im so unbelievably black-pilled on the hardware kill switch concept. you would notice if your phone was recording audio/video and uploading it... if your phone runs a sane OS with good security practices (sooo not any of the Linux mobile solutions rn) apps can't arbitrarily turn your modem/wifi on

idk, change my mind or something

like, IoS and Android (and really just projects like grapheneOS) is the only mobile OS capable of offering something that could hold up against you being actively targeted by hackers.

its gonna be a huuuge effort to get postmarketOS anywhere near the same level (though of course its a long term goal).

hardware kill switches feel like a big misdirect to avoid the real issue which is bad software and inadequate education on attack surfaces.s

@cas I think you're right, but I also think the threat model is not that the apps might be malicious as much as that the baseband might be. but in order for the baseband to usurp control of mics/cameras from the regular OS (enough to enable them and surveil the user) it would need drivers for them, and I'd be astounded if that had ever happened to anyone or ever will

@migratory the exploit chain to do this on a Qualcomm phone would be pretty wild. But the point is that you (as an individual) would need to be actively targeted, which is NOT a realistic threat model for most people.

@cas companies should be able to listen to you in order to better understand what ads to show you. Overall it creates a better online experience where you don't get frustrated by ads, but experience joy.

See, all this time we've been fighting to give the ad sellers less data when in truth what we should have been doing is give them more so they can better serve our needs.

They are doing it for us

@matzipan i know this is satire but 😭😭😭

@cas what is satire

@matzipan nooo please

@cas you don't understand

@matzipan yeah probably

@cas Have you seen the complete attack on iOS where they injected using... was it through font? It is rather good story. Apparently the price of that attack was $1M or so, yet it was successful. And yes, in the end someone noticed. And yes, it is possible that _you_ would notice. But those attacks are directed at high value targets, as they are very expensive. So yes, people would notice widespread attacks on Android / iOS. Yet we know that targeted attacks happen, and we can be fairly sure most of them are not detected.

I'll be happy to meet and explain. Are you at Plumbers _now_ by chance? :-). Or in Prague later?

@cas @migratory Not for most people. But we know targeted attacks are/were used for some people. If you make Saudis so angry they are willing to spend $1M attacking your phone, you should get phone with hw switches :-).

@cas @migratory Actually, doing a "call" when the phone would not ring but would accept and connect audio is widely believed to be a feature available to network operators. SIM toolkit is rather powerful. Silent SMSes are widely used. I am not aware of malicious silent calls, but would not really rule that out.

@pavel unfortunately not, very sad i couldn't make it to LPC.

I am familiar with these attacks on iOS, hardware kill switches on networking would at best make these attacks harder to pull off, but not impossible especially if you're being specifically targeted. kill switches on the mic might have value in this (extremely abnormal) context (while companies like purism market hw kill switches to normal end users), but I don't think recording audio was the focus of any of these targeted iphone exploits.

@cas why not both?

@fla i just think its misleading to imply that they in any significant way impact how privacy respecting your device is

@cas I couldn't care less about the security aspect, but I was actually surprised how much I use Librem 5's kill switches. They're so handy! Well, the cellular and WiFi ones at least, I don't think I have ever used the camera one for non-debugging purposes 😜

@cas What I want is the ability to power gate the modules, which has plenty of use-cases, but most importantly it gives me some control over black-boxed peripherals. Whether it's ultimately controlled by a hardware switch or the OS that I actually control doesn't make much difference - or at least that's what I used to think until I started using the L5 and noticed how convenient the switches are. The PinePhone ones are IMO mostly useless though (maybe aside of the UART one).

@dos @cas Aha? Are you saying that next time camera fails to work, I don't have to reboot, I can just powercycle it with a switch? #Librem5 :-)

@rolandlo powering the modem off is gonna stop it from doing anything whether it's done via software (which on modern Qualcomm phones has to load the modem firmware and talk to it over pcie or shared memory) or via hardware.

there's no super secret hidden way the modem can turn itself on and load its (many megabytes) of firmware without a lot of hand holding from the OS.

@dos right, i mean look you can turn all these clocks off, send an irq to kill the modem, keep it in reset....

https://github.com/torvalds/linux/blob/master/arch/arm64/boot/dts/qcom/sdm845.dtsi#L3314

there's no fundamental benefit to hardware switches from a privacy perspective

@pavel @migratory if the modem is switched off (something you don't need a hardware kill switch for) it makes no difference

@cas no radio device can broadcast whatever if it has no power?
from bt announcing to the world you are around. To your modem saying hello to cell towers.

runtime battery life? why have the card powered if you are on the street and not using it.

@joao you can just as easily turn it off from software

@cas What about Sailfish? I spent some time looking into it and it would appear it's both daily-drivable and a fully tweakable Linux distro.

I'm waiting on them to release an image for the Xperia 10 V before I make the switch.

@coffee it's fine? idk, it's a fully custom distro with a bunch of proprietary parts that also relies on the proprietary android BSP under the hood (downstream kernel, android graphics/radio stack, etc).

@cas @pavel @migratory I must be missing something. How can the OS make sure the modem stays switched off? That is, how is baseband prevented to switch it back on? I may be paranoid, but I believe this feature is so tempting that it has been implemented by more than one vendor.

@cas I don't think it's about technical details, it's about the human factor.
- it's simple and quick (and pleasing) to turn something off,
- it thus gives even non-technical people a sense of agency,
- it can indicate state (e.g., the ringer switch on iPhones or HKS on the Librem 5 - I can just look at or feel the phones side and see/sense what's up)

So: Humans likey buttons, that's all - and on the Librem 5 you just want to turn unused stuff off to save battery ;-)

@ptesarik @cas @migratory Baseband often runs Linux and uses lot of power. If basebands were "often" running while they should be off, people would be noticing. (That does not rule out occasional targeted attacks.)

@ptesarik @cas @migratory Plus, you could simply turn off baseband's power supply.

@ptesarik @pavel @migratory on Qualcomm devices the modem is either a DSP (which requires a bunch of hand-holding from the OS to boot up and do anything) or a PCIe peripheral (which still requires hand-holding to boot up). you can simply hard reset it and not load the firmware. it can't do anything in that situation

@pavel @cas I mean, that's the only thing I use the camera switch for 😂

@cas I think the emphasis should be on *hardware* not *kill*. In a world where software tries to be clever physical switches (that are easily operated without even looking at the device) off means of and on means on which is very reassuring when one wants to save power or make sure one doesn't accidentally hit immense roaming fees with wwan on.

@cas @joao what if you're not sure you can trust the software?

@heyoka @joao then you should get a new phone