Transparency to discover surveillance


#1

Will the modem in the Librem 5 be transparent enough to signal paging attempts with no phone calls or messages afterwards (which are used to silently locate a mobile by the operator) to the userspace? I assume all SMS types will be delivered to the userspace and, for example, so called “silent SMS” can be monitored (and there are many, many more interesting types of SMS).

Are there thoughts on how to detect IMSI-catchers and similar attacks?

The same applies to all other wireless technologies in the phone and their typical use cases for surveillance.


#2

Yes, such location attempts by so called “silent SMS” must be detected and the user must be notified about them. This was already requested for the Ubuntu Touch devices.

matthias


#3

I do not talk about silent SMS alone (which can be signaled) but paging requests. Modern methods have not relied on silent SMS for a long time; it's a wonderful term used in the press but does not apply anymore. It is even more difficult to detect a paging which does not end in an action (this is what is mostly done).

A “silent SMS” is just an SMS with a type that is not displayed on the screen, but still an SMS. This can easily be monitored. There are many more SMS types (like WAP push, MMS, …) which just have to be shown by a phone (even if the spec says not to), which makes such features transparent.


#4

Can you please elaborate a bit more on which techniques are used nowadays by the governmental authorities or secret services to locate or track mobiles? Thanks.

At the end of the day perhaps the only thing we can do is completely shut down the device, or not even this would help as long as the battery stays connected…


#5

Speaking about 3G or 2G networks means talking about the SS7 network. There are some requests going through that network to determine the cell ID a mobile is currently registered to. Calls like PSI or ATI give you the cell information (which can be resolved to a geo location) or immediately the geo location you want to know. All this without SMS, calls, whatever.

The pain is: it may be old cell information, as the mobile does not keep a steady connection to the antenna/tower/cell. So you want to update this information. You ask the mobile to register to the nearest cell by either

  • issuing a phone call
  • sending an SMS

Both are noticed by the user, so you won't use calls. But SMS has the opportunity to send SMSs that aren't visible to the user (there are many more types that are not shown than the two that are shown. Still, these are ordinary SMS which are signaled to the user-space and can be shown by software that is concerned with privacy & transparency).

Much simpler is to pretend (from the network side) that you want to start a call or send an SMS. This is just the paging that takes place before you actually do so. You page the phone but then you don't do anything (like a call or SMS). This updates the cell information, is faster and solves your problem.

Ah, just for completeness: there are functions defined in the SUPL specification to locate a mobile. These are quite complex, need implementation in the mobile (btw: will Purism deliver SUPL?) and are seldom used for legal stuff. Finally another approach can be used: while ATI & PSI are realtime requests, you can do it the other way around (which is often done in crime investigations) and ask “who was registered to a specific cell at a specific time”. This can be done later when a crime investigation takes place. No way to detect that.

Sure, all-off is the only secure computer. My request is just about knowing when a location request could have happened by detecting weird things going on. Similar is the detection of an IMSI catcher by weird LAC changes - something that should be addressed, and easily could be, when the modem reports the cell information properly and in time into the user-space.
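The two detection heuristics this post asks the modem to make possible (pagings with no call or SMS afterwards, and LAC changes reported in time) can be implemented over a plain event log once the modem exposes it to user-space. The following is an added example written for this thread, not Purism's code nor the output of any real modem; the log format (timestamp, event name, optional key=value attributes) and the sample lines are constructed here, and the 10-second follow-up window and the 3-in-5-minutes burst threshold are assumptions a real tool would tune.

```python
# Added example: flag "empty" pagings and LAC changes in a constructed modem event log.
# Event format (assumption for this example): "<ISO timestamp> <EVENT> [key=value ...]"
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample, not captured from a network: two pagings that are followed by an
# SMS and a call, then four pagings with no follow-up, then a LAC change and return.
SAMPLE_LOG = """\
2019-03-01T10:00:00 CELL lac=0x1A2B cid=0x3C4D
2019-03-01T10:00:05 PAGING
2019-03-01T10:00:06 SMS_DELIVER
2019-03-01T10:05:00 PAGING
2019-03-01T10:05:02 CALL_SETUP
2019-03-01T10:12:00 PAGING
2019-03-01T10:12:45 PAGING
2019-03-01T10:13:30 PAGING
2019-03-01T10:14:15 PAGING
2019-03-01T10:14:20 CELL lac=0x7777 cid=0x0001
2019-03-01T10:20:00 CELL lac=0x1A2B cid=0x3C4D
"""

Event = Tuple[datetime, str, Dict[str, str]]
FOLLOW_UP = {"CALL_SETUP", "SMS_DELIVER"}   # actions that legitimately follow a paging


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *rest = line.split()
        attrs = dict(kv.split("=", 1) for kv in rest)
        events.append((datetime.fromisoformat(ts), kind, attrs))
    return events


def empty_pagings(events: List[Event], window: timedelta = timedelta(seconds=10)) -> List[datetime]:
    """Timestamps of PAGING events with no call or SMS within `window` afterwards."""
    empties = []
    for i, (ts, kind, _) in enumerate(events):
        if kind != "PAGING":
            continue
        followed = any(k in FOLLOW_UP and ts <= t2 <= ts + window
                       for t2, k, _ in events[i + 1:])
        if not followed:
            empties.append(ts)
    return empties


def paging_bursts(empties: List[datetime], threshold: int = 3,
                  span: timedelta = timedelta(minutes=5)) -> List[Tuple[datetime, int]]:
    """(start, count) for each run of at least `threshold` empty pagings inside `span`."""
    bursts, i = [], 0
    while i < len(empties):
        j = i
        while j < len(empties) and empties[j] - empties[i] <= span:
            j += 1
        if j - i >= threshold:
            bursts.append((empties[i], j - i))
            i = j          # skip past the run we just reported
        else:
            i += 1
    return bursts


def lac_changes(events: List[Event]) -> List[Tuple[datetime, str, str]]:
    """(time, old_lac, new_lac) whenever the serving LAC changes between CELL reports."""
    changes, prev = [], None
    for ts, kind, attrs in events:
        if kind != "CELL":
            continue
        lac = attrs["lac"]
        if prev is not None and lac != prev:
            changes.append((ts, prev, lac))
        prev = lac
    return changes


def report(text: str) -> dict:
    events = parse_log(text)
    empties = empty_pagings(events)
    return {"empty_pagings": len(empties),
            "bursts": paging_bursts(empties),
            "lac_changes": lac_changes(events)}


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(key, value)
```

On the sample log this reports four empty pagings, one burst of four starting at 10:12:00, and two LAC changes (to 0x7777 and back). A LAC change on its own is normal when moving; what a tool would present to the user is the combination with a stationary device or with a burst of empty pagings, which is exactly the information the modem has to pass to user-space for this to work at all.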


#6

To expand the previous post, the methods of locating an individual phone have various levels of speed and accuracy. The fastest one would be via an SS7 (the control and routing infrastructure between phone networks) request asking for the current subscriber information - which will contain the last known cell tower which a phone was associated with. It used to be possible to get this information about anyone from any other network; they started implementing firewall rules to block strange requests from outside their network after this came to light.

To confirm the current cell tower, that’s what the silent SMS (also known as type 0 SMS) is used for - the GSM specifications require a phone or other piece of user equipment to reply saying “yes, I received this” and to not tell the user.

To get a continuous fix, the so-called empty paging or silent call is used. That’s where something on the network tells your phone “I’m setting up a channel, expect a call”, but then doesn’t actually set up a call or transfer data. When your phone’s in this state, it’s constantly sending “hello network, I’m still here, I can take that call now” messages. These can then be used to locate your position with radio direction finding hardware.

Finally, there’s something called “radio resource location protocol” (RRLP), which is the network telling your phone “give me your current co-ordinates”. The response can take many forms (see https://portal.etsi.org/webapp/workprogram/Report_WorkItem.asp?WKI_ID=53851 for the gory impenetrable details), but it uses either GPS or time difference between message arrival broadcast from different cells. This is also done without any kind of user interaction, and is why I was worried about whether the modem would have a direct link to the GPS chip (a UART is present in some modems for directly providing AGPS data and also for this purpose).

The only way of reliably detecting these tracking attacks is to have access to the raw data right after demodulation and decryption (if applicable, for instance broadcast traffic isn’t encrypted) - you need the control traffic to identify empty pagings, abnormalities in the encryption procedure and “base stations” with a suspiciously high reselection offset.

It was discovered that you can get “monitor mode” on pretty much all Qualcomm modems, and there’s a piece of Android software called SnoopSnitch (https://opensource.srlabs.de/projects/snoopsnitch) which uses this to detect IMSI catchers and some tracking attempts. It used to be possible to activate monitor mode on Infineon (now Intel) modems (https://github.com/darshakframework/darshak/), but I was unable to achieve this from my admittedly crude method of trying to figure out how the debug AT commands worked on a newer modem (XMM7260, in an Asus Zenfone 2).

Sticking a QC-based modem in the phone would give us access to said monitor mode, but I’m almost certain that both they and Intel have signed firmware images, which rules out the future prospect of one day writing our own baseband code (for instance, by porting Osmocom and srsLTE). Mediatek modem firmware is odd - while it does have a “signature”, that signature is only over the header (https://comsecuris.com/blog/posts/path_of_least_resistance/) and the entire firmware image can theoretically be modified at will. Whether this is intentional or not (and therefore will remain modifiable in future) is unknown. Samsung’s modem firmware is now properly encrypted (https://comsecuris.com/blog/posts/shannon/), but I don’t think they sell standalone modems which aren’t built into an Exynos CPU anyway. I have no idea what Huawei’s homegrown modems (aka HiSilicon devices) are like. I don’t know of any other current cellular baseband manufacturers.
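The "type 0 SMS" this post describes, and the other SMS types mentioned in #3 and #5 that a phone is told not to display, are all visible in two header bytes of the SMS-DELIVER PDU: TP-PID (protocol identifier) and TP-DCS (data coding scheme). The parser below is an added example for this thread, not code from Purism or from any modem vendor; it follows the 3GPP TS 23.040 PDU layout, the four PDUs at the bottom are constructed for the example (no SMSC, sender +1234567890, dummy timestamp), and the GSM 7-bit unpacking maps only the basic letters, which is enough for the sample text.

```python
# Added example: parse an SMS-DELIVER PDU and report the header fields that make a
# message "silent" or otherwise hidden from the user. PDUs below are constructed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SmsDeliver:
    sender: str
    pid: int            # TP-PID, protocol identifier
    dcs: int            # TP-DCS, data coding scheme
    udhi: bool          # TP-UDHI, user data header present
    user_data: bytes
    text: Optional[str]


def _swap_nibbles(hexdigits: str) -> str:
    """Decode semi-octet digits ("2143" -> "1234"); a trailing 'F' is padding."""
    out = []
    for i in range(0, len(hexdigits), 2):
        out.append(hexdigits[i + 1])
        out.append(hexdigits[i])
    return "".join(out).rstrip("F")


def _unpack_7bit(data: bytes, septets: int) -> str:
    """Unpack GSM 7-bit septets (basic letters coincide with ASCII)."""
    bits = int.from_bytes(data, "little")
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(septets))


def _is_7bit(dcs: int) -> bool:
    group = dcs >> 4
    if group < 0x8:                 # general data coding / automatic deletion groups
        return (dcs >> 2) & 0x3 == 0
    if group == 0xF:                # data coding / message class group
        return dcs & 0x04 == 0
    return group in (0xC, 0xD)      # MWI groups C and D carry 7-bit text, E is UCS-2


def parse_deliver(pdu_hex: str) -> SmsDeliver:
    b = bytes.fromhex(pdu_hex)
    pos = 1 + b[0]                          # skip SMSC address (length byte + address)
    first = b[pos]; pos += 1
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER PDU")
    udhi = bool(first & 0x40)
    oa_digits, oa_toa = b[pos], b[pos + 1]; pos += 2
    oa_len = (oa_digits + 1) // 2
    sender = _swap_nibbles(b[pos:pos + oa_len].hex().upper()); pos += oa_len
    if oa_toa & 0x70 == 0x10:               # type of number: international
        sender = "+" + sender
    pid, dcs = b[pos], b[pos + 1]; pos += 2
    pos += 7                                # TP-SCTS timestamp, not needed here
    udl = b[pos]; pos += 1
    ud = b[pos:]
    text = _unpack_7bit(ud, udl) if (_is_7bit(dcs) and not udhi) else None
    return SmsDeliver(sender, pid, dcs, udhi, ud, text)


def hidden_flags(sms: SmsDeliver) -> List[str]:
    """Reasons a standards-following phone would not show this message to the user."""
    flags = []
    if sms.pid == 0x40:
        flags.append("TP-PID 0x40: Type 0 'silent' SMS (acknowledged, not displayed)")
    elif 0x41 <= sms.pid <= 0x47:
        flags.append(f"TP-PID 0x{sms.pid:02X}: replace short message type {sms.pid - 0x40}")
    elif sms.pid == 0x7F:
        flags.append("TP-PID 0x7F: (U)SIM data download")
    group = sms.dcs >> 4
    if group in (0xC, 0xD, 0xE):
        flags.append(f"TP-DCS 0x{sms.dcs:02X}: message waiting indication")
    elif group == 0xF or (group < 0x8 and sms.dcs & 0x10):
        msg_class = sms.dcs & 0x03
        if msg_class == 2:
            flags.append("TP-DCS: class 2 (stored on (U)SIM, not displayed)")
        elif msg_class == 0:
            flags.append("TP-DCS: class 0 (flash: shown once, not stored)")
    if sms.udhi:
        flags.append("TP-UDHI set: user data header present (port-addressed, e.g. WAP push)")
    return flags


# Constructed PDUs: no SMSC, sender +1234567890, dummy timestamp.
_HDR = "00" "04" "0A" "91" "2143658709"
_TS = "11101131522400"
PDU_NORMAL = _HDR + "00" "00" + _TS + "05" "E8329BFD06"   # 7-bit "hello"
PDU_TYPE0 = _HDR + "40" "00" + _TS + "00"                  # type 0 silent SMS, empty body
PDU_SIMDL = _HDR + "7F" "F6" + _TS + "02" "0102"           # class 2, 8-bit, SIM download
PDU_FLASH = _HDR + "00" "10" + _TS + "05" "E8329BFD06"    # class 0 flash message

if __name__ == "__main__":
    for name, pdu in [("normal", PDU_NORMAL), ("type0", PDU_TYPE0),
                      ("simdl", PDU_SIMDL), ("flash", PDU_FLASH)]:
        sms = parse_deliver(pdu)
        print(name, sms.sender, repr(sms.text), hidden_flags(sms))
```

The point of the classifier is the one made in #3 and #5: a type 0 message is still an ordinary SMS-DELIVER that the modem hands up the stack, so a user-space messaging daemon that sees the PDU (rather than only a pre-filtered "text message" event) can log and show it regardless of what the specification says about display.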


#7

Hi all,

Would it be legal to build an application / hardware detection of this, or would we need to build this on our own for our mobiles?

If this is legal, are there already alternatives for existing mobiles (Android, etc.), or why don’t they have countermeasures? Or is it because they have the baseband integrated on the processor (which this project is explicitly not doing)?

Kind regards
Max


#8

I find it very disturbing that people wonder if it is legal for the device to report to the user all communications that are coming through it.


#10

I hope I will never be in one of your routers’ networks :wink:

I think this question should definitely be clarified before taking illegal actions from Puri.sm’s side. Don’t get me wrong, there should be something in that way, but in case detecting legal government spying is illegal (and I think if you live in this world and have followed the news in the past twenty years, it’s not that far fetched that it could be), this should be provided in some grey area, so that Puri.sm won’t have to close doors because of this. (Maybe by only providing sources that we can compile ourselves, or that you have to enter some root mode…)

The idealistic “fight” against all this has to be fought by us, not by puri.sm.


#11

Service providers are quite a different story, not applicable to this topic. In any case, from my - end user - point of view, it’s either encrypted end-to-end, or effectively public.


#12

As far as I know, the paging has to poll; there is no mode to tell the modem to steadily say “I’m here”.

Good to know that licenses are incredibly expensive and operators have to pay for each optional feature they use. Most operators did not pay for RRLP.

Yes, this link could be used for SUPL as well to provide satellite data for the GPS via a network link (faster than downloading from the sat) and should not make it into the Librem 5.

It’s more the timing advance parameter used for the radio which denotes the distance to the tower. If the mobile sees more than one cell/tower the position can be enhanced by trilateration (not triangulation).


#13

“Legal” isn’t the right word; it’s more whether the phone gets approval to be allowed to be used in the network. There are stringent regulations and breaking one means you can’t put it on the market.

For example, mobiles have to be able to place an emergency call. Always. No exceptions (but an empty battery). If they fail to do so you won’t get approval for that particular mobile. There are long, long testing flows that must succeed until you are allowed to switch on your phone and register to the network. :wink:

And yes, I am curious about the Librem 5 regarding that.


#14

That’s why I stated “If it is legal for the device to report to the user
I’m aware that non-standard actions taken by the phone can break homologation rules. But logging everything your phone receives and sends (where logging is done by the phone itself, of course) - this is no business of anyone but the end user. It might be technically impractical, but making it illegal would be outrageous.

What the user makes with such logs (recorded calls being part of the logs, for example) - is a subject for yet another long story.


#15

This is our opinion, sure! :smiley: Others may judge differently (and be sure: operators do :confused: ).


#16

The Librem 5 will probably allow logging of all the phone network related operations it performs.

What could a regulator or operator do against Purism if a privacy-conscious user developed an app to parse those logs and warn the end user in case something suspicious happens :slight_smile: ?


#17

Interesting. I did not know this. Who’d have thought that greed would end up helping the end user…


#18

Thanks for the detailed info!
It would be nice to have a “SS7 firewall” on Librems!

Fuck “legal govt spying”, but I see your valid point. Does the Librem 5 have to be sold as “a mobile phone”? How about a “HW enthusiast kit” that just so happens to look like a phone. Connecting it to the cell network may be illegal, but that would be the user’s decision.


#19

OK, there are always scenarios you could make up, like the NSA hacking into the network, controlling the components, knowing how to enable blocked features and finally locating customers, but that sounds like a conspiracy theory, right?

OK, we named it as such until Edward told us it’s happening…


#20

Perhaps not even that. I don’t know the capabilities of the interception hardware which gets stuffed into pretty much every phone network, but I doubt that the manufacturers of this hardware would have stuck in a hard one-way information filter so that you can read from but never write to the network - that would just make things more expensive. And since these location requests, paging notifications, invisible SMS messages and whatever are nothing more than packets on a network, I don’t imagine that they’d have much difficulty in crafting something appropriate and inserting it using their already existing interfaces.


#21

It is not always and not only the NSA … just 3 short examples: Look at Spain and the Catalonian Movement - not that I agree with the Catalonian Movement, but what a democratic Spanish government is doing there IT-wise, starting from manipulating DNS entries, mobile phone surveillance, taking influence on the local mobile phone net providers, and … and … and, is not what I consider democratic countermeasures … or Turkey and their journalists … Ukraine (with the SMS receiving of “You were identified as a participant of a Demonstration”) - I think “Edward” was just the wake up call.
Too many things already became real and are not just a conspiracy theory anymore - unfortunately. And too many times already, my laughter about the Alu hats was stuck in my throat afterwards. So whatever is possible: hardware switches, SS7 firewall, SnoopSnitch / AIMSICD, separated baseband and application processor - whatever turns the spybug in your pocket into your device … Purism, please be so kind and do it!