Phone Hijacking Librem 5 Possible?

I am a new potential buyer interested in a secure Librem 5 phone.

I’ve heard conflicting stories vs Unix phone types. Currently no smartphone secure from this type of attack?

Hello!

Can you explain a bit more what you mean, what kind of attack are you thinking about?

Something along these lines.

I know some people complained it to be done from a link sent to the phone.

It involves complete access to features on your phone. Including complete phone use, such as sending messages, etc.

SIM swapping is more a vulnerability at the carrier level than the phone hardware or software level. An attacker convinces a cellular carrier they are a particular customer who got a new phone, and they are able to get them to move an existing number over to a new SIM. From there they can receive SMS and calls to that number and they often use that access to bypass 2FA that happens over SMS.

Many cellular carriers put additional authentication steps and other safeguards in place these days to try to defend against this, but all it takes is an attacker who is good at social engineering to convince the right customer support employee.


Missed opportunity to praise AweSIM :stuck_out_tongue_winking_eye:


In addition to the above, SIM swapping does not involve someone taking control of your phone. It involves someone taking control of your phone number.

The implications of that may be zero or may be significant.

For example, if you aren’t using your phone number for 2FA and you haven’t given your mobile phone number to companies that you deal with then the implications may be zero or negligible. (I prefer not to give my mobile phone number to companies simply because I know they will spam me forever if I do. :frowning_face:)

If your mobile phone number is used for 2FA, it is still only one half of the puzzle. The criminal still has to know your password. Or the criminal still has to use social engineering, or otherwise, to get a password reset done via SMS. So the functionality offered by a completely different company (e.g. your bank, as distinct from your cellular provider) is also part of the picture.

Because SMS has limited security, I take a dim view of any company that is using SMS for security purposes. More sophisticated companies will do 2FA via an authentication app, and the app has to complete successful registration before it can be used the first time, giving e.g. your bank, additional opportunities to detect and stop the attempted fraud (since the phone number hijacked onto a new phone in no way gives access to the apps that are on the old phone [1]).

[1] Well unless you use a spiPhone, back it up to spiCloud, and the criminal can social engineer, or otherwise, his way through Apple - and even then the implementation of the authentication app may hinder that fraud from working. But I wouldn’t recommend backing up using that mechanism anyway.


Thank you for clarifying. I had the impression that the weakest part is the service in terms of tracking location, but tried to see if a hardened phone and encryption could make up for that weakness.

The phone in question had the complete function takeover.

My interest in Librem 5 is for the obvious preventing privacy abuses from Android/iOS but also in hopes to see if I could remedy the security problem from a simple switch.

Going on a tangent for a moment: could you describe the process of the SMS 2FA that is used by company or companies where you are? Here, I have an example that uses SMS to relay a number that is insignificant if caught, altered or blocked because it’s only an index number on a separate physical printed list of codes (as in, the number tells which code to use to verify). I bring this up, as SMS 2FA has been used to send the code itself, which is the unsafest option I’d imagine you are referring to, but there is this other variant that is less susceptible (as an additional physical item is needed) to attacks - although can be made unusable if messages are not getting through (which is different). I’m curious if there are other variations, if someone has come up with more mitigation options (or worse versions) to use SMS.
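The indexed code list described in the post above, sketched as an added example that is not part of the original thread and not any bank's real system. The class and method names, the six-digit code format and the 300-second challenge lifetime are assumptions; the point is that the SMS body carries only an index, so reading the message does not reveal the code.

```python
import hmac
import secrets
import time


class IndexedCodeList:
    """Hypothetical server side of an SMS-indexed printed code list."""

    def __init__(self, size=20, ttl=300, clock=time.monotonic):
        # Assumed format: six-digit codes, printed and delivered out of band.
        self.codes = {i: f"{secrets.randbelow(10**6):06d}"
                      for i in range(1, size + 1)}
        self.used = set()      # indexes that have already been answered
        self.pending = None    # (index, expiry) of the open challenge
        self.ttl = ttl
        self.clock = clock

    def printed_sheet(self):
        """The customer's paper copy; never travels over SMS."""
        return dict(self.codes)

    def challenge(self):
        """Pick an unused index and return the SMS body that carries it."""
        unused = [i for i in self.codes if i not in self.used]
        if not unused:
            raise RuntimeError("code list exhausted; issue a new sheet")
        index = secrets.choice(unused)
        self.pending = (index, self.clock() + self.ttl)
        return f"Use code number {index}"

    def verify(self, response):
        """Check one answer; every challenge allows a single attempt."""
        if self.pending is None:
            return False
        index, expiry = self.pending
        self.pending = None
        if self.clock() > expiry:
            return False
        self.used.add(index)   # burn the index whether or not the answer is right
        return hmac.compare_digest(self.codes[index].encode(), response.encode())


if __name__ == "__main__":
    server = IndexedCodeList(size=5)
    sheet = server.printed_sheet()
    sms = server.challenge()              # what an interceptor would see
    index = int(sms.rsplit(" ", 1)[1])
    print(sms, "->", server.verify(sheet[index]))
```
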

Ordinarily, I hate Google and avoid it. But I do use Google Voice. No one that knows me even knows my phone’s real number as I don’t give that number to anyone. I don’t use it anywhere except in my Google voice settings of where to forward my calls to my actual phone’s number, from my known Google Voice number that I ported to Google Voice from my old Verizon account. I use the Google Voice app to make my calls and do text messaging instead of the phone’s actual number. I use an MVNO for cell service, and only maintain a personal e-mail address for when I ask someone to send something to me or I send them something. But 99% of my e-mails never get read as I use only text messaging most of the time. I don’t answer calls from anyone who is not in my address book and tell everyone in my outgoing phone message not to leave me a voice mail because as I tell them, I won’t ever receive it because I never check my voice mail. In my outgoing voice mail, I tell everyone who calls me except for those in my address book, to text me and to include what they are trying to reach me about in the text message. Google voice routes the calls from everyone in my address book to a different and more inviting message from me than everyone else gets. It tells them that I usually will answer my calls when I can, and tells them that I will call them back. I call them back from my missed calls log and still never check voice mail. You can build walls around yourself and let only your friends in. To me, this feels like the safest security. Telemarketers and junk e-mailers hit a wall whereas my friends get right through to me. Scammers will never be able to untangle the obstacles I set out for them.

I asked my bank if they will offer an app for the L5 but you know how these things usually go … they only have a general contact@name-dot-domain and nothing dedicated for such things … banks usually prefer to support ONLY the big-tech duopoly when it comes to apps on ‘smartphones’

For SMS authentication on my mobile phone with my banking website I have to enter my user-name and password (more like a PIN really, since it’s only allowed to be 5 digits maximum) and once I’m ‘in’ I get sent a new 6 digit code with a new SMS and after I enter that then I have to enter the 5 digit PIN again and then it’s done.

My bank will also send me my one-time verifications to my @librem.one email. (It is a radio button at log in time, I have to choose it.)

The annoying part is, librem mail has been having recent IMAP outages. I have to make sure librem mail is up before I choose it.

Yes, this. (The required code is sent as the content of the SMS itself and the SMS content of course passes unencrypted through the systems of one or more unrelated companies, so certainly not meeting the highest standards of robust security. Plus anyone who can successfully hijack your phone number can defeat this 2FA on the phone half of the authentication.)

To be honest I haven’t encountered any companies using SMS for 2FA but using the content of the SMS in some indirect way. Bear in mind that the scheme has to be usable for the average not very bright customer. So an index into a codebook probably doesn’t fly - and that sounds more like secret agent than customer. :wink:

Yes, I expect that you will be running the Android version of the app under Anbox, and hoping that Anbox is adequately able to tame the app.

Run your own SMTP/IMAP(or POP) servers (only needs very limited functionality) on your home server. :wink:

I need to keep in sync some t-bird folders between a laptop and a bigger computer. I have most, (some 20 years of emails) on local folders. About a half dozen other folders that I access frequently on IMAP. (That may change soon as I retire in a month. I won’t need to keep two computers in sync between home and work.)

Can you remind me how to set up a file server again? I just got comfortable with Remmina and VNC. Now I need to work with Samba I guess. Last time I tried I got lost in the etc/password stuff.

Best to take that to a separate topic.

OK later, good idea but it is bedtime now.

Done by a bank around here. Because it’s the easiest way for grannies (who do not use smart devices - or know not to trust them). Being a granny does not exclude 00-status (I mean, who would suspect them) :smiley:

It’s become a regular that bank info is being inquired over the phone by scammers from the elderly. The Microsoft tech support version requesting remote access may be the latest. 2FA helps there too.


Regarding the SMS message with a one-time code the bank sends you when logging in, it does occur to me that someone has to be actively targeting you to intercept it and log in using your same credentials during the 300 seconds that code is active.

(Not to JR-FI specifically, just using the reply button at the bottom of the thread.)