No Speaker Hardware Off Switch is a Vulnerability

Not having a speaker hardware off switch for Librem products is a vulnerability in areas that may contain insecure devices in earshot, because a sound signal of lower or higher frequency than what is audible can be produced and picked up by devices that are compromised.

The paper says they weren’t able to work with infrasound. For defense against the ultrasound attack you don’t have to disable the speaker completely; if it’s a concern you could make the phone play ultrasonic noise while typing to lower the signal to noise ratio of any malicious signal.

There can’t be a killswitch for every component of the phone, and this is honestly a pretty low-probability attack.
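An added illustration of the masking idea in the reply above (not code from the thread or from the paper it mentions): it measures the signal-to-noise ratio of a constructed 19 kHz tone before and after band-limited noise is mixed in. The sample rate, carrier frequency, amplitudes and function names are all assumptions chosen for the example.

```python
import math
import random

FS = 48_000       # assumed sample rate (Hz)
N = 4_800         # 0.1 s window, so analysis bins are 10 Hz apart
CARRIER = 19_000  # constructed near-ultrasonic tone standing in for the signal


def goertzel_power(samples, freq):
    """Power in a single frequency bin (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq / FS)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def tone(freq, amp, phase=0.0):
    return [amp * math.sin(2 * math.pi * freq * i / FS + phase) for i in range(N)]


def masker(amp, lo=18_000, hi=20_000, step=10, seed=1):
    """Band-limited noise: one random-phase tone per 10 Hz bin across lo..hi."""
    rng = random.Random(seed)
    out = [0.0] * N
    for f in range(lo, hi + 1, step):
        for i, v in enumerate(tone(f, amp, rng.uniform(0, 2 * math.pi))):
            out[i] += v
    return out


def snr_db(samples):
    """Carrier-bin power relative to the mean of nearby in-band bins, in dB."""
    nearby = [f for f in range(18_500, 19_501, 100) if f != CARRIER]
    floor = sum(goertzel_power(samples, f) for f in nearby) / len(nearby)
    return 10 * math.log10(goertzel_power(samples, CARRIER) / floor)


def demo(seed=7):
    rng = random.Random(seed)
    ambient = [rng.gauss(0, 0.001) for _ in range(N)]      # constructed room noise
    clear = [a + s for a, s in zip(ambient, tone(CARRIER, 0.05))]
    masked = [c + m for c, m in zip(clear, masker(0.05))]  # masker tones at the signal's level
    return snr_db(clear), snr_db(masked)


if __name__ == "__main__":
    print("SNR clear %.1f dB, masked %.1f dB" % demo())
```

Because the masker does not know the carrier frequency, it has to fill the whole band, so its total power is far higher than that of the single tone it hides.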

I never even knew mine had a fan until today. For some reason the CPU was working like crazy and the fan was running at high speed. Couldn’t figure out what that was so I shut it down for an hour or so and now it’s fine. It was rather bizarre. I had some of the cores running at 100% on and off. Never had that happen before.

And after that, the screen (from RFI).

I just read another one of your posts, s3nsOr, about how they can steal data using the sound of the fan and the CPU. Interesting since while my fan was running at high speed and the CPU was getting a workout the 'puter was sending something on and off. I use my dumb phone as a hot spot. It sits right next to the laptop.

We should keep this vulnerability in perspective.

  1. How many customers are using their librem laptops airgapped?

How many would-be customers of the librem 5 will be using it airgapped? For a mobile phone that would have to be close to zero?

  2. This exploit relies on running untrustworthy code on your computer in an uncontrolled environment. Oftentimes if your computer is running that code then you already have a major problem! You’ve already been pwned, and command and control / exfiltration will simply proceed via the internet for most of us.

Time and effort might be better spent on avoiding situations in which untrustworthy code gets to run.

The fan is clearly not a problem at all in the librem 5.

The fan problem (such as it is) in the librem laptops can be solved by making them fanless. That might be considered overkill for something that is barely a real problem but fanless is a good thing in its own right and good for other reasons. However I am not seriously suggesting that this should be a priority for Purism.