An interesting article, but I can't comment on its accuracy.
Linux Phones | Madaidan's Insecurities - 6-Mar-2022
Linux phones, such as the Librem 5 or Pinephone, are a major degradation from traditional mobile operating systems, such as Android or iOS. A few of the points in this article do apply to the Librem 5 specifically, but the majority applies to any Linux phone unless specified otherwise.
Linux phones lack any significant security model, and the points from the Linux article apply to Linux phones fully. There is not yet a single Linux phone with a sane security model.
Privacy Implications of Accelerometer Data: A Review of Possible Inferences
Accelerometers are sensors for measuring acceleration forces. They can be found embedded in many types of mobile devices, including tablet PCs, smartphones, and smartwatches. Some common uses of built-in accelerometers are automatic image stabilization, device orientation detection, and shake detection. In contrast to sensors like microphones and cameras, accelerometers are widely regarded as not privacy-intrusive. This sentiment is reflected in protection policies of current mobile operating systems, where third-party apps can access accelerometer data without requiring security permission. It has been shown in experiments, however, that seemingly innocuous sensors can be used as a side channel to infer highly sensitive information about people in their vicinity. Drawing from existing literature, we found that accelerometer data alone may be sufficient to obtain information about a device holder’s location, activities, health condition, body features, gender, age, personality traits, and emotional state. Acceleration signals can even be used to uniquely identify a person based on biometric movement patterns and to reconstruct sequences of text entered into a device, including passwords. In the light of these possible inferences, we suggest that accelerometers should urgently be re-evaluated in terms of their privacy implications, along with corresponding adjustments to sensor protection mechanisms.
Gyrophone: Recognizing Speech From Gyroscope Signals
We show that the MEMS gyroscopes found on modern smart phones are sufficiently sensitive to measure acoustic signals in the vicinity of the phone. The resulting signals contain only very low frequency information (<200Hz). Nevertheless we show, using signal processing and machine learning, that this information is sufficient to identify speaker information and even parse speech. Since iOS and Android require no special permissions to access the gyro, our results show that apps and active web content that cannot access the microphone can nevertheless eavesdrop on speech in the vicinity of the phone.
8 thoughts on “Comparing security of Linux phones, such as the Librem 5 and Pinephone, with Android/iOS”
The guy from the first article either is or only acts as an anti-privacy shill. Instead of appreciating hardware kill switches and maybe suggesting improvements, he goes on to claim microphone kill switch is “USELESS” because you can get “audio” from gyroscope or accelerometer, implicitly suggesting to keep using unsecured microphones.
One possible solution would be to replace gyroscope and accelerometer with an orientation sensor which doesn’t leak data. Another solution is to just dump the sensors. If not for phone orientation detection, most people wouldn’t notice that they’re missing anyway.
i agree that he went overboard with the mic kill switch being useless – the studies he linked to don’t completely support that
you mentioned some options and i’ll mention another: quit using them – i barely miss mine
It’s possible to live without one, but it’s also very useful to have a portable computer that can replace many devices that you would otherwise have to buy as separate gadgets like navigation, music player, alarm clock etc. It can also act as a graphical user interface for other devices. Imagine having electricity usage monitoring device and trying to display a usage graph on a built-in black and white 100×20 pixel screen. We don’t need to throw out the baby with the bath water here.
I was looking for a phone myself recently and found a company (shiftphones.com) making smartphones that are easy to repair – they even include a screwdriver in the package! One option I have in mind is to take it apart and remove/destroy the sensors I don’t want. The downside is that to be able to install LineageOS I’d have to buy a model that is twice as expensive as their cheaper option. Another option I was looking at is the Pinephone, which doesn’t support Android apps and, according to reviews, barely works in general, unless you’re into using command line on a smartphone :D
i agree mobiles are useful – they made them that way so everyone would want one – a lot of people seem to use mobile only and i find that pretty sad – you can’t do real research on a dinky screen and i’m sure that suits the powers that be just fine
for the SHIFT5me they added a strange note: “[…] but in some countries with FCC or other certifications (USA, South America, …) problems with the mobile phone provider can arise after a few months.”
do you know what that means?
i’m also curious about what they mean by “repairable” and “modular” – aren’t most phones repairable (though a few semi-special tools may be needed to disassemble the thing)?
> problems with the mobile phone provider can arise after a few months
No idea, but I’d assume it has something to do with GSM standards or their implementation on either side. I guess it’d be best to email them and ask.
> aren’t most phones repairable (though a few semi-special tools may be needed to disassemble the thing)?
You must be kidding :D Judging by the phones, it appears that the manufacturers have forgotten that screws exist. Everything is glued together, it takes a lot of time and effort to get to the components and it’s not that hard to break something in the process. This increases repair costs and makes it only worth repairing a phone if you bought an overpriced one in the first place. See https://www.ifixit.com/smartphone-repairability
hey Simon – i’d like to invite you to join our Mumble chats – i think you have a lot to offer – details here
Thanks, I’ll join next week or whenever you have one scheduled. It’d be useful to have a separate post where you would add a comment every time there’s a chat planned so I could subscribe to RSS comments feed of that post.
subscribe to https://12bytes.org/category/12bytes-website/feed/
looking forward to talking with you