Exiled NSA whistleblower Edward Snowden and legendary hardware hacker Andrew bunnie" Huang have published a paper detailing their new "introspection engine" for the Iphone, an external hardware case that clips over the phone and probes its internal components with a miniature oscilloscope that reads all the radio traffic in and out of the device to see whether malicious software is secretly keeping the radio on after you put it in airplane mode.
Huang calls is a "you bet your life" assurance for people who are in situations where they face state-level adversaries (Snowden framed one use case in the death of Marie Colvin, a journalist targeted by the Syrian government who tracked her based on her phone to shell her media center in order to prevent her from reporting on attacks on civilian targets) who may infect their phones with malware that makes it impossible to know whether their radios have been switched off.
The external hardware solution is entirely open/free, open to inspection, field-verifiable, requires no specialized knowledge to interpret, and is designed to minimize false positives.
Our introspection engine is designed with the following goals in mind:
1. Completely open source and user-inspectable (“You don’t have to trust us”)
2. Introspection operations are performed by an execution domain completely separated from the phone’s CPU (“don’t rely on those with impaired judgment to fairly judge their state”)
3. Proper operation of introspection system can be field-verified (guard against “evil maid” attacks and hardware failures)
4. Difficult to trigger a false positive (users ignore or disable security alerts when there are too many positives)
5. Difficult to induce a false negative, even with signed firmware updates (“don’t trust the system vendor” – state-level adversaries with full cooperation of system vendors should not be able to craft signed firmware updates that spoof or bypass the introspection engine)
6. As much as possible, the introspection system should be passive and difficult to detect by the phone’s operating system (prevent black-listing/targeting of users based on introspection engine signatures)
7. Simple, intuitive user interface requiring no specialized knowledge to interpret or operate (avoid user error leading to false negatives; “journalists shouldn’t have to be cryptographers to be safe”)
8. Final solution should be usable on a daily basis, with minimal impact on workflow (avoid forcing field reporters into the choice between their personal security and being an effective journalist)
Against the Law: Countering Lawful Abuses of Digital Surveillance
[Andrew ‘bunnie’ Huang and Edward Snowden/Pubpub]
Snowden Designs a Device to Warn If Your iPhone’s Radio Snitches [Andy Greenberg/Wired]