DRAFT How to Use an iPad as a Secure Calling and Messaging Device

2021 March 13

Originally written for the iPod Touch on 2015 September 12

Not the iPod anymore

Because Apple, in a massive lapse in judgement, put the A10 Fusion chip from 2016 in the 2019 iPod Touch, no version of the iPod Touch is secure.

Intro

Modern internet communication technologies are abundant, but legacy phone calling and texting (SMS, MMS) are inherently insecure. Communications content and metadata are collected and stored by various organizations, for many years. You have a responsibility to safeguard your personal communications with strong encryption technologies, because only then will your friends and family be able to help collectively defend your rights. In professions where privacy is expected between you and clients (law, journalism, etc.), policy should dictate communicating securely or not at all.

Encryption technology is not new but default strong encryption in mass-market devices is. We’re slowly evolving. The political cost of default privacy and security is at an all-time low while the social expectations of strong encryption are at an all-time high. Modern telecommunications largely depend on legacy and vulnerable communications infrastructure, which is by design:

  • All cell phones transmit insecure content and metadata because cell networks were designed for surveillance.
  • All cell phones not broken, off, or in Airplane Mode can be easily tracked.
  • The majority of SIM cards require registration using government-issued ID.
  • Most Android devices are patched slowly, if at all.
  • Carrier-modified versions of Android are poorly developed and maintained.

“Nobody is listening to your telephone calls” –President Obama

President Obama is not lying. It is not possible for US government employees to listen to every phone call. However, recording phone calls is more than technically feasible. It is cheaper and more effective to transcribe voice data to text.

The solution is easy: don’t give it to them.

What is bad for the DEA, DHS, FBI, and NSA is also bad for all other malicious actors. It is up to us to cause the social change that in turn lowers the personal costs of default privacy and security and the financial risk to businesses of supporting what we need.

The financial cost of surveillance equipment is also at an all-time low. Mobile IMSI catchers can be built and deployed by anyone technically savvy enough to learn how to build one, and law enforcement has large budgets for more feature-rich devices. The most effective way to ensure that you are not a victim of cell tracking or attack is to not use those systems.

The Apple iPad, from a hardware point of view

The iPad fills a much needed space:

  • Supports Wi-Fi only
  • Supports >= A12 chip
  • Supports wired headsets for audio and video calls, including 3.5mm ports, Lightning ports, or USB-C with a USB-C adapter. Not all iPads have the same port options, so double-check the model you are buying.
  • Supports >= iOS 14.4, as of writing
  • Supports Signal

In order of security, then cost:

  1. A14 - iPad Air 10.9” 2020 4th gen - 64GB $599
  2. A12Z - iPad Pro 11” 2020 2nd gen - 128GB $799
  3. A12Z - iPad Pro 12.9” 2020 4th gen - 128GB $999
  4. A12X - iPad Pro 11” 2018 3rd gen - 64GB $799
  5. A12X - iPad Pro 12.9” 2018 3rd gen - 64GB $999
  6. A12 - iPad 10.2" 2020 8th gen - 32GB $329
  7. A12 - iPad Mini 7.9" 2019 5th gen - 64GB $399
  8. A12 - iPad Air 10.5” 2019 3rd gen - 64GB $499

Keep in mind that the newer the chip is, the longer that Apple will support it with security patches.

Why is the A12 (or greater) chip so important?

Apple devices with chips older than the A12 do not have these critical technologies:

  1. Page Protection Layer (PPL) "requires that the platform execute only signed and trusted code."
  2. Pointer Authentication Codes (PAC) are "used to protect against exploitation of memory corruption bugs."
  3. "Bulletproof" Just-In-Time (JIT) compilation "is the process by which JavaScript is compiled to native code which forces the separation of memory mappings used to isolate write and execute functions."

See Apple's high-level breakdown of SoC Security.

The technical details of these low-level technologies are out of scope for this publication, but there are many resources to learn about them, like here and here.

The thing that you need to know is that without these critical security technologies, Apple devices are vulnerable to easy-to-perform physical and remote exploits.

Why not use a phone in Airplane Mode? Why does it need to be a Wi-Fi-only device?

  1. In modern cell phones (devices with cellular baseband processors), the baseband is an isolated computer within your phone, with its own power controller, CPU, memory, firmware, and operating system. When a phone boots up, its initialization sequence includes booting the baseband. This means that the baseband is initialized before, and in parallel with, the phone's main operating system. This is done for power-saving and security reasons. It means that when you put a phone into Airplane Mode, all you're doing is turning off the phone operating system's access to the baseband. Airplane Mode does not mean that the baseband hardware, firmware, or software stack is turned off.
  2. Even without a SIM card, a baseband processor can and does connect to cell towers, including the disclosure of the device's IMEI along with "when" and "where" metadata. This is how a SIM-less phone can call 911. It's impossible to mitigate cellular communications without resorting to Faraday cages.

Apple is an American company that works with the NSA and is part of the PRISM program. If you are, or ever could be, a target of U.S. intelligence or U.S. military organizations, you are already playing a difficult game by choosing an Apple product.

As soon as you turn on an Apple product, the device is working against you by collecting Wi-Fi and Bluetooth network information in order to attempt to "streamline" the user's setup experience. Some of that data is uploaded to Apple's servers as soon as the device is connected to the internet. Every Apple device, especially a new one, uploads its unique hardware identifiers to Apple, along with network metadata that can disclose physical location information to Apple.

  1. Your device's hardware identifiers.
  2. Your public IP address used to connect to *.apple.com services.
  3. All other information that you input into the device for device setup and account sign-in, which are both required in order to access the Apple Store.

If Apple, or any of the U.S. intelligence or military organizations, has any other data that links anything about you to this Apple device, your identity can be tracked by these organizations.

  1. Your credit card or debit card used to make the purchase.
  2. Your physical address for device delivery.
  3. Your car license plate seen by Automatic License Plate Readers (ALPR) going to pick up the device.

Also, using Signal requires use of the Apple Push Notification Service (APNs). This means that Apple has a metadata record of when, where, and what service you're using.

  1. The date and time you send or receive messages.
  2. The network metadata associated with the receiving or delivering of messages.
  3. Your messaging application, Signal.

There are ways to deal with this, but they are not for the average user. I'll go into more detail in the DEFCON ONE section below.

iOS Updates Warnings

  1. Update iOS always. Update as soon as possible. Every update comes with very important security patches.

  2. Be aware that privacy settings may be reconfigured without your knowledge when you perform iOS updates. Review all settings after every update.

  3. Airplane Mode gets disabled automatically after every iOS update. This "feature" is great for idiots, but terrible for operational security. Presume that after every iOS update + reboot, Airplane Mode will be disabled upon startup until you reactivate Airplane Mode. See my DEFCON ONE section below if this matters to your threat model.

Wi-Fi iPad + Signal Advantages

  1. Wi-Fi iPads do not have any inherent baseband, SIM card, or SIM card port insecurities.
  2. You can control which Wi-Fi networks to expose your device to, if you choose to use Wi-Fi.
  3. Wi-Fi iPads employ default Full Disk Encryption that is dependent on hardware and firmware integrity controls.
  4. Apple publishes security patches quickly, and they are not dependent on carrier restrictions.
  5. Signal uses only modern, always-on, end-to-end cryptography.
  6. Signal allows users to verify encryption key fingerprints.
  7. Signal is free, open source, and has public security audits.
  8. Signal supports interoperability, meaning that other people can use Signal on iOS or Android devices.

Disadvantages

  1. The default settings for iOS devices are bad for operational security. Using Signal anonymously or pseudonymously requires great effort.
  2. Wired or Wi-Fi internet access is not as abundant as cellular internet access. These days, people depend heavily on having an always-connected device to function.
  3. iOS requires an AppleID to download and update apps.

Directions

Set Up

  1. Create a >= 12 digit PIN or alphanumeric passphrase
  2. AppleID
    • Click "Forgot password or don't have an Apple ID?"
    • Click "Set Up Later in Settings" then "Don't Use"
  3. Click "Customize Settings"
    • Location Services: Disable
    • Siri: Set Up Later in Settings
    • Screen Time: Set Up Later in Settings
    • iPad Analytics: Don't Share

Configure

Do all of this before setting up your AppleID.

  1. Settings

    • Airplane Mode: Enabled
    • Wi-Fi: Off
    • Bluetooth: Off
    • Notifications - Show Previews: Never
    • Sounds - Keyboard Clicks: Off
    • Sounds - Lock Sound: Off
    • General - AirDrop: Off
    • General - AirPlay and Handoff - Automatically AirPlay to TVs: Never
    • General - AirPlay and Handoff - Handoff: Off
    • General - Background App Refresh: Turn off each app individually rather than the feature as a whole, because you will want it on for Signal once Signal is installed
    • Control Center - Remove all controls
    • Siri & Search - Siri Suggestions: Disable all
    • Touch ID & Passcode - Allow Access When Locked: Disable all
    • Privacy - Tracking: Disable
    • Privacy - Motion & Fitness: Disable
    • Privacy - Apple Advertising - Personalized Ads: Disable
    • Safari - Advanced - JavaScript: Disable
  2. Delete all apps, except maybe Notes and Contacts.

  3. Swipe left to see the default widgets, and delete them all. Do everything that you can to remind yourself that this device cannot and should not be used for anything other than using Signal securely and privately.

AppleID setup and configuration

Before you can set up your AppleID, you need to create a new email address that:

  1. Has no ties to your identity. Don't use any names, pseudonyms, passwords, or anchor points that you've ever used.
  2. Supports two-factor authentication (2FA).
  3. Is created and only ever accessed via Tor Browser; ideally, on Tails Linux. In other words, don't add this email address to your iPad. Remember that this secured iPad cannot and should not be used for any purpose other than Signal.

Directions

  1. Open the App Store app on your iPad.
  2. Click the Profile icon in the top-right corner.
  3. Create a New AppleID.

Signing in with your AppleID via the App Store is strategic and critical. This way, you are only signed into the App Store and not automatically signed into iCloud. Never sign into iCloud.

Contacts management

You have several choices when it comes to managing contacts.

  1. Because you are not signed into iCloud, you do not risk disclosing your contacts to Apple. This means it is relatively safe to use the Contacts app, depending on your threat model. This method is easiest to manage, since you can grant Signal access to Contacts. There are two obvious risks here:
    • You have to trust Signal to continue to implement security features that prevent it from ever having cleartext access to your contacts. This risk is low, since you are already trusting Signal with the confidentiality and integrity of the content of your communications and whom you are in communication with.
    • The Contacts app is the easiest place to look for this data, if you are ever stopped and searched by government or private security agents. Realistically, there is no safe place on an iOS device if your threat model includes this scenario. See the OFFLINE DATA section below if this applies to you.

OFFLINE DATA configuration (WIP)

  1. Cloud data
  2. Local data: basically data-less when traveling, to an extreme degree

DEFCON ONE configuration

There are two options that can be used independently, or combined, to enhance operational security.

Why DEFCON ONE might be critical for you

Are you worried about, or have you ever experienced, attackers physically stalking, harassing, or assaulting you? If the answer is yes, then you have a high risk of those same abusers conducting wireless attacks against your wireless device.

Wireless (Wi-Fi or Bluetooth) attacks are "physical" attacks. They require an attacker to be physically near and aim to:

  1. Capture your wireless packets in order to conduct surveillance. Your abusers might be trying to determine:
    • Are you nearby?
    • When are you online and active?
    • How long are your conversations?
    • How often do you have conversations?
  2. Capture your wireless packets in order to attempt to hack the security vulnerabilities in wireless protocols. Your abusers might be trying to determine:
    • What type of device are you using?
    • What methods are you using in order to communicate with others?
    • Are there any vulnerabilities that could be taken advantage of?
  3. DoS (Denial of Service) your device to prevent you from being able to communicate.
  4. Hack the wireless protocols allowing active surveillance of wireless transmissions or to hack the device through protocol, driver, or operating system vulnerabilities. Your abusers might be trying to determine:
    • What apps are you using?
    • Do those apps have any vulnerabilities?
  5. Hack the wireless device directly through unknown or unpatched vulnerabilities in the wireless service, driver, and/or operating system. Your abusers might be trying to:
    • Have complete access to your device, including apps like Signal.

DEFCON ONE directions

The GL-iNet Beryl is a router that supports some outstanding features:

  1. Wi-Fi can be disabled
  2. Supports a WAN port and LAN port for wired-only networking
  3. Supports transparent Tor proxying

The Belkin USB-C to Gigabit Ethernet Adapter or Belkin Ethernet + Power Adapter with Lightning Connector allows you to mitigate all wireless attacks when the iPad is in persistent Airplane Mode.

  1. Connect an ethernet cable to the ethernet adapter.
  2. Connect the ethernet adapter to a new, out-of-box iPad without turning the iPad on.
  3. Power on the iPad for the first time.

Following steps 1-3, upon iPad boot-up, the iPad will not go searching for Wi-Fi access points and will automatically use the wired connection.

Combine the GL-iNet Beryl with a wired ethernet adapter, and you can then Torify the iPad initialization and all future use, in effect never disclosing your physical location metadata to Apple or Signal.
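
One way to check the claim above is to capture traffic on the router's WAN port and confirm that every flow goes to a Tor relay, with nothing reaching Apple directly. This is an added example, not part of the original guide or of GL-iNet's software; the flow-record format, the relay list, and every address in it are constructed assumptions.

```python
import ipaddress

# Apple's long-standing IPv4 allocation; a direct hit here bypassed Tor.
APPLE_NET = ipaddress.ip_network("17.0.0.0/8")

# Constructed sample data (documentation address ranges, not real relays):
# the relays the router's Tor client is using, and WAN-side flow records
# (protocol, destination IP, destination port) taken from a capture.
SAMPLE_RELAYS = ["198.51.100.7", "198.51.100.22"]
SAMPLE_FLOWS = [
    ("tcp", "198.51.100.7", 9001),   # Tor relay connection: expected
    ("tcp", "198.51.100.22", 443),   # Tor relay connection: expected
    ("udp", "192.0.2.53", 53),       # DNS query that escaped the proxy
    ("tcp", "17.253.144.10", 443),   # constructed address inside 17.0.0.0/8
    ("udp", "203.0.113.9", 123),     # NTP, which is UDP and cannot use Tor
]


def find_leaks(flows, tor_relays):
    """Return (reason, flow) for every WAN flow that did not go to a relay."""
    relays = {ipaddress.ip_address(r) for r in tor_relays}
    leaks = []
    for proto, dst, port in flows:
        addr = ipaddress.ip_address(dst)
        if proto == "tcp" and addr in relays:
            continue  # Tor talks to relays over TCP only
        if proto == "udp" and port == 53:
            reason = "cleartext DNS"
        elif addr in APPLE_NET:
            reason = "direct connection to Apple netblock"
        elif proto != "tcp":
            reason = "non-TCP traffic outside Tor"
        else:
            reason = "TCP to a host that is not a known relay"
        leaks.append((reason, (proto, dst, port)))
    return leaks


if __name__ == "__main__":
    for reason, flow in find_leaks(SAMPLE_FLOWS, SAMPLE_RELAYS):
        print(f"LEAK {reason}: {flow}")
```

Traffic the router originates itself, such as its own time sync, appears in the same capture and has to be judged separately from iPad traffic.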

DEFCON ONE Notes

  1. If you do this, be sure that the wired ethernet connection is always active before, during, and after all iOS updates because of the unfortunate automatic disabling of Airplane Mode after iOS updates.
  2. The Belkin USB-C adapter does not support USB-C charging. You will not be able to leave the iPad with an always-on internet connection, but this is not necessarily a bad thing.
  3. Make sure that Airplane Mode is enabled immediately after setting up the iPad for the first time. Make sure that Airplane Mode is always enabled. Make sure that you never connect to any Wi-Fi access point, ever, so that if Airplane Mode ever becomes disabled accidentally, it will not broadcast any Wi-Fi connect packets.
  4. If you are not worried about physical wireless attacks (attackers who physically stalk you and try to break into your iPad via wireless hacks), then you can use the GL-iNet Beryl as a wireless device while leveraging the transparent Tor proxy.