I like pretty much everything about the Librem 5, but I have thought of a potential issue. If the broadband and wifi can be disconnected via kill switch, then how would anti-theft work, if at all? Let’s say you drop your phone somewhere and on the phone’s trip to wherever it ends up, it hits a kill switch. Would this mean anti-theft / find my phone options are now impossible? Or how about a situation where your phone is stolen. Sure, not many people would know it’s a Librem 5 and that by pressing the kill switch you remove the possibility of anti-theft, but what if the thief did know? Or what if they press a kill switch by accident?
Essentially what I’m getting at is, would anti-theft be an impossible feature to implement on the Librem 5 considering if it is lost or stolen, you can cut all communication to said anti-theft service such as Prey? Or is there a way around this? Perhaps another version of the Librem 5 but without kill switches?
The whole point of the kill switches is to make it harder or nearly impossible to track you and invade your privacy. Using a service that finds your phone can make you a much more vulnerable target. I guess you’ll just have to be careful not to lose your Librem.
Perhaps another version of the Librem 5 but without kill switches?
@Napalm this is the first time I see someone request fewer kill switches. I think those switches are so much part of Purism’s appeal that they are unlikely to go away. But if you are sure you will never need them, and are worried that things will be off when needed the most, then perhaps a dab of epoxy glue would secure them in an always-on position.
On a more serious (?) note, I think a find-my-phone feature would be useful, but I’m wary of opaque services tracking me wherever I go. On the other hand, having to self-host a server would make the threshold too high for most people. So…
Matrix will be installed on the Librem 5 by default. Would it be possible to build something on top of that?
I’m thinking of having Matrix as a transport layer, to send the phone’s position in private messages, or in messages to a private “room” with just your own devices connected. Messages going back to the phone could ask it to lock and erase, or send all photos taken since it was lost. All those messages would be end-to-end encrypted, so only the owner would be able to read them.
On top of that there should be a user interface fit for this specific use, of course.
I’m sure there are caveats. E.g. does the Matrix home server keep everyone’s private keys, so that it can re-encrypt messages before forwarding them? That would require the same blind trust in the home server as in any other find-my-phone service - so force you to self-host the home server.
I have used iPhones so far, so I can only refer to Apple’s find my phone and theft protection. Apple does this by forcing any user to register with the Apple server after a full software recovery; in this process Apple checks if this device already belongs to someone else and blocks it in such a case, which makes it worthless. From what I heard, this decreased the theft rate drastically, but I think this is no option for a free phone. What I could imagine is a password protection for the recovery mode which can be set by the user. So without this password it would be impossible to restore the phone, and therefore it would also be worth less for a thief, who can use or restore it without the normal PIN or the recovery password.
For the GPS tracking I have no idea how to make such a thing without a central server and potential privacy leaks / undermining the kill switch approach.
It might be possible to track the Librem 5 (or any phone) and not have any company tracking the phone by offloading the trust of activating the tracking feature and storing data from an organization to the user itself, using blockchains. (NO, I’m not using blockchains because it’s the buzzword, but it is actually needed in this case.)
I think I’ll build it as an open source project if I get time. Does anyone want to also work on it?
The issue for tracking in the event of theft is not so much the kill-switches as the openness of the phone to modification (which is one of its selling points).
At some point, the possessor of the stolen phone is probably going to want to turn the kill-switches back on again, at which point the phone can be tracked if the tracking software is still present on the phone.
But something that could be a hindrance to tracking the phone after it gets stolen is the openness/freedom of the phone. If a thief can just install a new OS and wipe away any tracking software that happens to be installed on it, then you can’t track it. I think this is more or less the point @ramnasko made above.
To enable effective tracking, the owner needs to be able to lock down the hardware so that only someone with the owner’s key can install new firmware, install a new OS or remove/disable the tracking software. I don’t know enough about the Librem 5 to know whether this will be an option.
Less free phones can lock down the hardware, firmware and software so that only the manufacturer can permit installation of a new OS, but that is not a viable option for a device like the Librem 5, which aims to respect the owner’s freedom.
If the phone cannot be locked down so that only the owner can remove the tracking software, then it seems to me that the best option would be to regularly send encrypted information about the phone’s location in the hope that some useful information is gathered before the thief disables the tracking (which might be as soon as they lay their hands on it, given the presence of kill-switches).
I don’t think having a decentralised storage service for the tracking data (such as using a blockchain) provides a lot of extra privacy, provided that the data is encrypted before it hits the storage service and no information is leaked through things like the timing of tracking messages from the phone or the length of the encrypted messages. I can think of one disadvantage of a centralised server: someone who knew about or had access to the server could potentially monitor which IP address(es) connect to it to deposit data, potentially giving away some information about the phone if its IP address varies. However, this could be mitigated by having the phone always contact the server via an anonymising network.
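The encrypted, fixed-length location report described in the post above, as an added example that is not part of the original thread or of any Purism software. It assumes the Python `cryptography` package; the function names, the 256-byte frame size and the sample coordinates are constructed for illustration.

```python
import json
import struct
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import (
    X25519PrivateKey, X25519PublicKey)
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

REPORT_LEN = 256       # assumed frame size: every plaintext is padded to this
NONCE = b"\x00" * 12   # fixed nonce is safe only because each key is used once

def raw_pub(pub):
    return pub.public_bytes(Encoding.Raw, PublicFormat.Raw)

def new_owner_keypair():
    """Generated on the owner's other device; only the public half goes on the phone."""
    priv = X25519PrivateKey.generate()
    return priv, raw_pub(priv.public_key())

def derive_key(shared, eph_pub, owner_pub):
    # Bind the message key to both public keys involved in the exchange.
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=b"location-report-v1" + eph_pub + owner_pub).derive(shared)

def seal_report(owner_pub, report):
    """Phone side: holds no secret, so a stolen phone cannot decrypt old reports."""
    body = json.dumps(report, separators=(",", ":")).encode()
    if len(body) > REPORT_LEN - 2:
        raise ValueError("report does not fit the fixed-size frame")
    frame = struct.pack(">H", len(body)) + body
    frame += b"\x00" * (REPORT_LEN - len(frame))   # hide the real length
    eph = X25519PrivateKey.generate()              # fresh key per report
    eph_pub = raw_pub(eph.public_key())
    shared = eph.exchange(X25519PublicKey.from_public_bytes(owner_pub))
    key = derive_key(shared, eph_pub, owner_pub)
    return eph_pub + ChaCha20Poly1305(key).encrypt(NONCE, frame, None)

def open_report(owner_priv, blob):
    """Owner side: raises InvalidTag if the blob was modified in storage."""
    eph_pub, ciphertext = blob[:32], blob[32:]
    shared = owner_priv.exchange(X25519PublicKey.from_public_bytes(eph_pub))
    key = derive_key(shared, eph_pub, raw_pub(owner_priv.public_key()))
    frame = ChaCha20Poly1305(key).decrypt(NONCE, ciphertext, None)
    (length,) = struct.unpack(">H", frame[:2])
    return json.loads(frame[2:2 + length])

if __name__ == "__main__":
    priv, pub = new_owner_keypair()
    blob = seal_report(pub, {"lat": 1.5, "lon": 2.5})   # constructed sample fix
    print(len(blob), open_report(priv, blob))
```

Every report is the same size on the wire whatever it contains; sending on a fixed schedule rather than on events covers the timing leak the post mentions, which this block does not implement.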
@Napalm, I think you’re not looking at the whole picture:
You imply that a potential thief would think it would be acceptable to never go online. A thief could do that with any phone. After all, there is the offline mode. The kill-switch just makes sure the software does not fool you.
A smart thief would probably remove the battery immediately (if possible) or wrap the device in aluminum foil or something like that. Again, it’s just slightly simpler with the Librem 5.
So, I’d say, for the casual thief, the Librem 5 is not better than other phones.
@patch I don’t think the openness is a disadvantage here. It just gives us more ways to trick the thief. Like
create a cronjob that sends encrypted GPS + celltower + wireless info to your e-mail
trigger that script whenever the BT dongle in your pocket loses contact
hide a similar thing in the firmware
put the whole system in a hidden VM, and re-installing triggers an alarm in the host (I guess that’s what Joanna Rutkowska would do)
Hm… I’m wondering if it is possible to prevent overwriting the OS without a password. For example like this: You never get root access via USB-C, except you enable it manually. Or: to boot from SD card, you first have to boot/unencrypt the internal memory.
That would probably not hinder professional attackers with flash hardware available.
I guess a TPM will help there in later revisions!?
On the other hand, if one can install their own Linux, the device will still have the same IMEI. And currently I believe most thieves don’t want a no-carrier phone.
In practice, you’re probably right. I was thinking of the worst case scenario where the thief knows exactly what they’re dealing with, and knows they can just overwrite the OS without a password. I probably didn’t word it very well though. A bit waffly.
Although, the cellular modem is a replaceable module, so the IMEI can potentially be exchanged for a new one with a non-blacklisted IMEI.