth fail, and GPS, although active, cannot access its antenna as the antenna for GPS is shared with WiFi. Note that forcing WLAN_PERST low during normal operation forces a phone reboot, so disabling WiFi using this technique effectively necessitates a reboot.

This is a simple but effective method to force several critical subsystems to be off, with no chance for an updated firmware to bypass a WiFi hardware reset. However, the failure of Bluetooth and GPS subsystems to activate may be due to firmware-only dependencies. It is hypothesized that these systems rely on WiFi to initialize before activating the respective antenna switches for these subsystems, since they all share a common antenna port. Thus it may be possible for an exploit to be developed to force Bluetooth and GPS to be on even if WiFi is in reset. Furthermore, it may be possible for malware to

fingerprint systems where the WiFi has failed to initialize, and flag these users for further monitoring.

Thus, depending on the user’s threat model, the WLAN_PERST defeat may be a simple but effective method to defeat several radios with a single signal, but it may also give away information to advanced adversaries on the presence of an introspection engine. Because of the effectiveness of the WLAN_PERST trick, we would present users with the option to activate this, but not require it.

Significantly, repair manuals indicate that the WiFi/Bluetooth module includes a hardware “RFKILL” pin. Apple leaves this pin unconnected and very difficult to access through mods, but if phone vendors wanted to support efforts like this, future revisions of phones could break such pins out to offer a more graceful defeat that doesn’t require rebooting the phone or leave a measurable signature while disabling these radios.

GPS Introspection

To date, we have identified three possible methods for detecting GPS activation. One is to look for activity on the BB UART bus. When GPS is active, coordinate data seems to be transmitted over the BB UART bus. A second is to look at the GPS_SYNC signal. When GPS is active, the GPS_SYNC signal pings the baseband at a rate of about once per second, with a pulse width inversely proportional to the quality of the GPS lock. A very wide pulse indicates a high degree of uncertainty in the GPS signal. Finally, the GPS has an independent power regulator which is turned off when the GPS is not active, to save power.
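The GPS_SYNC method above, turned into an added Python example (not the paper's code) that converts logic-level edges captured at the GPS_SYNC test point into an activity verdict and a coarse lock-quality estimate; the period tolerance, the width thresholds and the sample captures are constructed, since the paper gives only the roughly once-per-second rate and the inverse width/quality relationship.

```python
"""GPS_SYNC pulse-train analysis (constructed example, not from the paper).

With GPS active, GPS_SYNC pulses the baseband about once per second, and the
pulse width grows as lock quality worsens. An edge list from the tap is
paired into pulses, the spacing is checked against the ~1 Hz rate, and the
widest pulse in the window is mapped to a lock-quality label.
"""
from typing import List, Tuple, Dict

Edge = Tuple[float, int]     # (timestamp in seconds, level 0 or 1)
Pulse = Tuple[float, float]  # (rising-edge time, width in seconds)

# Constructed thresholds, not measured values.
NOMINAL_PERIOD_S = 1.0
PERIOD_TOLERANCE = 0.2      # pulses may arrive 0.8 .. 1.2 s apart
WIDTH_GOOD_MAX_S = 0.010    # narrow pulse: confident fix
WIDTH_POOR_MIN_S = 0.100    # wide pulse: high uncertainty


def pulses_from_edges(edges: List[Edge]) -> List[Pulse]:
    """Pair each rising edge with the next falling edge into (start, width)."""
    pulses, rise = [], None
    for t, level in sorted(edges):
        if level == 1 and rise is None:
            rise = t
        elif level == 0 and rise is not None:
            pulses.append((rise, t - rise))
            rise = None
    return pulses   # a rising edge with no fall (line stuck high) is dropped


def is_pulse_train(pulses: List[Pulse]) -> bool:
    """True when successive pulses are spaced at roughly NOMINAL_PERIOD_S."""
    if len(pulses) < 2:
        return False
    starts = [p[0] for p in pulses]
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    return all(abs(g - NOMINAL_PERIOD_S) <= PERIOD_TOLERANCE for g in gaps)


def lock_quality(width_s: float) -> str:
    """Wider pulse means less certain fix, per the relationship in the paper."""
    if width_s <= WIDTH_GOOD_MAX_S:
        return "good"
    if width_s >= WIDTH_POOR_MIN_S:
        return "poor"
    return "marginal"


def gps_status(edges: List[Edge]) -> Dict[str, object]:
    """Summarise a GPS_SYNC capture the way the case's display would."""
    pulses = pulses_from_edges(edges)
    if not is_pulse_train(pulses):
        return {"active": False, "pulses": len(pulses), "lock": None}
    widest = max(w for _, w in pulses)   # report the worst case in the window
    return {"active": True, "pulses": len(pulses), "lock": lock_quality(widest)}


def make_edges(period_s: float, width_s: float, n: int) -> List[Edge]:
    """Constructed capture: n pulses of the given width at the given period."""
    edges = []
    for i in range(n):
        t = i * period_s
        edges += [(t, 1), (t + width_s, 0)]
    return edges
```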

NFC Introspection/Defeat

For NFC, we decided that the risk/reward of selectively enabling and monitoring Apple Pay is not worth it. In other words, we do not expect journalists operating in conflict zones to be relying on Apple Pay to get their work done. Therefore, to simplify the effort, we opt to fully disable Apple Pay by disconnecting the RF front end from its antenna.

Fortunately, the NFC’s antenna is connected to the main logic board via a single screw. By removing this screw and separating the antenna from the main logic board, we hope to substantially and selectively reduce the sensitivity of the NFC radio. Further testing is required to determine if this is sufficient to guard against attacks by adversaries using high-power amplifiers to query the Apple Pay NFC feature. If found inadequate, further

countermeasures, including but not limited to permanently removing the Apple Pay NFC RF front end chip from the main board, are options to prevent exploitation of the radio without leaving a clear signature that can be detected by an adversary.

Above: location of the Apple Pay antenna connection, highlighted in pink. Original image courtesy iFixit, CC-BY-NC-SA licensed.

Next Steps and Field Deployment

Now that a set of viable signals has been identified for introspection, the next step is refining the system for field deployment.

From the outside, the introspection engine will look and behave like a typical battery case for the iPhone 6. However, in addition to providing extra power to the iPhone 6, the case will contain the introspection engine’s electronics core. The electronics core will likely consist of a small FPGA and an independent CPU running a code base completely separate from the iPhone 6’s CPU. This physical isolation of CPU cores minimizes the chance of malware from the phone infecting the introspection engine.

Above: Conceptual rendering of a “battery case” style introspection engine, piggybacked on an iPhone 6.

The battery case/introspection engine will also feature an independent screen to update the user on radio status; for example, it can inform the user on time elapsed since the last traffic was detected on any radio bus. Thus, users can field-verify that the bus taps are in place by briefly bringing the system out of airplane mode in a safe location. Any radio that does not report traffic out of airplane mode would indicate a hardware failure of the introspection engine. Of course, the system will also feature an audible alarm that can be set to trip in case any activity is seen on any set of radios. It might also be desirable to incorporate a “kill switch” feature which forcibly disconnects power to the phone in the case that a radio is found to be errantly transmitting.
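The status display, alarm and field-verification behaviour described in this paragraph, as an added Python example that is not the project's own firmware; the tap names, the event timeline and the idea of timing the self-test from the moment the user leaves airplane mode are constructed assumptions.

```python
"""Radio-status tracker for the battery case's own screen (constructed example).

Tracks time since the last traffic on each bus tap, trips an alarm when any
tap shows traffic while the user expects the radios to be off, and supports
the field-verification step: the user briefly leaves airplane mode in a safe
place, after which every tap must have shown traffic, or that tap is broken.
"""
from typing import Dict, List, Optional

TAPS = ("FE1", "FE2", "BT_UART", "WLAN_UART", "GPS_SYNC")   # constructed set


class RadioMonitor:
    def __init__(self, taps=TAPS):
        self.last_seen: Dict[str, Optional[float]] = {t: None for t in taps}
        self.expect_off = True          # user believes the phone is in airplane mode
        self.self_test_started: Optional[float] = None
        self.alarm_log: List[str] = []

    def set_expect_off(self, expect_off: bool) -> None:
        self.expect_off = expect_off

    def note_activity(self, tap: str, now: float) -> None:
        """Called by the FPGA front end each time a tap shows bus traffic."""
        if tap not in self.last_seen:
            raise KeyError("unknown tap %r" % tap)
        self.last_seen[tap] = now
        if self.expect_off:
            self.alarm_log.append("%s active at t=%.1fs while radios expected off"
                                  % (tap, now))

    def elapsed(self, tap: str, now: float) -> Optional[float]:
        """Seconds since the last traffic on the tap; None if never seen."""
        seen = self.last_seen[tap]
        return None if seen is None else now - seen

    def begin_self_test(self, now: float) -> None:
        """User leaves airplane mode in a safe location to exercise every tap."""
        self.expect_off = False
        self.self_test_started = now

    def self_test_result(self, now: float) -> List[str]:
        """Taps silent since the self-test began: suspected hardware failure."""
        if self.self_test_started is None:
            raise RuntimeError("self-test not started")
        start = self.self_test_started
        return [t for t, seen in self.last_seen.items()
                if seen is None or seen < start]


def run_constructed_scenario() -> Dict[str, object]:
    """Constructed timeline: self-test with one dead tap, then a rogue FE1 burst."""
    m = RadioMonitor()
    m.begin_self_test(now=0.0)
    for tap in ("FE1", "FE2", "BT_UART", "GPS_SYNC"):   # WLAN_UART never reports
        m.note_activity(tap, now=2.0)
    dead = m.self_test_result(now=10.0)
    m.set_expect_off(True)                 # back into airplane mode
    m.note_activity("FE1", now=60.0)       # traffic that should not be there
    return {"dead_taps": dead,
            "alarms": list(m.alarm_log),
            "fe1_elapsed": m.elapsed("FE1", 65.0)}
```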

In order to facilitate the robust wiring of the signal taps, a custom flexible printed circuit (FPC) will be designed with contacts pre-loaded at signal test point locations. This will streamline phone modifications while making the final product more robust. As the SIM card has to be removed for access to key test points, the FPC will also connect to the SIM card signals. An additional FPC will then exit via the existing SIM card port, making available to the introspection engine both the bus taps and the SIM card signals.

Above: The orange highlighted part is a proposed FPC which exits via the SIM card port and routes signals from the modified iPhone 6 mainboard to the introspection engine’s electronics.

This architecture opens the possibility of the introspection engine featuring multiple SIM card slots. Although the system will still need to be rebooted when switching SIMs, it can be convenient for certain users to be able to switch SIMs rapidly without the use of any extra tools or worry of dropping and losing the tiny SIM cards. This is especially problematic, for example, when switching SIM cards during transit on unpaved, bumpy roads. It should be noted that changing SIM cards is no defense against geolocation; the IMEI remains constant despite the SIM card swap. The SIM card swapping feature is simply a convenience to reporters who need to maintain several numbers or data plans appropriate for multiple regions.

Over the coming year, we hope to prototype and verify the introspection engine’s abilities. As the project is run largely through volunteer efforts on a shoestring budget, it will proceed at a pace reflecting the practical limitations of donated time. If the prototype proves successful, the FPF may move to seek the necessary funding to develop and maintain a supply chain. This would enable the FPF to deploy modified iPhone 6 devices for field service among journalists in high-risk situations.

The techniques developed in this work should also be applicable to other makes and models of phones. Pervasive deployment of radio introspection techniques could be assisted with minimal cooperation of system vendors. By

grouping radio control test points together, leaving them exposed, and publishing a terse description of each test point, direct introspection engines can be more rapidly deployed and retrofitted into future smartphones.

Furthermore, direct introspection may be extendable beyond the radio interfaces and into the filesystem layer. We theorize an introspection engine attached to the mass storage device within a phone; for example, an FPGA observing the SD bus between the CPU and the eMMC in a typical Android phone implementation. This introspection engine could observe, in real time, file manipulations and flag, or even block, potentially suspicious operations. With further system integration, the introspection engine could even perform an off-line integrity check of the filesystem or disk image. The efficacy of filesystem introspection is enhanced if the system integrator chooses to only sign OS-related files, but not encrypt them. As core OS files contain no user data or secrets, baring them for direct introspection would not impact the secrecy of user data while enabling third-party attestation of the OS’s integrity.

References

[1] Dana Priest. Washington Post. [http://wpo.st/5W2l1]

This work is licensed under a Creative Commons Attribution 4.0 International License.