Librem 5 Computer Security (traveling+new zerodays)

Hey all,

I did system upgrades a week ago, and since then was away from known good internet, in some places, including some countries internationally. I only brought Librem 5, not other kinds of phones.

But I am finding the cellular function to be very odd and spotty, which pushes me to use free wifi. The modem will connect to various overseas networks and show names like vodafone or O2 or EE or Orange F as network name, but the widget for network selection in Gnome settings doesn’t appear to actually work. Whatever one of these networks the modem randomly latches on to at boot seems to be the one that it sticks with until toggling stuff off and on and rebooting. Also, the list of towers shows nonsense names from the US on the other side of the planet:

Of all these various networks this would sometimes latch on to, EE seemed like the only one that would actually frequently provide Mobile Data, and when it did, that often only happened on the Crimson dual boot that I have set up. The main Byzantium install seems broken. It will show 4G as if data is available, then if I try to ping google.com or ping 1.1.1.1 it says unreachable and the 4G icon disappears, or the orange warning icon shows on top of the status.

So, obviously that was a likely scenario that these mobile data providers are part of the walled garden universe where it’s going to be hard for Purism to convince them to support a niche phone.

But then I have another problem. I noticed overseas there seem to still be many places offering free WiFi without password. So I used some of these, kind of out of necessity, but historically I keep almost no cookies and use “incognito”/“private” browsing for everything, because when I was a kid browsers actually didn’t cache information and I was OK with that.

So, my security model of being cookieless for everything, according to modern information about what we’re told to think, is worse, supposedly. And I know I’m being paranoid and a bit off when I continually enter passwords instead of entering my automatic cookies. So, last time I traveled when I was traveling in the US, I used the modem exclusively and tried to avoid WiFi, under the hopes that this would reduce the likelihood of HTTPS getting somehow busted to where someone would get my logins.

But now with the modem not working reliably and only sometimes working, I have been clinging to my one cookie that I keep which is on L5 on Firefox, as a way to communicate with folks I need to contact, when on insecure WiFi.

But now this week they say there’s a zero-day vulnerability on Firefox, while I’m traveling, and this is frustrating for me. Weren’t there already known vulnerabilities in Gnome Web? What am I supposed to use that would actually be in working order, if I don’t want to update over some crappy public wifi and only have what I already have? I’m sure apt is probably using some TLS bollocks, but I don’t like the idea of updating on public WiFi. I don’t want to…

So I know this is a bit of a rant, but I think other people who are more confident of their machines being in working order could answer some key, really useful questions for me:

  1. Does the version of Gnome Web included by default on PureOS Byzantium, 1.5 weeks ago, have any currently known unpatched vulnerabilities? apt list says epiphany/byzantium 0.7.0+0-6 arm64
  2. Does the version of Firefox included by default on PureOS Byzantium, 1.5 weeks ago, have any unpatched vulnerabilities (very likely yes, danger, reports of active malicious use in the wild, right??) apt list says firefox-esr/byzantium-security 128.3.1esr-1~deb11u1 arm64 [upgradable from: 115.15.0esr-1~deb11u1]
  3. Do the aforementioned vulnerabilities have any risk of being used by zeroconf/spammy multicast to poke holes in a device where Firefox-ESR is running at all— or if I only visit a few, known “good” sites, would FirefoxESR be safe (“good” here meaning lots of money, like a major FANG messenger or whatever), is it likely the known “good” would mean I was in the clear?
  4. Would you, personally, upgrade your FirefoxESR on public WiFi? I’m gathering from my notes on (2) above that the stupid PureOS store I never bothered to uninstall is already checking for updates and providing information about 128, by contacting PureOS net over the insecure WiFis. If I spend time on it, I would probably like to turn that off. I find joy in doing apt updates manually because I am the arbiter of when I upgrade, and stay informed about what is upgrading. Downloading automatic updates on airport WiFi, for my $1000 Samsung a few years ago, caused a bunch of parental control apps to show up, and a new function for the home button, that I didn’t ask for. I don’t want that and I certainly don’t want it when my boarding pass may require the phone. One way to eliminate stupid security events on our devices is to command them to no longer do stupid things; so, is this paranoia or is performing system upgrades on public WiFi stupid?
  5. Does anyone else on Broadmobi E version in Europe have inconsistent mobile data? Sometimes when I try to enable “Mobile Data” after toggling it on and off, it becomes completely unable to toggle back on, listing 5 instances of “US Mobile,” none of which do anything. I am not in the US. Should I use some mmcli command to clear this list and allow it to populate with Europe things?? Similarly, disabling “Automatic” switch on the Network setting is totally dysfunctional on both Byzantium and whatever Crimson snapshot dual boot I have. It always just says it timed out, and jumps back to whatever network was currently being used.
  • tl;dr: is there an mmcli command for this?
  6. Is there a better browser choice in general? I have also used Brave on the L5, but installed from brave browser ppa instead of PureOS. It is the only other ppa that I have added. It seems to work fine, but I notice what feels like much higher battery drain when that is open versus Gnome Web/Firefox.

Sent from Gnome Web on Airport WiFi on my L5 in some European country

1 Like

I guess you are in France. I had difficulties there with the mobile data connection as well. See here for more info: Problems getting mobile data in France with Dutch provider Simpel

1 Like
  1. Not sure.
  2. Not sure, I use upstream:
  3. The answer likely depends on what version you are using, although I have no idea about this “FANG” you are mentioning.
  4. Yes, as long as the repository signing keys are still valid.
  5. Not applicable.
  6. See my prior response:

Unmaintained browser list:

Time to ditch Mozilla? - #90 by FranklyFlawless - Round Table - Purism community

It is most likely your SIM not connecting to these networks, not necessarily your Modem.

2 Likes

Have you tried manually adding, selecting, and saving an APN for any of those French networks? Find settings on their websites, or search for them online. EDIT: I’ve got that wrong; connect with your U.S. APN instead.

Your US Mobile APN(s) will likely still display in that list while you’re overseas, by the way, because you are roaming on a US Mobile SIM.

Are you not using a VPN when connecting to public wifi? If not, big mistake.

P.S. Did you ever update the firmware for the new modem?

2 Likes

Not sure, but you can get connection info with mmcli --modem=any.

Check mmcli --help for other possible functions.

1 Like

Sorry, I’m using messages.google.com, but I was trying to refer to it some other way so that I wasn’t effectively operating as free advertising for Google, since… you know… Google is probably evil.

So, does this make it unsafe to download new signing keys for your Firefox upstream suggestion? Really I think the FF upstream sounds like a pretty good idea for my Firefox problem.

I assume if I download the new keys from an HTTPS URL, we could assume them to be “the real ones” and not a Free WiFi man-in-the-middle.

I went and read the information online and my SIM provider claims that they allow use of the SIM internationally, for up to 90 days, but then the SIM must spend time in the US or else they turn it off.

Technically it’s not a US Mobile SIM. These are just some Librem 5 bugs. Here’s a screenshot of it showing a different list:


But to your point about this being a cache, I guess the cache is different on Byzantium than Crimson, by chance.

Okay but I think you’re right I should figure how to add overseas APNs to the list (manually?).

In order to get the credentials of my old VPN and see if it is working, I would need to do some logins that tbh I would want to do from behind a VPN anyway.

Can I ask why you believe this to be a big mistake, specifically? From my perspective, a VPN would slow my traffic down and put it all through a singular pipe instead of many different sources. I would have to be able to trust the VPN provider not to sell my traffic, and yet the point of the thing is that we don’t trust ISPs. I have a healthy skepticism of my VPN provider. They probably sell the traffic.

1 Like

A VPN would encrypt all your traffic passing through the public wifi connection, so that the operator of the public wifi (and potential nefarious hackers lurking there) couldn’t have access or visibility to what you’re doing online.

Try to get a mobile network connection first, then. Update the modem firmware if you haven’t already. That could be the problem.

Then use a different VPN, use it intermittently, and/or subscribe to multiple ones. I subscribe to AirVPN (paid) and Proton VPN (basic free level). Other privacy-conscious forum members swear by Mullvad.

I’ll see if I can find some APN settings for those French networks, and will post them here, unless someone else already has them handy. EDIT: Disregard that.

1 Like

EDIT: Disregard. Use your US provider’s APN.

1 Like

Actually, now that I think about it, maybe it’s your US APN you should be connecting to, as they’re the ones handling the roaming connection for you. The foreign APN selection might only apply if you’re using a SIM from the foreign carrier.

In any case, you can try both.

Apologies, if I’ve got it mixed up.

Back to VPNs, note that the provider’s client might not work on the L5, so you’ll probably need to set up the connection in the Advanced Network Configuration app.

1 Like

Maybe a hot take, but in the near short term I am more concerned about a zero-day on the public wifi taking over my L5 (in the style of eternal blue) than about the airport finding out that they were host to Dlonk for a few hrs.

@janvlug Where did you edit XML to put MCC and MNC for Orange F? I was in an airport sitting with Orange F detected nearby like you’re thinking. But so far I just used the GUI, and set Name=Orange France, and the “orange” in all the other boxes, and nothing worked.

1 Like

That depends if you trust Mozilla or not. One of the steps provided in the link verifies the keys:

It will print an output displaying if the fingerprint matches or not.

1 Like
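The fingerprint comparison mentioned in the reply above, combined with the "as long as the repository signing keys are still valid" condition from the earlier answer, as an added example that is not part of the thread or of Mozilla's instructions. The function name `check_key`, the sample key listing and the fingerprint are constructed placeholders; the real fingerprint has to come from the publisher through a channel you trust.

```shell
#!/bin/sh
# check_key EXPECTED_FPR NOW_EPOCH
# Reads the output of `gpg --show-keys --with-colons KEYFILE` on stdin.
# Prints OK, MISMATCH, EXPIRED, REVOKED or NOKEY; returns 0 only for OK.
check_key() {
    # Normalise the pinned fingerprint: drop spaces, upper-case the hex digits.
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -F: -v want="$expected" -v now="$2" '
        # pub record: field 2 = validity flag, field 7 = expiry (epoch seconds).
        $1 == "pub" && !seen_pub { seen_pub = 1; validity = $2; expires = $7 }
        # The first fpr record after pub is the primary key fingerprint (field 10).
        # Later fpr records belong to subkeys and must not satisfy the pin.
        $1 == "fpr" && seen_pub && fpr == "" { fpr = toupper($10) }
        END {
            if (!seen_pub || fpr == "") { print "NOKEY";    exit 4 }
            if (fpr != want)            { print "MISMATCH"; exit 1 }
            if (validity == "r")        { print "REVOKED";  exit 3 }
            if (validity == "e" || (expires != "" && expires + 0 <= now + 0)) {
                print "EXPIRED"; exit 2
            }
            print "OK"
        }'
}

# Constructed sample of a colon-format key listing (not a real key).
SAMPLE_KEY='pub:-:4096:1:AAAABBBBCCCCDDDD:1600000000:1900000000::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1600000000::HASH::Example Repo Signing Key <repo@example.invalid>::::::::::0:
sub:-:4096:1:1111222233334444:1600000000:1900000000:::::s::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Placeholder pin matching the constructed sample above.
EXPECTED_FPR='0123 4567 89ab cdef 0123 4567 89ab cdef 0123 4567'

# Demo with a fixed "now" so the result does not depend on the clock.
printf '%s\n' "$SAMPLE_KEY" | check_key "$EXPECTED_FPR" 1700000000

# Real use (assumes the key file was already downloaded as repo-key.gpg):
#   gpg --show-keys --with-colons repo-key.gpg | check_key "$EXPECTED_FPR" "$(date +%s)"
```

Only add the key to apt's trusted keyrings when the function returns 0; HTTPS on the download protects the transfer, while the pinned fingerprint is what ties the file to the publisher.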

If it is the airport’s official wifi network, and not just a malicious spoofed one.

1 Like

@Dlonk , what’s your modem firmware version? (Check it in the BM818 Tool.)

1 Like

See this bug: Timeout when refreshing mobile network (#342) · Issues · Librem5 / OS-issues · GitLab (I was hit by this issue when in France).

1 Like

Despite the timeout when searching for networks, you can initiate it multiple times until it finds what you want.

1 Like

First off, “zero day” refers to vulnerabilities that have not yet been discovered and are unknown. Always assume that any software (and hardware) can have those. It is seldom that a single weakness opens the door to do whatever - you often need a few and make them work together. This is why only some of them get so much attention. This is also why we have layered (“onion”) defenses and why other apps and modifications and just use case/circumstance/cyber hygiene/user behavior may render vulnerabilities moot.

Yes, apps do have vulnerabilities. You may be targeted (depending on risk profile) or it may be dumb unlucky, but it’s about odds and likelihoods and how to play them. That being said, it’s not good security practice to advertise vulnerabilities, so it’s hard to say if and what known vulnerabilities there are in those browsers.

To point 4: The update process has been made secure (signed) and the pipe is secure (https), so it’s unlikely to be a pathway to compromise your device (as it’s much more resource and time consuming than other ways - but still within realm of possibility, perhaps). More likely is some add-on or clicking a malicious link at a dubious website. You can read about what kind of security advisories there are and compare which ones have been patched (not all are as the exploit may need some very special circumstances - I’ve read stories about tickets from decades ago being fixed). For FF example, see: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox and Mozilla Firefox security vulnerabilities, CVEs, versions and CVE reports and Known Vulnerabilities in Mozilla Products — Mozilla (needs a bit of digging into).

My advice would be to make sure you have a secure connection and update. For that added layer of protection, using a VPN is exactly for this kind of use case as it protects the pipeline from your device to internet, through that dubious wifi. If you don’t have one, check what Mozilla, Protonmail or Opera offer for free for limited browsing uses (if such suit your temporary need).

Btw. it’s always good to ask from store or hotel info desks about their wifi offerings because one way to spoof is to set up an official sounding SSID somewhere that is not providing wifi at all (despite what a printed note on the wall may say). Regarding number 3, I think it’s irrelevant what you use the browser for but of course you should try to do more sensitive stuff at more secure places. Any website potentially could be poisoned to attack browser vulnerability, although using G’s site is probably safe (privacy may be another matter but that may be irrelevant in the use case). Back when http was the major form of connection, wifi attacks would add stuff to the websites (ads and malicious ads), but that’s hard to do with https (and VPN), so just keep an eye that the connection isn’t forced downgraded to http from https (you can set this strict from browser settings). And if you’re really paranoid about connection security, I hope you’ve set up your firewall (you should be good but also you should make sure and have a look).

Point 5: I’ve had inconsistent mobile data too. Depending on your SIM/dataplan, you might consider using mobile data as that would be more secure than wifi, if you can. And using VPN gives you more privacy and security on that too. Don’t worry, any phone company already knows where you are and using mobile data does not change that, if that worries you (GPRS protects you a bit more in EU than compared to some other places).

Point 5 tldr: Install Advanced Network Configuration to get a GUI on proper network settings, like editing mobile broadband provider list and their preferences or wifi access point list. Makes life easier. It doesn’t fit well on mobile, you have to set display to 100% to get to the right side buttons, but for temporary editing in landscape mode it’s usable and best way to get a proper view of what setting you have.

About 6: FF is pretty good from security point of view, as it gets updated pretty quick, fixing those vulnerabilities, as they become known. You just need to keep updating. Tor-browser is based on it and could offer some protection on dubious access points (no official aarch64 but there is the seemingly reliable unofficial one that I’ve used).

Alternative workarounds: buy (or in some places: rent) a mobile broadband standalone accesspoint - the device connects to mobile data and you connect to your own private safe wifi accesspoint. A bit of extra cost, though.

And just in case you might need it, here is a global database of mobile operators and their APN infos: serviceproviders.xml · main · GNOME / mobile-broadband-provider-info · GitLab [I’m not sure how often it updates - always a possibility that an APN has changed recently, in which case you can check from their site]

2 Likes

Or buy a local short-term tourist SIM.

1 Like

That too, but I was thinking that if mobile data doesn’t work reliably, a separate device would work as an alternative.

2 Likes

@dlonk, silly question: do you have Data Roaming enabled in mobile settings?

1 Like