ollieparanoid | 4 years ago
I'm involved in postmarketOS, one of the Linux phone distributions the article talks about. Also a heavy Qubes OS user and previously user of a certain hardened android project on the nexus 5x while strcat was still involved in it.
I think it's quite simple:
* if you are a more casual user with strong security and privacy needs, then the Linux phone distros are not there yet. Use something else.
* if you are a Linux enthusiast/developer/hacker who is interested in getting away from Google and Apple ecosystems, consider getting involved in one of these Linux phone projects and helping out there.
This should not be seen as competition, it's all free and open source software. Android hardening projects focus on delivering a reasonable solution today while Linux phone projects focus on getting something truly independent in the long run.
fouric | 4 years ago
> the Linux phone distros are not there yet
Is there any indication that Linux is going to catch up to Android/iOS in terms of security?
From my perspective, not only has Linux userspace security barely improved at all over the past few decades (almost all programs run as the user with all of their privileges, no sandboxing, barely any permission/access control to speak of (and yes, I know that there are some projects that aim to fix this, but they're all woefully immature and barely adopted)), but the Unix philosophy itself seems opposed to these security measures. Am I just being overly pessimistic?
goodpoint | 4 years ago
Citation needed. Android does plenty of homecalling and also a lot of phones came preloaded with bloatware with tracking functions.
You have to provide some justification to claim that a Linux phone protects users' privacy less than Android.
aborsy | 4 years ago
But Linux based phones might be better in terms of privacy and data collection en masse, and giving back to society via open source software and hardware.
Large firms offer platforms that are secure against anyone other than themselves (and their partners, such as states).
Google tracks and collects huge data through various channels, and Apple scans your information in your own device (and its operating system is even closed source and cannot be verified). Their platforms might be incrementally more secure against advanced expensive attacks, e.g., targeted attacks performed by a company such as NSO.
If you are an average user, do you worry more about maximizing the security or major privacy concerns, namely: automatic mass data collection, tracking and profiling by governments and those in power, or fancy attacks targeted to you?
boopmaster | 4 years ago
I was overseas recently checking out the Huawei Harmony OS devices and did stop to consider that while the Chinese could be spying on me with their distribution, they'd totally lack authority over me and may be less inclined to provide account details as Google will do for location based dragnet requests.
AnonHP | 4 years ago
> Apple scans your information in your own device (and its operating system is even closed source and cannot be verified).
Open source may be better in certain ways, but a statement that closed source cannot be verified as to what it's doing is narrow and incomplete. Android's key parts are also closed source (there's a lot more in "Android" than AOSP).
kop316 | 4 years ago
- The article confuses FireWire and USB in the last paragraph. USB, to my knowledge, doesn't do DMA, while FireWire does. (USB-C can if it has thunderbolt, but Linux phones don't have thunderbolt). The article then references this link for why USB is bad: https://madaidans-insecurities.github.io/linux.html (here's an archived link: https://web.archive.org/web/20210903200926/https://madaidans... )
But a ctrl+f "USB" comes out empty.
- While the accelerometer hack is theoretically possible, it's practically infeasible, EVEN if the accelerometer takes measurements above 4 KHz (being extremely generous here, you probably really want close to 8-10 KHz). But you need that high of a sampling rate to overcome Nyquist. Accelerometers are much closer to 100-500 Hz, so Nyquist will tell you that theoretically, you can only recover audio data below 250 Hz.
I'm all for discussing security tradeoffs with Linux Phones vs Android vs iOS, but seeing those two issues alone makes me question the other claims that I don't have knowledge about.
Edit: For a paper on using an accelerometer as a microphone:
https://crypto.stanford.edu/gyrophone/files/gyromic.pdf
So on this paper looking at it, the experiment is done where the speakers are at 75 dB and the phone is one foot away (See Section 3.4). 75 dB looks to be about as loud as a vacuum cleaner. The phone is also completely still, so there is no other data that is being recorded besides (very loud) audio.
foxfluff | 4 years ago
Following the leads, DOI:10.1145/2742647.2742658 says the accelerometer in Apple iPhone 6, Google Nexus 5 and Samsung Galaxy S5 supports 4kHz sampling. However, the OS limits it to 200Hz to conserve power. Googling around, it appears there are accelerometers with much higher bandwidths.
Here's what 8 bps mono speech at 4kHz sounds like: https://vocaroo.com/102J6NRULedu (download link: http://fpaste.dy.fi/oyU/dl)
Sounds pretty good. At 2kHz it gets a bit hard to listen to but I can still understand a fair proportion of it. I imagine it shouldn't be too hard to come up with an algorithm (or neural net) to resynthesize the higher frequencies and make it easier to understand.
2kHz sample: https://vocaroo.com/18F3LkYrsPNQ (download: http://fpaste.dy.fi/rvy/dl)
(Obviously these are not accelerometer recordings, just normal microphone recordings downsampled with sox)
I agree it's a bit of a silly complaint though. I see it a lot in security circles: if some feature doesn't give you perfect protection against all possible attacks, it's a problem. At the same time, the same people advocate mitigations and techniques that only apply to certain attacks. It's as if there's no silver bullet, but it's a damn shame if you deploy something that isn't a silver bullet!
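An added illustration of the Nyquist point argued in the two comments above (this is editor-added code, not from the thread or the paper): a constructed four-tone stand-in for speech is sampled at the 200 Hz rate the OS imposes, at the sensor's 4 kHz, and at 8 kHz, and a naive DFT shows what each stream actually contains. The tone frequencies, the 0.1 s window and the detection threshold are my own choices, picked so every tone lands on an exact DFT bin.

```python
"""Why a 100-500 Hz accelerometer stream cannot carry speech: a Nyquist demo.

Constructed signal: four unit-amplitude tones standing in for a voiced
fundamental plus formant-like bands. Nothing here is measured sensor data.
"""
import cmath
import math

SPEECH_TONES_HZ = (120.0, 460.0, 1580.0, 3040.0)   # constructed; all on 10 Hz bins
DURATION_S = 0.1                                   # gives 10 Hz DFT resolution


def alias_frequency(f_hz, rate_hz):
    """Frequency at which a tone at f_hz shows up after sampling at rate_hz:
    folded into the Nyquist band 0..rate_hz/2."""
    r = math.fmod(f_hz, rate_hz)
    return r if r <= rate_hz / 2 else rate_hz - r


def sample_tones(tones_hz, rate_hz, duration_s=DURATION_S):
    """Raw samples of the summed tones with no anti-alias filter, which is
    what a sensor polled at rate_hz delivers."""
    n = round(rate_hz * duration_s)
    return [sum(math.sin(2 * math.pi * f * k / rate_hz) for f in tones_hz)
            for k in range(n)]


def dominant_frequencies(samples, rate_hz, threshold=0.5):
    """Naive O(n^2) DFT over the Nyquist band; returns the bin frequencies whose
    normalised magnitude exceeds threshold (1.0 = one full unit-amplitude tone)."""
    n = len(samples)
    found = []
    for b in range(n // 2 + 1):
        acc = sum(s * cmath.exp(-2j * math.pi * b * k / n)
                  for k, s in enumerate(samples))
        if 2 * abs(acc) / n > threshold:
            found.append(b * rate_hz / n)
    return found


def recovered_versus_true(rate_hz, tones_hz=SPEECH_TONES_HZ):
    """Return (frequencies present in the sampled stream, tones that survive
    unaliased). At 200 Hz nothing survives: every band folds to a wrong
    sub-100 Hz frequency, so the stream is not a usable recording."""
    seen = dominant_frequencies(sample_tones(tones_hz, rate_hz), rate_hz)
    intact = [f for f in tones_hz if f <= rate_hz / 2]
    return seen, intact


if __name__ == "__main__":
    for rate in (200.0, 4000.0, 8000.0):
        seen, intact = recovered_versus_true(rate)
        print(f"{rate:6.0f} Hz sampling: seen {seen}, intact {intact}")
```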
concinds | 4 years ago
> The article confuses FireWire and USB in the last paragraph.
I believe he's not; the paragraph about USB and the one about FireWire are separate ones. And his point that kernel isolation of the modem is flawed because of properties of the Linux kernel seems accurate, though I don't have the expertise to confirm that (you'd need to ctrl+f "kernel", not "USB", since the point is a general one).
incrudible | 4 years ago
Sure, if you measure security by the amount of buzzwords that were deployed, these phones don't look that great.
In practice, these phones are more secure because nobody will bother to target this vanishingly small installed base - except for a highly targeted attack, in which case Android probably isn't going to protect you any better either.
nsajko | 4 years ago
This is a veiled attack on user freedom itself. The article is based on the idea that software isn't free and doesn't give controls to the user that the user should rightfully have as the device owner.
When it talks about security models and "modern security features", it assumes that the running software utilities aren't trusted.
One interesting point is the firmware being difficult to update. I guess that that could hypothetically become an issue if the firmware were open-sourced or reversed, but still it seems like a reasonable decision once you realize that firmware updates can introduce new bugs/vulnerabilities.
kaba0 | 4 years ago
As opposed to having only old bugs and vulns…
seba_dos1 | 4 years ago
It's not true though, the firmwares aren't difficult or impossible to update on these phones. It's a common myth that's often being repeated just because PureOS does not include non-free firmware updates in its repositories.
reuqwajhae | 4 years ago
Author rails against separating the modem, claiming iommu is sufficient (yeah, google qualcomm iommu cve, you'll find plenty of fun to be had). Then goes on claiming that chips connected by usb 2.0 (a protocol explicitly used because it doesn't have rdma) might be vulnerable to some rdma attack.... because firewire exists?
They rail against being unable to swap out "the firmware", while failing to mention that "the firmware" in question is nothing more than the ddr4 memory training blob.
marcodiego | 4 years ago
Yeah. Exploit mitigations or access controls can improve security in various circumstances, but they are not synonymous with security, and there are circumstances where such security features are just dead weight. Real security is more complicated than just a checklist of features.
foxfluff | 4 years ago
concinds | 4 years ago
I thought this was important to post here, given the amount of people that claim to have switched to Linux Phones after Apple's CSAM debacle. The author recommends using mainstream iOS/Android or GrapheneOS on Pixel Phones. Here's his overview of Android security: https://madaidans-insecurities.github.io/android.html
I also slightly editorialized the title, since it is extremely non-descriptive of article contents.
realusername | 4 years ago
It always depends on your definition of security. I'm personally prevented from checking those claims on Android so I trust it much less than my Linux laptop, despite whatever Google could claim. Additionally, who knows what's really running in userland in Android...
piaste | 4 years ago
While everything the author writes makes sense to me, I think the kind of security threats he focuses on aren't the main concern for most people.
What % of Android devices have their bootloader unlocked or root enabled? Or have the ability to enable signature spoofing for MicroG? I doubt that malware targeting such weaknesses would be economically profitable to develop, considering also that the typical hardcore user is less likely to just install random Play Store or unverified APKs.
This seems a list of security weaknesses against _targeted_ attacks - the inclusion of "evil maid" attacks is exemplary. If somebody gains physical access to my phone, by far the greatest risk to me is that they will steal it and immediately wipe it, not that they will install bootloader malware and put it back.
So yeah, if you're e.g. a professional user and might be the target of industrial espionage, follow the author's advice to the T (going with GrapheneOS or not depends on whether your company trusts Google with your business data). Graphene > Google > Lineage > Linux. If you just don't want to have your personal data tracked by Google and want better control over the apps you install, Graphene > Lineage > Linux > Google.
jiggunjer | 4 years ago
zepto | 4 years ago
If any significant number of people had switched, we'd have seen announcements by Purism and Pine.
padraic7a | 4 years ago
PureOS, and the Librem phone get a lot of coverage but they aren't the totality of Linux phones.
As I understand it Ubuntu Touch, which is the most mature Linux phone OS, does have app sandboxing.
This blog post might be a little out of date but is hopefully useful; https://ubports.com/blog/ubports-news-1/post/ubuntu-touch-sa...
jiggunjer | 4 years ago
tommek4077 | 4 years ago
What crap. Secure boot is a straw man for "locked down" phone. In this view it is insecure to be free to use any software you like. And this article on a hacker site. BS.
gruez | 4 years ago
> In this view it is insecure to be free to use any software you like.
How is this "BS"? If you can replace the software to whatever you like, so can the baddies. Readers of a "hacker site" (you do realize the "hacker" in hn refers to hackathons rather than bad guys breaking into servers?) might accept this trade-off, but it still means it's less secure.
foxfluff | 4 years ago
jiggunjer | 4 years ago
Security is only one of many factors people consider when purchasing a phone.
That said, the author isn't very convincing when he mentions trivial stuff like verified boot. My takeaway is that Linux (or PureOS) has some issues but Android still has more closed source.
lvass | 4 years ago
The only remotely sane points are about UX and the fact these GNU/Linux systems allow users to do stupid things if they want to.
Running software from your distro's repos? That's safe, I mean, how could you use a system and not trust the people who make it? The only alternative here is writing your own OS (analyzing everything is much harder than that).
Running something else? Firejail is really simple to use. Sometimes flatpak or docker can get you covered (just don't assume it's safe by default). You can always use SELinux if you have to.
You can't prove linux-libre is less safe than a slightly more recent non-libre, and it'd be surprising if that were the case.
Not having kill switches isn't better than having them.
The rest either have been considered acceptable in the safety-paranoid Linux community for years or are absurd. Claiming something like DMA is possible from the isolated modem is a VERY strong claim presented with zero evidence.
kaba0 | 4 years ago
An important distinction to make: open-source software has a high chance of not being malicious. It doesn't make them safe, especially with the overwhelming majority of them being C all the way down. A single bug (of which they are not absent at all) can introduce security implications depending on their use case. E.g. a firefox bug can easily make your device run untrusted code without any other remaining defense on your device.
So open-source is orthogonal to security.
xt00 | 4 years ago
The author's suggestion to "install android" as a way to fix the security on these Linux phones obviously misses the point. People want a phone where they can do whatever they want with it.
goodpoint | 4 years ago
claudiojulio | 4 years ago
Wowfunhappy | 4 years ago
ape4 | 4 years ago
ptx | 4 years ago
The usefulness of this approach depends, I think, on whether the apps are actively working against the user's interests and need to be treated as hostile entities.
Putting "ls" in a sandbox would make it much less useful and doesn't provide much benefit. On the other hand, the .NET Core CLI utilities, which collect telemetry on Microsoft's behalf, would benefit from sandboxing.
goodpoint | 4 years ago
xlaacid | 4 years ago
While most of this article can be argued to be true, they missed a key point of early adoption of Linux phones: privacy. They forgot to mention how both iOS/Android are less private than the Linux phone. Also, they should have delineated between security, privacy, and anonymity to be clear on what point they were trying to make. Poorly written at best.
D13Fd | 4 years ago
I would be surprised by any other result. Android/iOS phones are used by millions of users and backed by huge companies with the resources and strong motivation to make the phones secure. Of course they are going to have fewer vulnerabilities than a niche open-source OS with far fewer resources behind it.
Kenji | 4 years ago
That's complete bullshit propaganda and you know it. Remember how the govt simply pushed Covid surveillance apps to Android users without their consent? Yeah, try that on a bare Linux phone.
goodpoint | 4 years ago
zepto | 4 years ago
temptemptemp111 | 4 years ago
[deleted]