Message-ID: <52C8C990.1020508@bksys.at>
Date: Sun, 05 Jan 2014 03:55:12 +0100
From: Bernhard Kuemel <bernhard@...ys.at>
To: full-disclosure@...ts.grok.org.uk
Subject: "the Fairphone is fatally flawed for security"

Hi!

The Fairphone (http://www.fairphone.com/) is a socially fairly produced
smartphone, similar to fairtrade products.

http://replicant.us/2013/11/fairphone/ says:

"However, things are not looking so good when it comes to evaluating the
platform that was chosen for the Fairphone: the modem is embedded in the
System on a Chip (SoC) which leads us to believe that it is poorly
isolated from the rest of the platform and could access critical
components such as storage, RAM, GPS and audio (microphone) of the
device. If this was to be the case (we can only speculate about what the
truth actually is), it would mean that the Fairphone is fatally flawed
for security as it makes it possible for the phone to be converted to a
remote spying device."

Can you tell me what attack vectors might exploit this vulnerability?
Does there need to be a back door in the SoC? Can that be exploited by
sending "audio" signals to the modem? Or is this secure if no back door
was installed by the SoC manufacturer? But I guess we can't really know
that. OTOH, there could also be a back door in the CPU, right? What
makes the modem so "easy" to exploit?

Thanks, Bernhard

-- 
Encrypt emails.
My GPG key is on public key servers.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
