Indie UK mobile carrier announces a Tor-only SIM that blocks unencrypted data

Originally published at: https://boingboing.net/2018/10/23/hardware-orbot.html


Bullshit marketing. IP traffic does not go through the SIM and thus the SIM is not in a position to do so.

It may be that their particular subscription goes through a data gateway that tries to block non-Tor traffic. In which case there is no reason why they couldn’t also make the service available to existing customers.

“requiring Orbot to be installed”, again, if the SIM is inserted into a dumb GSM phone, what is it gonna do? Nothing that couldn’t be bypassed by malware, unless it uses baseband hackery to inspect the main OS, and frankly, this is not something you should look forward to.

They certainly could (it sounds like they already sell such a thing for wireline internet service; and in general telcos are free to attach just about any value-added to the gateway side of things); but it could well be that the most enthusiastic Tor SIM users aren’t the ones who buy 2 year contracts with billing details on file and weak credentials to the user portal and such.

For what a SIM doesn’t cost these days it’s a fairly low overhead way to make what would otherwise involve some billing records and customer preferences and so on into an SKU you can just buy and pop into a phone. One also suspects that relatively few people are in the market for only a data-only-Tor-only service; so they probably want the additional SIM for either a dual SIM device or a burner; they don’t want their primary SIM made Tor only.

Having the gateway refuse non-Tor traffic will hopefully reduce the risk of the ever-chatty mobile apps and the usually quite limited client-side firewall options; but I hope we don’t have too many people making the mistake of using this SIM in the same handset as a more identifiable one. SIM/IMEI correlation wouldn’t exactly be rocket surgery in that case.

I’m all in favor of these kinds of things, but at some point one has to start wondering whether they’re already being weaponized. If I was an employee of some alphabet-soup federal agency tasked with data/behavior exfil of some of the more security-skittish folks in my country, a service such as this would be just about ideal.

At some point, eventually, everyone has to ask themselves who they trust.

Unfortunately, not enough people to securely implement Hello World, much less the systems I want to use (once you count all the hardware, compiler, library, etc. dependencies; that’s not a knock against the people I do trust).

That’s the trouble. If all I had to do was trust the motives of the guy implementing my technology I’d be set with just a little DIY; instead I need to find pure motives and impeccable competence. That’s tricky.
