Sunday, July 31, 2022

Phone Privacy at DEFCON 30!

So our workshop on smart (I will keep a straight face here, just saying) phone privacy was accepted by the Crypto and Privacy village at DEFCON 30. If you are there, we will be presenting it on Saturday Aug 13th. As it will be only one hour, we strongly recommend that you first follow the instructions in the co-author's GitHub-based wiki; this link is also in the official DEFCON announcement, but it is so important we would rather mention it a few times.

So, what is it all about?

Short version: how to make your smart phone more private and why you should care. I could elaborate on that, but this post is not about the contents of the workshop: go watch it and find out!

Anything useful you want to tell us?

People have told me I have some kind of fixation with bullet points; let's not disappoint them, shall we?

  • No pictures will be taken with my phone; I will be bringing a camera -- ancient but trusty Canon ELF -- to take some pictures of the event. Yes, compared to modern smart phones its resolution is pathetic. But it has a real zoom, using real lenses, has no understanding of wireless file transfer (great during DEFCON), and does not keep you up at night when the vendor stops creating patches for it. As this will be a real camera, not a smart phone, the pictures will not be posted in real time.
  • I was comparing our abstract with the other presenters' and realized ours is gigantic by comparison! This is not a size competition, and I realized it may end up being a bit of a turnoff. But there is some logic behind the madness: we really wanted to make sure people knew what to expect and that they need to prepare for the workshop. Which leads to...
  • The "talk" part of this workshop will be rather short because the main dish is the hands-on part.
  • If you want to get your hands dirty, bring an Android phone. The two main requirements are:
    • A phone you are fine with being bricked. That can happen. And you can find out if it does brick before attending the event because we put the setup instructions in the wiki.
    • Ideally, you want to have a phone such as Google Pixel (3 and above), OnePlus, or Fairphone. The main reason is that a lot of Android phones have a closed source "blob" of code that is only updated for a brief period of time (a year? A week?), until not long after the replacement hits the shelves. However, we are not saying "for best experience you should have bought the latest $1000 phone" (bonus point if you know where I took that from). We do think everyone should be able to strive for a privacy-focused phone (sounds like a tag line for a product, eh?). In fact, we will have a Pixel 4 to show things, but a Pixel 3 will work just fine and can be found for around $50 if you look hard enough. When I checked this morning, a used Pixel 4 was hovering around $100.
    • FYI, I have issues with the Google Pixel phones, primarily how hard they are to repair.
  • I would love if we could make the phone fully private from a GDPR (we tend to mention it a lot in this blog?) standpoint, but that won't happen. Compounding that, some countries do not take your efforts to protect your privacy in your phone very kindly.
  • I really would like to thank the Crypto and Privacy village for having us. This may sound like the typical fake message you associate with Facebook and LinkedIn, but for a change it is real. One of the hints is that I am not starting this thread with "I am excited that;" the truth is that we have been working hard and long hours on this and the CPV crowd have put up with all of our stupid questions and rewrites and whatnots. And have not tried to strangle us!

Dude, I have an iPhone! What should I do?

Dude, I have no clue; I do not have an iPhone to research on!