[Replicant] [PATCH 9/9] freedom-privacy-security-issues: Improve the modem isolation description.
Paul Kocialkowski
contact at paulk.fr
Thu Mar 3 16:33:12 UTC 2016
On Wednesday 02 March 2016 at 20:28 +0100, Denis 'GNUtoo' Carikli wrote:
> Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo at no-log.org>
See comments below.
> ---
> freedom-privacy-security-issues.php | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/freedom-privacy-security-issues.php b/freedom-privacy-security-
> issues.php
> index f62c702..35fc430 100644
> --- a/freedom-privacy-security-issues.php
> +++ b/freedom-privacy-security-issues.php
> @@ -12,7 +12,7 @@
> <h3>The current situation of freedom and
> privacy/security on mobile devices</h3>
> <p>A mobile device respecting the users' freedom
> would have:<ul><li>Free hardware</li><li>Free firmwares</li><li>Free modem
> system</li><li>Free bootrom and bootloader</li><li>Free system and
> applications</li></ul>Regarding <a href="#free-hardware">free hardware</a>, it
> barely exist as of today. The ways of modifying existing hardware are very
> limited. Because of that, new versions of the hardware have to be produced to
> carry the modifications, and this is expensive. While producing printed
> circuit boards (PCBs) costs a lot of money, producing integrated circuits is
> out of reach. A few devices come with schematics, or full design files for the
> PCB, but that's usually as far as it gets. Hence, totally-free hardware
> doesn't exist yet. While design for FPGAs do exist in free software licenses,
> FPGAs are not practical enough to be used to replace ASICs in smartphones, and
> most of them even proprietary software tools.</p>
> <p>Firmwares running inside integrated circuits are
> most of the time proprietary. While free firmwares are hard to write, some
> exist for very specific hardware (e.g. <a href="//www.arduino.cc/">Arduino</a>
> , <a href="//dangerousprototypes.com/docs/Bus_Pirate">Bus Pirate</a>) and
> sometimes, manufacturers can liberate firmwares running in their integrated
> circuits (e.g. <a href="//github.com/qca/open-ath9k-htc-
> firmware">ath9k_htc</a>). However, it is not always possible to even replace
> those firmwares: some are loaded to the integrated circuit by the main CPU but
> some others reside in separate storage that is loaded by that integrated
> circuit. In that case, we wound't be able to tell the difference with an
> integrated circuit lacking any storage. With seperate storage, the firmware
> cannot easily be updated to a free replacement.</p>
> - <p><a href="images/freedom-privacy-security-
> issues/bad-modem-isolation.png" data-lightbox="current-situation" data-
> title="Bad modem isolation"><img src="images/freedom-privacy-security-
> issues/bad-modem-isolation.png" alt="Bad modem isolation" style="width: 250px;
> float: left;"/></a>The modem system on telephony-enabled mobile devices is
> always proprietary. While <a href="//bb.osmocom.org/">OsmocomBB</a>, a free
> software GSM stack exists, it only runs on some old feature phones or or the
> openmoko smartphones modem. It currently requires a host computer to operate
> and is not certified to run on public networks. Despite this situation, the
> modem remains a crucial part for privacy/security: it is nearly always
> connected to the GSM network, allowing for <a href="//www.gnu.org/philosophy/m
> alware-mobiles.html">remote control</a>. The modem can be more or less
> damaging to privacy/security depending on what hardware it has access to and
> can control. That is to say, how isolated it
> is from
> the rest of the device.<br /><br />A device with bad modem isolation would
> allow the modem to access and control key parts of the hardware, such as the
> RAM, storage, GPS, camera, user I/O and microphone. This situation is terrible
> for privacy/security as it provides plenty of ways to efficiently spy on the
> user, triggered remotely over the mobile telephony network. Those are
> accessible to the mobile telephony operator, but also to attackers setting up
> fake base stations for that purpose. <a href="images/freedom-privacy-security-
> issues/good-modem-isolation.png" data-lightbox="current-situation" data-
> title="Good modem isolation"><img src="images/freedom-privacy-security-
> issues/good-modem-isolation.png" alt="Good modem isolation" style="width:
> 250px; float: right;"/></a>On the other hand, when the modem is well-isolated
> from the rest of the device, it is limited to communicating directly with the
> SoC and can only access the device's microphone when allowed by the SoC. It is
> th
> en stric
> tly limited to accessing what it really needs, which considerably reduces its
> opportunities to spy on the user. While it doesn't solve any of the freedom
> issues, having an isolated modem is a big step forward for privacy/security.
> However, it is nearly impossible to be entirely sure that the modem is
> actually isolated, as any documentation about the device cannot be trusted,
> due to the lack of effective hardware freedom. On the other hand, it is
> possible to know that the modem is not isolated, when there is proof that it
> can access hardware that could be used to spy on the user.</p>
> + <p><a href="images/freedom-privacy-security-
> issues/bad-modem-isolation.png" data-lightbox="current-situation" data-
> title="Bad modem isolation"><img src="images/freedom-privacy-security-
> issues/bad-modem-isolation.png" alt="Bad modem isolation" style="width: 250px;
> float: left;"/></a>The modem system on telephony-enabled mobile devices is
> always proprietary. While <a href="//bb.osmocom.org/">OsmocomBB</a>, a free
> software GSM stack exists, it only runs on some old feature phones or or the
> openmoko smartphones modem. It currently requires a host computer to operate
> and is not certified to run on public networks. Despite this situation, the
> modem remains a crucial part for privacy/security: it is nearly always
> connected to the GSM network, allowing for <a href="//www.gnu.org/philosophy/m
> alware-mobiles.html">remote control</a>. The modem can be more or less
> damaging to privacy/security depending on what hardware it has access to and
> can control. That is to say, how isolated it
> is from
> the rest of the device.<br /><br />A device with bad modem isolation cannot
> prevent the modem from accessing and controling
That's a typo, should be "controlling".
> key parts of the hardware. For instance the main CPU's RAM, its storage, the
> GPS, the camera, user I/O and the microphone. This situation is terrible for
> privacy/security as it provides plenty of opportunities to efficiently spy on
> the user, that could be triggered remotely over the mobile telephony network.
> That mobile telephony network is accessible to the mobile telephony operator,
> but also to attackers setting up fake base stations for that purpose.
All the rest looks good!
> <a href="images/freedom-privacy-security-issues/good-modem-isolation.png"
> data-lightbox="current-situation" data-title="Good modem isolation"><img
> src="images/freedom-privacy-security-issues/good-modem-isolation.png"
> alt="Good modem isolation" style="width: 250px; float: right;"/></a>On the
> other hand, when the modem is well-isolated from the rest of the device, it is
> limited to communicating directly w
> ith the
> SoC and can only access the device's microphone when allowed by the SoC. It
> is then strictly limited to accessing what it really needs, which considerably
> reduces its opportunities to spy on the user. While it doesn't solve any of
> the freedom issues, having an isolated modem is a big step forward for
> privacy/security. However, it is nearly impossible to be entirely sure that
> the modem is actually isolated, as any documentation about the device cannot
> be trusted, due to the lack of effective hardware freedom. On the other hand,
> it is possible to know that the modem is not isolated, when there is proof
> that it can access hardware that could be used to spy on the user.</p>
> <p>Looking at the software that runs early on the
> SoC, the first component is the bootrom. It is always proprietary and is
> stored in read-only memory, so it cannot be changed (in that case, it almost
> seems to behave like hardware). However, regarding the bootloader, the
> situation is different for each platform. There are actually multiple stages
> of bootloaders, some of which can be free. However, it also occurs that the
> bootloaders are cryptographically signed with a private key. In that case, the
> bootrom will check the signature against a public key that cannot be replaced
> and only run the bootloader if the signature matches. That sort of tivoization
> prevents replacing pre-installed bootloaders, even when their sources are
> released as free software. There are some good platforms that don't perform
> such signature checks and can run free bootloaders (e.g. Allwinner Ax, TI OMAP
> General-Purpose).</p>
> <p><a href="images/freedom-privacy-security-
> issues/operating-system.png" data-lightbox="current-situation" data-
> title="Mobile operating system"><img src="images/freedom-privacy-security-
> issues/operating-system.png" alt="Mobile operating system" style="width:
> 250px; float: left;"/></a>The biggest part of the software running on a mobile
> device is the operating system, that runs on the main CPU. It has access to
> most integrated circuits (I/O, camera, microphone, GPS, etc) as well as the
> user's data and communications. It is the most critical part for
> privacy/security and is also very important for free software as it interacts
> with the user directly and holds knowledge about communication with the
> hardware. Many mobile operating systems are mostly free software (e.g. <a
> href="//www.android.com/">Android</a>, <a href="//mozilla.org/firefox/os">Fire
> fox OS</a>, <a href="//ubuntu.com/phone">Ubuntu Touch</a>, <a
> href="//www.tizen.org/">Tizen</a>), as they use the <a href="//www.
> kernel.o
> rg/">Linux kernel</a>, a free framework and ship with free base applications.
> However, the user-space hardware abstraction layers are for the most part
> proprietary (it varies from one device to another) and they also ship with
> proprietary loaded firmwares for various integrated circuits. Every piece of
> proprietary software running on the system is a risk for privacy/security as
> they can offer <a href="//www.gnu.org/philosophy/malware-mobiles.html">remote
> access back-doors</a> and compromise the rest of the system.<br />None of
> these mostly-free systems have a clear policy to reject proprietary software
> and not advocate its use, except for Replicant.</p>;
> <p>While the operating system is a very important
> piece of software, it doesn't ship with applications that cover the wide
> spectrum of activities that a mobile device is expected to provide.
> Thankfully, plenty of free software applications exist for each kind of
> (mostly-)free operating system, sometimes gathered in free software
> application stores (such as <a href="//www.f-droid.org/">F-Droid</a> for Andro
> id systems).</p>;
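Review bot: in the added paragraph, "For instance the main CPU's RAM, its storage, the GPS, the camera, user I/O and the microphone." is a sentence fragment; fold it into the preceding sentence, e.g. "...accessing and controlling key parts of the hardware, such as the main CPU's RAM, its storage, the GPS, the camera, user I/O and the microphone." (which also takes care of the "controling" typo already pointed out). Since this paragraph is being rewritten anyway, the duplicated "or or" in "some old feature phones or or the openmoko smartphones modem", carried over unchanged from the removed version, could be fixed in the same change.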