In an engineering paper, bunnie Huang and Ed Snowden describe a malware-resistant hardware Iphone privacy overlay

In July 2016, Andrew "bunnie" Huang and Edward Snowden presented their research on journalist-friendly mobile surveillance resistance at the first MIT Media Lab Forbidden Research conference; a little over a year later, they have published an extensive scholarly paper laying out the problems of detecting and interdicting malware in a mobile device, and presenting a gorgeously engineered hardware overlay that can be installed in an Iphone to physically monitor the networking components and report on their activity via a screen on a slim external case.

Huang is a legendary hardware engineer — his 2017 book, "The Hardware Hacker" is absolutely the best book on the subject you will find. Snowden, of course, is the world's leading public authority on the surveillance capabilities and tactics of governments. Together, they are an unbeatable team.

The two begin by noting that political journalism is the riskiest form of journalism there is — political journalists are more likely to be killed than war correspondents. When it comes to state-level surveillance, journalists tend to be heavily outgunned (see the work of Citizen Lab for details on how governments subject individual journalists to malicious software attacks of the sort more commonly used to target enemy spies and military targets).

They propose a solution: an "Introspection Engine" in the form of a separate computer that physically monitors the electrical signals traversing the phone's networking components, analyzing them and reporting on their activity. In the first iteration, this can be used to detect the kind of malware that allows phones that appear to be off, or in airplane mode, to continue to communicate with adversaries, serving as surveillance devices.

The Introspection Engine takes the form of a beautifully designed separate computer and board that overlays the internal components of an Iphone 6, which can be installed by a minimally competent repair technician in less than an hour. The board is "open source, user-inspectable and field-verifiable" — it uses a fully open firmware stack and is designed to be easily dumped and verified to ensure that no one has sneakily backdoored your backdoor-detection system.

The paper looks at other, less drastic approaches to this problem — from faraday cage bags (not reliable or backed by research) to active jammers (traceable, heavy battery drainers), physical off-switches for the network components (leaky). It also reports on what the pair learned when they deployed the board — that the Iphone's wifi and GPS components emit sporadic radio energy even when they're allegedly off — and they propose a simple way of permanently disconnecting the networking components and replacing them with an Ethernet jack that journalists could have physical control over (they call this a "Silent Phone").

They also report that due to some quirks in Android at the Nexus design, it would be harder to deploy a Silent Phone solution — Android doesn't want to boot up if it can't find its SIM.

As alluded to previously, the Introspection Engine is broken into two major parts: the tap board and the signal analysis module. By breaking out mission-critical introspection signals with a tap board to a common 0.5mm pitch FPC connector format, users can mix-and-match phones and analysis modules. Being able to swap out analysis modules means we can avoid building a complex, one-size-fits all analysis module which inevitably leads to challenges in validation, may necessitate firmware updates, and present an overall inflated attack surface. Instead, we can build targeted, minimum viable modules which are easier to inspect, maintain, and secure, with each module customized for a given set of threat scenarios.

For this proof of concept research, we developed a simple signal analysis module which is capable of counting events on the critical introspection buses: SPMI, UART, and GPS. Event counting is analogous to counting network packets: one knows traffic has happened, but nothing about the nature of the traffic. Event counting was chosen under the theory that in airplane mode, no packets should be sent at all, therefore a near-binary indicator of traffic is sufficient. One could chose to implement a signal analysis module which can log and inspect the radio bus traffic using more sophisticated filters, but it would require substantially more capable hardware to keep up with the relatively high bitrates present on these buses (20 Mbps for 2x SPMI and 3 Mbps for 3x UARTs).

*Thus, the design goals for the proof of concept signal analysis module are as follows:

*Ability to count and log packet events on the relevant buses

*Simple hardware design using the most open and inspectable components available at the time of design

*Relatively simple code base, allowing for easy audit and verification

Against the Law: Countering Lawful Abuses of Digital Surveillance
[bunnie Huang and Edward Snowden/The Journal of Open Engineering]

(via Naked Capitalism)