I know sensitive: Is backdoor required?


#1

The recent revelation that an iPhone can be activated remotely to allow a third party access to the camera and microphone without the consent of the phone owner has caused some to suggest that this vulnerability is actually a feature required by the Government.

  1. Has the Librem 5 team been made aware of such a requirement?
  2. If so, will you be open about your compliance with such a requirement?
  3. If not 2), can you speculate about whether a member of your team would be willing to quit your team and anonymously provide the community a way to defeat this back door?

I’m so sorry to even have to bring this up.


#2

I believe that is what the Warrant Canaries are for:

https://puri.sm/warrant-canary/


#3

Issues like this are why there are the physical switches in the design. By physically separating the baseband processor from the main system, and providing a removable battery, you can prevent remote control by the traditional telephone network carriers. This is how the carrier can tell where you are even when your phone is off. The baseband stays in contact with the nearest cell tower, and can be “pinged” even if your phone is “off”.

The design of the laptops took this into account with the physical off switches for wireless, and the camera/microphone. No electrical connectivity, no possible way to activate – remote or otherwise.

Hardware is controlled by software. Unless the physical design takes this into account, such as the LED on the same power line as the microphone/camera, malicious software – including the OS – can compromise you. PureOS is pure libre software. It is nigh unto impossible to hide that sort of back door in software when it is open source and everyone is looking for something like that because of how the Librems are marketed.

The iPhone issues are only when malicious software is installed on the phone. There isn’t much you can do for security if someone else can install software on your phone and grant explicit permissions. I believe it also requires either a rooted phone or an unpatched exploit to grant that level of access.