Librem 5 Computer Security (traveling+new zerodays)

If it is the airport’s official wifi network, and not just a malicious spoofed one.

1 Like

@Dlonk , what’s your modem firmware version? (Check it in the BM818 Tool.)

1 Like

See this bug: Timeout when refreshing mobile network (#342) · Issues · Librem5 / OS-issues · GitLab (I was hit by this issue when in France).

1 Like

Despite the timeout when searching for networks, you can initiate it multiple times until it finds what you want.

1 Like

First off, “zero day” refers to vulnerabilities that have not yet been discovered and are unknown. Always assume that any software (and hardware) can have those. It is seldom that a single weakness opens the door to do whatever - you often need a few and make them work together. This is why only some of them get so much attention. This is also why we have layered (“onion”) defenses and why other apps and modifications and just usecase/circumstance/cyberhygiene/userbehavior may render vulnerabilities moot.

Yes, apps do have vulnerabilities. You may be targeted (depending on risk profile) or it may be dumb unlucky, but it’s about odds and likelihoods and how to play them. That being said, it’s not good security practice to advertise vulnerabilities, so it’s hard to say if and what known vulnerabilities there are in those browsers.

To point 4: The update process has been made secure (signed) and the pipe is secure (https), so it’s unlikely to be a pathway to compromise your device (as it’s much more resource and time consuming than other ways - but still within realm of possibility, perhaps). More likely is some add-on or clicking a malicious link at a dubious website. You can read about what kind of security advisories there are and compare which ones have been patched (not all are as the exploit may need some very special circumstances - I’ve read stories about tickets from decades ago being fixed). For FF example, see: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox and Mozilla Firefox security vulnerabilities, CVEs, versions and CVE reports and Known Vulnerabilities in Mozilla Products — Mozilla (needs a bit of digging into).

My advice would be to make sure you have a secure connection and update. For that added layer of protection, using a VPN is exactly for this kind of use case as it protects the pipeline from your device to internet, through that dubious wifi. If you don’t have one, check what Mozilla, Protonmail or Opera offer for free for limited browsing uses (if such suit your temporary need).

Btw. it’s always good to ask from store or hotel info desks about their wifi offerings because one way to spoof is to set up an official sounding SSID somewhere that is not providing wifi at all (despite what a printed note on the wall may say). Regarding number 3, I think it’s irrelevant what you use the browser for but of course you should try to do more sensitive stuff at more secure places. Any website potentially could be poisoned to attack browser vulnerability, although using G’s site is probably safe (privacy may be another matter but that may be irrelevant in the use case). Back when http was the major form of connection, wifi attacks would add stuff to the websites (ads and malicious ads), but that’s hard to do with https (and VPN), so just keep an eye that the connection isn’t forced downgraded to http from https (you can set this strict from browser settings). And if you’re really paranoid about connection security, I hope you’ve set up your firewall (you should be good but also you should make sure and have a look).

Point 5: I’ve had inconsistent mobile data too. Depending on your SIM/dataplan, you might consider using mobile data as that would be more secure than wifi, if you can. And using VPN gives you more privacy and security on that too. Don’t worry, any phone company already knows where you are and using mobile data does not change that, if that worries you (GPRS protects you a bit more in EU than compared to some other places).

Point 5 tldr: Install Advanced Network Configuration to get a GUI on proper network settings, like editing mobile broadband provider list and their preferences or wifi access point list. Makes life easier. It doesn’t fit well on mobile, you have to set display to 100% to get to the right side buttons, but for temporary editing in landscape mode it’s usable and best way to get a proper view of what setting you have.

About 6: FF is pretty good from security point of view, as it gets updated pretty quick, fixing those vulnerabilities, as they become known. You just need to keep updating. Tor-browser is based on it and could offer some protection on dubious accesspoints (no official aarch64 but there is the seemingly reliable unofficial one that I’ve used).

Alternative workarounds: buy (or in some places: rent) a mobile broadband standalone accesspoint - the device connects to mobile data and you connect to your own private safe wifi accesspoint. A bit of extra cost, though.

And just in case you might need it, here is a global database of mobile operators and their APN infos: serviceproviders.xml · main · GNOME / mobile-broadband-provider-info · GitLab [I’m not sure how often it updates - always a possibility that an APN has changed recently, in which case you can check from their site]

2 Likes

Or buy a local short-term tourist SIM.

1 Like

That too, but I was thinking that if mobile data doesn’t work reliably, a separate device would work as an alternative.

2 Likes

@dlonk, silly question: do you have Data Roaming enabled in mobile settings?

1 Like

I did not enter Orange F myself. I was wondering if it is correctly in the file.

The file with all details is here on your Librem 5:

/usr/share/mobile-broadband-provider-info/serviceproviders.xml

And it is maintained here: serviceproviders.xml · main · GNOME / mobile-broadband-provider-info · GitLab

I do not know how the file is exactly used, I only fixed it for my Dutch provider. Actually, I still believe that the timeout issue that I mentioned earlier might be the root cause of difficulties on getting a mobile data connection in France. I traveled this summer through several EU countries, and the mobile data connection usually worked well. But in France I had difficulties. Maybe there are some French Librem 5 users in the forums that can shine some light on this?

1 Like

Often yes but I often tried toggling it to see if that would change anything, to no avail.

So, my provider is Google’s Project Fi, sometimes called Google Fi. I have seen the L5 know this and show “Project Fi” as the Network name at times. But I don’t see that in your global APN list XML file. And last time I contacted their Google customer support asking for APN style information for Chatty MMS, their reply was that I must buy another new phone of a different kind, and my phone is not officially supported.

Isn’t it impossible for me to change this because of firmware jail, or something?

1 Like
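An added example, not from any poster or from the mobile-broadband-provider-info project: one way to check whether a provider and its APNs appear in serviceproviders.xml, as wondered about in the two posts above. The element names (`country`, `provider`, `gsm`, `network-id`, `apn`, `usage`) are assumed from the file's published layout, `find_apns` is a hypothetical helper, and the sample data is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the assumed serviceproviders.xml layout (not real entries).
SAMPLE = """<serviceproviders format="2.0">
  <country code="fr"><provider>
    <name>Example Mobile FR</name>
    <gsm>
      <network-id mcc="208" mnc="01"/>
      <apn value="internet.example"><usage type="internet"/></apn>
      <apn value="mms.example"><usage type="mms"/></apn>
    </gsm>
  </provider></country>
  <country code="us"><provider>
    <name>Example Wireless US</name>
    <gsm>
      <network-id mcc="310" mnc="999"/>
      <apn value="data.example"/>
    </gsm>
  </provider></country>
</serviceproviders>"""

def find_apns(xml_data, name_part=None, mcc=None, mnc=None):
    """Return [(country, provider, apn, usage)] for providers matching a
    case-insensitive name substring or an exact MCC/MNC pair."""
    hits = []
    for country in ET.fromstring(xml_data).iter("country"):
        for prov in country.iter("provider"):
            pname = prov.findtext("name", default="")
            gsm = prov.find("gsm")
            if gsm is None:          # CDMA-only or empty entry: no APNs to list
                continue
            ids = {(n.get("mcc"), n.get("mnc")) for n in gsm.iter("network-id")}
            by_name = name_part is not None and name_part.lower() in pname.lower()
            by_id = mcc is not None and (mcc, mnc) in ids
            if not (by_name or by_id):
                continue
            for apn in gsm.iter("apn"):
                usage = apn.find("usage")
                utype = usage.get("type") if usage is not None else "unspecified"
                hits.append((country.get("code"), pname, apn.get("value"), utype))
    return hits

if __name__ == "__main__":
    import sys
    # Path as given in the thread; argv[1] is a provider-name substring.
    path = "/usr/share/mobile-broadband-provider-info/serviceproviders.xml"
    with open(path, "rb") as fh:
        for hit in find_apns(fh.read(), name_part=sys.argv[1]):
            print(*hit, sep="\t")
```

An empty result means the provider is not listed under that name or MCC/MNC, in which case the APN has to come from the operator itself.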

I would just keep searching again and again for networks until it shows up (hopefully).

If you swapped out your modem, but didn’t also update the firmware, then it’s possible that the version number you’re seeing is the one you installed for the North American modem. (Unless the firmware somehow updates itself in byzantium now, which I doubt.) The 20220930 date is the latest for all three modems, as far as I know. You probably need to update the firmware for the newly installed modem. Instructions can be found in the forums. Your decision, though.

Possible, and it was also recommended by Purism. The “jail” refers to the SparkLan wifi card, if I’m not mistaken.

It needs to be on if you want data while roaming.

1 Like

If there is doubt about what version BM818 Tool is showing you then

AT+BMSWVER

can be issued directly to the modem in order to ask it what version it has.

It is my understanding that each modem has to have the firmware upgraded separately, if there is a need to upgrade the firmware at all - but obviously the time to do that is before leaving home, in case there are problems.

2 Likes

The firmware jail only applies to the Wi-Fi/Bluetooth module, not the cellular modem, of which the firmware version is already up-to-date.

Ask g**gle ai
:wink:

1 Like

This is probably correct; I didn’t update any firmware, but I switched out the hardware.

Noob question but seriously what does “roaming” mean? It is a mobile device. The use case is when I am not at home, not in one place!

I tried sudo mmcli -m any AT+BMSWVER and it printed a bunch of junk. I don’t want to paste it here since I don’t want to leak IMEIs or whatever that is, but the text included this:

       |       firmware revision: MPSS.JO.2.0.2.c1.1-00032-9607_GENNS_PACK-1.351938.1  1  [Nov 26 2020 02:00:00]

Random thing: clicking all the APNs on byzantium in history, the Verizon button somehow got things working while I’m at a coffee shop. So Access Point=Verizon, Network=Orange F. No idea why!

1 Like

It is not:

Using other cellular networks than the telecommunication carrier assigned to your phone plan in order to continue receiving service.

Plenty of people have posted that string here on this forum for their own modem. It should be safe to post. It shouldn’t be personally identifying, since many people will have the same modem firmware version.

But that’s OK. There is no need to post it.

The point of my post is that you can verify the output from BM818 Tool by comparing it directly with the output from the relevant AT command. (It is entirely possible that the tool simply issues the same AT command, but formats the output better.)

Of course, in theory, looking at security rather than privacy, it is never a good idea to advertise what version you have of anything - because that could guide an attacker as to which exploits exist and which do not exist, in your environment.

2 Likes

I realize your question is rhetorical, but in the context of mobile network plans, “roaming”, both domestic and foreign, refers to using other mobile providers’ networks when you are not within the coverage area of your contracted mobile provider’s network. Obviously, reciprocal roaming agreements have to be in place among the networks involved, e.g. between T-mobile and AT&T, or between T-mobile and Vodafone, Orange, etc.

It has to be intentionally enabled in your phone settings, and sometimes also in your online account settings (as with Ting’s foreign roaming coverage), because roaming can result in extra charges, sometimes high charges, especially in the case of roaming internationally.

If you travel or live near an international border, e.g. U.S./Canada, or U.S./Mexico, it’s usually recommended to keep roaming off, in order to avoid inadvertently switching to foreign mobile towers and incurring extra charges.

3 Likes

Ah, yeah okay. Thanks. I only ever used resellers who don’t own towers, as I understand, so I was never in a situation where I was paying a tower owner who needed to distinguish between their own towers and other peoples’ towers, so somehow I was picturing there would simply be “allowed” and “unallowed” towers and “unallowed” would hopefully be irrelevant or not appear, and “allowed” would just work. But that makes sense, if a rich tower owning company needs to troll users by allowing both, but fining them.

2 Likes

A reseller (or MVNO) uses the towers of the host network (MNO); some MVNOs can benefit from the domestic roaming agreements of the host network, and some not, depending on the MNO-to-MVNO contract and features. International roaming is a different story, though. I think fewer U.S. MVNOs get international roaming from their MNOs, at least according to my own experience when vetting U.S. MVNOs for international roaming. (I’m referring to calls+texts+data SIM roaming, not the use of eSIM data add-ons.)

1 Like