Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

>The best place to siphon data in 2019? Your phone.

But can't you reverse engineer your phone and see what it's doing? And can't you monitor the network data it's sending? With a backdoor in long haul transport gear, academics, researchers, random hackers, watchdog groups, journalists, competitors, etc, don't have the ability to monitor for bad behavior.



AFAIK nobody has reverse-engineered even parts of the radio-firmware, the separate OS which has memory access to your other OS. Linux/Android/Iphones OS, is really just a guest, a side-show to what the radio-firmware can and is doing, ie spying.


This is not true anymore. Some android phones (samsung, google), have DMA disabled and modern iphones (around 2016?) use USB or SDIO without DMA.

I honestly believe that the theoretical DMA backdoor attack (and most other similar attacks) have been mitigated thoroughly. I am much more concerned about secretly held 0days (RCE) and most concerned about warrantless orders against cloud storage.

https://www.apple.com/business/site/docs/iOS_Security_Guide.... p41


> without DMA [...] 0days (RCE) > https://www.apple.com/business/site/docs/iOS_Security_Guide.... p41

Are you citing "To protect the device from vulnerabilities in network processor firmware, network interfaces including Wi-Fi and baseband have limited access to application processor memory. When USB or SDIO is used to interface with the network processor, the network processor can’t initiate Direct Memory Access (DMA) transactions to the application processor. When PCIe is used, each network processor is on its own isolated PCIe bus. An IOMMU on each PCIe bus limits the network processor’s DMA access to pages of memory containing its network packets or control structures."? Correct?

The attention to hardware isolation and separation is appreciated, but I don't hold my breath for iBoot and SEPOS protecting an iPhone from powerful adversaries.


Blocking DMA is separate from 0days. One is a design decision, the other is a still-unavoidable consequence of complicated software.

I think that these mechanisms completely frustrate "bulk" in-field collection efforts; for example, scanning all phones at DUI checkpoints.

No technical control is perfect. If you personally piss off a nation state adversary, they are more likely to yeet you off to a black site and hit you with a wrench until you cough up your passcode.

Surely, someone will break iBoot, and surely, someone will break SEPOS. And surely, someone will chain a kernel exploit with a userspace exploit [0]. And surely, someone will leak the signing keys for a widely deployed cheap android phone [1]. And surely, someone will push 777 permissions to a cloud provider [2]. And most surely, powerful government adversaries will hold brutal exploits close to their chest in the service of power and politics [3].

So I guess, if you want to breath freely: host your infrastructure yourself where feasible. Choose providers who respect your privacy. Make a modest but financially fair donation to the EFF. Become politically active. Use better practices - not best - to avoid fatiguing yourself in the windmill chasing effort of being Perfectly Secure. Most importantly, stay awake and aware and ready to fight.

0 https://github.com/Cryptogenic/Exploit-Writeups/blob/master/...

1 https://www.theregister.co.uk/2017/11/16/dji_private_keys_le...

2 https://www.cnbc.com/2019/05/17/salesforce-says-a-major-issu...

3 https://www.wired.com/story/eternalblue-leaked-nsa-spy-tool-...




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: