Boeing's self-destructing, tamper-resistant spookphone: the Black


"Here, we made a perfectly secure phone. No, you can't know how it works. No, if you own one you can't know how it works, and if you try figuring it out and tell anyone, we'll sue you. Just trust us, it's perfectly secure."

What could possibly go wrong?

4 Likes

The reality is that if you tamper with it: DRONE STRIKE

3 Likes

Your analysis is somewhat flawed as regards "autodestruct" circuitry - they are not about physical access, and rather about means to read the actual bits and bytes. For example, old arcade systems, to prevent bootlegging, had special battery backed circuits. If you changed the electrical characteristics of the board, let's say by adding a probe or removing a component, the power balance would mean a bit of critical information would go missing (say a 128-bit cryptographic key) effectively turning the static information in the flash useless. I'm guessing Boeing's solution is a similar obfuscation system.

1 Like

Sure, boss … you can play with my new phone. I'm going to lunch.

1 Like

They're not telling you how it works. That doesn't mean they aren't telling anyone how it works. If their market is Government users and Government contractors, there are established requirements, practices, and review processes for assessing and modeling security. In general, when you are selling things to the government, you don't get to keep security a secret – although, the end users might not be privy to the whole story. Also, no one who knows anything claims things are perfectly secure, but you absolutely can make things tamper resistant. Boeing and its contractors have been doing that a long time. For hopefully obvious reasons, electronics on military aircraft are designed to be difficult to reverse engineer in the event of a crash. Depending on the threat, designers can use encryption. They can use zeroizing features. They can use coatings on the chips that are resistant to drilling and inspection. They can use physical destruction. Doesn't mean tampering is impossible, but it can be made more expensive or difficult.

1 Like

'"You're holding it wrong"'

3 Likes

If it doesnā€™t destruct with a puff of acrid smoke as it physically fries the circuitry, they really missed out on a huge opportunity to allow us to live out our Mission Impossible fantasies.

6 Likes

I recall in the old days of cable box hacking, some of them used systems to detect when the case was opened and zero-out some needed decryption keys.

The solution was to carefully drill a hole in the bottom of the case, under the PCB, and then short out the contacts for the offending switch.

Obviously, what needs to be done is to seal these devices above or below atmospheric pressure, and tie a pressure sensor to the kill circuitry.

I'd be inclined to believe the anti-tamper claims - this is basically what happens inside every (well, hopefully every) point of sale device, but also in hardware security modules, and a variety of secure/trusted computers used by the military, telecoms and financial industries. A lot of effort goes into monitoring the integrity of the enclosure; when anything suspicious is detected, encryption keys are rapidly destroyed. So you can usually get into the device, but by the time you get there, you will only have dead ICs on your hands.

And you can be sure that it will be tested thoroughly, before any government will use it. This probably includes sharing large parts of the security architecture.

This reminds me of Ross Anderson's "Security Engineering" - a book I have to read regularly to be reminded of all the ways security is built into our lives, and the many many places where we let it fail. Chapter 16 covers physical security.

3 Likes

If I was going to attack this phone and had a spook agency budget, I'd aim for the battery.

The battery is a power brick. We can make arbitrarily small ARM cores these days, and it ought to be possible to build a GSM dumb-phone stage and microphone into a fake battery which can still deliver enough juice to be convincing. Ta-da! The phone itself hasn't been compromised, but any time you draw enough juice to make a call, the second parasitic phone inside the battery pack listens in on your speech and the answers from the speaker and sends them out to your adversary.

The idea that you should take the battery out to ensure privacy when the phone is not in use is thereby turned into a vulnerability – all it takes is a pick-pocket swapping the real battery for a bug-battery and the device is compromised.

4 Likes

"There are no serviceable parts on Boeing's Black phone, and any attempted servicing or replacing of parts would destroy the product," Olcott wrote.

I.e. Capitalism at its zenith.

2 Likes

Bingo. I worked on remotely sensing systems that were deployed near the Soviets. We loaded both the cypher algorithm and keys into RAM during deployment for just this reason.

There are tried and true methods for anti-tamper activity that are REALLY simple. The best bang for the buck in electronics is layering the entire board in heat-tolerant, opaque resin, about a quarter inch thick. You can't lay leads on any contacts to discern their signals, and you can't peel / scrape / melt off the resin without damaging the components or any information in volatile storage.

Coupled with an expiring code, this would make the phone useless to its possessor within a day or so. Well inside the amount of time you could figure out how to non-destructively remove the coating.

For a phone, this would only require the coating over key-sensitive materials - the CPU, modem, and RAM - and lets you leave the rest free on other circuits.

I'd go so far as to say "A completely secure phone could be designed in a week and built in a month, with existing technology." That's not the same thing as saying "I can keep a secret completely secure." If the phone is too strong, Interested Parties just look for a weak point. "This is a picture of your son at day care" is really, really easy and fast, depending on your need.

These are all moot, however, as the universal weak point is your sales channel. "To sell this to us at the NSA / ISI / Ministry of State Security, you have to provide me the back door to this system. But we're good for 10,000 units and spare parts for ten years."
"Sure, let me get that right to you."

2 Likes

Cory,

You really should familiarize yourself with some of the industrial strength hardware security modules out there and their capabilities. Back in the day the IBM 4758 and 4764 had their own internal battery (if power goes out they brick themselves) and all sorts of tamper detection equipment. This includes temperature sensors, accelerometers, and a conductive fabric enclosure that can detect physical intrusion attempts. If any sensors detect abnormalities, the device assumes it is under attack, wipes its memory and then bricks itself. This actually made handling and installing them a bit of a delicate process as it is always 'on' and looking for excuses to suicide.

Newer equipment is even more sophisticated. We are all used to consumer level technology and its limitations. There is actually more secure stuff out there, just very few organizations are actually interested in security, because doing it right is really hard, and thus expensive.

If there's a circuit to detect tampering, wouldn't that have to work when the battery was out? Which would mean that the phone isn't completely "off" when the battery-that-you-know-about is out, right?

That said, some fancy crypto accelerator/security cards, that store the private keys onboard, do have a wire mesh array (potted in that otherworldly-tough electronics epoxy, just because they hate you) and one accidental severing, or sufficient change in resistance as you try to rig a bypass, and the keys zero out.

If I were in a mean mood (and willing to do lots of experimentation with humidity effects), contemporary high-resolution capacitance sensors, tied to conductive fibers buried in an epoxy matrix, would not be fun to sneak around.

You could also do some very neat stuff (power budget permitting) with MEMS mics mechanically coupled to the phone's chassis: minimizes the effect of external noises (given air's relatively slight density) but allows you to hear the slightest creak and deformation of the housing. Many tricks, some of them probably quite elegant indeed.

2 Likes

Need to mount a small airbag squib in there…

1 Like

There would be physical and electrical tamper-detection built into any cover that could be removed, possibly with multiple levels of increasing security. These could be in the form of pressure-sensitive hardware switches for the back cover or screen, or electrical contact continually maintained by a small, internal secondary battery, or a hardware-driven probe detection watchdog.

Removing anything more than the battery cover would trigger the switches or contacts (screen or main body skins). Attaching probes to live circuitry (by drilling through a skin) would trigger the erasure system, likely zeroing data stored in specific locations, full wipe, or possibly overwriting it with garbage or mundane info from a partition.

Check out FIPS-140 on Wikipedia for more info: http://en.wikipedia.org/wiki/FIPS_140

There's no reason this developer couldn't take the product further than a published specification.
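Several posts in this thread describe the same defensive pattern from different angles: keys kept only in volatile memory (the arcade boards, the Soviet-era sensing gear), an always-on monitor watching enclosure sensors (the IBM 4758/4764 mesh, temperature and motion sensors, the pressure-seal idea), and a response that zeroizes the key and latches the device into a dead state. The following C program is an added illustration of that loop written for this page; it is not Boeing's design, not the IBM HSM firmware, and not code from any poster. The sensor set, the thresholds, and the scenario values are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model of a tamper-responsive key store (constructed example).
 * The key exists only in RAM; a monitor polls enclosure sensors and on
 * any anomaly zeroizes the key and latches the device as "bricked" so
 * it refuses to accept a new key until a factory reset (not modelled).
 */

enum tamper_flag {
    TAMPER_NONE       = 0,
    TAMPER_MESH_OPEN  = 1u << 0, /* cover switch / conductive mesh continuity lost */
    TAMPER_TEMP       = 1u << 1, /* outside operating range (freeze or heat attacks) */
    TAMPER_PRESSURE   = 1u << 2, /* sealed enclosure breached (the pressure-sensor idea) */
    TAMPER_BACKUP_PWR = 1u << 3, /* backup cell too low to keep the monitor alive */
};

struct sensor_reading {
    bool   mesh_intact;   /* true while the mesh/switch circuit is continuous */
    double temp_c;
    double pressure_kpa;  /* enclosure is sealed above ambient in this model */
    double backup_volts;  /* the small internal cell that keeps the monitor powered */
};

struct key_store {
    uint8_t  key[16];      /* volatile-only key material */
    bool     valid;
    bool     bricked;      /* latched after any tamper event */
    unsigned tamper_flags; /* accumulated reasons, kept for post-incident review */
};

/* Zeroize through a volatile pointer so the compiler cannot elide the writes. */
static void secure_zero(void *p, size_t n)
{
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Map raw readings to tamper flags. Thresholds are illustrative constants. */
unsigned evaluate_sensors(const struct sensor_reading *r)
{
    unsigned flags = TAMPER_NONE;
    if (!r->mesh_intact)                                    flags |= TAMPER_MESH_OPEN;
    if (r->temp_c < -10.0 || r->temp_c > 70.0)              flags |= TAMPER_TEMP;
    if (r->pressure_kpa < 115.0 || r->pressure_kpa > 125.0) flags |= TAMPER_PRESSURE;
    if (r->backup_volts < 2.7)                              flags |= TAMPER_BACKUP_PWR;
    return flags;
}

/* Load a key; refused once the device has latched into the bricked state. */
bool key_store_load(struct key_store *ks, const uint8_t key[16])
{
    if (ks->bricked) return false;
    for (size_t i = 0; i < 16; i++) ks->key[i] = key[i];
    ks->valid = true;
    return true;
}

/* One iteration of the monitor loop: returns the flags raised by this poll. */
unsigned key_store_poll(struct key_store *ks, const struct sensor_reading *r)
{
    unsigned flags = evaluate_sensors(r);
    if (flags != TAMPER_NONE) {
        secure_zero(ks->key, sizeof ks->key); /* destroy the secret first */
        ks->valid = false;
        ks->bricked = true;                   /* then latch: no reload, no recovery */
        ks->tamper_flags |= flags;
    }
    return flags;
}

/* True when no key bytes remain and the store no longer claims a valid key. */
bool key_store_is_zeroed(const struct key_store *ks)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < sizeof ks->key; i++) acc |= ks->key[i];
    return acc == 0 && !ks->valid;
}

/* Scenario from the thread: a hole drilled through the skin breaks the pressure seal. */
unsigned run_drilling_scenario(struct key_store *ks)
{
    static const uint8_t demo_key[16] = { 0xA5, 0x5A, 0xA5, 0x5A, 1, 2, 3, 4,
                                          5, 6, 7, 8, 9, 10, 11, 12 };
    struct sensor_reading normal  = { true, 22.0, 120.0, 3.0 };
    struct sensor_reading drilled = { true, 22.0, 101.3, 3.0 }; /* pressure falls to ambient */

    *ks = (struct key_store){0};
    key_store_load(ks, demo_key);
    key_store_poll(ks, &normal);   /* nothing happens */
    key_store_poll(ks, &drilled);  /* zeroize and latch */
    return ks->tamper_flags;
}

int main(void)
{
    struct key_store ks;
    unsigned flags = run_drilling_scenario(&ks);
    printf("tamper flags: 0x%x, key zeroed: %s, reload accepted: %s\n",
           flags, key_store_is_zeroed(&ks) ? "yes" : "no",
           key_store_load(&ks, (const uint8_t[16]){0}) ? "yes" : "no");
    return 0;
}
```

Two design points worth noticing: the key is erased before the device is marked bricked, so there is no window in which a tamper event has been noticed but the secret is still present; and the latch is one-way, which is exactly why real HSMs of this kind are "delicate" to install, as the post above describes. The volatile-pointer zeroization matters because an ordinary `memset` on memory that is never read again is a write the optimizer is allowed to drop.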

A lot of good a self-destructing phone will do you if you pick an easy-to-guess four character password.

2 Likes