Table of Contents
- The Apple iPad, from a hardware point of view
- Apple, the National Security Agency, and Data Link-Ability
- Critical Notes
- Device Setup Directions
- DEFCON ONE configuration
Originally written for the iPod Touch in September 2015, updated September 2023
This guide is aimed at providing a detailed method for maximizing security and privacy on an Apple iPad (non-cellular). This guide should be adapted to fit your threat model, including using this guide on iPad's with cellular that support iPadOS 17.0.1 or iPhones that support iOS 17.0.1.
Legacy phone calling and texting (SMS, MMS) are inherently insecure. Communications content and metadata is collected and stored by various organizations and for many years. All people, but especially those in at-risk professions, have a responsibility to safeguard their communications with strong encryption technologies because only then will your coworkers, friends, and family be able to collectively defend your rights. In professions where privacy is expected between you and clients like law and journalism, policy should dictate to either communicate securely or not at all.
Encryption technology is not new but default strong encryption in mass-market devices is. The political cost of default privacy and security is at an all-time low while the social expectations of strong encryption are at an all-time high. Modern telecommunications largely depend on legacy and vulnerable communications infrastructure, which is by design:
- All cell phones (baseband processor) transmit insecure content and metadata because cell networks were designed for connectivity and surveillance of said connectivity.
- All cell phones (baseband processor) not broken, off, or in Airplane Mode can be easily tracked.
- The majority of SIM cards require registration using government-issued ID.
- Most Androids get slowly patched, if at all.
- Carrier modified versions of Android are poorly developed and maintained.
“Nobody is listening to your telephone calls” –President Obama, 2013
President Obama is not lying. It is not possible for the US government to "listen" to every phone call. However, the technical requirements for recording phone calls (MYSTIC, DAPINO GAMMA) and text messages (DISHFIRE) is more than feasible. It is cheaper and more effective to transcribe voice data to text, transcriptions that can be stored forever. The solution is easy: don’t give it to them.
What is bad for U.S. Intelligence is also bad for all other malicious actors. It is up to us to cause the social change that in turn lowers the personal costs of default privacy and security and the financial risk of businesses to support what we need.
The financial cost of surveillance equipment is also at an all-time low. Mobile IMSI catchers can be built and deployed by anyone technically savvy enough to learn how to build one, and law enforcement has large budgets for more feature rich devices. The most effective way to assure that you are not a victim of cell tracking or attack is to not use those systems.
Not the iPod anymore
Due to a massive lapse in judgement by Apple to put the A10 Fusion chip from 2016 in the 2019 iPod Touch, no version of iPod Touch is secure. Also, as of 2022, the iPod has been discontinued.
The Apple iPad, from a hardware point of view
The iPad fills a much needed space:
- Supports Wi-Fi only
- Supports >= A12 chip
- Supports wired headsets for audio and video calls, including 3.5mm ports, Lighting ports, or USB-C with a USB-C adapter. Not all iPads have the same port options, that's important to double check.
- Supports >= iPadOS/iOS 17.0.1 as of writing (Sep 2023)
- Supports Signal
In order of security, then cost:
- M2 - iPad Pro 11-inch (4th gen, 2022) - spec
- M2 - iPad Pro 12.9-inch (6th gen, 2022) - spec
- M1 - iPad Air (5th gen, 2022) - spec
- M1 - iPad Pro 11-inch (3rd gen, 2021) - spec
- M1 - iPad Pro 12.9-inch (5th gen, 2021) - spec
- A15 - iPad Mini (6th gen, 2021) - spec
- A14 - iPad (10th gen, 2022) - spec
- A14 - iPad Air 10.9” (4th gen, 2022) - spec
- A13 - iPad (9th gen, 2021) - spec
- A12Z - iPad Pro 11” (2nd gen, 2020) - spec
- A12Z - iPad Pro 12.9” (4th gen, 2020) - spec
- A12X - iPad Pro 11” (3rd gen, 2018) - spec
- A12X - iPad Pro 12.9” (3rd gen, 2018) - spec
- A12 - iPad 10.2" (8th gen, 2020) - spec
- A12 - iPad Mini 7.9" (5th gen, 2019) - spec
- A12 - iPad Air 10.5” (3rd gen, 2019) - spec
Keep in mind that the newer the chip, the longer that Apple will support it with security patches. Do not use a device no longer getting the latest version iPadOS/iOS. Validate the latest iPadOS is supported here.
Why is the A12 (or greater) chip so important?
Before the A12, Apple devices do not have these critical technologies:
- Page Protection Layer (PPL) "requires that the platform execute only signed and trusted code."
- Pointer Authentication Codes (PAC) are "used to protect against exploitation of memory corruption bugs."
See Apple's high-level breakdown of SoC Security.
The thing that you need to know is that without these critical security technologies, Apple devices are vulnerable to easy-to-perform physical and remote exploits.
One reason why Tor is so valuable compared to any for-profit VPN provider is that you blend in with everyone else using Tor. Don't stick out. Using "un-hackable phones" or hardware-modded devices sticks out. Using commodity hardware like an Apple iPad does not. This has important value for both physical surveillance and network surveillance.
Why not use a phone in Airplane Mode? Why does it need to be a Wi-Fi-only device?
- In modern cell phones (devices with cellular baseband processors), the baseband is an isolated computer within your phone, with its own power controller, CPU, memory, firmware, and operating system. When a phone boots up, the initialization sequence of the phone includes the boot up of the baseband. This means that the baseband is initialized, before and in parallel to, the phone's main operating system. This is done for power-saving and security reasons. It means that when you put a phone into Airplane Mode, all you're doing is turning your phone's operating system's access to the baseband off. Airplane Mode does not mean that the baseband hardware, firmware, or software stack is turned off.
- Even without a SIM card, a baseband processor can and does connect to cell towers, including the disclosure of the device's IMEI along with "when" and "where" metadata read more here. This is how a SIM-less phone can call 911. It's impossible to mitigate cellular communications without resorting to Faraday cages.
Apple, the National Security Agency, and Data Link-Ability
Apple is an American company that works with the NSA and is part of the PRISM program. If you are, or ever could be a target of U.S. intelligence or U.S. military organizations, you are already playing difficult game by choosing an Apple product. However, you probably aren't defending against the NSA. Not all adversaries are the NSA, nor do they have the budgets and reach as the NSA. Risk minimization should not always be compared to NSA-style actors. Care about your threat model, not someone else's.
Just turning on an Apple product, the device is working against you by collecting WiFi and Bluetooth network information in order to attempt to "streamline" a user's setup experience. Some of that data is uploaded to Apple's servers as soon as the device is connected to the internet. Every Apple device, especially new ones, upload its unique hardware identifiers to Apple, along with network metadata that can disclose physical location information to Apple.
- Your device's hardware identifiers.
- Your public IP address used to connect to *.apple.com services.
- All other information that you input into the device for device setup and account sign-in, which are both required in order to access the Apple Store.
When a customer activates an iOS device with a cellular service provider or upgrades the software, certain information is provided to Apple from the service provider or from the device, depending on the event. IP addresses of the event, ICCID numbers, and other device identifiers may be available. IP address information may be limited to the most recent 18 months. This information, if available, may be obtained with a subpoena or greater legal process.
If Apple, or any of the U.S. intelligence or military organizations, have any other data that links anything about you to the this Apple device, your identity can be tracked by these organizations.
- Your credit card or debit card used to make the purchase.
- Your physical address for device delivery.
- Your car license plate seen by Automatic License Plate Readers (ALPR) going to pick up the device.
Apple Push Notification Service (APNS)
Per Meredith Whittaker, Signal's President, "In Signal, push notifications simply act as a ping that tells the app to wake up. They don't reveal who sent the message or who is calling (not to Apple, Google, or anyone). Notifications are processed entirely on your device."
That "ping" is more than just a ping, and requires Apple to have a lot of data about the target service and the target device. Apple is able to see, and thus FVEY is able to make a permanent record of:
- APN identifiers, such as hardware identifiers, of who is receiving a message.
- The messaging application; in this case, Signal.
- The date and time associated with received messages.
- Any network metadata, such as IP, associated with receiving messages.
All of this can and will be used with FVEY's other records, such as internet backbone or ISP metadata, and will be used to confirm assumptions made when identifying who is talking to whom.
To further break this down:
- A Signal user sends a message to an Apple user via Signal (the receiver).
- Signal's servers notify APNS that there is a message or call waiting for a specific user.
- APNS "pings" the specific user's Apple device.
- The receiver's Apple device receives the "ping" and notifies the end user that there are new Signal messages, or a call.
- The receiver's Signal application then activates and requests any new messages (or calls) from Signal's servers.
There are ways to deal with APNS metadata leakage, but it is not for the average user. I'll go into more detail in the DEFCON ONE section below.
Wi-Fi iPad + Signal Advantages
- Wi-Fi iPads do not have baseband processors, SIM cards, or SIM card port insecurities.
- You can control which Wi-Fi networks to expose your device to, if you choose to use Wi-Fi.
- Wi-Fi iPads employs default Full Disk Encryption that is dependent on hardware and firmware cryptographic integrity controls.
- Apple publishes security patches quickly and are not dependent on carrier restrictions.
- Signal uses only modern, always-on, end-to-end cryptography. As of September 2023, Signal now has quantum resistance.
- Signal allows users to verify encryption key fingerprints.
- Signal is free, open source, and has public security audits.
- Signal supports interoperability, meaning that other people can use Signal on iOS or Android devices.
Wi-Fi iPad + Signal Disadvantages
- The default settings for iOS devices are bad for operational security. To use Signal anonymously or pseudo-anonymously requires great effort.
- Wired or Wi-Fi internet access is not as abundant as cellular internet access. These days, people depend heavily on having an always-connected device to function.
- iPadOS/iOS require an AppleID to download and update apps.
Notes on Charging
Only use genuine Apple chargers and charging cables that you have purchased yourself, ideally in-person with cash. Do not use friend's, family's, or borrow stranger's chargers or charging cables. Do not use third-party chargers or charging cables. Do not let anyone else use your chargers or charging cables. Read more here.
Notes about iOS Updates
Update iOS always. Update as soon as possible. Every update comes with very important security patches.
Be aware that privacy settings may be reconfigured without your knowledge when you perform iOS updates. Review all settings after every update.
Airplane Mode gets disabled automatically after every iOS update. This "feature" is great for idiots, but terrible for operational security. Presume that after every iOS update + reboot, Airplane Mode will be disabled upon startup until you reactive Airplane Mode. See my DEFCON ONE section below if this matters to your threat model.
Notes on "Lockdown Mode" (LDM)
Should you use LDM? Yes, absolutely. LDM has two features that improve the security of a device that this guide is written for: device connections hardening and configuration profiles hardening. All the other features of LDM are for people who do not take privacy and security as seriously as this guide is intended for; meaning, people who use an iPhone more normally by using iMessage, iCloud, and who browse the internet with Safari.
LDM should be enabled before your device is ever networked. Particularly, if you are using an iPad with cellular or using an iPhone, and your SIM card is inserted, malicious SMS messages or iMessages can be received by your device before LDM is enabled, potentially opening up your device to remote exploitation before the mitation can be implemented. Even SIM-less devices, like a Wi-Fi iPad that this guide focuses on, malicious actors might be able to perform remote or local network attacks (Wi-Fi or Bluetooth), or physical attacks if threat actors have physical access to your device, that might be mitigated by LDM.
iPadOS and iOS 17 have some Lockdown Mode improvements. Devices won't automatically join non-secure WiFi networks (open, WEP or WPA encrypted, etc) and will disconnect from a non-secure Wi-Fi network when you turn on Lockdown Mode. 2G cellular support is turned off. 2G being disabled by default is an evolution of LDM, one that I hope gets further enhanced to mitigate cellular insecurities. Of course, this doesn't help a Wi-fi iPad. However, by disabling 2G by default in cellular devices, Apple is attempting to better protect at-risk users from IMSI catchers or fraudulent cell towers performing MitM attacks. By disabling automatic joining to insecure Wi-fi is also very important to protect against similair MitM attacks within Wi-Fi range.
If Apple is listening, LDM could be improved, a lot: * A modern exploit mitigation technology called Memory Tagging Extension (MTE) still has not been enabled. However, in iPadOS/iOS 17, there are some security enhancments that i'll discuss once Apple releases its whitepaper. * Media decoding, like the automatic processing of images and video when your device receives these things, is performed by the main SOC. Ideally (not for performance but for security) media would be decoded at the application layer, or Apple would have to build a new isolated processor for offloading media decoding.
Notes on Advanced Data Protection (ADP)
Since ADP only applies to data uploaded to Apple's servers (iCloud), ADP, while amazing for a lot of people, is not in scope of this guide.
Notes on Security Keys
Security Keys is an iCloud security feature. Don't use iCloud, so you should not need Security Keys for this device.
Device Setup Directions
Set up a new or recently wiped device. Please perform steps 1 - 5 before doing anything else on the device.
(!) Critical notes if you are adapting this guide for an iPhone or cellular iPad: * Remove the SIM card before powering on the device. Ideally this would be a brand new device having never been connected to a network. * If the device is cellular but does not have a SIM tray, be sure that the device is brand new and will NOT self-activate. In other words, do NOT have Apple of your cellular carrier automatically transfer your phone number to the new device until AFTER steps 1 - 5 are complete. * It is critical to understand that Lockdown Mode is imperative to have turned on before a cell device can be remotely messaged (SMS, MMS, iMessage, etc). Apple's designed the new device setup process to active in the background BEFORE at-risk people can go into settings and enable Lockdown Mode. A failure on Apple's part to best protect at-risk people. Because the cell device will attempt to active in the background during the new device setup process, SMS, MMS, and iMessage can work and potentially allow a remote attacker to compromise a cell device before you are able to get into Settings, enable Lockdown Mode, and restart.
Create a >= 12 digit PIN or alpha-numeric passphrase (see Upgrade Your iPhone Passcode to Defeat the FBI’s Backdoor Strategy)
- Click "Forgot password or don't have an Apple ID?"
- Click "Set Up Later in Settings" then "Don't Use"
Click "Customize Settings"
- Location Services: Disable
- Siri: Set Up Later in Settings
- Screen Time: Set Up Later in Settings
- iPad Analytics: Don't Share
Disable the Network
- Settings > Airplane Mode: Enabled
- Settings > Wi-Fi: Off
- Settings > Bluetooth: Off
Enable Lockdown Mode
- Settings > Privacy & Security > Lockdown Mode > Turn On Lockdown Mode, then immediately restart.
Perform steps 6 and 7 below before setting up your AppleID, and before connecting to any network of any kind (Wifi, Bluetooth, or cellular).
- Notifications - Show Previews: Never
- General - AirDrop: Off
- General - AirDrop - NameDrop: Off
- General - AirPlay and Handoff - Automatically AirPlay to TVs: Never
- General - AirPlay and Handoff - Handoff: Off
- General - Background App Refresh: Turn every app off independently because you will want background refresh on once Signal is installed
- Control Center - Remove all controls
- Siri & Search - Siri Suggestions: Disable all
- Touch ID & Passcode - Allow Access When Locked: Disable all
- Privacy - Tracking: Disable
- Privacy - Motion & Fitness: Disable
- Privacy - Apple Advertising - Personalized Ads: Disable
Delete any iPadOS/iOS apps that you feel you will not need.
AppleID setup and configuration
Before you can setup your AppleID, you need to create a new email address that: * Has no ties to your identity. Don't use any names, pseudonyms, passwords, or anchor points that you've ever used. * Supports two-factor authentication (2FA). * Is created and only accessed via Tor Browser; ideally, Tails Linux.
Open the App Store app on your iPad.
Click the Profile icon in the top-right corner.
Create a New AppleID.
Signing into the App Store app is important for being able to install Signal and perform app updates. Signing into the App Store app will not automatically sign into iCloud. Never sign into iCloud.
- Install Signal
Setting up Signal
There are lots of choicees to be made here. What's most important when choosing a Signal number is that you have long-term, secure control of the phone number, or trust the person or organization managing the phone number. Choosing the right method really depends on your threat model and your goals for your publicity or anonymity.
Journalists, lawyers, and other professionals might have an already-public phone number given to them from their employer. You can use that phone number in Signal on this device, and on this device only.
Americans can leverage Google Voice. Digital phone number serices might be a good solution for a Signal phone number, but only if access and control of that phone number is legitimately secure. Google Voice, for example, leverages the same nation-state defences that Gmail accounts use. Two-factor authentication must be used to access these services. Americans with access to Google Voice can also pay Google $20 to transfer in a phone number to Google Voice, and doing so will make it a permanent number on your Google account and will not get purged due to lack of activity.
You can request that a friend or family member add a new phone number to their cellular provider's plan. Active the phone number on an old cell phone and get the Signal registration SMS, then destroy that phone and SIM card, and remember anchor points (dont activate the phone number and use cellular services in places where you regularly go).
Note: The updated Signal app has a bad user interface when it is the first and only device for your Signal number. When you have a fresh install of Signal, in the first couple of setup screens there is an unlink icon in the top right corner that you have to click.
Notes on the use of the Contacts, Calendars, and Notes apps
You have two choices when it comes to managing your contacts list, calendars, and notes data. There are many pros and cons with these two options and will depend on your threat model, so please think very carefully about your operational security practices.
Offline data: Since you are not signed into iCloud, you cannot risk disclosing your contacts, calendars, and notes data to Apple or your local government willingly (if your government has forced Apple to host iCloud data in your country instead of, or in addition to, the USA). This means it is relatively safe to use the Contacts, Calendar, and Notes apps, depending on your threat model. Using Apple's Contacts app is seamless since you can safely grant Signal access to contacts.
- You have to trust Signal to continue to implement trustworthy cryptographic security mechanisms that continue to prevent themselves from ever having cleartext access to your contacts. This risk is low, since you are already trusting Signal with the confidentiality and integrity of the content of your communications and whom you communicate with via Signal. This risk is also low because Signal does not have any financial motivation to collect your contacts in any way. In fact, data storage is expensive, and responding to government requests for users data is expensive, so it is cheaper for Signal to never have this data.
- Apple native apps are the default places to look for this data if you ever are stopped and searched by government or private security agents. If this risk applies to you, store your data in a trustworthy offline password manager that supports a "key file" like Strongbox. Strongbox is like KeypassXC but for iOS, where the database is encrypted in addition to iOS disk encryption, but you can use a key file to make bruteforcing of this database impossible. Keep your key file online somewhere so you can remotely download it when you need access to your Strongbox database contents. Like your passphrase to the database, the key file should never be shared.
Online data: If you are technically savvy, or have access to trustworthy technical friends or coworkers, you can self host your contacts, calendars, and notes. I use Mail-in-a-Box to self host these things, but there are many open source, self-host solutions out there.
- Since data is remotely available, you can easily wipe your phone when crossing security check points, including regional borders like at airports, and re-setup your device and re-download your data from anywhere in the world after you have safely cross these types of high-risk areas.
- Since data is remotely available, it may be possible for your adversaries to know of the existence of where your data is stored online. In my example of using Mail-in-a-Box, this setup requires a public domain name that is registered to my name. Government and private entities can buy full access to domain registry data. Online storage is a risk for remote exploitation by way of illegal or legal (government warrant) means.
- Running your own Tor hidden service, like from a Raspberry Pi hosted in a secure location, means that you can use Onion Browser by Mike Tigas to safely and privately access or download remote data.
DEFCON ONE configuration
There are two options that can be used independently, or combined, to enhance operational security.
Why DEFCON ONE might be critical for you
Are you worried about, or have you ever experienced, attackers physically stalking, harassing, or assaulting you? If the answer is yes, then you have a high risk of those same abusers conducting wireless attacks against your wireless device.
Wireless (Wi-Fi or Bluetooth) attacks are "physical" attacks. They require an attacker to be physically near and aim to:
- Capture your wireless packets in order to conduct surveillance. Your abusers might be trying to determine:
- Are you nearby?
- When are you online and active?
- How long are your conversations?
- How often do you have conversations?
- Capture your wireless packets in order to attempt to hack the security vulnerabilities in wireless protocols. Your abusers might be trying to determine:
- What type of device are you using?
- What methods are you using in order to communicate with others?
- Are there any vulnerabilities that could be taken advantage of?
- DoS (Denial of Service) your device to prevent you from being able to communicate.
- Hack the wireless protocols allowing active surveillance of wireless transmissions or to hack the device through protocol, driver, or operating system vulnerabilities. Your abusers might be trying to determine:
- What apps are you using?
- Do those apps have any vulnerabilities?
- Hack the wireless device directly through unknown or unpatched vulnerabilities in the wireless service, driver, and/or operating system. Your abusers might be trying to:
- Have complete access to your device, including apps like Signal.
DEFCON ONE setup directions
The GL-iNet Beryl is a router that supports some outstanding features:
- Wi-Fi can be disabled
- Supports a WAN port and LAN port for wired-only networking
- Supports transparent Tor proxying
The Belkin USB-C to Gigabit Ethernet Adapter or Belkin Ethernet + Power Adapter with Lightning Connector allows you to mitigate all wireless attacks when the iPad is in persistant Airplane Mode.
- Connect an ethernet cable to the ethernet adapter.
- Connect the ethernet adapter to a new, out-of-box iPad without turning the iPad on.
- Power on the iPad for the firs time
Following steps 1-3, upon iPad boot-up, the iPad will not go searching for Wi-Fi access points and will automatically use the wired connection.
Combine the GL-iNet Beryl with a wired ethernet adapter, and you can then Torify the iPad initialization and all future use, in effect never disclosing your physical location metadata to Apple or Signal.
Notes on DEFCON ONE configuration
- If you do this, be sure that the wired ethernet connection is always active before, during, and after all iOS updates because of the unfortunate automatic disabling of Airplane Mode after iOS updates.
- The Belkin USB-C adapter does not support USB-C charging. You will not be able to leave the iPad with an always-on internet connection, but this is not necessarily a bad thing.
- Assure that Airplane Mode is enabled immediately after setting up the iPad for the first time. Assure that Airplane Mode is always enabled. Assure that you never connect to any Wi-Fi access point, ever, so that if Airplane Mode ever becomes disabled accidentally, it will not broadcast any Wi-Fi connect packets.
- If you are not worried about physical wireless attacks (attackers who physically stalk you and try to break into your iPad via wireless hacks), then you can use the GL-iNet Beryl as a wireless device while leveraging the transparent Tor proxy.