| > Ah, you mean social engineering attacks and more powerful attacks relying completely outside of the cyberspace (to say more bluntly, which perfectly fits the case here, "in the meatspace"), right No. I mean actual unpatched vulnerabilities and exploits that haven't been published. NVD is just the icing on the cake. Plenty of less scrupulous vendors like Zerodium, Crowdfense, NSO, etc have collected troves of exploits and vulnerabilities that have never been published, because they can pay 2-3x what bug bounty programs pay. For example, NSO's Pegasus toolkit which has been operational for a decade but only remediated in the past couple months. But it doesn't matter. If you've been targeted by adversary using one of those products, you are already very high profile and security theatre around your phone's security is basically useless if you don't have a security team to back you up. > In terms of broadly-understood virtualization, there's always FPGA with its possibility to spawn multiple number of completely independent softcores. These days some FPGAs with enough computing power for well-optimized security-critical part of general-purpose computing That's what Secure Enclave/Trusted Execution is in a nutshell, but it's progressed way past FPGAs (that was a late 2000s/early 2010s research area before moving up to CPUs and GPUs) ------------ Just stick with a common popular smartphone from a brand that makes sure to consistently be on top of patching and supportability. It's about as safe a consumer computing device can be, and even nation states recognize that. Most leaders and politicans use common smartphones as well, but they are locked down with an MDM (this is BlackBerry/RIM's bread and butter now because they've deprecated phone manufacturing) |
I know very well about Zerodium. However, FPGAs can be way more secure than any kind of ASICs. If you don't understand why, then I don't think further discussion is warranted. I worked with Apple's implementation of security enclaves, and they don't isolate (or "outsource" to be processed there) nearly as much as should be isolated. For example, whole display and touch input needs to go through the application processor, anyway. It's not a good way to go, to say the least. You can't overlay anything on the top of the display nor isolate touch input from some area (say, virtual keyboard) to go to the enclave. The rest of what it does is pretty meaningless, given these constraints.