Secure Messenger Scorecard (May 2017)

This is a draft.

I’m starting my own Secure Messenger Scorecard based on the prior work of the Electronic Frontier Foundation.

I’ve created an editable Google Doc for further input and development.

Please scrutinize and contribute by Signaling me, emailing me or tweeting at me.

version one

version two

version three

Hardware hacking the LG L15G Sunrise

The Tracfone LG L15G recently dropped to $10 at Walmart, so I picked one up. As expected, the hardware is incredibly simple and accessible.

During my (very easy) work on this, I kept thinking: why would anyone spend $700 on a “secure phone” (Silent Circle) when I can spend $10 on this one and take the microphone and camera out? It really depends on which security feature we’re looking at, and in this case, with the LG, it’s hardware security. At the very least, Silent Circle should make it very easy to physically remove specific, high-risk sensors. This LG still has Rotation Vector and Accelerometer sensors, and I don’t know where those are located. Even so, compared to my Nexus 6, this is an extremely simple device to “secure”.

Ars Technica reviewed the LG Sunrise. While they are quite right about how “cheap” it is, I got the feeling that they have no appreciation for easy-to-hack devices, especially ones as powerful as Android.

A review of the $10 Walmart phone—better than nothing, but not by much

Reasons to keep a $10 Android around:

The end result, achieved within 5 minutes of work, was the removal of the microphone, the front-facing sensors, the rear camera, and the rear speaker. I could have taken out the primary earphone too.

Processor and Sensors

via “CPU-Z”

CPU: Qualcomm Snapdragon 400
Model: MSM8926
Cores: 2
Architecture: 2x ARM Cortex-A7 @ 1.19 GHz
Revision: r0p3
Process: 28 nm
Clock Speed: 300 MHz – 1.19 GHz
CPU Load: (CPU 1 idles at 300 MHz with the second turned off. Idle load was 10-20%)
GPU Vendor: Qualcomm
GPU Renderer: Adreno 305 @ 400 MHz
GPU Clock Speed: 300 MHz
GPU Load: (Idles at 0%)
Scaling Governor: on demand

Model: LGL15G (y25_trf_us)
Manufacturer: LGE
Brand: lge
Board: y25
Screen Size: 3.46 inches
Screen Resolution: 320 x 480 pixels
Screen Density: 166 dpi
Total RAM: 420 MB
Available RAM: 150 MB (35%) at idle
Internal Storage: 1.80 GB
Available Storage: 1.49 GB (82%)

Android Version: 4.4.2
API Level: 19
Bootloader: unknown
Build ID: KOT49I.LGL15G10f
Java VM: Dalvik 1.6.0
OpenGL ES: 3.0
Kernel Architecture: armv7l
Kernel Version: 3.4.0+(LGL15G10f.1419269528)
Root Access: (I rooted this test device just to see if I could, but I don’t recommend it)

LGE Accelerometer Sensor
LGE Rotation Vector Sensor

The hack

The only tool that I needed to open up the phone and do most of the work was a simple crosshead screwdriver.

The disassembly was trivial as I didn’t need any tools (after the screws were removed).

To disconnect the system board from the back of the LCD screen, just disconnect the top right (earphone) and bottom left (home buttons) cables.

The rear camera simply disconnects. The front-facing sensors needed a moderate “push” (with the screwdriver) to disconnect.

The microphone needed a moderate “pull” (with the pliers) to disconnect.

As the Ars Technica review mentions, the hardware is very simple. The system board demonstrates that.

The rear speaker was easy to disconnect simply by removing the connecting wires. I didn’t have a good reason to remove this speaker. In my defense, I didn’t actually know (or test) if there was another microphone here. Plus, the vibrator is still attached.

After all this, the phone booted up without issue. Buy a headset and make end-to-end encrypted calls with Signal, with or without using cell service.

StageFright

Android 4.4.2 is pretty bad. Using Signal would help defend against Stagefright.

CVE-2015-1538
CVE-2015-3829
CVE-2015-3828 (not vulnerable)
CVE-2015-3864
CVE-2015-3827
CVE-2015-3876 (not vulnerable)
CVE-2015-6602
CVE-2015-3824
CVE-2015-6575

Apps I was able to disable

Browser
Calendar
Chrome
Cloud Print
com.android.providers.partner
com.lge.sui.widget
ConfigUpdater
Drive
Favorite contacts Widget
Google Backup Transport
Google Calendar Sync
Google Contacts Sync
Google One Time Init
Google Partner Setup
Google Play Books
Google Play Games
Google Play Movies & TV
Google Play Music
Google Play Newsstand
Google Search
Google Text-to-speech Engine
Google+
Hangouts
LG VoiceCommand Speech Pack
Maps
Market Feedback Agent
Mobile Device Management
Multitasking Framework
Music
My Account Downloader
Polaris Office
Setup Wizard
Street View
TalkBack
Tasks
Voice Command
WAP Service
YouTube

Create an anonymous document drop with any Android

Honestly I have no idea why I didn’t think about this before. I’m sorry it’s taken so long. This guide will show you how to use any Android to host a Tor hidden service and send it files from anywhere in the world with SSH or SCP. I tested this with a Nexus 6 (shamu) running Android 6, but I will test this on Android 4.4.4 soon. Root is not needed; you could perform these steps on any Android. Play around with this. I do not currently have a lot of confidence (stability) in an Android (Wifi), SSHelper (app), Orbot (app), and Tor (circuit) hidden-service combination. But I’ll try this out on an extra Android and see if I can still access it after a week or so and update the post.

Much wow.

There are several amazing things about this setup:

1. Easy. It’s so easy, omg. Even securing the Android is super easy with this narrow a use case.

2. Cheap. Like, as little as $10 cheap, or, “can I have your old Android for free, please” cheap.

3. You could drop a burner Android, using any Wifi you can connect to, in so many places. And if you don’t have a wall outlet where it could sit and charge forever, you could have several days or weeks worth of uptime before it dies.

Guide

0. Buy a cheap Android in person with cash; you may prefer one with an SD card slot for additional storage. Go to a coffee shop you’ve never been to that has free Wifi. Turn on your Android and connect to the public Wifi. Create a new Google account with an unattributable username and password. Put the phone into airplane mode, then reactivate the Wifi. Disable any apps and services not needed (dependent on the device), then install any Android OS or app updates that are necessary. Ensure the Android’s storage is encrypted, and ensure that device access requires a long passphrase for boot and for device entry.

Note on “buy any Android” — some burners that I’ve purchased before, like a $30 one from Verizon, force you to activate the device as soon as you turn it on, making it extremely difficult to control any aspect of Android until phoning home to Verizon and activating with a phone number. If you want to be sure you don’t have to deal with carrier crap, spend a little more and go with an unlocked Moto E for $120. The 1st Gen and 2nd Gen Moto E’s conveniently support a 32GB microSD.

1. Download “Orbot: Proxy with Tor” (by: The Tor Project) from the Play Store. Open “Orbot”. Go into settings and scroll down to “Hidden Service Hosting” and enable “Hidden Service Hosting”. Tap “Hidden Service Ports” and enter “2222”. Back out of settings and long-press the power button to connect to the Tor network. Go back into settings then scroll down and tap “.Onion Hostname” to view your hidden service address. Document that address on your laptop with Tails or Torified SSH ready to go.

2. Download “SSHelper” (by: Paul Lutus) from the Play Store. Open the “SSHelper” app. That’s it. The default user is “admin”, default password is “admin”. The default ssh, scp, and rsync directory is your normal user’s home directory, which is one below the virtualized (or real) “SDCard”. I was able to connect with an ECDSA key pair.

3. Download “NetGuard – no-root firewall” (by: Marcel Bokhorst) from the Play Store. Open “NetGuard”. In the top right corner are three vertically aligned dots. Tap that button to enter the Settings menu. Activate “Block Wi-Fi by default”, “Block mobile by default”, and “Manage system applications”. Click back to save the settings changes. Now scroll down and find “Orbot” and tap the orange Wifi icon (it will turn from a struck-out orange icon to a green icon), which will allow it to access the network over Wifi only. Scroll down a little bit more to “SSHelper” and tap the orange Wifi icon to give it Wifi access too. Now at the very top, to the right of “NetGuard”, tap the switch icon to activate your firewall rules. Accept (OK) the two prompts that follow.

Your Android is now ready to go.

4. From your Linux or OS X command line interface (CLI), you should now be able to send it any files. It only took 22 seconds for me to transfer an 8 MB PDF:

scp -P 2222 bulletproof-ssl-and-tls.pdf admin@c3dznupj493fgtd5j.onion:.

Torify SSH (Ubuntu) for connecting to hidden service addresses

Install tor and openssh-client. Then:

sudo vim /etc/ssh/ssh_config

Add (under “Host *”)

proxyCommand ncat --proxy 127.0.0.1:9050 --proxy-type socks5 %h %p

Then:

sudo service ssh restart
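As an added example (not from the original post), the same ProxyCommand placed in the user’s own ssh client config and limited to .onion hosts, which serves both the scp step of the document drop above and this Torify section. It goes one step beyond the text by scoping the proxy to hidden-service names rather than “Host *”; TOR_SOCKS, drop_file and the known_hosts.onion file name are my choices, while port 2222 and the admin user come from the guide. ssh reads its client config on every invocation, so the stanza applies to the next ssh or scp you run.

```shell
#!/bin/sh
# Added example, not from the original post: put the Tor ProxyCommand in the
# user's own ssh client config, scoped to .onion hosts only.

# SOCKS port of a default tor daemon; ncat comes with nmap. Override with
# TOR_SOCKS=host:port if tor listens elsewhere.
TOR_SOCKS=${TOR_SOCKS:-127.0.0.1:9050}

# Print the stanza. "Host *.onion" limits the proxy to hidden-service names;
# the same ProxyCommand under "Host *" would push every ssh and scp session
# through the SOCKS port and fail whenever tor is not running.
onion_stanza() {
    cat <<EOF
Host *.onion
    ProxyCommand ncat --proxy $TOR_SOCKS --proxy-type socks5 %h %p
    # keep hidden-service host keys apart from everyday ones
    UserKnownHostsFile ~/.ssh/known_hosts.onion
EOF
}

# install_onion_stanza CONFIG
# Append the stanza once; re-running is a no-op, so setup scripts can call it
# freely. The file is created owner-only, as ssh expects for its config.
install_onion_stanza() {
    cfg="$1"
    if [ -f "$cfg" ] && grep -q '^Host \*\.onion$' "$cfg"; then
        return 0
    fi
    mkdir -p "$(dirname "$cfg")"
    onion_stanza >> "$cfg"
    chmod 600 "$cfg"
}

# stanza_count CONFIG: number of "*.onion" Host blocks (1 after install).
stanza_count() {
    if [ -f "$1" ]; then
        grep -c '^Host \*\.onion$' "$1" || true
    else
        echo 0
    fi
}

# drop_file FILE ONION_HOST
# The post's scp command, routed through the stanza above. Port 2222 is the
# hidden service port chosen in Orbot; "admin" is SSHelper's default user,
# which you should change together with its default password.
drop_file() {
    scp -F "$HOME/.ssh/config" -P 2222 "$1" "admin@$2:."
}

# Run as a setup script with TARGET set, e.g.
#   TARGET=$HOME/.ssh/config sh torify-ssh.sh
if [ -n "${TARGET:-}" ]; then
    install_onion_stanza "$TARGET"
fi
```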

Simple Android adb & fastboot management for Ubuntu

Desktop OS: Ubuntu 14.04, 15.04, 15.10, or Tails Linux
Device: Nexus (tested on 6 (shamu) and 9 (flounder))
Mobile OS: Android 5.1.1 > 6.0.1

Requires phone to be unlocked and USB debugging enabled in Developer options.


sudo apt-get update
sudo apt-get install android-tools-adb android-tools-fastboot

sudo su
adb devices
adb reboot bootloader

fastboot erase system
fastboot erase all

fastboot flash bootloader bootloader.img
fastboot reboot-bootloader
fastboot flash radio radio.img
fastboot reboot-bootloader
fastboot flash system system.img
fastboot flash userdata userdata.img
fastboot flash boot boot.img
fastboot flash recovery recovery.img
fastboot erase cache
fastboot flash cache cache.img
fastboot reboot-bootloader
fastboot oem lock
fastboot reboot
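Before running the flash sequence above, an added example (not from the post and not part of Google’s tooling) that gates flashing on a SHA-256 check. Google publishes a SHA-256 checksum beside each factory image archive; the manifest format here is the two-column one sha256sum reads, and listing the individual extracted images assumes you recorded their digests yourself from an archive you had already verified. The function and file names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: refuse to flash factory images
# whose SHA-256 does not match the digest you recorded. A flash sequence run
# as root over fastboot will happily write a corrupted or tampered image, so
# the check belongs before the first "fastboot flash ...".

# sha256_of FILE: print the hex digest using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_image FILE EXPECTED_SHA256
# 0 when the file exists and its digest matches, 1 otherwise (reason on stderr).
verify_image() {
    file="$1"
    # published digests are sometimes hand-copied in uppercase; normalise
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "missing: $file" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch: $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    return 0
}

# verify_manifest MANIFEST DIR
# MANIFEST lines look like "<sha256>  <filename>" (the sha256sum format; a
# leading "*" marks binary mode and is ignored). Every entry is checked rather
# than stopping at the first failure, and the return value is the number of
# failures, so "verify_manifest m . && fastboot flash ..." flashes nothing
# unless the whole set is clean.
verify_manifest() {
    manifest="$1"
    dir="$2"
    failures=0
    while read -r expected name; do
        case "$expected" in ''|'#'*) continue ;; esac
        name=${name#\*}
        if verify_image "$dir/$name" "$expected"; then
            echo "ok: $name"
        else
            failures=$((failures + 1))
        fi
    done < "$manifest"
    return "$failures"
}

# Usage, with a manifest you wrote from digests of a verified archive:
#   verify_manifest nexus-images.sha256 ./images && fastboot flash boot boot.img
```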

1 http://forum.xda-developers.com/nexus-6/general/guide-flash-factory-images-nexus-6shamu-t2954008

2 https://developers.google.com/android/nexus/images?hl=en

Using Google Fi for a relatively private phone service

Created 2015-Aug-24
Updated 2016-Apr-19

In this post I’ll discuss ways to leverage the new Google Fi service in ways that are possibly more secure or more private compared with regular AT&T, Verizon, Sprint, or T-Mobile phone service. Good planning and good practices can help people who are sensitive to physical location data sharing avert certain kinds of passive surveillance and in turn may prevent future active surveillance. While this information may be useful, it is not intended to solve your specific needs. You are ultimately responsible for understanding why you are performing these actions and non-actions.

Regarding SS7 attacks, the common way for such attacks to work requires that an attacker know your real cell phone number. Google Voice numbers are not vulnerable to these attacks. The same could be said for a landline phone number or any VoIP number like Skype.

Regular, long-term cell service wrongs:

  1. Requires government issued ID, which basically means connecting your government issued identity to a SIM card and other hardware identifiers.
  2. Requests (and at times requires) a Social Security Number, which also, basically, means connecting your government ID to hardware IDs.
  3. Requests the availability of voicemail, a service that is remotely accessible and is unlockable by a simple 4-digit pin code.
  4. Does not support two-factor authentication for access to sensitive account information.
  • Google Fi does not ask for identification, period. It is also possible to use prepaid credit/debit cards. As of April 2016, the Google/LG Nexus 5X is the cheapest phone, and you can buy it online or from a local retailer. Related notes: AT&T locks the SIM, so you can’t use an AT&T Google Nexus until AT&T (or a third party service) gives you a SIM unlock code. T-Mobile does not lock the SIM.
  • Voicemail is also an option with Fi. Fi support has stated that “Once you have set up your voicemail with Project Fi, it is impossible to turn off your voicemail,” and, “It will not be turned on until you activate it.” However, I presume that once Fi voicemail is activated, it is remotely accessible like regular voicemail service. If you perform the below steps, you will have no use for Fi Network voicemail, so don’t activate it.

Steps

The following configuration utilizes Google’s Hangout Dialer app that you will install and leverage on your Google Fi Nexus. The Hangouts Dialer will be able to make and receive all calls and texts using a Google Voice phone number. Two Google accounts are needed.

If your personal Google account has Google Voice presently, you will be forced to either give up that number or make it your Google Fi phone number. Either way, you will lose Google Voice functionality completely, which is why a second Google account is needed.

  1. Register for Google Fi service using Google account #1 including ordering a new Nexus 6, 5X, or 6P.
  2. Do not share your Fi Network phone number. With anyone. Not your friends, family, or any services. Period.
  3. With Google account #2, register a Google Voice phone number.
  4. Download Google’s Hangouts Dialer. Google account #1 will automatically log in. Log in with Google account #2 (the Google Voice account). Then sign out from Google account #1 — only sign out in the Hangouts Dialer app, not from the Nexus completely.
  5. Configure Hangouts Dialer as follows: Settings > Enable merged conversations (yes), > account2@gmail.com > Incoming phone calls (yes), Messages (yes), > Customize invites > People who have your phone number (can contact you directly).
  6. Give out your Google Voice number to friends, family, and services. Calls and plain SMS will come through in the Hangouts Dialer app.
  7. Always make calls with the Hangouts Dialer app so the receiver’s caller ID shows your Google Voice number. It is best to remove the regular phone dialer app from the Android system tray and replace it with Hangouts Dialer.
  8. Added security

    1. Employ Google Authenticator two-factor authentication (2FA) for both accounts as soon as possible for better security. Avoid SMS 2FA because of the inherent vulnerabilities.
    2. Download Signal onto the Nexus and register your Google Voice phone number in Signal. While Signal will open up showing the real Google Fi phone number, delete it and enter the Google Voice number. The SMS verification will fail, so wait for the 2 minute countdown to expire then click “call me” for automated voice verification.
    3. Through the Google Voice web interface, optionally create a voicemail greeting that requests people to install and call back with Signal. Enabling “do not disturb” will enhance this goal because then nobody can call you and can only leave voicemails.
    4. If you haven’t already, talk to your friends and family about our need for privacy and security and inform them about Signal.

Added anonymity

The following are added steps in case you wish to also have probable anonymity from the service providers, in this case, Google, Sprint, and T-Mobile:

  1. If anonymity from the cellular provider is your goal, you’ll need to buy a Nexus 6, 5X, or 6P from a local retail location with cash and pay for monthly service with a prepaid debit card. If you go this route, you will still need to order a Fi Sim Kit from Google with Google account #1 and have it shipped to you. If anonymity is your goal, consider renting an AirBnB or a hotel room using a pre-paid debit card and alias during the window of delivery.
  2. During registration for Google Fi service, account registration will require a “service address”. Use the above mentioned AirBnB address or be creative. You can always change the service address at a later date. All billing is electronic.
  3. You can consider not using your Nexus phone at any anchor points, including home or work. To do this, you would need to keep the device turned off at all times except when out and about. This makes it harder for service providers to identify you, but keep in mind that Google, Sprint, and T-Mobile can see network metadata and they can always record your voice when not using Signal. It’s still a tracking device with a microphone and camera!
  4. Consider removing the microphone and camera.

Creating Google accounts

Use an Android to create one or more Google accounts (Settings > Accounts > Add account > Google). Creating new Google accounts this way does not require the creator to enter an existing email or phone number. Creating new Google accounts while using Tor will result in an account auto-lock. However, once an account is set up with two-factor authentication, you can log in via Tor Browser or Tails elsewhere. If you are trying to stay anonymous to Google, you’ll have to use a new Android (device IDs never before used by your real identity) and turn it on at a location far from any of your anchor points. Keep in mind that Google will know where your Fi device is when using the Fi network, but depending on your preparation/operational security, will not know the identity of the user.

In retrospect

Google, in addition to sporadic use of Sprint and T-Mobile network infrastructure, will be the only ones who know the identity (phone number and hardware IDs) of the subscriber. But you have much better control over defining the data and information that is linkable to this service.

  1. Adversaries can’t “ping” your cell phone if they can’t determine what your phone number is. However, if they run around your house with an IMSI catcher, it will not be hard for them to determine what number you’re using for service. It’s good practice to activate airplane mode when you enter your home neighborhood, especially if your friends and family predominantly use Open Whisper Systems apps (Signal).
  2. Remote adversaries can’t track your physical location via possible SS7 vulnerabilities if they don’t know your real phone number.
  3. Network adversaries (telecommunication corporations or federal/local governments) can still inject or monitor your activity to “better service you” (sell your data to advertising networks), but unless they can connect that activity to a known identifier, you, personally, aren’t vulnerable to said forms of surveillance.
  4. Network adversaries may employ voice recording and recognition technologies. The employment of said technology will only increase since it is a biomarker that financial institutions have started using for account verification purposes. If network adversaries are using this technology, there is no way to hide a real phone number or hardware device IDs from them unless you step up your paranoia and use a voice changer. Using Signal (end-to-end encryption) will mitigate only the voice print vulnerability. You will always divulge your hardware device IDs to a cellular network when using cell service.
  5. Endpoint adversaries (medical offices, food services, financial services, friends with or without Signal, etc.) may also employ voice recording and recognition technologies. If you make calls using your Voice number (caller ID) to endpoint services, doing so will make it hard or impossible for a third party to link your personal ID to a hardware ID.

Apps disabled on stock Motorola Moto E (2nd gen)

The following apps and/or services were ones I disabled. Some of them are Motorola services, some are Google apps, and some of them are apps that don’t provide any identifier at all yet have access to my phone. Before giving a new phone any network access (no cell network, no Wi-Fi), I disable these services.

This time around (I’ve tried many different mobile device configurations for security), this device is kept locked (not rooted) and lightly used (in this case TextSecure, RedPhone, and Flock are my only apps). I don’t have a browser like Chrome or Firefox because the web isn’t safe. I don’t use any social media apps because they suck up the contact list. The only software that I choose to run on this device (I have others) is from Open Whisper Systems.

Apps/services disabled:

Android Work Assistant
Basic Daydreams
Camera (replaced with “Open Camera”)
Chrome
Cloud Print
ConfigUpdater
CQATest
Device Management
Docs
Drive
Email
Exchange Services
Gallery (replaced with “Gallery ICS”)
Gmail
Google Backup Transport
Google Contact Sync (replaced with “Flock”)
Google Hindi Input
Google Korean Input
Google Launcher Config
Google One Time Init
Google Partner Setup
Google Pinyin Input
Google Play Books
Google Play Games
Google Play Movies & TV
Google Play Music
Google Play Newsstand
Google Text-to-speech Engine
Google+
Hangouts
Help
HP Print Service Plugin
iWnn IME
Maps
Market Feedback Agent
Moto
Moto Actions
Moto Display
Motorola Alert
Motorola Boot Services
Motorola Checkin
Motorola Migrate
Motorola Notification
Motorola One Time Init
Motorola Sensor Services
Motorola Services
Motorola System Service
OMA Client Provisioning
Photos
Preset
Print Spooler
Setup
Setup Wizard
Sound Recorder
Storage Optimizer
Street View
TalkBack
Trusted Face
YouTube

Securing voice communication for lawyers, clients, journalists, and sources

Introduction

Lawyers need to talk to their clients securely. Journalists need to talk to their sources securely. It is through good security tools and good security practices that privacy can be achieved. Securing the conversation (content) is important. Revelations made possible by Edward Snowden show the dangers of unsecured content and metadata. This guide does not aim to create an anonymous communication device by way of anonymizing either content or metadata, only securing the content by way of employing Open Whisper Systems Signal (iOS or Android).

In February 2014, documents publicized by James Risen and Laura Poitras revealed proof of the United States’ explicit and illegal action of spying on lawyers. The National Security Agency’s technological capabilities, also being made public, provide facts that the public needs in order to understand the complex threats that alone chill freedom of association. Even though you might not be a law firm “representing a foreign government in trade disputes with the United States,” the threat and probability of occurrence are clear. Your voice communication can be passively swept up into a global surveillance dragnet.

This guide’s target audience is people needing to protect their day-to-day phone calls and thus the privacy of the people involved. If you want to be successful at using technology to perform your work, you need to be open to learning some technical information and theory. Without sacrificing too many comforts when it comes to communicating via phones, this guide aims to bridge the gap between easy-to-use, state-of-the-art encryption and tools that are readily available.

Prior but related guides

Notes for Signal

Signal threat modeling

Create an anonymous Signal phone number w/ Android

Goals

Provide a public or private phone number that:

1. Uses an iOS or Android device with Signal to securely communicate with your clients or sources. “Security” is gained by having an independent device that is only used for encrypted communication. Calls will be end-to-end encrypted for protecting the content of your conversations.

2. Falls back on a voicemail recording so normal (unencrypted) telephone callers hear an automated message to install Signal and to remake the call after getting it installed.

Additionally this guide will discuss basic operational security to protect the physical device and thus its contents.

Signal simply needs a telephone number to get set up. You do not need a cell phone with active cell service. When done correctly, your voicemail will be reachable by a regular phone caller, but said caller and Signal calls will be routed to your Signal device.

Your options:

– A new or used iPod Touch (5th generation with iOS 8), a new or used iPhone 5, 5S, or 6 (iOS 8), or Android (OS version 5, or “L”, is ideal). The Motorola “Moto E” is inexpensive and the Google Nexus line runs “pure” Android and gets updates the quickest. Operating the phone in airplane mode with Wi-Fi enabled creates a similar device as the iPod Touch in terms of which communication networks it uses.

– Any voice-over-internet-protocol (VoIP) service that gives you a long-term phone number. I also suggest a service that provides voicemail in order to warn normal callers to call again with Signal.

Register a land line, cell phone, or VoIP number?

Installing Signal onto your iOS or Android device simply requires a phone number that can either receive a text message confirmation code or an automated telephone/audio confirmation code. Open Whisper Systems’ software does not care what type of phone number it is; it just needs to be able to call it for setup confirmation. It is possible for you to do any number of the following:

1. Register a land-line phone number with Signal. Doing so will automatically route Signal callers to your Signal device. Regular, unencrypted callers will still reach your land-line phone.

2. Register a cell phone number on the same device as the SIM-registered number. This is what most people do when they install and use Signal, and it is the common scenario that your callers will implement.

3. Register a cell phone number on a different device as the SIM-registered number. The original, SIM-registered cell phone will continue to receive normal, unencrypted phone calls, but Signal calls will get automatically routed to the secondary device. Doing this compartmentalizes the communications metadata and device exploitation risk.

4. Register a VoIP phone number on a new iOS or Android device. This guide focuses on this scenario to benefit from voicemail options to alert normal, unencrypted callers to install Signal and call again.

Instead of a VoIP service, you could, in fact, use your work land-line phone number to register Signal. I advise against that based merely on the fact that using the same number may confuse your clients/sources on what is and is not a secured line. Giving them a separate Signal phone number creates cognitive dissonance. However, maybe your target audience is aware of the differences between unsecured and secured (Signal) calls. You must assess the risks involved.

Clients/sources will undoubtedly save your Signal number into their phones. This name-number association will end up on Google’s, Apple’s, Facebook’s, Twitter’s (they steal contact databases from phones), etc. servers, so keeping the number private is not probable. What you have to focus on is making it easiest for your clients/sources to contact you securely, with them knowing that the content of the call is private. Maybe you have a combination of 1+4 or 2+4, where 4 in either scenario is a private, non-publicized Signal number. Maybe you give out business cards with this number with explicit directions not to save this number into the client’s/source’s phone book. Keeping a number completely private can be difficult.

Requirements

– At least one lock-and-key safe, ideally a fireproof/waterproof safe with alphanumeric keypad entry.

Unavoidable information and metadata leakage

As stated above, without explicit direction, your clients/sources will likely store your contact number digitally. This digital database, on their iOS or Android smart phone, is continuously copied by other applications that people use, either out of convenience (to backup contact lists) or because of capitalism (direct marketing, relationship linking). Either way, state-actors make it a point to obtain these databases so that they can know who communicates with whom. As a lawyer or journalist, the likelihood that a state actor wants to know whom you work with is much higher than normal.

Apple (or Google if you use an Android) will have name-to-device information. This means that US surveillance agencies will probably have the same information. This guide does not attempt to create an anonymous phone number (where the device is not linked to you or your company’s identity).

Even though this guide is written to use an iPod Touch which requires the use of a wireless access point and thus at least one internet service provider, and even though Signal network traffic is end-to-end encrypted, encrypted network traffic creates metadata that indicates:

A) you’re using the Internet at all, and
B) that you’re generating encrypted network traffic.

It is possible, with deep packet inspection, that your adversary will be able to identify what kind of encrypted traffic it is, maybe even as specific as the application being used. So you will, in any case, create metadata, recorded by the internet service provider, indicating that you (or your company) are making Signal calls, when, and for how long. A state actor such as the NSA, with global dragnet surveillance capabilities, may even be able to associate that traffic with the destination. These are critical issues if your threat is a well-funded surveillance agency with legal/political/global reach. A simple minimization procedure, to avoid network metadata leakage, would be to only use the Wi-Fi at public locations such as coffee shops or libraries. But doing so is not a silver bullet.

A supplementary read: Cell Phone Opsec

If you choose to purchase a registered cell phone instead, which may be required for your work/reach-ability, you must be aware that state actors can track the physical locations of said device whenever the device is on. Movements and non-movements are very informative to adversaries. Cell phone tracking is made painless with IMSI-catchers when governments and companies can afford it.

Guide

1. Purchase and setup your device. Download and install Signal by Open Whisper Systems.

2. Choose a VoIP service.

To test Signal calling from an iPod Touch, I bought a Microsoft Skype phone number that is registered to my long-time Skype account. Skype is convenient because you simply purchase a Skype phone number with a debit/credit card, install Skype, install Signal, and you use Skype to receive the confirmation code. Yes, Skype is a PRISM participant, and records (of you purchasing a Skype number and receiving a confirmation call from Open Whisper Systems) are guaranteed to end up in the hands of any government agency. Yes, Skype is backdoored by design. But registering a Skype number with Signal makes the routing of said calls managed by completely different infrastructure. Skype calls are not end-to-end encrypted. Signal calls are.

An alternative to Microsoft Skype is Google Voice. Google Voice, by way of a Gmail address, has the added benefit of 2-factor authentication (2FA). Skype does not offer 2FA, so your account is remotely accessible if your password is stolen. Voice gives you a perpetual phone number that is tied to your Gmail address. Yes, Google is a PRISM participant, too. Like with Skype, calls made by Signal using a Google Voice phone number will not use Google infrastructure.

3. Set up voicemail

The value of using a dedicated, VoIP-based phone number is the ability to set up voicemail. This way, when people call with a normal, unencrypted phone number, they can get the automated message to call back after they’ve installed Signal.

Signal does not have voicemail. If someone calls you on Signal and you do not answer, it will only ring.

4. Physically secure your device.

Make sure that your iPod password is secure. Use a strong passphrase and not a simple, 4-digit “Simple Passcode”.

It is critical that you habitually store your device(s) anytime they are not in use. If your work requires that you be available 24/7, you may need to purchase a second, isolated safe for home use for when you bathe/sleep/etc. Never leave your device unattended or in the possession of someone you do not trust.

5. Share your contact number.

Depending on the nature of your work, you should decide how you want to share your number. If you’re a lawyer, you would want to publish your public phone number on your website. In this case it is prudent to ensure your website serves content only via HTTPS (data in motion) so that an adversary on the network cannot inject a bad number and misdirect your clients/sources. It is equally important to secure the web server itself (data at rest) so that the published number cannot be altered in place; a tampered page served over perfectly good HTTPS still delivers the attacker’s number.

It is also prudent to include minimal directions on installing and using Signal. Guiding them to EFF’s Surveillance Self Defense guide is a good option.

Signal threat modeling

In this blog post I will explore what telecommunication companies (telcos) are able to observe in terms of metadata and content when using or not using Open Whisper Systems’ Signal. Special thanks to John Brooks for content editing.

Introduction

Telcos, globally, for over a hundred years, have had various data retention policies that include metadata and content collection and storage (information seizure). In the United States, the Communications Assistance for Law Enforcement Act (CALEA) was enacted specifically to enhance electronic surveillance. Anything the telcos can see and store, intelligence agencies and law enforcement have the ability to obtain too, often in real-time (information search). Telcos retain this information only as long as it is commercially useful, because storing it costs money; intelligence agencies retain it for much longer. Within the Snowden revelations, top secret documents make clear that as much information as possible is collected, limited only by each company’s or agency’s capacity and technical capability.

The mobile devices that you use contain a huge swath of information about you. They also contain a huge swath of information about the people that you communicate with. In each of the scenarios that I explore below, I’ll break the exploration into two high-level categories: device vulnerabilities, which can alternatively be thought of as “data at rest”, and infrastructure threats, which can alternatively be thought of as “data in motion”.

Target audience

Journalists, lawyers, activists, and domestic violence survivors are all example populations that have a choice. They can either attempt to learn somewhat technical material and self-empower their decisions about the technology that they use or don’t use, or they can further trust other people to make those decisions for them. It is my opinion that vulnerable populations that are direct victims of surveillance should put more effort into learning technical material. It is unethical for me to make all information and operational security decisions for my students. It is also my opinion that technical educators like me have a responsibility to help bridge any gaps in learning.

Summary

Standard SMS and standard voice calls leave you vulnerable to device and infrastructure exploits (information seizure) for both content and metadata. Once installed, Signal for Android can handle SMS; those messages are the same in transport as standard SMS, but message content is better protected on the device. Signal cannot protect standard voice calls.

Signal manages both encrypted IMs and encrypted voice calls. When you use encrypted IMs and encrypted voice calls, your message content is protected against device and infrastructure exploits. Metadata is protected against infrastructure exploits when you use encrypted IMs and encrypted voice calls, but metadata on the device is still somewhat vulnerable.

Understanding the visual models

[Diagram: phone-basestation]
The column- and row-based models shown below, one model per scenario, were made to help illustrate the different phases of text/voice communications through telco networks and other related risks.

Asset

The messages that you send people (data in motion) contain two very important things. These two things are your assets: participant metadata and message content. These two assets have to traverse your telco network and the telco network of your friend in order to work the way you expect them to. Each of the two assets is uniquely vulnerable depending on your choice of communication technologies.

The adversaries to your assets are the people who want to illegally or unethically copy your assets for themselves. Your threats are the infrastructure technologies which your adversaries have designed and control.

Device

Your messages must be generated and stored (data at rest) on your mobile device in a messages database. In order to reliably send people messages, you have a third asset that must be protected: your contacts database. It is possible that your telco has pre-installed software on your phone that has access to your stored assets. Other common threats to data confidentiality include social media applications and syncing applications that make a copy of your messages and contacts and store them on someone else’s servers.

Infrastructure

When you want to communicate with someone, your device has to send your messages across various infrastructure technologies to reach the person whom you wish to communicate with. I will not go into great depth on each phase of telco network traversal. It is not important given the Open Whisper Systems crypto tools that you have available. What is important to understand is that if you’re using AT&T and your friend is using Verizon, messages have to traverse two completely different sets of infrastructure. When you send a single message to someone, it is likely that at least three different adversaries are able to copy your assets: your telco, your friend’s telco, and whatever interconnect sits between them. Each adversary has completely different data retention policies, laws, and ethics.

SMS communication scenarios

Scenario 1

[Diagram: SMS2SMS-1]
1. You send an SMS on your cell network without Signal to a friend who receives the SMS on her cell network without Signal, or vice versa.

Participant metadata and message content

1.1. Device vulnerabilities: message databases and contact databases are, by default, accessible to any other application on your mobile device that has been granted the SMS or contacts permission, and users grant those permissions freely. Social media apps, message sync apps, etc, will copy these databases and put them unsafely on servers that you have minimal control over. Specifically, regarding SMSs and IMs, these companies that store your private information can observe who you talk to and when. Companies like Facebook want to know everything they can about you. Companies like Apple and Google want to make backups easy and seamless, but they store your information in such a way that they can make it available to law enforcement.

1.2. Infrastructure threats: SMS is only encrypted between your mobile device and the cell tower. At no other point in the message’s traversal to the delivery cell tower is it encrypted in such a way that a network operator or intelligence agency cannot access it. Your information was designed to be exploitable when using these systems as-is. 2G/3G/4G encryption standards largely protect the radio link from casual local eavesdroppers, but those standards are weak: the 2G A5/1 cipher in particular is practically broken, and a network can be configured to use no ciphering at all.

Scenario 2

[Diagram: TS2SMS-1]
2. You send an SMS on your cell network with Signal to a friend who receives the SMS on her cell network without Signal, or vice versa.

Note:

From Open Whisper Systems: “Signal does not store its encrypted database in a location that other applications are allowed to access. Android features support for isolated storage, and Signal takes advantage of this functionality. Memory contents are also protected, and recent versions of Android include ASLR which makes manipulating memory contents (or predicting the location of stored material) even more difficult.

Having said that, users should still choose strong passphrases to properly protect their message contents if their phone gets lost or stolen.”

Participant metadata and message content

2.1. Device vulnerabilities: While the message database is protected on your mobile device when Signal is managing said database, the contacts database is not. Apps can and will read or copy your contacts database unless you take additional steps to block them from doing so. Copying your contacts database will not necessarily reveal whom you communicate with, but it does show whom you can communicate with and whom you have likely communicated with. Database security presumes that your mobile device is free from existing malicious software.
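A practical way to check the claims in 1.1 and 2.1 on your own Android device is to ask the system which installed apps actually hold the SMS and contacts permissions. The following Python script is an added example, not part of the original post or of Signal. It parses the output of `adb shell dumpsys package` (run `adb shell dumpsys package > dump.txt` and feed the file in). The embedded sample is constructed to approximate the Android 6+ layout; the package names com.example.social and com.example.backup are made up, and the regular expressions assume the `<permission>: granted=true` line format, so adjust them if your Android version prints something different.

```python
import re
import sys
from collections import defaultdict

# Constructed sample approximating `adb shell dumpsys package` on Android 6+.
# com.example.* package names are made up; org.thoughtcrime.securesms is Signal's
# Android package name and is included as the app you *expect* to hold these rights.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.social] (3f2a1b):
    userId=10123
    requested permissions:
      android.permission.READ_SMS
      android.permission.READ_CONTACTS
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1234 installed=true hidden=false
      runtime permissions:
        android.permission.READ_SMS: granted=true
        android.permission.READ_CONTACTS: granted=true
  Package [com.example.backup] (9c0d2e):
    userId=10124
    requested permissions:
      android.permission.READ_SMS
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1235 installed=true hidden=false
      runtime permissions:
        android.permission.READ_SMS: granted=false
  Package [org.thoughtcrime.securesms] (a1b2c3):
    userId=10125
    requested permissions:
      android.permission.READ_SMS
      android.permission.READ_CONTACTS
    User 0: ceDataInode=1236 installed=true hidden=false
      runtime permissions:
        android.permission.READ_SMS: granted=true
        android.permission.READ_CONTACTS: granted=true
"""

# "Package [name] (hash):" opens each package's section.
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
# Both install-time and runtime permission lines look like "<perm>: granted=<bool>".
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")

# The two databases the threat model treats as assets.
SENSITIVE = {
    "android.permission.READ_SMS": "SMS database",
    "android.permission.READ_CONTACTS": "contacts database",
}


def granted_permissions(dumpsys_text):
    """Map package name -> set of permissions that are granted=true."""
    granted = defaultdict(set)
    current = None
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = PERM_RE.match(line)
        if m and current and m.group(2) == "true":
            granted[current].add(m.group(1))
    return dict(granted)


def apps_that_can_read(dumpsys_text, expected_holders=()):
    """Return {permission: sorted packages holding it}, minus apps you expect to have it."""
    granted = granted_permissions(dumpsys_text)
    report = {}
    for perm in SENSITIVE:
        report[perm] = sorted(
            pkg for pkg, perms in granted.items()
            if perm in perms and pkg not in expected_holders
        )
    return report


if __name__ == "__main__":
    # Usage: python check_perms.py dump.txt  (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMPSYS
    for perm, pkgs in apps_that_can_read(text, {"org.thoughtcrime.securesms"}).items():
        print(f"{SENSITIVE[perm]} readable by: {', '.join(pkgs) or '(no unexpected apps)'}")
```

Every package in the report that is not your messaging client is an app that can copy the database in question off the device; revoke the permission in Settings or uninstall the app.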

2.2. Infrastructure threats: All participant metadata and message content infrastructure threats are identical to scenario 1.2.

Communication scenarios with Signal

Scenario 3

[Diagram: TSS2TSS-2]
3a. You send an IM on your cell network with Signal to a friend who receives the IM on her cell network with Signal, or vice versa.

3b. You make a Signal call on your cell network to a friend who receives the call on her cell network with Signal, or vice versa.

Note:

On transport security, see the Open Whisper Systems FAQ entry “Is it secure? Can I trust it?”

Participant metadata

3.1. Device vulnerabilities: All participant metadata device vulnerabilities are identical to scenario 2.1.

3.2. Infrastructure threats: When using Open Whisper Systems’ end-to-end encryption, the participant metadata of messages is protected from the telcos and other network intermediaries that carry the traffic; the Signal service itself must still learn which account a message is addressed to in order to deliver it, so it is a separate party to reason about. However, Deep Packet Inspection (DPI) by any infrastructure intermediary is capable of identifying the fact that traffic is encrypted, and because the client connects to known Signal servers, the destination alone identifies you as a Signal user. This by itself does not let a telco know whom you communicate with. A global adversary like Five Eyes (FVEY) may be able to identify whom you communicate with by correlating the size and timing of encrypted traffic across both ends of a conversation. This should concern you if you’re a journalist talking to a source or vice versa.
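To make the traffic-analysis threat in 3.2 concrete: a telco or upstream network sees the destination of every encrypted connection (DNS names, TLS server name, IP addresses) and the size and timing of every burst, even though the content is opaque. The script below is an added illustration, not code from the original post or from Open Whisper Systems. Its flow records are constructed, the subscriber names are made up, and the hostname is used only as a stand-in for “a server the Signal client talks to”; the correlation rule (an upload from one subscriber followed within a second by a similarly sized download at another) is a deliberately simple version of what timing analysis does.

```python
from collections import Counter

# Hostnames a passive observer would treat as "this subscriber runs Signal".
# Assumption: illustrative; any server the client contacts serves the purpose.
SIGNAL_HOSTS = {"textsecure-service.whispersystems.org"}

# Constructed netflow-style records as seen by a network intermediary:
# (time_seconds, subscriber, direction, bytes, server_name).
# The payload is encrypted; only these envelope fields are visible.
FLOWS = [
    (100.0, "alice", "up",   1400, "textsecure-service.whispersystems.org"),
    (100.4, "bob",   "down", 1350, "textsecure-service.whispersystems.org"),
    (103.0, "bob",   "up",    900, "textsecure-service.whispersystems.org"),
    (103.5, "alice", "down",  880, "textsecure-service.whispersystems.org"),
    (110.0, "alice", "up",   2100, "textsecure-service.whispersystems.org"),
    (110.3, "bob",   "down", 2050, "textsecure-service.whispersystems.org"),
    (110.9, "carol", "down",  500, "textsecure-service.whispersystems.org"),  # unrelated
    (130.0, "carol", "up",   1200, "textsecure-service.whispersystems.org"),
    (130.6, "dave",  "down", 1180, "textsecure-service.whispersystems.org"),
    (140.0, "alice", "up",   3000, "www.example.com"),  # not Signal; ignored
]


def signal_users(flows, hosts=SIGNAL_HOSTS):
    """Step 1 of the attack: who talks to Signal servers at all (DPI/SNI level)."""
    return sorted({f[1] for f in flows if f[4] in hosts})


def correlate(flows, hosts=SIGNAL_HOSTS, window=1.0, size_tolerance=0.2):
    """Step 2: score ordered (sender, receiver) pairs.

    One point whenever an upload from `sender` is followed within `window`
    seconds by a download at `receiver` whose size is within `size_tolerance`
    of the upload. Encrypted size and timing leak even when content does not.
    """
    sig = [f for f in flows if f[4] in hosts]
    ups = [f for f in sig if f[2] == "up"]
    downs = [f for f in sig if f[2] == "down"]
    scores = Counter()
    for t_up, sender, _, b_up, _ in ups:
        for t_down, receiver, _, b_down, _ in downs:
            if receiver == sender:
                continue
            if 0 <= t_down - t_up <= window and abs(b_down - b_up) <= size_tolerance * b_up:
                scores[(sender, receiver)] += 1
    return scores


def likely_conversations(flows, min_score=2, **kw):
    """Collapse directions and keep unordered pairs scoring at least `min_score`."""
    pairs = Counter()
    for (a, b), n in correlate(flows, **kw).items():
        pairs[tuple(sorted((a, b)))] += n
    return [(pair, n) for pair, n in pairs.most_common() if n >= min_score]


if __name__ == "__main__":
    print("Signal users seen:", signal_users(FLOWS))
    for pair, n in likely_conversations(FLOWS):
        print(f"{pair[0]} <-> {pair[1]}: {n} correlated exchanges")
```

Real analysis uses far more traffic and better statistics, but the shape is the same: being a Signal user is visible to every intermediary, and who you talk to becomes inferable to any adversary that can observe both ends at once. A single telco usually cannot; a global passive adversary can.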

Message content

3.3. Device vulnerabilities: All message content device vulnerabilities are identical to scenario 2.1.

3.4. Infrastructure threats: When using Open Whisper System’s end-to-end encryption, the content of messages is protected from all aspects of “data in motion”.

Scenario 4

[Diagram: TSS2TSS-1]
4a. You send an IM on your Wi-Fi with Signal to a friend who receives the IM on her Wi-Fi with Signal, or vice versa.

4b. You make a Signal call on your Wi-Fi to a friend who receives the call on her Wi-Fi with Signal, or vice versa.

Note:

Scenario 4 is nearly identical to scenario 3, except that the transport infrastructure has changed, which means the specific adversaries have, too. Conceptually, the technical threats and vulnerabilities are the same.

Participant metadata

4.1. Device vulnerabilities: All participant metadata device vulnerabilities are identical to scenario 2.1.

4.2. Infrastructure threats: All participant metadata infrastructure threats are identical to scenario 3.2.

Message content

4.3. Device vulnerabilities: All message content device vulnerabilities are identical to scenario 2.1.

4.4. Infrastructure threats: All message content infrastructure threats are identical to scenario 3.4.

Scenarios with IMSI catchers

IMSI-catchers come in many different names and capabilities. There is even a Free and Open Source Software (FOSS) version called OpenBTS that allows amateur or professional hackers to exploit the weaknesses of cellular networks. Infosec Institute made a decent guide. They all pose an abundance of threats to you and your assets.

IMSI catcher capabilities:
  1. Passively or actively extract identifiers of cellular devices such as IMSI, ESN, and MEID numbers.
  2. Passively or actively track physical locations and movements.
  3. Actively perform Denial of Service (DoS) attacks that would prevent the cellular device from connecting to a cellular network. Targeted DoS attacks can also force cellular devices to use older wireless technologies (2G or 3G) which use weaker encryption or no encryption depending on the cellular network configuration.
  4. Actively perform Man in the Middle (MitM) attacks to eavesdrop on all forms of cellular communications: SMS, voice, or data.
  5. Actively exploit baseband processors, allowing the adversary to deploy malicious software onto the cellular device.

There is no indication that local law enforcement perform capabilities #3 or #5. However, intelligence agencies and well-funded groups are capable of such operations. It is very important to understand who your actual adversaries are in order to apply any notion of risk (threat + vulnerability).

Scenario 5

[Diagram: SMSIC2SMS-1]
5. You send an SMS without Signal via your compromised cell network to a friend who receives the SMS on her cell network without Signal, or vice versa.

Note:

When IMSI catchers are in use, there is a higher probability of device exploitation if you are the target of the operator. Mobile device databases could be extracted, key-logging software or voice and visual recording software might be installed that will jeopardize existing and future conversations.

Participant metadata and message content

5.1. Device vulnerabilities: All participant metadata and message content device vulnerabilities are identical to scenario 1.1.

5.2. Infrastructure threats: either SMS is not encrypted at all, or the IMSI catcher has placed itself between your mobile device and the real cell tower (for example by forcing a downgrade to 2G with weak or no ciphering) and can read the messages as they pass through it. At no point in the message’s traversal to the delivery cell tower is the message protected in any way. The IMSI catcher operator, cellular network operator, and/or intelligence agency can access the messages.

Scenario 6

[Diagram: TSSIC2TSS-1]
6a. You send an IM on your compromised cell network with Signal to a friend who receives the IM on her cell network with Signal, or vice versa.

6b. You make a Signal call on your compromised cell network to a friend who receives the call on her cell network with Signal, or vice versa.

Note:

See the note for scenario 5: when IMSI catchers are in use, there is a higher probability of device exploitation if you are the target of the operator, which would jeopardize existing and future conversations regardless of Signal.

Participant metadata

6.1. Device vulnerabilities: All participant metadata device vulnerabilities are identical to scenario 2.1.

6.2. Infrastructure threats: All participant metadata infrastructure threats are identical to scenario 3.2.

Message content

6.3. Device vulnerabilities: All message content device vulnerabilities are identical to scenario 2.1.

6.4. Infrastructure threats: All message content infrastructure threats are identical to scenario 3.4.

Related adversaries + threats not discussed

  1. Intelligence agencies, companies with lots of money to spend with grudges, and global surveillance adversaries that have the ability to pin-point your mobile device and perform one-time or persistent malicious activity.
  2. Technical threats or adversaries posed by IMSI catchers are the same when connecting to your normal cell network, but the probability of exploitation may not be the same.
  3. MitM attacks, similar to IMSI catchers, can also be performed on Wi-Fi networks; technical exploitation might be different, but outcome of exploitation might be the same.
  4. Mobile devices that have already been compromised either intentionally or accidentally.
  5. Can you think of one?

Conclusion

This is the style of guide that people like journalists, activists, and lawyers need. It borders on specific technical details without getting into too many details. It is also the style of guide that needs regular maintenance (research, Q&A, feedback, editing, administration). This guide demonstrates the need of journalists, activists, and lawyers to become educated in certain areas of technological advancement.

I hope that this has proven useful to you. If you liked this blog post, tell your friends about it and talk to them about it. Talk about encryption. Talk about surveillance. People need to talk about this stuff. If you have any questions, concerns, or constructive feedback for me, please email me.

Glossary

2G/3G/4G: cellular telco technologies that allow your cellular mobile device to talk to telco networks.

802.11 a/b/g/n: “Wi-Fi”

Android: Google’s mobile device operating system.

Asset: Something that is important to you.

BTS: See: “Base transceiver station” on Wikipedia.

IM: Instant Message. Think: AOL instant messenger or MSN instant messenger. Signal is capable of sending IMs to mobile devices using Internet data.

IMSI catcher: a device that can be used to maliciously intercept, alter, or deny your cellular network communication. It is commonly used by law enforcement, private police, private investigators, or hackers. See “IMSI-catcher” on Wikipedia.

iOS: Apple’s mobile device operating system.

ISP: Internet Service Provider. This might be your home ISP or the ISP of a coffee shop that you’re using.

Message content: the content of an SMS or IM.

Participant metadata: Any aspect of people and the communications between people. This could include, but is not limited to, who is communicating, when, for how long.

Signal: The open source application made for Android and iOS by Open Whisper Systems. See: Notes for Signal

SMS: Short Message Service. A “text”. You usually send these to people with your phone, limited to 160 characters per message.

SMS-SC: See: “Short message service center” on Wikipedia.

SS7: See: “Signalling System No. 7” on Wikipedia.

Telco ISP: the ISP of your cellular telco network provider. It could be that your cellular network provider is also its own ISP.

Threat: A person, place, or thing that is likely to cause damage or danger to your assets.

Vulnerability: A weakness in a person, place, or thing that leaves it unable to withstand the effects of a hostile environment.

WAP: Wireless Access Point. It provides Wi-Fi.