Using GrapheneOS as a base for a consumer product
pixpot
Thanks.
Thanks for all the replies. Even though I tried in my original post to define what we are doing, I'll summarize the project and business model here:
We are building a phone that needs to be as secure, anonymous and privacy oriented as possible using small means and a limited budget. We aim to make everything as cheap and easy for the end user as possible.
The phone will be using a custom security hardened version of an OS (hopefully GrapheneOS)
The stripped down OS will include only one app, a custom version of Signal and will be using the official Signal infrastructure.
Once we have a working prototype we will buy cheap phones in bulk and flash them with our custom build and then sell them to consumers anonymously.
I came here to see if I could find some advice on whether using GrapheneOS was a good fit for our product, and in my OP I asked some more technical questions that I hoped to get some answers to.
I'm also happy to answer any question you might have (or even to collaborate). We do have funding and a business plan in place.
pixpot Pixel 4 costs about 200 USD
Pixel 4 firmware support is over, so anybody who would buy a locked-down Pixel 4 would be buying something running firmware with vulnerabilities that won't be tracked or fixed.
pixpot Despite the lack of direct identification, mobile network operators still allow anonymous prepaid SIM cards to access the internet and communicate over cellular networks. The network identifies the SIM card based on its unique International Mobile Subscriber Identity (IMSI) and the authentication keys stored on the SIM card. The IMSI is not directly tied to the user's identity during the purchase process, making it more challenging to trace back to an individual.
An earlier claim was "not registered to any person or company", which is quite different from "not directly tied to the user's identity" / "more challenging to trace back to an individual".
If I were to purchase a phone from your company with an "anonymous" SIM in it, I could choose to assume that your company hadn't recorded which SIM card you shipped with my phone, but personally I wouldn't make such an assumption.
Meanwhile, though indeed there are lots of people selling "anonymous SIM cards" online, making all sorts of claims (including "GPS spoofing", LOL), that doesn't make those claims accurate. This piece might be of interest: Anonymous SIM card scam, especially the "Anonymous SIM cards are really anonymous?" part.
At some point if your company does ship "anonymous SIM cards" to your customers, the customers (and anybody publishing a review of the product) will discover who issued the SIM cards, and be able to evaluate claims like "anonymous", "not registered to any person or company", "more challenging to trace back to an individual", etc. But a claim that your company can provide SIM cards that would shield "journalists under repressive governments" is an extraordinary claim that calls for extraordinary evidence.
The company seems to be targeting Sky Global's market, or am I mistaken?
That's a bit risky. I'd say the biggest risk is being dragged to legal complications by unsavory clients if authorities figure that SIM scheme of yours means you're aiding your clients in their activities.
As for the technical side, some further considerations:
- using Starlink instead of cell towers? Or bundle a gli router with the phone.
- removing the phone's camera & microphone as Snowden does, only allowing verbal communication by USB devices
- ...not by Bluetooth because every android and iOS phone is a bt tracking device for other phones.
- provide users with safe charging cables (USB cables with the data wires removed) to reduce the attack surface, even though GOS has USB attack mitigation.
pixpot Since we are not allowing users to install any other apps this should not be an issue right?
Yes, but the Pre-installed apps need to work without Native code debugging.
pixpot Think of the product as strictly a secure communication device where users can send messages (and use voice in a future update).
Nice
pixpot If you want affordable and secure, you pretty much can't look beyond the recent Pixel a series (6a or 7a at the moment), as they guarantee 5 years of security updates after release and also have the Tensor security core. Even the Pixel 5 that you suggested will run out in a few months. You can check this table to see which devices make sense to use: https://grapheneos.org/faq#device-lifetime
de0u If I were to purchase a phone from your company with an "anonymous" SIM in it, I could choose to assume that your company hadn't recorded which SIM card you shipped with my phone, but personally I wouldn't make such an assumption
We won't record anything, not even your name. If you assume we somehow investigate you before selling you a phone to then register you to a sim card/phone then you are wrong. We don't record any customer data.
de0u Meanwhile, though indeed there are lots of people selling "anonymous SIM cards" online, making all sorts of claims [that are not] accurate. This piece might be of interest: Anonymous SIM card scam, especially the "Anonymous SIM cards are really anonymous?" part.
The sim cards ARE anonymous, no name or ID is required to buy or use them. As for the claim in your link that
But when it comes to the law enforcement agencies that will want to find a prepaid ("anonymous") SIM card user's identity, the situation changes radically: no chance to hide your identity. Whether using the network operator or through lawful interception systems, finding the identity of any prepaid SIM user is a matter of a few days or even hours.
That is complete nonsense. "No chance to hide your Identity"?
Please explain how anyone (law enforcement for example) can find the identity of a user with a phone using anonymous sim and a VPN to communicate via the Signal app.
de0u A claim that your company can provide SIM cards that would shield "journalists under repressive governments" is an extraordinary claim that calls for extraordinary evidence.
That depends on many variables, both technical and behavioral. It also depends on the definition of "shields". But I don't think the claim is extraordinary.
If a user is:
Using a phone with the aforementioned features (anonymous SIM, VPN, Signal, automatic "airplane mode" every time the screen is turned off, random MAC address for each connection, etc.)
Not falling into a pattern of always using the phone in the same place at the same time.
I think it does a great job of "shielding" users to a very high degree. Of course, if a government/agency deems you so dangerous that they are willing to spend millions in technology and manpower, no communication method in the world is ultimately safe.
Hb1hf The company seems to be targeting Sky Global's market, or am I mistaken?
Yes. That is not our goal at all. The objective is simply to provide a device that is safe, anonymous and private as possible at an affordable price.
That's a bit risky. I'd say the biggest risk is being dragged to legal complications by unsavory clients if authorities figure that SIM scheme of yours means you're aiding your clients in their activities.
We are not aiding anyone in illegal activity. Are manufacturers of ski masks aiding bank robbers?
As for the technical side, some further considerations:
using Starlink instead of cell towers? Or bundle a gli router with the phone.
Worth investigating. Thanks!
removing the phone's camera & microphone as Snowden does, only allowing verbal communication by USB devices
...not by Bluetooth because every android and iOS phone is a bt tracking device for other phones.
Camera, microphone, Bluetooth and GPS will be physically disconnected before the phone is shipped.
provide users with safe charging cables (USB cables with the data wires removed) to reduce the attack surface, even though GOS has USB attack mitigation.
The phone will not ship with a charging cable. We will rely on GOS's USB attack mitigation.
pixpot Please explain how anyone (law enforcement for example) can find the identity of a user with a phone using anonymous sim and a VPN to communicate via the Signal app.
I think what de0u means and elaborated yesterday is that cellular networks are fundamentally tracking networks. Since you want your users to utilize mobile data for Signal messages, they will be trackable via triangulation any time they use it. Law enforcement, if motivated enough, could simply wait for the users to turn off Airplane mode, track them down and arrest them. They could also force mobile carriers to hand over logs and figure out where your users regularly are and where they sleep.
There's simply no way around it: If the users' threat model involves hiding from three letter agencies or other well-resourced law enforcement, they should not use mobile data and operate their phone only in Airplane mode (with occasional WiFi when using signal). Using a mobile router that allows shuffling IMEIs around and buy a new SIM card regularly like Hb1hf suggested (if I understood them correctly) will make the users harder to target, but still: As soon as a SIM card connects to a network, it will be trackable.
pixpot The sim cards ARE anonymous
No, they are more like pseudonymous, because the carrier can do stuff like cellular triangulation.
First off. Thank you for an interesting discussion.
N1b I think what de0u means and elaborated yesterday is that cellular networks are fundamentally tracking networks. Since you want your users to utilize mobile data for Signal messages, they will be trackable via triangulation any time they use it. Law enforcement, if motivated enough, could simply wait for the users to turn off Airplane mode, track them down and arrest them. They could also force mobile carriers to hand over logs and figure out where your users regularly and where they sleep.
I am aware of this "problem". I'm not 100% up to date on the technical progress in the field when it comes to triangulation/location pinpointing. But I'm under the assumption that it is not even close to as precise as GPS. The towers can give you a signal strength and general direction of the cellphone. These are not precise, but by combining data from more than one tower they can narrow the location down to (I'm guessing now) within a circle of 300 meters in diameter.
BUT. The only thing they have is a SIM card that transmits from that location.
If the user is unknown, the contents of the communication is unknown and the recipient is unknown, then this data is totally worthless.
There's simply no way around it: If the users' threat model involves hiding from three letter agencies or other well-resourced law enforcement, they should not use mobile data and operate their phone only in Airplane mode (with occasional WiFi when using signal). Using a mobile router that allows shuffling IMEIs around and buy a new SIM card regularly like Hb1hf suggested (if I understood them correctly) will make the users harder to target, but still: As soon as a SIM card connects to a network, it will be trackable
I agree, but let's take an example. You and me start an underground news agency that reports on crimes of a repressive regime. The regime's "3 letter agencies" would have to:
- Find out who we are
- Find out what sim cards we are using
- Find out when we are communicating
- Find out the contents of our communication
- Find out our current location
Solving 5 if 1-4 are known is fairly simple. But solving 1-4 is nearly impossible.
Another similar scenario would arise if you switch nr 4 and 5 so that the agency hopes to
find out the contents of our communication after they have arrested us. This task would range from nearly impossible to easy depending on how repressive the government is (using torture, etc.) since our phones are encrypted and have a panic wipe function, a timer wipe function and do not store any communication data even if they are unlocked/cracked.
As stated earlier, I agree that finding the current location of a device (nr 5 in the original list) can be fairly easy.
1-4 I would grade as nearly impossible unless resources of extreme proportions are used (and even if so, a small chance of success).
Please feel free to elaborate/comment further.
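As an added example, not code from this thread or from any of its participants, the script below makes concrete what N1b describes (a carrier handing over logs that show where a user regularly is and where they sleep) and what pixpot's "the only thing they have is a SIM card that transmits from that location" amounts to over time. Given nothing but carrier-side attach records keyed by IMSI, it derives the cell where a pseudonymous SIM spends its nights, the cell where it spends working hours, and which other IMSI it is repeatedly co-located with. The log lines and IMSIs are constructed; the hour windows and the co-location window are assumptions chosen for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed carrier-side attach records in the form "timestamp,IMSI,cell_id".
# Every value is made up for this example; the IMSIs are not real subscribers.
IMSI_A = "001010000000001"
IMSI_B = "001010000000002"

SAMPLE_LOG = """\
2023-06-01T01:10:00,001010000000001,CELL-HOME
2023-06-01T03:40:00,001010000000001,CELL-HOME
2023-06-01T10:05:00,001010000000001,CELL-WORK
2023-06-01T12:30:00,001010000000001,CELL-CAFE
2023-06-01T12:32:00,001010000000002,CELL-CAFE
2023-06-01T15:00:00,001010000000001,CELL-WORK
2023-06-02T02:15:00,001010000000001,CELL-HOME
2023-06-02T09:50:00,001010000000001,CELL-WORK
2023-06-02T13:00:00,001010000000001,CELL-PARK
2023-06-02T13:20:00,001010000000002,CELL-PARK
2023-06-02T14:10:00,001010000000001,CELL-WORK
2023-06-03T00:30:00,001010000000001,CELL-HOME
2023-06-03T04:00:00,001010000000001,CELL-HOME
2023-06-03T11:00:00,001010000000001,CELL-WORK
2023-06-03T23:30:00,001010000000001,CELL-FRIEND
"""


def parse_records(text):
    """Parse CSV lines into (datetime, imsi, cell_id) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, imsi, cell = line.split(",")
        records.append((datetime.fromisoformat(ts), imsi, cell))
    return records


def most_common_cell(records, imsi, hour_start, hour_end):
    """Most frequently seen cell for one IMSI within the hour window [hour_start, hour_end)."""
    counts = Counter(cell for ts, who, cell in records
                     if who == imsi and hour_start <= ts.hour < hour_end)
    if not counts:
        return None
    return counts.most_common(1)[0][0]


def likely_home_cell(records, imsi):
    # Assumption: the cell a SIM sits on between 00:00 and 05:00 is where its owner sleeps.
    return most_common_cell(records, imsi, 0, 5)


def likely_work_cell(records, imsi):
    # Assumption: the dominant cell between 09:00 and 17:00 is a workplace.
    return most_common_cell(records, imsi, 9, 17)


def co_located(records, imsi_a, imsi_b, window_minutes):
    """Count attach events where both IMSIs were on the same cell within window_minutes of each other."""
    seen_a = [(ts, cell) for ts, who, cell in records if who == imsi_a]
    seen_b = [(ts, cell) for ts, who, cell in records if who == imsi_b]
    hits = 0
    for ta, ca in seen_a:
        for tb, cb in seen_b:
            if ca == cb and abs((ta - tb).total_seconds()) <= window_minutes * 60:
                hits += 1
    return hits


def profile(records, imsi):
    """Summarize what the carrier can say about a SIM it has never seen an ID for."""
    return {
        "imsi": imsi,
        "home_cell": likely_home_cell(records, imsi),
        "work_cell": likely_work_cell(records, imsi),
    }


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(profile(recs, IMSI_A))
    print("co-located with", IMSI_B, ":", co_located(recs, IMSI_A, IMSI_B, 30), "times")
```

Nothing here identifies a person; it identifies a residence, a workplace and a contact, which is what "pseudonymous" means in practice. The records only exist while the SIM is attached, which is why N1b's advice is to stay in Airplane mode rather than to rely on the SIM being unregistered.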
Honestly, and this isn't a dig at you or trying to throw your credibility into question or anything like that, I would NOT trust you to supply a device with the claimed characteristics. Why? Because I don't know you and can't really check your work to make sure it is good. For all I know, you could be handing out backdoored devices for whatever reason (blackmail, foreign government payoff, etc.)
In the line of "anonymous sim card", that is simply not a possibility. I think the best option there is, is a cellular service being provided by a company in a country that doesn't have an information sharing agreement with the country the end user will be using it in. Especially eSIM, which can be swapped out without having to obtain a physical replacement.
Now there will STILL be trackable data from the device as long as it makes any kind of cellular connection -- the device's IMEI. Nothing you can do to prevent it from being tracked from cell to cell except by carrying multiple phones and switching between them frequently.
As far as the OS goes, again, I don't trust you, I trust ME. So I'd insist on installing grapheneOS myself, not having someone else do it and muck with it in who knows what way.
So from my point of view, you are BREAKING the trust of the device, not enhancing it.
And "Signal" -- correct me if I'm wrong, but that has to be linked to a PHONE NUMBER, doesn't it? That means that somewhere, someone can track certain metadata. Who is sending a message, to whom, at what time, etc. Even if they don't know the CONTENT of the message, there is still a ton of data available to be harvested and used for tracking. I sure as hell wouldn't be using "Signal" for anonymity.
csis01 Honestly, and this isn't a dig at you or trying to throw your credibility into question or anything like that, I would NOT trust you to supply a device with the claimed characteristics. Why? Because I don't know you and can't really check your work to make sure it is good. For all I know, you could be handing out backdoored devices for whatever reason (blackmail, foreign government payoff, etc.)
I understand and appreciate that. However, you are not in the target group. You are a tech savvy user with knowledge in this area. Our customers are not.
You CAN check our work. Our company will be publicly listed with all legal documentation available.
csis01 In the line of "anonymous sim card", that is simply not a possibility. I think the best option there is, is a cellular service being provided by a company in a country that doesn't have an information sharing agreement with the country the end user will be using it in. Especially eSIM, which can be swapped out without having to obtain a physical replacement
It's absolutely possible to obtain anonymous SIM cards in bulk. Read the previous posts. Our main concern is not hiding the approximate location of a device but rather to make it impossible to identify the person using the device and eavesdrop on their communication.
csis01 And "Signal" -- correct me if I'm wrong, but that has to be linked to a PHONE NUMBER, doesn't it? That means that somewhere, someone can track certain metadata. Who is sending a message, to whom, at what time, etc. Even if they don't know the CONTENT of the message, there is still a ton of data available to be harvested and used for tracking. I sure as hell wouldn't be using "Signal" for anonymity.
Signal initially requires a phone number. That could (and will) be a disposable number used only for the purpose of creating a Signal account. That number (a virtual number) will then be discarded and an anonymous SIM card will be used to handle mobile data. This makes Signal users anonymous since the number used to activate their account was an anonymous, temporary disposable number.
You have obviously thought of many things. It’s the ones you haven’t thought of that will bite you on the ass.
Your enthusiasm is refreshing, and I wish you luck. Pick your advisors carefully.
Blastoidea Thank you. If you have any point that we have not considered, please feel free to contribute them!