Edward Snowden’s New Research Aims to Keep Smartphones From Betraying Their Owners

In early 2012, Marie Colvin, an acclaimed international journalist from New York, entered the besieged city of Homs, Syria, while reporting for London’s Sunday Times. She wrote of a difficult journey involving “a smugglers’ route, which I promised not to reveal, climbing over walls in the dark and slipping into muddy trenches.” Despite the covert approach, Syrian forces still managed to get to Colvin; under orders to “kill any journalist that set foot on Syrian soil,” they bombed the makeshift media center she was working in, killing her and one other journalist and injuring two others.

Syrian forces may have found Colvin by tracing her phone, according to a lawsuit filed by Colvin’s family this month. Syrian military intelligence used “signal interception devices to monitor satellite dish and cellphone communications and trace journalists’ locations,” the suit says.

In dangerous environments like war-torn Syria, smartphones become indispensable tools for journalists, human rights workers, and activists. But at the same time, they become especially potent tracking devices that can put users in mortal danger by leaking their location.

National Security Agency whistleblower Edward Snowden has been working with prominent hardware hacker Andrew “Bunnie” Huang to solve this problem. The pair are developing a way for potentially imperiled smartphone users to monitor whether their devices are making any potentially compromising radio transmissions. They argue that a smartphone’s user interface can’t be relied on to tell you the truth about that state of its radios. Their initial prototyping work uses an iPhone 6.

“We have to ensure that journalists can investigate and find the truth, even in areas where governments prefer they don’t,” Snowden told me in a video interview. “It’s basically to make the phone work for you, how you want it, when you want it, but only when.”

Huang made a name for himself by using a technique known as reverse engineering to hack into Microsoft’s Xbox and other hardware devices locked down using various forms of encryption, and Snowden said he’s been an invaluable research partner.

“When I worked at the NSA, I worked with some incredibly talented people,” Snowden said, “but I’ve never worked with anybody who had such an incredible outpouring of expertise than I have with Bunnie.”

Snowden and Huang presented their findings in a talk at MIT Media Lab’s Forbidden Research event today and published a detailed paper.

Location Privacy and Smartphones

Smartphones come with a variety of different types of radio transmitters and receivers: cellular modems (for phone calls, SMS messages, and mobile data), wifi, bluetooth, and others. But using any of these radios could leak your physical location to an adversary who is watching the airwaves.

Journalists and activists use their phones to communicate with sources and colleagues, post updates and livestream to social media, and accomplish countless other networked tasks. If they need to keep their location secret, for example in a war zone, they need to turn off all of the radios within their phones. Even so, phones can still be vital tools even when offline; internet access is not needed to take photographs, record video or audio, take notes, use certain maps, or manage schedules.

Snowden and Huang have been researching if it’s possible to use a smartphone in such an offline manner without leaking its location, starting with the assumption that “a phone can and will be compromised.” After all, journalists and activists are often under-resourced and face off against well-funded intelligence services. They also, necessarily, use their phones to talk to, and open documents from, a wide variety of sources, leaving them especially vulnerable to targeted phishing, or “spearphishing,” attacks, where an attacker baits a victim into opening an enticing document that actually contains an exploit.

The research is necessary in part because the most common way to try to silence a phone’s radio — turning on airplane mode — can’t be relied on to squelch your phone’s radio traffic. “Malware packages, peddled by hackers at a price accessible by private individuals, can activate radios without any indication from the user interface,” Snowden and Huang explain in their blog post. “Trusting a phone that has been hacked to go into airplane mode is like trusting a drunk person to judge if they are sober enough to drive.”

Concept art for the Introspection Engine.

Introspection Engine

Since a smartphone can essentially be made to lie about that state of its radios, the goal of Snowden and Huang’s research, according to their post, is to “provide field-ready tools that enable a reporter to observe and investigate the status of the phone’s radios directly and independently of the phone’s native hardware.” In other words, they want to build an entirely separate tiny computer that users can attach to a smartphone to alert them if it’s being dishonest about its radio emissions.

Snowden and Haung are calling this device an “introspection engine” because it will inspect the inner-workings of the phone. The device will be contained inside a battery case, looking similar to a smartphone with an extra bulky battery, except with its own screen to update the user on the status of the radios. Plans are for the device to be able to sound an audible alarm and possibly also to come equipped with a “kill switch” that can shut off power to the phone if any radio signals are detected. “The core principle is simple,” they wrote in the blog post. “If the reporter expects radios to be off, alert the user when they are turned on.”

The introspection engine also must fit a number of design goals, including: It should be entirely open source, with open hardware, to make it easy for experts to inspect; it should operate in a separate “security domain” than the phone. Basically, the introspection engine should work even if the phone is hacked and actively lying to you; it should have a simple and intuitive user interface and require no special training to use; it should be usable on a daily basis with minimal impact on workflow.

Introspection engines don’t exist yet, and the research Snowden and Huang presented today is only the beginning. In order to begin work on a prototype, the pair needed to pick a specific model of smartphone to target. They chose the 4.7-inch iPhone 6, based on their understanding of “the current preferences and tastes of reporters.” However, introspection engines could be designed for any model phone.

Jacking Into the iPhone

Huang, an American who currently lives in Singapore, traveled to the metropolis of Shenzhen, China to explore the electronics markets of Hua Qiang, which he described as “ground zero for the trade and practice of iPhone repair.” While there, he bought spare parts and repair manuals that contained detailed blueprints of the target device.

Testing the electrical signals from the iPhone 6.

Using information gleaned from these manuals, Snowden and Huang discovered that the iPhone’s logic board has several test points designed by the manufacturer that can be exploited to learn the status of various on-board radios. These test points, which are built-in to many consumer devices, are crucial to improving customer experience. When a customer returns a defective device, engineers rely on them to determine the cause of the defect.

Snowden and Huang discovered 12 test points that could be used to monitor the status of the cellular radios, the GPS radio, and the wifi and bluetooth radios. While they didn’t find a test point to monitor the Near Field Communication chip, the part that makes Apple Pay possible, they discovered that they could disconnect its antenna, vastly reducing its range.

They don’t think that modifying an iPhone 6 to install an introspection device could be done by just anyone, but “any technician with modest soldering skills can be trained to perform these operations reliably in about 1-2 days of practice on scrap motherboards.”

Supply Chain

The next step is to develop a working prototype, which Snowden and Bunnie hope to complete over the next year. Their blog post says that the project is currently operating on a “shoestring budget” and “donated time.”

If it proves successful, they may seek funding through the Freedom of the Press Foundation to develop and maintain a supply chain. The nonprofit, of which both Snowden and I are board members, could then distribute iPhones that have been modified to include introspection devices to journalists who work in dangerous environments to use in the field.