Dumbphone survey

Tlhokaina

What's the best dumbphone for security/privacy?

Delaney

Tlhokaina A modern pixel phone with GrapheneOS installed

NoahRaketic

Tlhokaina They are all very bad for security and privacy.

Novalissoide

Tlhokaina best dumbphone for security/privacy?

One in the late 1990:s, early 2000:s, not anymore.

not-a-rola

Tlhokaina Old feature phones or modern ones based on KaiOS, but not Android.

NoahRaketic A dumbphone implies it only provides cell carrier services. Law enforcement has accass to that data anyway even with GOS.

Novalissoide Yeah. There are plenty of them on eBay and Vinted.

skywing

Would you please explain, why dumbphones are bad for security and privacy?
Is it because of missing features GrapheneOS offers or are there other reasons?

NoahRaketic

skywing Reliance on insecure protocols, very poor hardware security, questionable update cycles, among other issues.

not-a-rola A dumbphone implies it only provides cell carrier services. Law enforcement has accass to that data anyway even with GOS.

That is exactly part of the reason that dumbphones are so insecure. A user with only a dumphone does not have access to secure messengers like Signal (except for that one Punkt phone, which has its own issues), meaning the user will have to rely on very insecure protocols rather than secure alternatives. Either that, or they will have to move messaging to a very insecure desktop computer.

userofgos

skywing See here: https://xcancel.com/GrapheneOS/status/1982026809588748577#m

A dumb phone fully dependent on being connected to cellular with no support for private calls/texts is the opposite of a privacy improvement.

And here: https://xcancel.com/GrapheneOS/status/1837594658953679145#m

You don't avoid the issue of cellular requiring the device and SIM to identify with the network by using a far less secure device. You have the same issue but also have the problem that it's less hardened, will lack basic patches and you can't use Signal, etc. via cellular data.

Another one: https://xcancel.com/GrapheneOS/status/1813574104177381643#m

Carrier-based calls and texts are not private or secure. Unlike a smartphone, a dumb phone can't be used for secure communications. Being connected to cellular means you have identified with a subscription to it and it knows where you are. It has nothing to do with smartphones.

Lastly: https://xcancel.com/GrapheneOS/status/1748379011158257929#m

It's a misconception that dumb phones are more secure due to being less capable. They're much less secure even for the basic use case of simply using carrier-based calls and texts. You should also entirely avoid carrier-based calls and texts if possible since they're insecure.

Dumb phones have a much less capable CPU, cellular baseband and OS but they aren't more secure. Running a hardened Linux-based OS is a lot better than one of those barely updated and hardened feature phone operating systems. They often even have a horrifying insecure browser.

not-a-rola

Like this: https://www.vinted.pl/catalog?search_text=motorola%20t2288&search_by_image_uuid=&page=1

userofgos

skywing So there is only the argument, that the software is insecure.

That's not the only argument, the hardware is insecure as well as is written here: userofgos

skywing because I don't have to fear state-level-actors or hackers which are personally after me?

At the end of the day, it's your choice and if you're fine with the tradeoff's do what you will. You won't find many, if any, on this forum that will recommend using a "dumbphone" over a supported Pixel with GrapheneOS. I wouldn't touch one with a ten foot pole.

Novalissoide

The fallacy comes from a simple device feeling more easily controlled and easily monitored by the user. A simple phone gives a sense of 'too basic for advanced threats to be dangerous'. Fewer sensors of simple phones further adds to this impression.

skywing

Thank you very much for your explanation!
The argument, that carrier-based calls and texts are unsecure and unprivate is in my opinion not an argument against dumbphones. It is an argument against carrier-based calls an texts. Also on GrapheneOS.

So there is only the argument, that the software is insecure. But what do one do on a dumbphone?
I'm NOT talking about FEATUREphones (i.e. with KaiOS), which have more "capable" software, I'm talking about DUMBphones, like the Nokia 105.
If I neither use the "browser", nor save any sensitive data on the phone: what can go wrong when I just want a phone for calling and texting (yes, carrier-based) because I don't have to fear state-level-actors or hackers which are personally after me?

skywing

Please don't get me wrong. I don't want to defend the use of a dumbphone at any price. I have far too little idea about the matter for that. I just want to understand your arguments and the background. I may have to ask a little more specifically.

Most of my phone calls (private and professional) are made via the carrier. Does it make a difference whether I make these phone calls on a Pixel with GOS or on a dumbphone?

The same for SMS. Are SMS sent via GOS more secure than those sent from a dumbphone?

How can an attacker gain permissions on my dumbphone, for example, to listen in on conversations or eavesdrop on me via the microphone (without having physical access to my device)?

What other risks arise from the use of a dumbphone?

NoahRaketic

skywing A smartphone is still going to be more secure, even when only used for SMS and calls. It's going to have a better software update cycle and better isolation for baseband processors. With the exception of OSes based on AOSP and receive updates (most aren't), dumbphones have much poorer privilege separation between hardware, the system, and unprivileged apps and no full verified boot to ensure system integrity. All of that serves to make your phone much more vulnerable to a compromise, and especially a persistent compromise. This is also assuming the dumbphone has any physical security and locking mechanism (most don't).

Of course, with a smartphone that only does SMS/calls, the network is going to be the weakest link, it's just that the specific attack vector of compromising the device is much less likely.

It would be possible to develop a dumbphone that is at least as secure as a smartphone that only does calls/SMS, but such a device would take engineering work and would wind up costing hundreds of dollars for the consumer.

Blastoidea

On a “practical” note, I used a Nokia 2780 for about a year.

It was a roaring pain in the ass.

You may feel differently.

skywing

Thank you very much for your detailed response. I can understand many of the risks you mention.

For me, all of this is still quite abstract, because I’m not very tech-savvy in this regard. I still find it difficult to gauge the risk for myself personally.

On one hand, smartphones offer stronger security features. On the other hand, dumbphones have very few functions. With such a small attack surface, wouldn’t any attack have to be highly targeted at me personally?

Or is there a significant risk that I could become a victim of an attack “by chance,” just incidentally?

Novalissoide

skywing dumbphones have very few functions. With such a small attack surface

Again, the simple phone may give the user the impression of having small attack surface, but this is faulty logic. A smartphone has so many more ways of telling you when something dangerous is happening, while a simple phone will feel rock solid until it's not.

W1zardK1ng

skywing Dumb phones only support carrier based calls and SMS which are not encrypted and easy to intercept. They are great as a burner phones. U make a call then throw it away other than that it has no value.

skywing

Novalissoide while a simple phone will feel rock solid until it's not.

W1zardK1ng Dumb phones only support carrier based calls and SMS which are not encrypted and easy to intercept.

I use a dumbphone alongside my Pixel (GOS) for the purpose of digital detox (just to be reachable for my family and work colleagues).
Apart from the fact that carrier-based calls and SMS are insecure. And apart from hardware-insecurity.
Are there any reports that the software of a Nokia 105 has been remotely hacked and that this caused harm to the user?

For example: Is it possible for someone to remotely hack my dumbphone and misuse it as a listening device?
Or something else. I’m lacking the imagination for what else could go wrong if absolutely nothing sensitive is on the dumbphone except a few contacts.

Sorry if I’m starting to get on your nerves. I’m genuinely trying to understand it.

W1zardK1ng

skywing I use a dumbphone alongside my Pixel (GOS) for the purpose of digital detox (just to be reachable for my family and work colleagues).

You could do that if you already use a sim card and reach your friends and family using the traditional calls/sms. many people do that on a smartphone so for a detox it doesnt make any difference but don't have any sensitive discussion over that.

skywing Are there any reports that the software of a Nokia 105 has been remotely hacked and that this caused harm to the user?

Not that im aware of, but how many cases you heard of someone remotely hacked a pixel/iphone compared to the number of users. It costs millions of dollars to get such exploits and some random hackers cant afford that.

skywing Is it possible for someone to remotely hack my dumbphone and misuse it as a listening device?

Yes it possible but not easy, cost lots of money and resources, what is your threat model btw. People do those things only if you worth those efforts.