This is complicated. See what I wrote in the community FAQ: https://source.puri.sm/Librem5/community-wiki/-/wikis/Frequently-Asked-Questions#86-where-are-the-librem-5-and-librem-5-usa-assembled-and-where-are-their-components-made
Here are the vulnerabilities associated with Pegasus, according to Wikipedia:
- CVE-2016-4655: Information leak in kernel – A kernel base mapping vulnerability that leaks information to the attacker allowing them to calculate the kernel’s location in memory.
- CVE-2016-4656: Kernel memory corruption leads to jailbreak – 32 and 64 bit iOS kernel-level vulnerabilities that allow the attacker to secretly jailbreak the device and install surveillance software – details in reference.
- CVE-2016-4657: Memory corruption in the webkit – A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link.
At this point, all the major phone makers are dependent on China in one way or another. Samsung is the only major phone maker left that still does the majority of its own assembly, and Samsung now outsources 20% of its phones to Chinese ODMs. All the significant phone ODMs and design houses (Wingtech, Huaquin, Longcheer, TINNO, Chino/OnTim, Haipai, Huiye, Ragentek and FIH Mobile) are Chinese companies. FIH Mobile, which is a subsidiary of Foxconn, is technically Taiwanese, but the majority of its workers and operations are in China. At this point, probably the only phones that have no Chinese labor or parts are Galaxy S-series, but a tiny phone maker like Purism can’t make half the parts in its phones like Samsung does. It is hard for small phone makers to avoid Shenzhen, since most of the mobile parts industry and design services are centered there.
The last that I heard, the L5USA was still shipping with the same Chinese-made BroadMobi BM818 modems used in the L5. Judging from what little I can find searching in source.puri.sm, it will probably be a while before Purism can offer the German-made PLS8 modems. Purism says that it will offer the PLS8 modem cards as an option that people can buy for the L5, although it will cost more than the BM818.
It’s worth pointing out that both the BM818 and PLS8 are using Qualcomm modems, (which were probably designed in California), and the BM818 chip was probably fabbed in Taiwan or S. Korea like most contracted fab work, although its M.2 card was likely assembled in China (probably not by BroadMobi, which appears to outsource its manufacturing).
If that were true, then we should be able to find many examples of that meddling, but there has been remarkably little evidence presented of hardware/firmware/driver tampering by the Chinese government. The best evidence that we have is the Bloomberg story about inserted spychips in Supermicro servers, and that was reportedly targeted for servers used by specific companies (Elemental, Apple, etc.). Serious questions have been raised about the credibility of the Bloomberg article, since pictures of the putative spychips were never produced, Supermicro continues to deny that it ever happened, and other news agencies have not been able to validate (or at least haven’t published anything to validate) the Bloomberg story. In contrast, we have multiple sources and news agencies which have corroborated that the NSA was intercepting Cisco routing equipment in the shipping to tamper with it so it could be used for spying.
The kind of surveillance that China does of its own citizens doesn’t require hardware/firmware/driver tampering, and the political risks to the CCP of tampering with hardware for export are very large, since solid evidence of this happening would cause many tech companies to pull out of China. Given the risk of losing millions of jobs and billions of dollars in exports, the CCP has a strong incentive to not meddle with hardware for export. Remember that the political power of the CCP is no longer based on Marxist ideology, but is now based on its ability to keep delivering jobs and economic growth for the Chinese people, and staying in power is its central aim. If the CCP were going to risk tampering with hardware for export, it has every reason to be very selective in who it targets, in order to limit the possibilities of getting caught.
Yes, the BM818 is a black box and it is possible that the CCP might order BroadMobi to alter it for spying or may have operatives inserting spychips in the assembly plant, but it strikes me as very risky for the CCP to target the L5, and I doubt that many high-value targets are using the phone which is only partly functional at this point. Of all the targets that the CCP could choose for conducting covert surveillance, it seems foolhardy for the CCP to select the one phone in the world with free/open source schematics and 100% FOSS drivers and software, which is made by a company which overtly opposes government surveillance (see Purism’s warrant canary) and is used by a community which is paranoid about surveillance and has tech skills to investigate it.