How secure is my cell phone?

Apologies for a shift away from the usual whimsical blog posts.

The continuing revelations about the Israeli firm NSO's Pegasus spyware infestations should surprise no one. The first news about NSO's compromises came out years ago, and cheers to my old buddy Lorenzo for that piece.

We're usually bothered when we hear about a car crash. But zooming in on the wrecked car always raises the shock level dramatically.

We now know that at least hundreds of journalist and dissident cell phones were infected, providing full access to the targets' devices, including what was typed into encrypted applications like Signal plus the ability to remotely turn on microphones.

The UK's Guardian provides comprehensive articles on the disclosures, which is not a surprise since the Guardian played a significant role in Edward Snowden's disclosures and was a quick adopter of technologies like SecureDrop. Cory Doctorow wrote a good piece that is worth reading twice.

But turn back the clock two decades.

There was a naive moment in the late 1990's when many proclaimed the dawning of a new era of democracy and freedom delivered as internet access spread around the globe.

But the internet is just another contested terrain, reflecting very real geo-political tensions and disputes. It was foolish to believe such notions then, and outright laughable to carry them today.

For many, the most shocking revelation may be the utter insecurity of cell phones, regardless of the hardware manufacturer, operating system or application. Evolved versions of the spyware didn’t even require a user to click on a specious email or SMS.

Think your Apple phone just runs iOS and your Samsung just runs Android? Think again. Behind every user-facing operating system is the baseband OS. It's difficult to access, and holds the ultimate control over your phone.

Your cell phone carrier, the hardware manufacturer, the operating system creator, not to mention malicious players like the NSO Group... those are the real owners of your cell phone.

At a recent privacy tech event, I stated the fact that the phone isn’t your possession, but rather you’re possessed by the phone. The event moderator asked if my next phone was an iPhone, assuming I was using an Android phone.

I replied that my next cell phone was actually a circa-1993 numeric pager. It just broadcasts pages, and has no idea where the destination device is located. There’s software on a pager, but its size is negligible compared to anything downloadable from any online app store today.

Apple’s well-designed campaign about “privacy matters” does not amount to a break from the horrendous insecurities of the cell phone ecosystem. Sure, there are a number of strong security mitigations Apple has implemented, but when faced with Pegasus, they were inadequate. It’s merely a well-designed campaign. Large and small technology firms are seeing the benefits in playing the privacy card, reflecting a real uptick in concern from ordinary people.

Some of my colleagues argue that Apple is better than say, Google, since they aren’t reliant on user data for revenue, but rather on hardware sales. It might be true today to some extent, but I also remember being told that services like What’s App aren’t going to monetize user data if you used the paid version. Do you really think investors are going to ignore a significant revenue source? And, yes, and hello Facebook.

Because of this lack of control, many of us in technology decided a long time ago that cell phones were not a trusted platform.

As an aside for the more technical blog readers:

Maintain a copy of your private SSH keys on your phone for remotely accessing network devices? No way.

What about private PGP keys to decrypt incoming email to your phone-based email client? Not a chance.

In the privacy technology scene, we debated endlessly about the implications of a compromised device. Your cell phone carrier long ago could just triangulate your cell phone location by doing a little Venn diagram between three cell phone towers. Then GPS commercialized and the accuracy increased massively.

Cell phones were always understood as a liability. You can uninstall applications here and there, disable some services, turn off Bluetooth and WiFi, but that low-level operating system was still in control.

And then there's the notion that clicking on a picture, er, I mean tapping an icon, would somehow conduct the function it claimed to, like disabling the camera. How do you know that? Maybe "log onto social network" also just pushes your phone logs to an unauthorized third party?

You can opt for an open-source PinePhone or install LineageOS on an Android phone. But there's a lot of code review to sift through, and it still doesn't truly mitigate the role of the baseband OS or the network carrier.

A while back a Tor Project developer explored the question of taking control of an Android phone in 2014, then revisited it in 2016. It’s now dated information, but it’s worth browsing just to see how complex the process was then.

On a side note, I’ve always been teased about being the only person in the privacy tech scene not to use Signal. I have respect for Moxie Marlinspike and the development team, even though I was never fond of the centralized model they chose. But my main issue was that the cell phone is a lost platform for the high-stakes craft of enhancing privacy, especially for highly vulnerable or targeted individuals. The consequences could be lost employment, imprisonment or even death.

Really.

I spent a lot of time working with targeted people whose privacy and anonymity are high-value. It’s one thing to discuss these issues in the abstract, say, in an academic or even corporate environment. It’s quite another to look people in the eyes who’ve paid a serious price already, and future pain is inevitable.

I also know there is a long queue of people waiting to send me cat videos once I install Signal, so I’ll take a pass.

In the last 1990's, cell phones captured many imaginations. No more missed calls or searching for a pay phone and a quarter to return a call. I even remember searching a sports arena for a AA battery for my pager. But a number of other players found some opportunities, including the carriers and cell phone manufacturers themselves.

In that period, the act of collecting your data for the sake of it, or to generate revenue by repackaging and selling it, had only just begun.

You pay for the hardware and cell service to enlist yourself as someone else's data collection beacon. Even the privacy policy tells you that.

Geo-political tension once again reasserted itself as the ephemeral optimism after the Cold War subsided.

And with that, explicitly malicious actors entered the arena. Your cell phone was now their weapon.

Even more chillingly, there were initial and then continuing decisions to make and keep cell phone insecure in how they communicate. I refer to SS7, the communications protocol cell phones use. That fact has been covered and the high-level ignorance has been well publicized, with even a New York Times op-ed piece.

It's difficult to live without a cell phone in these times, and not just for the Manhattan iPhone carrier who needs to pre-order their Starbucks on their way back from the gym. It's also how banking is done in much of the world where data networks have sparse coverage and are expensive.

But everyone should come to recognize that end users quickly became the punch line in the humor of the cell phone ecosystem.

What can you do?

One lesson I’ve drawn is to minimize what your cell phone stores. Assume all the data is already compromised, and work from there. What about a hard copy datebook instead of the built-in calendar? Do you really need to put in your parent’s or partner’s phone number in the contact manager? And I would argue that phone-based map programs are a hindrance to actually getting to know the locations you dwell and visit.

I think more people die each year staring at their cell phone directions while crossing streets than all the shark attacks in the 20th century.

I would add that if your device allows it, remove the battery at night. You’re sleeping anyway, so what’s the point of having it on? Need your cell phone as an alarm clock? Then go buy an alarm clock. That’s what they were meant for.

NSO Group's Pegasus spyware? Sure, it matters and should be approached, debated, legislated, sanctioned, whatever. But they are just aggressive adopters of an already broken platform.

George is a co-founder and CTO of ClearOPS. By trade, George is a systems administrator out of BSD Unix land, with long-time involvement in privacy-enhancing technologies. By nature, he thrives on creating unorthodox solutions to ordinary problems.

ClearOPS is a privacy and security technology company automating security questionnaire response and vendor monitoring. Do you know who your vendors are?