As long as the modem is connected via SDIO/USB to your open system (which it is), how is this a problem? It's treated as compromised/hostile.
Encryption of IP traffic happens on the open system, so no problem there.
If you'd like to complain about encryption of voice calls happening on the closed modem, I have some bad news. It wouldn't matter if it was open or closed, since the network it negotiates keys with is also compromised.
The only problem remaining, on this particular device, is direct connection of physical sensors (microphone, GPS, etc) directly to the modem. This is solved by physical switches (or hardware switches controlled from the open system) between the sensor and the modem.
The only exception I see now is the GPS, which is embedded into the modem. If they solve that, I'm buying the phone.
Right. There are two distinguishable risks from cellular or WiFi modems. One is geolocation by towers or access points. And the other is isolation of the open system from cellular or WiFi modems.
You can't use cellular or WiFi without being geolocated. But as long as the modems are securely isolated from the open system, geolocation information can't pollute your communications. There's obviously the same geolocation issue with broadband.
Also, that isolation prevents compromised modems from compromising the open system, and then accessing data, compromising end-to-end encryption, and so on.
Both are aspects of modems being "treated as compromised/hostile".
> The only problem remaining, on this particular device, is direct connection of physical sensors (microphone, GPS, etc) directly to the modem
Is that even the case of the microphone? My understanding was that - independently of the possibility to turn the microphone and modem off with kill switches - all audio data to the modem comes via I2S from the SoC anyways, i.e. that the microphone is NOT directly connected to the modem but to the SoC (possibly via a separate audio codec chip) and that the SoC serves the modem via I2S whatever audio data the user pleases (whether that be from the microphone or whatever else).
Yes, the modem can't talk to anything, it's only connected to the SoC with the I2S audio bus and the USB bus, the SoC controls what gets sent to the modem. For a voice call the SoC proxies audio between the mic/speaker and the modem.
Often the case and one excuse they provide is so that they can comply with radio regulations - which as many are semi software with DSPs in effect, would make the slightest software bug/change cause issues with the local radio regulators and indeed, the telcos. Not saying that you would need a radio licence from the local area just to compile modem code, but maybe not that far removed in part. Certainly testing would dictate a shielded environment to avoid legal issues and then at the end of all that, it would have to be certified by whatever local regulator of the country(s) it is used.
So it does make open source modems rare; liability exposure of legal fallouts makes for some muddy waters.
It would still be possible to be open source, even if it cannot be altered, such as by storing it in ROM (or storing a checksum so that only the exact version will run; this works better if the program is written in assembly language, since then you do not have to worry about the compiler messing up stuff). It could also be designed to allow the code to be uploaded but to disallow transmission in that case, making it so that if the code is altered then it can only receive, and cannot transmit. Another alternative might be that the radio and the DSP are separate components in a single package, and then if you want to use them separately you will have to break the package to reveal the parts, and then it cannot be resealed; you will have to make your own and lose the warranty. (This last alternative is what I think is good, but if that won't work (I don't know much about its working, so maybe it won't work) then the other ways might do.)
> In ham land you can do anything that follows the emissions rules.
In the US, hams are prohibited from employing encryption with the single exception for control coms with amateur space-based radios. With the proliferation of digital modes, the encryption rule is increasingly being challenged and it will be interesting to see where this goes in the future.
In ham land, the transmitter possesses the license to utilize the radio spectrum. With mobile phones, the carriers do. Cell phone owners don’t need a license - the model assumes their equipment manufacturers do, and will do what’s needed to assure continued compliance.
It depends on how you define the "problem". Is it ideal? Nope. But there is really nothing else out there even trying to do this other than Librem, which has its own problems. Not to mention this is very cheap. You have to start somewhere.
To me, the modem running a closed source blob is okay so long as that entire system is acting as a slave to the host, and isn't integrated with that host. The PinePhone appears to be explicitly designed around a total lack of trust for that modem. In a way, you could think of the modem at that point like any other Wireless Access Point you might connect to. Think about going into a coffee shop; sure you can hop on CafeBucks WiFi, but do you know what firmware the access point is running? How do you know it's secure? Heck, could you even guess the model number? Of course you can't; instead, your security model treats that entire communication line as potentially insecure, and implements SSL/TLS on top of it.
The PinePhone appears to use a similar approach here. The modem's only job is to provide a data connection, and ideally everything sent through that connection is encrypted in such a way that even if the modem wanted to snoop, it would be unable to do so. All it sees is encrypted noise, with the OS and application doing everything they can to keep it that way. The additional hardware isolation helps to ensure that even if the modem is compromised in some way by an attacker (difficult, but theoretically not impossible) it has very limited access to the rest of the phone, and would hopefully not be able to do very much damage. This is in stark contrast to most of the rest of the mobile industry today, which happily integrates the modem into the rest of the memory space, and would be at far greater risk should a modem exploit be discovered.
None of this is perfect, of course. In a perfect and ideal world, a FOSS modem would exist at scale, and the PinePhone would use that and all of the firmware would be open source. But the practical reality is that, at scale, a closed blob for the modem is required; no alternative exists that's cost effective enough to bring to market. So, the phone is designed to give that blob just as little trust as possible while still making the connection work. I think that's a perfectly fair trade.
> This is in stark contrast to most of the rest of the mobile industry today, which happily integrates the modem into the rest of the memory space, and would be at far greater risk should a modem exploit be discovered.
Is that still the case? I thought that most phones now isolate modems via some flavor of USB with IOMMU.
And indeed, that phones now isolate modems better than Intel and AMD machines isolate USB devices. There's IOMMU, but only some software actually uses it, such as Qubes.
Modems in modern phones are all integrated in the SoC, it's technically separated by IOMMU, but the issue with that is that you can't verify that the IOMMU works. There isn't really anything preventing the modem having some hard lines into the RAM.
With the PinePhone (and also the Librem 5) the modem and SoC are physically separate so the communication between those two components can be inspected and controlled.
While a completely open device is the ideal, to many there's nothing inherently wrong with making a few pragmatic compromises as long as they are well thought through. In the case of the radios, they appear to be well isolated from the CPU/system memory on the PinePhone. So if you want to be paranoid and ensure that every byte sent through them is encrypted before they see it, even if some malicious / snooping code is in those blobs, you can do that and they won't be able to accomplish very much. If that's not good enough, you can cut power to the radios entirely if you can live without them. So that's Pine64's approach.
We have two devices coming to market that take ideologically different approaches to choose from: the PinePhone (pragmatic compromise) and the Librem 5 (no compromise). So just pick where on the libre spectrum you want to live and enjoy 2020... it should be a fun year!
I don't know but I find the structure of the post pretty hilarious.
Basically the post says that the PinePhone mobile phone is, with the exception of the "mobile phone" part, a completely open source mobile phone.
It's just a funny way to write the post. If you remove the mobile phone part it's not a mobile phone. It's like saying a cake is, with the exception of the cake part, completely vegan.
If it were a feature phone, this would be an accurate summary. For a smartphone, calling is a minority usage (an actual issue with the modem, sure) and network access is assumed over a hostile link anyway; does it matter if it's hostile at hop 1 or hop 2, if the modem is not a privileged part of the system?
Right. We're just moving the DMZ, and that's for a lot of cases totally fine. Rather than how people would assume it works like this.
CPU -> LTE Modem || DMZ || Cellphone Provider
We have this for the Pinephone.
CPU || DMZ || LTE Modem -> Cellphone Provider
This is fine.
Remember that in the first model, and in most typical phones, the LTE Modem has above root access to the CPU through DMA. The exception is some more modern devices like the iPhone, which give the modem a specific sandbox device to DMA into that's not the actual processor.
.. But the modem itself is broadcasting its identity to multiple radio receivers. Is there enough of a difference wrt GPS positioning for the distinction to matter?
There are two reasons for wanting an open source phone: safety and hackability. Yes, the actual modem part isn't hackable, but they did do a good job (as do iPhones!) of segregating the closed source part so at least you don't have to worry about it remotely popping the actual phone OS. (nitpicking about "the modem is the real phone" notwithstanding)