[Feature] Add Lost Mode + Tracking to Librem.one


#1

Feature: Add Find My iPhone like service to Librem.one
Isn’t this an inherent security flaw? In theory, you could always password lock this feature using OTP. This way Purism couldn’t lock or track your phone without your code.
When you re-find your phone, you can generate a new code and disable the old one.

How? I’m not a developer, but I know that Prey is mostly open-source:
https://github.com/prey
Their android client does have some non-free dependencies with some discussion to change this:
https://github.com/prey/prey-android-client/issues/82#issuecomment-93989938


#2

This makes this

very obvious.

Technically it’s impossible, either the phone has the tracking beacons sent to the tracking service every
x seconds, or the service is completely disabled. Another mode is asking the server if tracking should
be enabled every x seconds, and in case the answer is yes start the tracking. But then it defeats the
whole purpose of real-time tracking, and will still make the vendor know your location :slight_smile:


#3

This idea is that most modern carriers already require you to know your location to use.
Or at least a rough calculation. This is how it figures out which cell tower to use.

My thought process was to set up a web server on the phone.
You could even use I2p or IPFS or whatever, it is just used to communicate in case you lost it.

Then when you send it a code to start sending data to Purism.
This way Purism doesn’t constantly have access to your location or the ability to encrypt your phone.

Next, you receive an encrypted version using a second key.
This you can then offload and run to check where your device is.

In theory you could use the 1st code to encrypt your device, wipe data, put it into lost mode, etc.
But any valuable information like location would be E2EE using a 2nd key.

Does this make sense?
@s3ns0r


#4

Mobile carriers know your location. But not Purism or your phone manufacturer.
And not when you are on Wi-Fi only.

A web-server on the phone to receive “start location services and report back” event? No need for
a web-server for that, only a web-client that polls the Purism server every x seconds as I said above.

The whole keys thing does not make any sense. If the data (i.e. GPS) is sent to Purism, then they will
inevitably have access to this data. Same for authorities, who can then just force Purism to turn this
event on in order to track a user.
You can make some web-interface where you will get access to this data with 2FA, key or password,
but it doesn’t change the above.
Just like when you need iCloud password + 2FA to access the “Find my iPhone” map, it doesn’t mean
Apple doesn’t have access to it. Hope I made it more clear.

Also, to buy a phone which is almost entirely marketed around the tracking-free experience, and
force tracking to it? Just get an Android with AOSP and it will probably serve your needs better.


#5

@s3ns0r Password Locked + Encryption

Data can always be sent E2EE.
E2EE platforms are already fairly active thanks to communities like ProtonMail.

And a big part of the thought process is that you never send the communication, Purism does.
In theory, this adds more anonymity since you don’t need to send signals, just receive them.
But if you are already using I2p or TOR there isn’t much of a reason for this.

To keep the device from keeping location data when the user doesn’t want it to, you can always force it to receive a user-generated PIN. Apple uses something similar called an APN.


#6

I lost you. The data is sent encrypted, fine, who will be the recipient of the data?
And why to involve Purism in the process?

  1. You create a system service that measures GPS coordinates, encrypts them and sends it to your server.
    Not entirely user friendly but with some work can be improved. Fine.

  2. You have a Purism service that sends them your GPS data, which you can access similarly to Prey,
    Cerberus or Find my iPhone. But then it will require Purism to know this data, you cannot encrypt it since
    then they cannot show it to you on the map, toggle it on/off etc. You can limit the access to this page with
    10 passwords, 5 OTPs, a 2FA via sms and a GPG key. This still won’t prevent them from having the data.

The device doesn’t have to store anything in any case, with a pin or without. It’s enough to get the GPS reading
once and send it over to the network, without writing anything to the storage.

Wait, what? Push notifications are just one-way signaling method, to notify the OS that there is a pending
event for an app without actually awaking the app. How is it related to anything in this thread?

https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/APNSOverview.html#//apple_ref/doc/uid/TP40008194-CH8-SW1


#7

Setting up your own server can be expensive and time consuming.
Most users would probably set up a VPS anyway.

I think it can work like Librem Social where you can always use a different hub.

There is no reason you cannot decrypt data in the browser, E2EE.
You could also set up a desktop app with OpenStreetMaps pre-installed.

:+1: Sorry, I meant send it over the network.

Yes, but it can be used to tell the device to start doing something.
As I understand it, Prey uses it to tell the device to encrypt or wipe data.

Purism could use it for this plus to tell the device to start lost mode among other things.

But until the user gives Purism that code they cannot tell the device to do anything.

Even then you can set restrictions like only send data in encrypted formats that I can download and decrypt.

If you set it up on the device beforehand, when it goes missing you can give Purism the code.


#8

This is the only possible option. Since when you do it in the browser, it doesn’t matter which data you receive,
and how it is encrypted, you still need to send to the web app (with the map) the cleartext GPS coordinates. Because a browser cannot load the full world OpenStreetMap locally.

Your key enrollment suggestion still has many implementation flaws, and actually Purism is not needed for any
part of this “plugin”. You can host a web-service on a trusted platform, that will send the “on/off” switch
for each client device. Each client device can ask this web-service every 5 minutes what is the current action.
Off - keep sleeping for another 5 minutes, On - start sending GPS data to that web-service each 30 seconds.
Then you don’t need all those key enrollment parts since you sync the device with the trusted web service
once. All the data can be downloaded locally and you can parse it with the desktop OpenStreetMap client.

The web-service can actually be hosted on a VPS and serve hundreds of clients, the load for such thing is minimal. But Purism has a long to-do list and I doubt they will make this service even after the phone is released.


#9

:+1:

the cleartext GPS coordinates. Because a browser cannot load the full world OpenStreetMap locally.

You could try cutting into sections, I think this is what ZeroMaps does.
It would maybe only load your town or 1 mile radius or something like that.

But, you are right. Desktop applications are almost definitely better for privacy and Security.

@s3ns0r


#10

As this is unlikely to be a feature anytime soon, you could possibly craft a simple proof-of-concept.

Write a little shell script (to run in the background) that polls the GPS coordinates and sends an encrypted mail to yourself.
No map integration, but it does not reveal your position to anybody and is possibly good enough when you really need it :wink:
Automatic filtering is advised to keep your inbox tidy :grin:


#11

Noting though that in some jurisdictions you could be forced to decrypt the emails and thereby provide information to the authorities regarding your movements. So that would be another reason to keep your inbox tidy. :slight_smile: You probably also would want some restricted mechanism on the phone to disable sending of GPS information temporarily.

A different approach would be: use NFC and have the phone poll for proximity of an independent device and only send GPS info when proximity is not detected. So most of the time nothing would be transmitted but if you put your phone down and leave it behind then transmission commences.

I don’t really like any of these ideas. They don’t sit well with prioritising privacy.


#12


#13

I seriously don’t expect that I will ever be in the situation where govt would demand that.
If that would be my threat model, I would just stop monitoring the location and accept the chance that I lose it.
I survived the last ~20 years that I owned a phone that way, and never lost one :wink:

If you need an additional protection layer, you can still try with some obfuscation. A good start would be to not use “My phone’s location” as title :wink:

It would amuse me to send myself mails of the “helo, im Olga from Moscva, looking sirius men for marry” kind, and have a semi-plausible random location in the EXIF data, but then hide the real location data with steganography in the (obligatory) image itself. (Caution, if you do that last step wrong, e.g. by using the same image every time, you might shoot yourself in the foot very hard, at least if the agency is worth their money and notices that not only the EXIF data is different… :wink: )
Unfortunately, nobody would ever appreciate the cleverness of this, so rather than implementing it, I’ll just leave it here :sunglasses:

Admittedly though, an encrypted spam mail might raise some suspicion :thinking: :grin:
DISCLAIMER: This was purely for amusement. Don’t try this at home, kids and whistle blowers.

On your other remark: NFC is way too complicated. Just have a threshold of ~100m position delta before actually sending an update.
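The design sketched in #8 (a client that polls a trusted web service for an on/off switch and only then reports GPS data), combined with the “encrypt it so the relay can’t read it” idea from #3/#7 and the ~100 m movement threshold from the post above, as an added example that is not code from any participant in this thread or from Purism. It assumes a sealed-box construction of my own choosing (ephemeral X25519 + AES-256-GCM with a SHA-256 key derivation standing in for a real KDF), an in-memory stand-in for the web service, and constructed sample coordinates:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math"
)

type Fix struct{ Lat, Lon float64 } // one GPS reading taken on the device

// ControlServer stands in for the trusted web service: an on/off switch plus opaque blobs it cannot read.
type ControlServer struct {
	TrackingOn bool
	Mailbox    [][]byte
}

// genX25519 makes a key pair: the owner's long-term pair at setup, and a fresh ephemeral pair per blob.
func genX25519() *ecdh.PrivateKey {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable entropy source: nothing sensible to continue with
	}
	return k
}

// haversineMeters is the great-circle distance between two fixes in metres.
func haversineMeters(a, b Fix) float64 {
	rad := math.Pi / 180
	dLat, dLon := (b.Lat-a.Lat)*rad, (b.Lon-a.Lon)*rad
	h := math.Sin(dLat/2)*math.Sin(dLat/2) + math.Cos(a.Lat*rad)*math.Cos(b.Lat*rad)*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * 6371000 * math.Asin(math.Sqrt(h))
}

// aeadFor derives AES-256-GCM from the X25519 shared secret; hashing both public keys in is a stand-in for a real KDF (assumption).
func aeadFor(shared, ephPub, ownerPub []byte) cipher.AEAD {
	key := sha256.Sum256(append(append(append([]byte{}, shared...), ephPub...), ownerPub...))
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)   // AES block size: cannot fail
	return aead
}

// seal encrypts to the owner's public key. Blob layout: ephemeralPub(32) || nonce(12) || ciphertext+tag.
func seal(ownerPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph := genX25519()
	shared, err := eph.ECDH(ownerPub)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, 12)
	rand.Read(nonce) // crypto/rand fills the buffer or aborts; a fresh nonce per blob is essential for GCM
	aead := aeadFor(shared, eph.PublicKey().Bytes(), ownerPub.Bytes())
	return aead.Seal(append(eph.PublicKey().Bytes(), nonce...), nonce, plaintext, nil), nil
}

// unseal is the owner-side inverse; only the holder of the owner's private key can do this.
func unseal(ownerPriv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 32+12+16 {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	ephPub, _ := ecdh.X25519().NewPublicKey(blob[:32]) // exactly 32 bytes after the check: cannot fail
	shared, err := ownerPriv.ECDH(ephPub)              // does fail on a low-order point from a tampered blob
	if err != nil {
		return nil, err
	}
	return aeadFor(shared, blob[:32], ownerPriv.PublicKey().Bytes()).Open(nil, blob[32:44], blob[44:], nil)
}

type Device struct {
	OwnerPub   *ecdh.PublicKey // synced once at setup; the device never holds the private half
	ThresholdM float64         // minimum movement before a new fix is sent (~100 m as suggested in the thread)
	lastSent   *Fix
}

// tick is one polling round: if the switch is on and the device moved at least ThresholdM, post a sealed fix.
func (d *Device) tick(srv *ControlServer, now Fix) (bool, error) {
	if !srv.TrackingOn || (d.lastSent != nil && haversineMeters(*d.lastSent, now) < d.ThresholdM) {
		return false, nil
	}
	blob, err := seal(d.OwnerPub, []byte(fmt.Sprintf("%.7f,%.7f", now.Lat, now.Lon)))
	if err != nil {
		return false, err
	}
	srv.Mailbox = append(srv.Mailbox, blob)
	d.lastSent = &now
	return true, nil
}

func main() {
	owner := genX25519()
	dev, srv := &Device{OwnerPub: owner.PublicKey(), ThresholdM: 100}, &ControlServer{TrackingOn: true}
	for _, f := range []Fix{{52.5200, 13.4050}, {52.52009, 13.4050}, {52.5245, 13.4050}} { // constructed: +10 m, +500 m
		sent, _ := dev.tick(srv, f)
		plain, _ := unseal(owner, srv.Mailbox[len(srv.Mailbox)-1]) // owner side: the server never held a key for this
		fmt.Printf("fix %+v sent=%v; owner's latest reading: %s\n", f, sent, plain)
	}
}
```

The point of the split is the one #6 and #8 argue about: the relay sees the switch state and the timing of blobs (which is itself metadata), but never the coordinates, because the only key on the device is the owner’s public half. Anyone who can compel the relay gets ciphertext; anyone who can compel the owner gets the private key, which is the residual risk #11 and #20 describe. The threshold check also means a stationary phone sends nothing after its first report.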


#14

How many bits is the GPS info in total?

(rest of this post need not be taken too seriously)

If you are going to use stego in the way that you describe, perhaps best not to use encryption.

My concern with that is how you would be able to find the correct email in amongst all the other similar emails. :slight_smile:

Oh, and wouldn’t your mail provider’s anti-spam solution block the correct email (as well as blocking all the other similar emails)?

I would think that cleverness would be best paired with two additional requirements.

  1. You wouldn’t publish your approach (public web site, your adversary and everyone else can read it).

  2. Every person would choose a different approach (invent one’s own rather than copying someone else’s).


#15

Never really worked with that. Depends a bit on the representation of the coords. I would assume it’s not more than 2x64 bit, and if you really try hard you could possibly make it less by reducing precision and encoding only a reasonable area around you.


#16

In the EXIF data itself, the representation is very expansive indeed, stretching to a full 59 bytes if I got my sums right.


#17

It’s not 2 x something. You get latitude, longitude, altitude, speed and heading, and the last two are not simply derived from consecutive measurements, but calculated directly from the doppler shift of satellite signals. So at least 5x something (probably six, as speed in 3D has three numbers as well) :slight_smile: . How much you’d send home is of course a different story.


#18

In the context of this discussion (find my phone) you might do without that. When I wrote “GPS info” I did not make clear the scope of the question.

For clarity then … 59 bytes of values in EXIF for latitude, longitude and altitude … and I agreed with the suggestion that that can easily be crunched into 128 bits (if allowing centimetre precision, which is probably more than you would want or need). If attempting to use stego then every bit counts so you would likely want to do better than 128 bits.
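The “crunch lat/lon/alt into well under 128 bits” estimate from #15 to #18, worked through as an added example that is not from any participant in this thread. The grid is my own assumption: 1 cm steps, with one degree of latitude taken as 111.195 km so that the same degree step is reused for longitude, and an altitude window of -500 m to +9000 m; the bit widths fall out of the window sizes rather than being hard-coded.

```go
package main

import (
	"fmt"
	"math"
	"math/big"
	"math/bits"
)

// Constructed encoding parameters (assumptions for this example, not any standard).
const (
	degStep = 1.0 / (111195.0 * 100.0) // degrees per centimetre along a meridian
	altMin  = -500.0
	altMax  = 9000.0
	altStep = 0.01 // metres
)

// field describes one packed value: its lower bound, grid step, largest grid index and bit width.
type field struct {
	lo, step float64
	max      uint64 // the window is an exact multiple of step, so this is exact
	bits     int
}

func newField(lo, hi, step float64) field {
	max := uint64(math.Round((hi - lo) / step))
	return field{lo, step, max, bits.Len64(max)} // bits needed for indices 0..max inclusive
}

var (
	latField = newField(-90, 90, degStep)
	lonField = newField(-180, 180, degStep)
	altField = newField(altMin, altMax, altStep)
)

// TotalBits is the size of one packed position; 128 is the budget mentioned in the thread.
func TotalBits() int { return latField.bits + lonField.bits + altField.bits }

// quantise maps a value onto the field's grid, clamping (never wrapping) anything outside the window.
func (f field) quantise(v float64) uint64 {
	q := math.Round((v - f.lo) / f.step)
	if q < 0 {
		return 0
	}
	if q > float64(f.max) {
		return f.max
	}
	return uint64(q)
}

// Encode packs latitude, longitude and altitude into ceil(TotalBits/8) bytes, big-endian.
func Encode(lat, lon, alt float64) []byte {
	v := new(big.Int).SetUint64(latField.quantise(lat))
	v.Lsh(v, uint(lonField.bits)).Or(v, new(big.Int).SetUint64(lonField.quantise(lon)))
	v.Lsh(v, uint(altField.bits)).Or(v, new(big.Int).SetUint64(altField.quantise(alt)))
	return v.FillBytes(make([]byte, (TotalBits()+7)/8))
}

// Decode is the inverse of Encode; values come back on the grid, i.e. within half a step.
func Decode(b []byte) (lat, lon, alt float64) {
	v := new(big.Int).SetBytes(b)
	take := func(f field) float64 { // peel the lowest field off v
		mask := new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), uint(f.bits)), big.NewInt(1))
		q := new(big.Int).And(v, mask).Uint64()
		v.Rsh(v, uint(f.bits))
		return f.lo + float64(q)*f.step
	}
	alt = take(altField) // fields come off in reverse packing order
	lon = take(lonField)
	lat = take(latField)
	return lat, lon, alt
}

func main() {
	packed := Encode(52.5200, 13.4050, 34.0) // constructed sample position
	fmt.Printf("%d bits -> %d bytes: %x\n", TotalBits(), len(packed), packed)
	fmt.Println(Decode(packed))
}
```

With these windows the widths come out at 31 + 32 + 20 = 83 bits, eleven bytes, at centimetre resolution; trading precision for bits is then just a matter of enlarging the step, and restricting the window to a region around home (as #15 suggests) shrinks the widths further. Out-of-window inputs are clamped rather than wrapped, so a bad reading cannot decode to a plausible location on the other side of the planet.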


#19

If you already have Librem One and it includes a VPN tunnel, why even go the EXIF/stego sado-masochism
way? Just set a non-default VPN route to your destination server via the VPN interface, and as long as VPN
usage is not criminalized in your jurisdiction, you will be fine.


#20

It would “amuse”. :slight_smile:

Also, you need to think about the format in which the information exists at the destination. Can it / you be subject to seizure / compulsion? A VPN does not do anything about that issue.