From b11aa57ed58ee6a0abed546f9a50843f6e6fdc49 Mon Sep 17 00:00:00 2001
From: Daniel Micay
GrapheneOS always considers the network to be hostile and does not implement weak - or useless mitigations. Therefore, it does not have the assorted gimmicks seen elsewhere - providing privacy/security theatre to make users feel better about these issues. One - of the core tenets of GrapheneOS is being honest with users and avoiding scams/frills - based around marketing rather than real world privacy/security threat models.
+GrapheneOS always considers networks to be hostile and avoids placing trust in + them. It leaves out various carrier apps included in the stock OS granting carriers + varying levels of administrative access beyond standard carrier configuration. + GrapheneOS also avoids trust in the cellular network in other ways including providing + a secure network time update implementation rather than trusting the cellular network + for this. Time is sensitive and can be used to bypass security checks depending on + certificate / key expiry.
-Activating airplane mode will fully disable the cellular radio transmit and receive - capabilities, which will prevent your phone from being reached from the cellular - network and stop your carrier (and anyone impersonating them to you) from tracking the - device via the cellular radio. The baseband implements other functionality such as - Wi-Fi and GPS functionality, but each of these components is separately sandboxed on - the baseband and independent of each other. Enabling airplane mode disables the - cellular radio, but Wi-Fi can be re-enabled and used without activating the cellular - radio again. This allows using the device as a Wi-Fi only device.
+Cellular networks use inherently insecure protocols and have many trusted parties. + Even if interception of the connection or some other man-in-the-middle attack along + the network is not currently occurring, the network is still untrustworthy and + information should not be sent unencrypted.
+ +Authenticated transport encryption such as HTTPS for web sites avoids trusting the + cellular network. End-to-end encrypted protocols such as the Signal messaging protocol + also avoid trusting the servers. GrapheneOS uses authenticated encryption with modern + protocols, forward secrecy and strong cipher configurations for our services. We only + recommend apps taking a decent approach in this area.
+ +Legacy calls and texts should be avoided as they're not secure and trust the + carrier / network along with having weak security against other parties. Trying to + detect some forms of interception rather than dealing with the root of the problem + (unencrypted communications / data transfer) would be foolish and doomed to + failure.
+ +Connecting to your carrier's network inherently depends on you identifying yourself to + it and anyone able to obtain administrative access. Activating airplane mode will + fully disable the cellular radio transmit and receive capabilities, which will prevent + your phone from being reached from the cellular network and stop your carrier (and + anyone impersonating them to you) from tracking the device via the cellular radio. The + baseband implements other functionality such as Wi-Fi and GPS functionality, but each + of these components is separately sandboxed on the baseband and independent of each + other. Enabling airplane mode disables the cellular radio, but Wi-Fi can be re-enabled + and used without activating the cellular radio again. This allows using the device as + a Wi-Fi only device.
The LTE-only mode added by GrapheneOS is solely intended for attack surface reduction. It should not be mistaken as a way to make the cellular network into something that can be trusted.
-Even if interception of the connection or some other man-in-the-middle attack along - the network is not currently occurring, the network is still untrustworthy and - information should not be sent unencrypted. Legacy calls and texts should be avoided - as they're not secure and trust the carrier / network along with having weak security - against other parties. Trying to detect some forms of interception rather than dealing - with the root of the problem (unencrypted communications / data transfer) would be - foolish and doomed to failure.
+GrapheneOS does not add gimmicks without a proper threat model and rationale. We + won't include flawed heuristics to guess when the cellular network should be trusted. + These kinds of features provide a false sense of security and encourage unwarranted + trust in cellular protocols and carrier networks as the default. These also trigger + false positives causing unnecessary concern and panic. Make good use of authenticated + encryption and airplane mode to avoid needing to depend on an insecure network.
Receiving a silent SMS is not a good indicator of being targeted by your cell carrier, police or government because anyone on the cell network can send
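Review bot: The last sentence of the added opening paragraph, "Time is sensitive and can be used to bypass security checks depending on certificate / key expiry", never says who controls the time or how the bypass works. Suggest stating the threat directly: a network that can set the device clock can make expired certificates / keys pass validity checks. The same paragraph calls the network time update implementation "secure" without saying what makes it so; a few words on how it is authenticated, or a link to the section that covers it, would back the claim.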
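Review bot: In the first added sentence of the airplane mode paragraph, "identifying yourself to it and anyone able to obtain administrative access" leaves open what the administrative access is to. Suggest repeating the preposition and naming the object, for example "to it and to anyone able to obtain administrative access to the network", adjusted to whatever scope is intended. The rest of that paragraph is carried over unchanged from the removed text and needs no comment.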
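Review bot: The added paragraph on authenticated transport encryption changes voice inside one sentence: it opens with "GrapheneOS uses authenticated encryption" and ends with "for our services", then continues with "We only recommend apps". Suggest keeping one voice throughout the section. In the same paragraph, "a decent approach in this area" gives readers no criterion; the preceding sentences already name the properties that matter (authenticated transport encryption, end-to-end encryption), so the recommendation could refer to those explicitly.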