Anti-forensic mobile OS gets your phone to lie for you


1 Like

This should be pretty easy in Maemo5/N900 too, just store everything that is worth the cops grabbing in an audited truecrypt blob with two or more true and false outputs from different passwords. One problem, the cell tower and networks are super easy to use against us without any way for us to control or spoof them.
If you want to destroy the power of the police to abuse us for carrying communication devices PLEASE support the inclusion of POCSAG paging modules in mobile phones, one way regional coverage and untraceable, with an easy to make app a call back when you feel it is safe to fire up your cellular modem is a snap.
Over at where they are community designing the successor to the Nokia N900. There is a need for skilled makers to help design a small efficient USB or serial paging network receiver module to use with the hacker plugin interface which is being designed for happy mutants who love our freedom!
Once it has been done once, demand will build, be part of the spearhead.


Thought. Active defense system. The forensic tools are usually connected to the phone via USB port. What about building in a little high-voltage generator, something like a shrunk-down photoflash, which in case of attempted forensic access charges a capacitor and then discharges it into the USB port data lines? If nothing more, it will fry the interface chip in the forensic box and take it out of commission for couple days. Few microfarads at few 100s volts (or maybe even few 10s, we need to protect our own phone’s internals with physically small circuits) will do a good job here. The ESD protection networks on chips have just few square micrometers and they fry easily. The external ESD diode networks are a tougher nut (MUCH bigger thermal mass, fewer size-performance compromises) and can absorb more energy but ultimately even they can be fried by depositing enough energy in shorter time than it takes for it to dissipate from the silicon die.

This can be countered with beefed-up ESD protection in the forensic reader,but will take time and money to deploy.

A phone can have multiple personalities. A NFC reader in a phone can look for the presence of a chip implanted in the operator’s hand (see Amal Graafstra’s work) and use it to determine if it should show certain locked items in the directory or it should keep them for itself. Hand the phone over to a cop, and the cop sees sanitized version. Get it back in your hand, and the hidden icons and addressbook items pop back into view.

Re POCSAG modules, what about a standalone module either hardwired to the phone or linked via Bluetooth (with caution about opening the data link to remote detection and usual SIGINT/ELINT unpleasantness)?

The paging app should also work with wifi VoIP solutions, so the call back can be done from e.g. a coffee shop’s wifi or any open node. Should also support an equivalent of SMS messages, so instead of a call the reply can be composed at leisure and then sent away from the nearest open wifi the user walks around. Randomizing the wifi module’s MAC address per connection is also a good add-on here.

Thought: A wearable directional antenna array for wifi. A vest with flat patch antennas, each with its own configurable delay line. In a way the electronically steerable radars use for decades, it can be made as directional as possible and track a moving target (when you are in a bus, a wifi in a building counts as a moving target). Anybody working here on radars who could advise about how complex the multiple-element steerable antennas are? There is some noise about making these “smart antennas” standard for cellphones and other stuff, as a way to conserve spectrum (by allowing sharing it spatially), but it goes on rather quietly for rather too long.


I’d suggest a staged approach.

Start with Raspberry Pi with RTL-SDR dongle, use software-defined radio to receive the pager messages. Optionally use Bluetooth dongle for phone interoperability. Voila, pocket receiver. Quick to build, easy to modify. Big, power-hungry, good for testers and early adopters and fine-tuning the capabilities and functional requirements - it is easy to forget something when writing the specs at the table/meetingroom.

Work on the app using this as the hardware. Constrict the communication between the phone and the pager to a serial port; a Bluetooth serial profile then can be replaced with a hardware UART or any other link. Serial data stream is the most flexible way of communication between devices; with this as the interface, you can swap the hardware part of the solution for something else and if the protocol stays the same, you’re still in business without the software-side changes.

Consider also the possibility of letting the pager communicate over NFC (there are EEPROM chips that can be read/written both over NFC and over I2C), or over a small display via QR-codes. In these cases the reader app should be able to convert the message from the pager to the same text line that would come through the serial interface if UART was used instead, and let the app listen on a socket fed with these data instead of on a ttyS-like device. Same principle, same open handle listening in the code.

Coevolve both the hw and the sw, from rough early-adopters versions to final user-friendly ones. Keep the development steps as simple as possible to lower the barrier to entry for the developers and to make it easy to get progress in bits and pieces of time nondedicated nonfulltime developers can spare.

Thoughts, suggestions?


It might be a chore to maintain a plausible fake personal data set; last call made 5 years ago might be a giveaway.

The solution would be a some sort of limited AI that would update the fake records with conversions you might have and cat pictures you might take. Your AI might even make silent calls to your friends’ AI’s so the operators log would match with your phone’s.
A clueless sim living it’s artificial life jailed inside your phone… makes me wonder why I am writing this comment in the first place…


Thanks a lot for the existential crisis :stuck_out_tongue:

Why does it even need plausibility? Why not just present them with a .gif of a laughing troll? Assuming the Constitution still applies and you’re not actually under torture.

1 Like

Border checks, for example. Or you just want to go home and not have a night-in-a-cell hassle.

I think it’s been (cynically) established that everywhere within 100 miles of the US border is a Constitution-free zone.

Why not just add false data, and have no way of distinguishing accept for the user hopefully remembering. An extra call added to memory that never happened, an extra sms, here and there. You know your phone is slightly unreliable, and it’s record aren’t hard evidence anymore, good trade.

I have sitting next to me a N900 with rtl-sdr and multimon running so we can already do pocsag, but the power consumption is something that the N900 can only handle for a few hours with the double battery mod, the DVB-T dongle actually gets hot. I am hoping that some dedicated low power hardware could be harvested from an old bravo pager or similar, unfortunately I do not have the skills to make it happen.
Hacking a bluetooth link is an interesting way to mod a pager to link it to a phone though the power consumption takes it from being a single AA a month device on your belt to one battery every ~24 hours.

1 Like

The RTL-SDR thing is a temporary solution to get the ball rolling. Then somebody can replace it with a low-power hardware. (Big batteries meanwhile.) Hacking stuff from old hardware is good for prototyping, less reliable choice for larger-scale production.

But all you need in the rf part is demodulating the carrier and getting out the bitstream. Then it becomes digital again. And slow (1200 or 2400 bps).

Use low-power bluetooth, the new standard for small devices. Modules are already on the market. The phone has to support it too, though. Which the N900 replacement will do as it is pretty much a standard now.

Edit: it is Bluetooth Low Energy.

You may also consider the NFC-interfaced EEPROM chips, these can be read even without power; just store message in and blink a LED to read it with the phone.

Or use a small e-ink display, send the data to the phone in machine-readable way as a QR-code, and backup with human-readable data next to it. More expensive than the EEPROM/NFC chip (but there are already e-ink displays for $10 or so, e.g. this).

These two ways can work with just about any phone (with the installed app), no need to pair to the bluetooth module, and much more difficult to apply bluetooth-style wireless attacks on the link as both are grossly limited by physical proximity requirements. There’s also the factor of Bluetooth advertising itself; these two cannot be so easily wiretapped remotely. (Caution, NFC can be intercepted (but AFAIK not actively read) over considerable distance, dozens of meters. See the tests done with attacks on NFC payment cards.)

A few years ago, I recall reading about a computer set up at one of the three letter agencies that locked the screen if its webcam detected that the authorized user wasn’t actually looking at the monitor.

There are quite some face recognition phone lock apps out there. I am not sure about their quality, though. But could work nicely as partial lock, disallowing access only to some areas of the phone, e.g. hiding selected contacts.

This topic was automatically closed after 5 days. New replies are no longer allowed.