Aiming for a 10 year security nightmare 2017-06-03 5 min

Why it is a bad idea to run devices with outdated firmware, and what we can win in the long run by taking that risk during development of postmarketOS.

Index Outdated firmware threatens old smartphones

This is a follow-up post to the project I've published last week: postmarketOS a touch-optimized, pre-configured Alpine Linux with own packages, that can be installed on smartphones. In that post I have painted an utopic image, of how the world of smartphones could consist of well maintainable open source software with ten year hardware life-cycles, and how we, as a community, could get there some day.

Now let me do the opposite and crush your dreams: Basically all phones, where the support from the manufacturer has run out, have serious security holes inside their Wifi and cellular modem firmware! That can be used to turn your device silently into a surveillance device, because these components have direct access to your device's RAM (via DMA), location (GPS), microphone and camera. Exploits are publicly available for everyone. The older your device is, the more certain you can be, that there is such an exploit available.

We can't fix this any time soon

These firmwares are complex closed source operating systems, and there are only few people the open source software community, who know something about them. Even worse, it is only possible to install cryptographically signed firmware files on modern smartphones, so we couldn't replace them, even if we understood them and had replacements!

Depending on your attack model, up-to-date phones with manufacturer support are just as bad.

I will assume, that you — the somewhat tech-interested reader of this blog post — does not want phones to be little big brothers in people's pockets, that listen to every word they are saying. At least not your phone.

In that case: Does it really matter that much, who has access to the security holes present in your device's firmware?

Let's say, that you use an up-to-date device with the hardened CopperheadOS, and install all updates as soon as they become available. This is just about the best thing you can do regarding Android security (really, get a CopperheadOS phone, if you are about to buy a new phone!). Does this mean, that you are safe from exploits through security holes in the Wifi or cellular modem firmware? No!

Thanks to Edward Snowden we know, that there are agencies all around the world, with enormous budgets, who spend all day finding security holes in all kinds of software (to complement the intentional backdoors they alread have). Of course that includes smartphone firmware. So how can you be certain, that not even one of these agencies is able to hack your phone (let alone the phones of your friends and family with possibly less technical knowledge)? And if they are, how can anyone be sure, that their exploits do not get turned into ransomware by a third party and get used against the general public? This is just what happened with WannaCry about three weeks ago!

We would be better off with open source firmware.

I'm not saying here, that open source is the cure to all problems. We sure do have our share of security bugs. But with open source, we at least get the option to verify the source code. We can fix bugs when we want to, and not when it fits into the schedule of the manufacturer's company. We can write code with modern coding standards, such as static code analysis, having a comprehensive testsuite with measured code coverage and we could implement preventive measures, such as proper privilege separation or using safer programming languages.

We would at least have the opportunity to make it better. Today we can only blindly trust the firmware vendor.

Long term options Fuck yeah!

In my opinion, the first step is to break-free of Android's unsustainable development model and that is, what postmarketOS is doing. When we have a solid base like that (and yes, that will take a really long time, if we ever pull it off), then we can free one closed source firmware, one at a time. It's not like nobody has tried to develop an open source baseband or cracked signature verification code for firmwares.

The hacker community has the skills. The only question is, if we have enough manpower.

I am really hyped now, but what does all this mean for postmarketOS?

Here are some tips, that you, as postmarketOS developer, may apply to phones with insecure firmware, whatever that means to you.

Thanks to...

...everyone who has contributed to the project so far (be it in code, kind words, or constructive criticism), there are quite a few of you considering the short time that the project is available. Thanks to Alpine Linux, sorry I forgot to explicitly thank you in the initial blog post — of course all this would not have been possible without that tiny, fun Linux distribution! Thanks to /u/strncat for pushing me to write this "security warning" (although I don't think that this is quite what you had in mind — but it names all the issues, right?) and for that project, which you maintain. Quite a fan of that actually.

I strongly believe that we, as in the open source community, really need to be straight with these problems and must not ignore them.

Comments: reddit, Hacker News