Why it is a bad idea to run devices with outdated firmware, and what we can win in the long run by taking that risk during development of postmarketOS.Index
- Outdated firmware threatens old smartphones
- We can't fix this any time soon
- Depending on your attack model, up-to-date phones with manufacturer support are just as bad.
- We would be better off with open source firmware.
- Long term options
- Fuck yeah!
- I am really hyped now, but what does all this mean for postmarketOS?
- Thanks to...
This is a follow-up post to the project I've published last week: postmarketOS a touch-optimized, pre-configured Alpine Linux with own packages, that can be installed on smartphones. In that post I have painted an utopic image, of how the world of smartphones could consist of well maintainable open source software with ten year hardware life-cycles, and how we, as a community, could get there some day.
Now let me do the opposite and crush your dreams: Basically all phones, where the support from the manufacturer has run out, have serious security holes inside their Wifi and cellular modem firmware! That can be used to turn your device silently into a surveillance device, because these components have direct access to your device's RAM (via DMA), location (GPS), microphone and camera. Exploits are publicly available for everyone. The older your device is, the more certain you can be, that there is such an exploit available.We can't fix this any time soon
These firmwares are complex closed source operating systems, and there are only few people the open source software community, who know something about them. Even worse, it is only possible to install cryptographically signed firmware files on modern smartphones, so we couldn't replace them, even if we understood them and had replacements!Depending on your attack model, up-to-date phones with manufacturer support are just as bad.
I will assume, that you — the somewhat tech-interested reader of this blog post — does not want phones to be little big brothers in people's pockets, that listen to every word they are saying. At least not your phone.
In that case: Does it really matter that much, who has access to the security holes present in your device's firmware?
Let's say, that you use an up-to-date device with the hardened CopperheadOS, and install all updates as soon as they become available. (UPDATE: I don't recommend using CopperheadOS anymore) Does this mean, that you are safe from exploits through security holes in the Wifi or cellular modem firmware? No!
Thanks to Edward Snowden we know, that there are agencies all around the world, with enormous budgets, who spend all day finding security holes in all kinds of software (to complement the intentional backdoors they alread have). Of course that includes smartphone firmware. So how can you be certain, that not even one of these agencies is able to hack your phone (let alone the phones of your friends and family with possibly less technical knowledge)? And if they are, how can anyone be sure, that their exploits do not get turned into ransomware by a third party and get used against the general public? This is just what happened with WannaCry about three weeks ago!We would be better off with open source firmware.
I'm not saying here, that open source is the cure to all problems. We sure do have our share of security bugs. But with open source, we at least get the option to verify the source code. We can fix bugs when we want to, and not when it fits into the schedule of the manufacturer's company. We can write code with modern coding standards, such as static code analysis, having a comprehensive testsuite with measured code coverage and we could implement preventive measures, such as proper privilege separation or using safer programming languages.
We would at least have the opportunity to make it better. Today we can only blindly trust the firmware vendor.Long term options
- Don't use smartphones at all. Good luck convincing your WhatsApp friends.
- Let politicians make laws, that demand open source. Snowdens leaks date back to 2013, and the situation has not improved at all, so I don't expect that to work out.
- Let companies handle that. They know exactly, what they are doing by using closed-source components, that can't be updated without their support. So this definitely won't work.
- Let's take it into our own hands and hack the hell out of it until we, as a community, understand every last bit of how it works and can really control our own devices, even if it takes years to get there.
In my opinion, the first step is to break-free of Android's unsustainable development model and that is, what postmarketOS is doing. When we have a solid base like that (and yes, that will take a really long time, if we ever pull it off), then we can free one closed source firmware, one at a time. It's not like nobody has tried to develop an open source baseband or cracked signature verification code for firmwares.
The hacker community has the skills. The only question is, if we have enough manpower.I am really hyped now, but what does all this mean for postmarketOS?
Here are some tips, that you, as postmarketOS developer, may apply to phones with insecure firmware, whatever that means to you.
- Never store sensitive data on the device.
- Put the battery out of your device when it is turned off.
- Do security research and extend your device's wiki page with the issues you can find. Then think of ways to work around them (how about removing the most dangerous parts of a blob, like me_cleaner does?).
- Consider removing your device's microphone
- Consider using a tablet instead of a phone and removing baseband completely
...everyone who has contributed to the project so far (be it in code, kind words, or constructive criticism), there are quite a few of you considering the short time that the project is available. Thanks to Alpine Linux, sorry I forgot to explicitly thank you in the initial blog post — of course all this would not have been possible without that tiny, fun Linux distribution! Thanks to /u/strncat for pushing me to write this "security warning" (although I don't think that this is quite what you had in mind — but it names all the issues, right?) and for maintaining CopperheadOS for such a long time, I enjoyed using it a lot.
I strongly believe that we, as in the open source community, really need to be straight with these problems and must not ignore them.