[farkanoid]

Not sure how I feel about this. Motorola seems to be the exclusive provider of encrypted cellular networks and associated devices to the Israeli military [1][2].

I'm under the impression that basebands still require a proprietary/binary blob, basically rendering the security features of the underlying Open Source OS useless, since it sits between the user and outside connectivity.

How can GrapheneOS ensure that there are no hidden backdoors (ie: Pegasus-like spyware, which was created by ex-IDF soldiers via NSO Group), etc, in the baseband?

[1] https://www.whoprofits.org/companies/company/3808

[2] https://www.motorolasolutions.com/newsroom/press-releases/mo...

[spaqin]

In the same way they can(not) do it on Pixel phones - and I would be surprised if Google was not already cooperating with the state actors. You do what you can. Even open source drivers (which are not gonna happen when operating within tightly regulated radio bands) won't help if there's a hardware backdoor.

[Terr_]

The way I see it, I don't have much direct control over the actualities of that kind of nation-state spying stuff. However:

1. I can direct my consumer-dollars towards the vendors that promise to respect ownership and privacy in general, and they will also have the most to lose if they are caught enabling spying.

2. Defense in depth. Security features generally add to the spying's difficulty, expense, or risk of detection, and that in turn decreases the incentive for abuse.

[Barbing]

Ah nice so leave the phones in another room

Easy but for missing Step 1 of “Colocate with friends and business partners”

[lotyrin]

Just only ever speak in a language of your own invention that uses both cryptographic and steganographic techniques which you invented while colocated, maybe.

[RealityVoid]

I can't wait until we're all mentats each speaking our custom encrypted pidgin. That will surely help with communication and world peace!

Not your keys, not your speech!

[vladms]

I personally am more afraid of what "someone" can convince other people to do rather than listening to me. Sadly there are enough people that are easily manipulated that probably the "smarter" people are completely ignored.

If I would be to place a bet I would place it on mass propaganda targeting people below average - it might be simpler, easier and cost effective. So lots of this talk about "encryption", "privacy" might be in fact great for those "actors": smart people worry about their precious technology and principles, while "they" talk to "the masses".

[627467]

Motorola Solutions != motorola mobility

Ill leave you to investigate how != they are

[herewulf]

This. I know some people who work for the former and they are always having to say "no, I don't work for that Motorola". The shared name is entirely historic.

[RajT88]

Mobility is in Merchandise Mart, Solutions is in Schaumburg.

Used to be anyways. (My office was a floor below in the mart)

[farkanoid]

I did. There's long term patent cross-licensing agreements between the two companies. Motorola mobility may be a separate company now, but they didn't start from scratch.

[karel-3d]

The mororola mobility is a Chinese company with Chinese management. They bought the brand and the patent portfolio. They sure as hell are not supplying Israel or NSA.

[627467]

> they didnt start from scratch

> long term patern cross licensing

> israel

> pegasus

Basically lots of judgment based off of superficial facts with little understanding of implications and the actual consequences of those facts.

[farkanoid]

Well, you sure showed me.

[cromka]

They did. You're nitpicking to not lose face while you could have easily say "OK, didn't know they were separate brands" and we'd all move on with our lives.

[aniviacat]

Motorola phones are made by Motorola Mobility, not Motorola Solutions.

Motorola Mobility is largely owned by the Chinese government.

The Chinese government is not gonna share your data with Israel/USA.

https://news.ycombinator.com/item?id=47215079

[Dectanable]

Israel has sold nuclear US state secrets to China. Don't hold your breath. https://www.military.com/defensetech/2013/12/24/report-israe...

[alt227]

Serves them right for giving confidential equipment to terrorists.

The key quote in this article is:

"Israel has a long record of getting U.S. military technology to China. "

[greenchair]

true, they want it for themselves

[embedding-shape]

If you're not in country X which spies on you, but you live in country Y, is it preferable to have country X or Y to spy on you, given one is further away and cannot really impact your daily life, compared to the other country?

[thisislife2]

Let me give you another perspective - you cannot fight a foreign state that wants to hack your device and access your personal data. Even Apple iPhones, who often taut how "secure" their devices are, remain vulnerable to state spywares. A secured device, at most, will protect your data from the police or lay cracker or malware, who lack the means to use more sophisticated methods to access your data. When Android forks (like Lineage OS or Graphene OS) advertise that their Oses are more "secure", with better "data protection", what they mean is that their OSes try and prevent data leakages to the OS vendors (like Google or Apple or other BigTech) or to online services integrated with the OS or through system and user installed apps. In other words, "privacy and security" primarily means that they try and prevent surveillance capitalism.

[chpatrick]

Actually Graphene has been shown to be resilient (uniquely) to some of the forensic tools used by governments.

[M95D]

Probably because nobody targeted them yet.

[gruez]

cellbrite specifically has grapheneos in its support matrix.

[latentsea]

Which demographics do you think run GrapheneOS as a daily driver other than people who have shit to hide? They've definitely been targeted.

[NotPractical]

...apparently most of HN, judging by these recent threads?

[DANmode]

Yeah, I hide that I’m using apps from other spyware apps.

What of it?

[latentsea]

My point was it's the OS of choice for those in organised crime, so yes, it has been targeted.

[DANmode]

Will Graphene not require Moto to offer an IOMMU like Pixels do?

[strcat]

They already have it and it isn't part of what needs to be developed. Qualcomm does that for them.

[user2722]

Ya, I believe that's the correct answer. I believe there is an IOMMU or equivalent on modern phones to prevent those doubts binary blobs bring.

[M95D]

None of it matters. If the device has a SIM card (virtual or physical), it will execute commands sent over the network. It's required by the GSM/LTE standards. The best you can hope for is to have separate SoC for the OS and separate SoC for the GSM/LTE connectivity, but that means double the power consumption.

See presentation at DEFCON21 about SIM cards: https://www.youtube.com/watch?v=31D94QOo2gY

[Aachen]

defcon21 is from the pre-snowden world (2013), for anyone else wondering. Mobile landscape (our reliance on them, the central role they play in our lives) back then was a little bit different and indeed I'd not be surprised if most models support that the carrier can remotely read out any memory location or something

[fsflover]

Perhaps you may be interested in Librem 5 or Pinephone, both of which have hardware kill switches for modem and available schematics. The latter even has most of the modem software freed.

[strcat]

Those devices have atrocious security at a hardware, firmware and software level. Their microphone kill switch also doesn't prevent audio recording. They aren't open hardware despite many attempts to mislead people with the marketing.

> The latter even has most of the modem software freed.

Pinephones have entirely closed source baseband firmware. They use a highly unusual cellular radio which includes both an incredibly outdated Qualcomm baseband processor with atrocious updates and security combined with an extremely outdated proprietary fork of Android running on an extra CPU core which isn't present in any mainstream smartphone. It's only replacing the unusual extra OS which has been done. That whole component doesn't exist on other smartphones and the only reason it's possible to replace it is because the whole radio has absolutely atrocious security. The radio is connected via a far higher attack surface USB connection providing far less isolation for the OS and the USB connection can be used to flash the proprietary Android OS via the fastboot protocol. The baseband firmware itself doesn't have any replacement available.

[daneel_w]

> Pinephones have entirely closed source baseband firmware.

> The baseband firmware itself doesn't have any replacement available.

Same with the Google Pixels and their Samsung Exynos modem. Neither you nor GrapheneOS users have any idea at all what's going on in their cellular transceivers. What will it be for the upcoming Motorola phone?

[DANmode]

> Neither you nor GrapheneOS users have any idea at all what's going on in their cellular transceivers

Pixel has an IOMMU - are you implying that’s being defeated, or that you weren’t aware of it?

[daneel_w]

Neither. It's great that the Pixels' baseband ACPU doesn't have free reign in system memory, but if we're gonna underline the deficient state of the cellular modem in the Pine Phone we should also remind ourselves that the firmware situation with the Pixels is an almost equally sore thumb.

[DANmode]

It doesn’t feel equal to me, here in my real-world usecase.

[handedness]

There's a lot of hand-wringing in this thread about Motorola's location, and a lot of support from a few for a modem made by a company headquartered in....Shanghai. If consistency here is what we claim to be pursuing, then let's actually pursue it.

The opacity of the firmware situation isn't great on either, but one contains numerous excellent mitigations and is very proactively maintained, and the other is something that relies heavily on reverse engineering and community projects to even use.

And it has a physical switch and has some physical distance between it and the CPU, both of which given the previous limitations are mostly theater, in practice. "My modem is so vulnerable it needs to be turned off during extra-important times, but I don't mind leaving it on during times that are merely important." As if a compromised OS can't just wait to exfil data. If your goal is to make it to Checkpoint Charlie and don't want the hassle of having to buy a new phone after you reach freedom, fine, but I haven't seen many well-articulated needs that would be satisfied by a hardware switch when everything behind that switch is filled with vulnerabilities.

For my threat model, using the modern modem with a bounds sanitizer, an integer overflow sanitizer, stack canaries, control flow integrity, automatic initialization of stack variables, very active updates and a large commercial user base and a large market cap in part depending on it, makes a lot more sense.

Google's highly lucrative ad tech business is what makes everyone nervous about anything Google, rightly so, but their share price would plummet if they were caught using Pixel hardware in nefarious ways, or did an unreasonably insufficient job in securing it. I'm not saying it's not possible that the modem is compromised, but for my threat model I have to put a lot into the possibility of an undetected backdoor inside a modem which is by all indications constructed very well, to make using a weird old modem known to be massively lacking in dozens of ways, running an OS with all kinds of issues, make more sense.

And I say that as someone who tried the PinePhone at one point. Fun idea, but no commercial or state organization with an elevated risk profile would trust their data to a PinePhone as it stands. It's fun for hobbyists, but it doesn't belong in the conversation with iPhones and Pixels from a security standpoint. It won't be making it onto the DoDIN APL any time soon.

[ysnp]

Hi daneel, what would you like GrapheneOS to do while you develop your own formally verified, open hardware, open source firmware/OS baseband processor they can use? Sit on their hands doing nothing or making the best of the least worst options currently available?

[daneel_w]

The Pixels already are the best of the least worst options currently available. Anything new must categorically bring improvements, and the closed source firmware of the Pixels is a pressing point.

[handedness]

That's reasonable, and I hope we get there.

Qualcomm is an American company, and it sounds like the GrapheneOS team is working directly with them on developing the spec for this, including hardware MTE support. That's promising and I think could bring improvements over the current situation, if not open source modem firmware, unfortunately. I'm hoping to be surprised, though.

[fsflover]

> Their microphone kill switch also doesn't prevent audio recording.

Unless you provide some evidence, I will consider this false accusation.

> They aren't open hardware despite many attempts to mislead people with the marketing.

Who and where said they were open hardware?

> extremely outdated proprietary fork of Android

Which was freed and can run new Linux kernels now: https://github.com/the-modem-distro/pinephone_modem_sdk and https://xnux.eu/devices/feature/modem-pp.html

Your walls of text are disingenuous.

[handedness]

> Unless you provide some evidence, I will consider this false accusation.

The line of thinking is, if you're so concerned about your device being compromised that you need to enable the mic kill switch (because of aforementioned lack of trust in the device), then other sensors which have been demonstrated to be able to capture audio can't be trusted, either, and in many demonstrations some of those sensors have been shown to be capable of recording what is effectively audio. That's old news, so you shouldn't have any difficulty finding evidence of your own.

On a device that's that compromised one would have to physically power off every sensor on the device, and even then there would still be some things to consider. Air gaps are a thing for a reason, and yet some incredibly clever exploits have been demonstrated to jump that gap. Many components that aren't microphones, cameras or radios can be turned into cameras, microphones or radios pretty effectively.

Still, I see the appeal of hardware switches as another practical layer against basic human factors, like a webcam lens cover adding another step beyond firing up the camera's permissions/appVM. But if we're being practical, a phone I can get wet is much more practical than a phone with physical hardware switches when I already have a high degree of trust the OS's ability to control sensors, and a low degree of rust in the OS's ability to control liquids and debris.

> Which was freed and can run new Linux kernels now:

Unfortunately that has kernel dependencies that haven't been updated in years. If you think the kernels in well-maintained Debian and Fedora VMs still need to be separated by a hypervisor to be trustworthy, you're in for a bad time trying to run that kernel on a PinePhone.

> Your walls of text are disingenuous.

You've got the attention of one of the sharpest security minds on the planet and that is what you come up with?

"Unless you provide some evidence, I will consider this false accusation." is bizarre, especially given your audience. You're capable of learning all this stuff on your own without asking everyone to do that for you.

Regardless, nine sentences across two paragraphs isn't a wall of text. The guy took time out of his day to respond to banality and that's what he gets.

It's becoming increasingly difficult to see you as anything but someone who deliberately attempts to derail any threads relating to Graphene OS. Help me out: why shouldn't I?

[fsflover]

> then other sensors which have been demonstrated to be able to capture audio can't be trusted, either, and in many demonstrations some of those sensors have been shown to be capable of recording what is effectively audio. That's old news, so you shouldn't have any difficulty finding evidence of your own.

You (and strcat) have no idea what you are talking about. And you are constantly shifting goals. Sensors are much harder to use as microphones. Was it ever caught in the wild, not in a lab? Sensors are also switched off on Librem 5 by the three kill switches: https://puri.sm/posts/lockdown-mode-on-the-librem-5-beyond-h...

> If you think the kernels in well-maintained Debian and Fedora VMs still need to be separated by a hypervisor to be trustworthy, you're in for a bad time trying to run that kernel on a PinePhone.

This is misleading. There are different degrees of security. Qubes provides the highest achievable degree (for certain threat models). It doesn't mean that Debian and Fedora have no security at all. Moreover, if you only run trusted application, they are reasonably secure, unlike OSes with (partially) closed source.

> You've got the attention of one of the sharpest security minds on the planet and that is what you come up with?

I don't care about personalities. Famous and smart people are wrong more often than you seem to think.* I care about arguments. This is why I'm on HN.

> Regardless, nine sentences across two paragraphs isn't a wall of text.

I am talking about all comments together, not one comment.

> It's becoming increasingly difficult to see you as anything but someone who deliberately attempts to derail any threads relating to Graphene OS. Help me out: why shouldn't I?

I do not have any hope that you try to understand me, since you immediately started fighting with me, without even considering my point of view. Many of your replies (see example in this very answer of mine) did not address my concerns. Some of your replies ignored my links (LoC).

* (Me included; I argue here, because I want to find out where I'm wrong.)

[handedness]

Sure, if you switch off every kill switch you're in pretty good shape for the time being. Same as if you turn off all radios and sensors on a GrapheneOS device. And then you're way ahead of the game when you turn all of the software switches back on.

The trusted application thing is hard, same as the trusted kernel thing is hard. Some monolithic kernels are adding bugs faster than they're being addressed. It's a really hard problem and I don't see monolithic kernels as being the best solution of the future. That's relevant to threat modeling, which is why virtualization is so valuable, but it needs to be built on a secure hardware platform. Part of the benefits of significant sandboxing, much like virtualization, is you can ultimately run all apps as some degree of untrusted. Both together would be best. Saying you can't imagine how something could be more secure than your Qubes setup is a better indication of your ability to imagine than it is of any security reality. And then you recommend people check out two solutions with the benefits of neither approach (and other issues).

Anyway, I'm still going at this because your comments (which frequently commit the errors of which you accuse others) go unreplied in too many threads, so I engage so that others who skim threads containing questionable assertions will at least see a different viewpoint.

When I recently didn't continue to play along with you, you tried to use that thread as evidence supporting some kind of weird dunking on me, and others. It's a project you claim to care about and want to see succeed, and then you repeatedly approach it in a highly insufficient way, often invoking the project in threads not even about it just to go ahead and dismiss it. You ask basic, easily researched questions relentlessly and when people stop answering point to the lack of a final response as justification, despite your claims of awareness of your own ignorance. There's an actual name for what it is you're doing.

It's a weird axe you have to grind, and I'm content to let others see it all in context and decide for themselves. I only bother because I think it's an important project, genuinely want to see it succeed, and think on this important site of tech culture, you're damaging it unfairly. Whether that's intentional or not, I don't know, nor do I need to.

[gf000]

Security theater, it has absolutely no use. If you can't trust your hardware that it won't actively listen to the microphone without your knowledge and permission then what are you even doing with that device?!

[fsflover]

I do trust my device. However in specific circumstances where privacy may be critical, an additional protection might save me even from a state-sponsored attack.

[handedness]

If your threat model is state-sponsored then I hope for your sake you're just LARPing, because if not you're in for a bad time with some of the solutions you advocate.

[fsflover]

This is just a shallow dismissal. I'm sure state actors can break into my phone. I'm also sure that they can't track or record me when kill switches are off (unless there is another device nearby). Tell me why I'm wrong and please stop repeating how surprised you are that people are so very stupid.

[handedness]

For kill switches on a device with otherwise comparatively abysmal security to be the better security choice over a device with thorough and comprehensive security paired with OS-level radio and sensor switches, you would have to demonstrate that the infinitely more vulnerable device's physical kill switches are somehow significantly more effective at addressing your threat model than software switches in a trustworthy OS. If they are approximately equally effective then you have given up a lot for no benefit, and are net much worse off.

Again, I get the human factors appeal of physical kill switches, and if all else were equal they may be worth having, but people are place far too much faith in the value of physical kill switches.

[raffael_de]

> Not sure how I feel about this. Motorola seems to be the exclusive provider of encrypted cellular networks and associated devices to the Israeli military [1][2].

makes me feel good about it.

[strcat]

You're confusing Motorola Mobility with Motorola Solutions. These haven't been part of the same company since 2011. We would happily support devices from Motorola Solutions with their collaboration too but have no contact or partnership with them as they're an entirely different company. We want to support more devices meeting our requirements and if people have issues with one of the choices due to their opinions on geopolitics they can use another.

[Aeglaecia]

what exactly makes you feel good about a privacy black hole with the worlds foremost anti privacy captain at the helm ?

[imcritic]

The opportunity to be blown up by your phone upon a trigger pulled by mossad. Obviously.

[strcat]

You're confusing Motorola Mobility with Motorola Solutions. These haven't been part of the same company since 2011. We would happily support devices from Motorola Solutions with their collaboration too but have no contact or partnership with them as they're an entirely different company. We want to support more devices meeting our requirements and if people have issues with one of the choices due to their opinions on geopolitics they can use another.

[worldsavior]

Are you a terrorist? No? Then you have nothing to worry about :)

[LollipopYakuza]

This is a fallacious argument that has been thoroughly debunked countless times, and frankly it has no place on a platform where we expect a baseline level of digital literacy. Privacy isn't about hiding crimes, it's about limiting how much power one government has over you. History has shown stuff that’s totally fine today can be treated like a problem tomorrow. A surveillance system built under a “good” government can be handed to a shady one.

[farkanoid]

If you have anything to hide you have nothing to fear, eh?

Former Mossad Chief Yosi Cohen bragged about having booby trapped and otherwise compromised devices in pretty much every country. [1]

[1] https://the307.substack.com/p/former-mossad-chief-brags-that...

[strcat]

You're confusing Motorola Mobility with Motorola Solutions. These haven't been part of the same company since 2011. We would happily support devices from Motorola Solutions with their collaboration too but have no contact or partnership with them as they're an entirely different company. We want to support more devices meeting our requirements and if people have issues with one of the choices due to their opinions on geopolitics they can use another.

[raffael_de]

all technology companies are to some extent in cahoots with secret agencies. but israel has no room for mistakes, they only work with the best. no doubt they will ask for backdoors. but no phone is safe from governments anyway - grapheneos or not.

[worldsavior]

I'd say you're paranoid. Nobody cares about you, and they won't invest billions just so they can see your hot nude pictures. There are much easier ways to get information out of a phone, no need for a backdoor.

If there were ever any backdoor in some phone, it would have been found. No smartphone company is gonna take that chance that someone will find their backdoor, it will literally kill the company.

[krior]

Sometimes you become a target purely by chance. You may witness something you should not have seen, are at the wrong place at the wrong time, the "algorithm" glitches and increases your "thread level" by 5000%. In most of these situations preparations like running graphene os can be quite the boon.

Or think of friends and family. When they become the target, you are prepared, you have the knowledge and tools ready, you can be the guide that helps them navigate a hostile digital world.

[romanovcode]

> Nobody cares about you

This is such a low-iq argument I cannot even. Yes, nobody cares about OP, you, me, whatever - until they do. Not to mention general harvesting for profiling and propaganda reasons.

General: What do people in this city/country/region/etc are thinking - This is the main one where the data is used and collected, then grouped. It is extremely powerful information for targeted agenda whichever it might be.

Targeted: Oh, you or someone from your close ones went to a political protest? Too bad we have all this information to put you and your family in jail - This is where suddenly they will care about you, even when it is NOT YOU but someone from your close circles were the ones upsetting them.

[Xunjin]

Whether parent is paranoid or not, Pegasus literally is used to spy, just because the state might not care about his hot nude pictures does not mean they don't care about other phone usage.

"While NSO Group markets Pegasus as a product for fighting crime and terrorism, governments around the world have routinely used the spyware to surveil journalists, lawyers, political dissidents, and human rights activists."[0]

Information these they can be much as powerful as a bomb, for example, I could learn more about your calls and discover that you do something immoral but not illegal and use it to blackmail you.

0.https://en.wikipedia.org/wiki/Pegasus_(spyware)

[lejalv]

As if spying on “governments around the world have routinely used the spyware to surveil journalists, lawyers, political dissidents, and human rights activists” wasn't already alarming, Pegasus has also been used to spy elected officials.

A recent court case investigating spying on 37 elected representatives [1] (including the prime minister, three ministers, and regional politicians) had to be closed in 2023 and again in 2026 “for lack of cooperation of the Israeli government”.

[1] https://www.rtve.es/noticias/20220510/pegasus-espiados-sanch... (spanish) [2] https://www.rtve.es/noticias/20260122/juez-archiva-caso-pega... (spanish)

[saikia81]

I'm guessing you missed out on the Snowden revelations? Or the news articles about federal agents literally laughing at private dick pics.

And your second paragraph seems to go on the premise that the average person care if there is a backdoor.

I don't know why you wouldn't take security seriously, when even the US government is telling everyone to be careful where they supply their devices because of spying. Just don't trust them to point the finger the right way.

[RobotToaster]

The UK government is known to spy on anti genocide protestors.

The US government is known to spy on anti ICE protestors.

If you have an opinion your government doesn't like, or a potential future government doesn't like, there's a good chance you have or will be spied on.

Perhaps you lack a single opinion worth caring about, but most people do not.

[samplatt]

>If there were ever any backdoor in some phone, it would have been found. Not only have MANY been found, but the whole security industry is aware of them and works with/against those backdoors.

This is kind of like a mechanic not knowing what a car's exhaust does...

[pschastain]

And I'd say you don't understand how state-sponsored tracking and spying operates