Librem 5 is a HIGHLY insecure device!

@GrapheneOS@grapheneos.social (Mastodon)

Librem 5 is a HIGHLY insecure device which still has completely closed source components: SoC (including the CPU, GPU, memory controller, etc.), memory, touchscreen, battery, cellular, Wi-Fi, Bluetooth, etc. is all closed source hardware with closed source firmware for it too. They simply don’t update the firmware and prevented updating a lot of the firmware, which is still closed source but you have high assurance of lack of privacy/security via unpatched vulnerabilities.

???

2 Likes

That’s not true. Librem 5 is the Best Security Mobile Phone ATM, however anybody can say whatever for Librem 5.

There are not any Full Libre Mobile SOC ATM to prevent BLOBs, however Purism selected the best Libre and Security soc for Librem 5 plus Purism engineered a layout to keep all Blobs Jailed in Librem 5.

Updating a BLOB is a Security/Privacy hole which Purism retains, however some Opensource Purism Employees promote it Sadly. However the owner has the power to do whatever on L5 without compromising Purism and Free Software Community.

GrapheneOS/Devices is HIGHLY Unsecurity from Root.

6 Likes

So, typically the unpatched vulnerabilities can be found online in a database of CVEs. Have you (or someone you’re citing) done the research to list which CVEs affect the Librem 5 hardware that a Librem 5 user can be assured to suffer from?

Or, are you citing secondhand speculation that’s more targeting user opinion and less focused on specifics?

Sent from my Librem 5.

9 Likes

Hello. This is the official channel on Mastodon and their opinion about Librem5, so I gave the link @GrapheneOS@grapheneos.social so that everyone can see what they wrote.

I asked that, in addition to just words, their company write a technical justification, but did not receive an answer.

2 Likes

Perhaps this is a GrapheneOS game where you write whatever comes to mind without technical documentation and get likes…

2 Likes

I’m not sure it is a game. I would not be entirely surprised if the folks posting this message believe what they say. In many cases these days, due to echo chambers and different information sources, people can wholeheartedly believe what they say but still be incorrect. I might be totally incorrect.

Many of the components of the Librem 5 pointed out in this post are indeed closed source. But is this a case of the pot calling the kettle black? What is an example of an open source hardware that can run GrapheneOS?

Sent from my Librem 5.

6 Likes

Thank you for bringing this to my attention. I have let senior leadership know about this and highly encouraged them to jointly construct a formal response to these allegations and criticisms. It is one matter for an individual to rant about a company (free speech), but it is a potentially legal matter when a company/organization publishes written defamation (libel). I will keep my opinions to myself until a formal response can be provided.

7 Likes

I heard that there is plenty of gold and silver and diamonds inside the L5 :lying_face:
It must be true since that fact was mentioned on the internet. :joy: :laughing:

4 Likes

The “insecurities” of the Librem 5 have been brought up numerous times and I don’t feel much has changed other than the lack of updates (for now). One of the GrapheneOS devs has been critical of Linux phones for some time: https://madaidans-insecurities.github.io/linux-phones.html

This is Kyle Rankin’s (former Purism President and security officer) response to it: https://forums.puri.sm/t/librem-5-pureos-ridiculously-insecure/10173/10.
Here is Joao’s take on it (Purism support technician, not Purism’s official stance): https://forums.puri.sm/t/librem-5-pureos-ridiculously-insecure/10173/21.

7 Likes

You should format your post more clearly so that it is obvious which are your words and which are quoted words.

I don’t think a blow by blow rebuttal would be productive but I would make the following observations:

  • The apparent source has a clear conflict of interest. As such, I wouldn’t take them as a good source of information.
  • It is a pity that they are criticising an approach that is also trying to get us away from The Duopoly - rather than criticising The Duopoly.

8 Likes

Most of the problems with the “blackbox” binaries are real and we all know about this. I never thought of the L5 as a secure device, only as a device where I can do my daily work without Google and Apple sitting every time on my shoulders.

The problem with the drivers will never be solved on the L5, so You have to be aware of all the bad things that can happen. As Purism is a US company they also have to fulfill all the things that the Patriot Act wants to have from them. And millions of code lines in Debian seem to be “uncontrolled” as the latest XZ drama shows us clearly. NOBODY can overlook all the other modules in Debian and other Linux derivatives. So there may be hundreds of holes and nobody will ever have a plan to solve this problem.

And per se Debian is also not more secure than others. The “fight” for an unimpacted system is lost a long time since the governments of lots of countries wish a total control over all that we do.

Does the NSA not sponsor and co-work in development of new encryption projects?

Therefore also my disk encryption is useless … maybe … better You do not place any important information on Your phone

And that from Purism there is no visible intention to bring the OS a step forward to Crimson.

Think of the L5 as a nice gadget which can a little bit keep away Google and Apple and Amazon. Maybe that’s it

2 Likes

Wow those GrapheneOS people just really cannot let it go. They really don’t want linux phones to exist. I’m not reading and responding to this stuff anymore. This is ridiculous. There is another non-apple alternative to android. Let it go.

10 Likes

Don’t hang the Graphene community too high. But they have pointed on things on the L5 that are real and annoying :frowning:

… and I am no Graphene user nor have any device with this :wink:

1 Like

I’m not blaming the whole community. I’m saying that they previously did an obviously deliberate smear campaign (including literal lies) in order to get people to flee from the only non-apple and non-android mobile alternative so that they would go to the GrapheneOS project. That is fear-mongering. This is exactly the kind of toxicity that Louis Rossman and Techlore were talking about. You can have your own project and advocate for it. That’s fine. Being hyperbolic and accusatory of other projects that have not been antagonistic to yours is really toxic awful behavior that has no place anywhere but their own matrix rooms and similar.

5 Likes

We can stay here and do finally the things which are needed to make the L5 better. But ATM I cannot see anything in progress on the L5 and all the security problems I wrote before do really exist.

I also do not take the L5 as a secure device… maybe as one with more privacy… but not more. So far lots of things they wrote about Debian and the L5 are correct. We can discuss about the form and way they do. But not for the reality they throw us on our feet

1 Like

Like I said, I saw the title, clicked and saw it was from GrapheneOS, and immediately remembered that they have engaged in toxicity and fear-mongering to scare people into fleeing linux and using their project. They are like the boy who cried wolf now. Maybe if this is an important post to make in this community, there doesn’t need to be mention of GrapheneOS (because it’s 100% irrelevant to PureOS and Librem 5 security), and the title of the topic doesn’t need to be the same type of click-bait fear-mongering stuff they’ve put out repeatedly.

If someone wants to use GrapheneOS, cool. Please leave us alone though.

If someone wants to have a serious discussion about PureOS and Librem 5 security, cool. Please don’t be hyperbolic, click-baity, and toxic.

That’s all I’m saying.

I might end up switching back to postmarketOS at some point if there is no progress soon, as annoying as that will be. But I’m not some super interesting target that needs to worry a lot about security.

Do y’all realize there is a not-insignificant number of people on this planet running really old and EOL android and iOS devices? Security is important generally, but obsession with security is unhealthy.

Also I don’t have a cellular modem in my phone, so my phone is superior to anything else that exists. And I’m never going back.

6 Likes

PM-OS has every piece of code on a security control? And for them all the binary blackboxes are open?
No way to attack the phone (and the user) with malicious code?

And ATM there is no sound on calls if You use the L5 with PM-OS. I have already written a bug report in GitHub for this. But it seems not to be fixed.

The guy who wrote the lines about problems on the L5 has - I think - absolutely told the truth. This is what makes it SO painful…

BTW: The problems also (can) sit in the WiFi module or any other blackbox-device like BT. So disabling the modem does not clean out the security problems. If you want a secure phone device You have to shut it down.

1 Like

Good thing the Librem 5 supports ethernet, killswitches, external displays, and removal of modules. Absolutely no GrapheneOS device will ever have those features and is ultimately controlled by google. Like I said, I’m never going back.

5 Likes

Yeah, this means obviously that the L5 is a secure device if You switch all components off, remove any software that can make a problem and use it as a brick?

We talk not about “back to Google” or so but about the problems the L5 really has and that ATM there is no sign from Purism to make any progress on the OS to a more actual build?

1 Like

I feel like I’ve said what I have to say, and you’ve ignored the meaning my messages were attempting to convey. I’ll let readers judge for themselves. I don’t care. I think I’m done here. Gonna go back to more important things.

You can have the last word and continue with whatever it is you’re interested in discussing. I’m just not interested. No hard feelings. Bye.

6 Likes