Security Primer on Phones: How Phones Can Be Attacked (Not About Privacy)

Summary

➡ Mobile phones, while useful, can pose security risks. While the average person doesn’t need to worry too much, those in high-risk positions like whistleblowers, journalists, politicians, and celebrities need to be more cautious. Phone security can be compromised through physical access, surveillance, attacks by people you know, and internet attacks. It’s important to be aware of these risks and take necessary precautions, such as not storing too much data on your phone, regularly changing passwords, and being cautious of what apps you download.
➡ Avast, an app that installs fake root certificates, can be used for spying if someone has access to its private key. Remote attacks, like the Pegasus from the NSO group, are advanced and expensive, typically used by governments or large corporations. Another type of attack, SS7, can control phone functions like calls and texts, and can even track your location. Lastly, supply chain attacks can occur when someone embeds harmful functionality into the hardware or software of a device, but these are hard to discover and are usually reserved for high-value targets.
➡ To protect your data, limit the apps you use and avoid opening attachments on your phone. Big tech companies like Apple, Google, and Facebook have access to your data, but using open source phones can help protect your privacy. Physical access to your phone is a risk, but simple protections like using a fingerprint or being aware of who can access your phone can prevent attacks. Lastly, don’t assume that if your information is leaked, it came from your phone – it could have come from the internet.

Transcript

There’s a bit of an elephant in the room when talking about mobile phones. While I emphatically tell you that you should get an open source phone for your privacy, someone is bound to make a video comment saying that phones are unsafe and then these people will school me on the security problems with phones. And admittedly these people are not wrong. So one would ask why would you listen to me talking about privacy phones when I cannot even assure you of safety with threats like that? More aggressive aspects of phone security are not the area I focus on a lot since I am more targeted towards big tech and government mass surveillance, which I believe is the greater threat way more than individual targeted attacks.

We all want and need privacy and we need some level of security on our phones though we are just average everyday users. However, some people like Edward Snowden, Julian Assange, whistleblowers, journalists, politicians and people who live in the underworld of spycrafts, or likely even criminals like drug dealers need a level of security that’s above and beyond. Then there are the famous people who get blackmailed because of their nude photos like Jeff Bezos, or those who get assassinated when speaking against the Saudi government like Jamal Khashoggi, both supposedly powered by a Pegasus hack from the NSO group.

Or if you’re a criminal, a spy or an enemy of the state, then when you are arrested they can take your phone and extract your files and photos using advanced tools. Or someone could hack you remotely. Let me be clear, the average person doesn’t really need to worry too much about these threats because these are focused on high value targets. However, I need to explain it to you so you can judge for yourself if these are things you need to worry about or not. I don’t want to give you an incomplete picture with phones, so stay right there.

In this video I will delve primarily into security issues on phones and we’ll skip the privacy threats of big tech. I want to stress that the average person is not a security target and phones are generally very hard to attack. The strong focus on security, like on iPhones and security features being pushed by GrapheneOS, is based on the premise that you should put all your data on your phone and now you must spend all your time guarding it. This is in contrast with a privacy focused person who I encourage not to put too much data on the phone to begin with, so heavy security is not so much the focus.

However, if you put your life on the phone then yes, you will be super interested in security and this will concern you more. So today we will focus on the security side and the threats that you need to be aware of.

A state with physical access: Data extraction

If you’re at the airport and the authorities stop you and take your phone, can they access your data? And the answer is yes. And the amount of data they can capture depends on acronyms like BFU, AFU and FFS. This is important, so learn this with me. Newer phones have a feature called file based encryption or FBE.

When you put in your PIN code, password, Face ID, fingerprint or whatever on your device, the device uses that to generate long encryption keys which are then used to encrypt your files. As long as your phone is unlocked once but your device is on the lock screen, the files on your phone remain unencrypted. This state is called AFU, after first unlock. Companies like Cellebrite, which I mentioned in a recent video, have tools that can extract a majority of data from a device if the device is in AFU mode, and if your unlocked device is not on the lock screen, they can extract the entire data contents in a full transfer mode called FFS.

How do they extract data for FFS? A company called Grayshift has a program called GrayKey that can brute force the password on a phone and thus completely unlock it. Apparently this uses a zero day vulnerability and it can bypass the protections of both iPhones and Androids. These are tools used by law enforcement. Now interestingly, if you reboot your phone you are in a state called BFU or before first unlock. In this state the data that can be accessed is very minimal. So in this kind of emergency just make sure to reboot your phone before it can be taken.

Though you cannot be protected against GrayKey, some forensic people have stated that if you freeze the phone memory, it would ensure that the contents of memory remain fixed and this would allow it to be accessed later. These are just examples of techniques used to extract data like encryption keys and memory.

A state with physical access: Surveillance

When a state gets access to your phone, they may return the phone to you and at that point the phone is likely tainted. There are very many ways to insert malware into a phone or leave it temporarily in memory when there’s physical access.

Again, this is state level stuff, not something the average hacker can do. They can install secret system apps directly, modify executables in Linux, root the phone, possibly put keyloggers and trojans on the phone. Since they can brute force the password, they can get the same access as you can. So all of this is possible. About the only solution possible from here is at best to reinstall the custom ROM from scratch, but to play it safe I just sell the phone and get another. Now some of you will claim that your ex-husband or ex-girlfriend did this to your phone.

Well, we’ll get to that later, but it is possible only if they know your password. But in the government case here they can brute force the password using GrayKey.

Physical attacks by people you know

There’s an equivalent physical attack possibility in cases when someone you know, like an ex, had physical access to your phone. The difference here is that this person likely knew your password, like a PIN code or pattern that is easily noticed. If there is a potential risk of this kind, I would probably rely more on fingerprint protection as that cannot really be noticed.

Some phones can be fooled with a face ID, so that’s not 100%, but if the only way to access the phone is via fingerprint then it is more protected from others in your house. There’s some issue though with Fourth Amendment rules pertaining to biometric passwords, so just be aware of that. The problem is that once someone gets access to your phone with a valid password, then they have complete control and can root the phone, insert the same keyloggers, trojans and advanced spyware. However, I fail to imagine an average hacker with this skill set. The most likely tools they can install are commercial spyware apps with subscriptions and there are many like location trackers and tools that parents use to spy on their kids.

Social media use. This is the likely low tech way and these can be hidden if you’re not looking for them. Many of you assume that everyone has some advanced skill set in hacking here. Extremely wrong. Most hackers are actually just crackers, they copy what others have done. Very few people have sophisticated hacking skills and most of them will have high paying jobs in their fields or paid highly for criminal activity. Reinstalling the ROM should solve this kind of case. A factory reset may not be sufficient here depending on whether the device was rooted, although a factory reset should be the first line of defense when in a rush.

Just note though that modifying the root level files will often break verified boot, so you will likely get a warning as well. So if your phone comes with a verified boot OS like on a Brax3 or GrapheneOS, then you should pay attention to changes in warnings on boot. This does not apply to installations like LineageOS that do not have verified boot.

Internet attack: Full decryption

This is likely the most common threat affecting the most people and I would imagine this to be applicable to countries that do a heavy surveillance of their population.

Examples of countries in this category would be China, Russia, Iran, Saudi Arabia, to name a few. The attack method here is based on requiring citizens to download some app to access some government service. Then the app installs a fake root certificate on the device. I discussed the mechanics of root certificate attacks in an old video, but just in general, a fake root certificate breaks the TLS encryption on the Internet. Whoever has a private key to that root certificate, meaning in-country Internet routers and such, can then read the content in plain text and use that to perform mass surveillance.

The other possibility which crosses into a physical attack is that someone could physically just insert a fake root certificate on your device. This will not leave any app to look at, so you may not be aware of this change. And the other approach here is that it can be installed as part of an antivirus project. Avast is an example of an app that installs fake root certificates. So if someone has access to that private key, then any device with Avast could be spied on. So this could be used either for mass surveillance or a targeted attack.

Remote hacking attack

Now let’s get into remote attacks.

This is the kind of attack that involves something like a Pegasus from the NSO group. This kind of attack is beyond the skill set of a normal hacker. This is for those with deep pockets. The NSO group does not provide hacking tools for free and typically they market to governments, though I imagine big corporations could afford it too. I’m guessing that a Pegasus hack will have a one million dollar price tag. Are you worth one million to your opponent? So if you’re expecting your ex to have access to a Pegasus attack with remote hacking, then you really need to move on to more realistic concerns.

Pegasus is based on some to-date unknown zero day, which I imagine cost the NSO group a lot of money to discover. It would be their most protected asset. Pegasus is a no click attack, so apparently this will not require you to take action to embed the malware which can extract data from your phone. The most common reason for zero days is a memory leak which allows some root level code to be inserted and then the phone becomes vulnerable. And mostly it’s been used heavily against journalists and anti-government people speaking against certain iron fist regimes, at least in publicized cases.

It does not appear to be used by the US, though it wouldn’t surprise me if they had similar access. From my research the likely element containing the malware payload is an attachment, either an attachment to email, SMS or iMessage. So Apple attempted to counter it by having a mode where all attachments are eliminated.

Remote hacking attack: SS7

This requires a separate video on its own and it is the SS7 architecture of the phone network. Your phone has the modem processor or otherwise called the baseband modem and this device can be remote controlled using SS7 commands and even custom modem commands sent through SS7.

SS7 is the channel used by the public switched telephone network, the PSTN, to control phone functions like dialing, forwarding and texting. It is basically the language used to initiate phone and texting traffic. But your phone can secretly receive control messages as made known by the Simjacker hack. And this can activate an interface on your SIM card that can do things like intercept a call and text or initiate a call and text. Just in general, this attack is focused on phone related functions and is not really connected to intercepting your Internet traffic or accessing your files.

Some things this threat can be used for is to turn your phone on to call someone without your knowledge. Obviously this turns on the microphone and thus allows someone to listen in. The commands to the phone are sent with silent text over SS7, so there is no indication that it has occurred. The other threat here is that someone can use this to intercept text messages, which obviously can be problematic for two factor authentication. Someone could control your bank accounts and social media accounts this way. The attacker could also query your device for the nearest towers, so your location could be approximated with tower triangulation.

Not super precise, but could be useful for general surveillance. The attacker has to know your number to perform this attack, and generally this attack is not at the skill set of the average hacker. Because of authentication requirements to SS7, I would expect that credentials from a carrier, employee or government access would be required. There are some theoretical attacks made on the baseband modem itself to see if it can be used to access the main OS, meaning iOS and Android. I read in one case where someone transferred a file to the phone with a Samsung Exynos SoC.

So this could be an advanced way to transfer malware that has some zero days. This is possible because the main OS and the modem share memory and the main OS interacts with the modem OS to make calls, so there could be triggers for the action. Another threat in my mind is that some parts of the baseband modem could receive custom code, often referred to in embedded systems as FPGA. Some of you may have experienced the automatic over the air (OTA) update of your phone modem with a carrier update. Since this could load new software on the phone, it could possibly be a vector for introducing spyware at the modem level and can be used to attract people who approach certain sites like the NSA site in Fort Meade.

Supply chain attack

There’s another level of vulnerability on a phone that is possible, though discovering these kinds of attacks may be quite difficult. Phones, even those we classify as open source, such as those using Android Open Source Project, still have programming that is not visible to us. This is referred to as closed source blobs, meaning they are executable binaries and we don’t know what’s in them. A big source of these are device drivers from Broadcom or device drivers for cameras, sensors, power management, and so on that do not come from Linux itself. On an Android phone, these would be files found in vendor system or systemlib64.

Here’s a theoretical example. Let’s say that the manufacturer of the camera module modified the driver so that a live shot could be monitored or on the phone by an external party. Likely the device driver for the camera is closed source and we don’t know who made the device driver. But if a device driver is made to capture camera images, then there is a feature in Linux that is built into phones called SELinux. This means that each process has to be assigned allowable behaviors by the builder of the phone OS. For example, if the camera driver is connecting to the Internet by itself, then SELinux would be the way to stop that, since a camera driver would not normally be given Internet rights or network rights.

Now it is possible that someone modifying SELinux policies may screw up here, but since SELinux is outside of the control of the driver programmer then it would be a long shot to get such a threat activated. However, if some camera driver interacts directly with the network driver using secret communications, then the collusion between the two may not be within the scope of what SELinux can control in its security policies. So I state this as a possibility and we should be on guard that this could be an avenue for a zero day. The other potential source of threats is if someone embedded an engineer at Qualcomm, MediaTek, Samsung or TSMC to inject or hardware based functionality.

These kinds of threats are generally known as hardware supply chain attacks and the problem is that they are very hard to discover inside complex SoCs or even device drivers. Now some cocky custom ROM OS maker will likely claim that their OS is invulnerable, and with some of these threats I mentioned it becomes clear that it is impossible to guarantee a completely safe phone. Supply chain attacks are in my opinion at the level of three letter agencies and embedded engineering spies. There’s already a history of this having been done, particularly on router equipment from Cisco and others.

This is something that would be used very sparingly to keep it a secret and likely reserved for high value targets.

IMSI catcher attack

An old favorite attack was the use of the Stingray device, which is just generally called an IMSI catcher. This is a radio based attack and is basically a man in the middle method of intercepting your cell traffic. In theory this attack is well documented enough that even hackers can use it to some extent. However, personally I think this is no longer as important to use for law enforcement purposes. Mostly it is used to wiretap someone and listen in to conversations if you didn’t know the phone numbers of the parties.

But if you know the phone number, law enforcement can just wiretap the number directly from a browser over the Internet. They don’t even need to be present. This is because of the CALEA law, but this is useful to know who’s gathered at a particular location. This device can run in passive mode and just record IMSIs of devices in the area and thus is a proximity sensor. You can sense who’s near a particular location, which is really geofencing. Again, this has been replaced by an easier tool like Fog Data Science, Anomaly 6 or the Google Sensorvault, all of which are heavily used by law enforcement and have been used in court cases.

What is the real life risk?

Knock on wood. My phones have never been hacked and I’m of course a targeted person. Though typically I’m targeted by hackers, not state level operatives. So certain things I do must make me less vulnerable to an attack. But on the other hand, as I said, the bulk of the attacks you see are from state sponsored hackers and I’m not that kind of threat. The main lifestyle difference that protects me is that I’ve learned to not put much of my data on the phone. Photos on my phone are recent and then I transfer them to my backup server, which is Synology.

I not only limit the apps I use, but I have a long standing policy of not opening attachments. As you all have heard, the new phone technologies are focusing on AI and the AI companion and the main feature of these new operating systems is to see what you see. Apple and Google both currently do client side scanning to capture what you’re doing on screen and Microsoft is doing the same on a Windows PC. Fortunately, open source OSes do not have this kind of AI or AI agents that analyze your content. So if someone physically takes my phone, this kind of historical information will not be on it.

The biggest risk to most people is from physical access to the phone and the threat is then either using government tools like GrayKey to brute force a PIN code or your ex knowing your PIN code. Once someone unlocks your phone then all hell can break loose. But government access aside, simple protections like using fingerprint or just being aware of who can access your phone are enough to prevent attacks. Having given you all the security issues with phones, it is crazy to be obsessing with all this as some people do while ignoring the main issue which is affecting 99% of all people and that is having Apple, Google, Facebook and others have complete access to all your data.

It is not even important to look at your phone as they already have your data remotely or at least a profile of your data. And this is why I focus on the privacy issue more because it is more pressing. Only a fraction of 1% of you may experience a security attack, but 99% of you are already subject to a privacy attack. When I push you to use open source phones, I know that it really eliminates you from being in the 99%. You will be in the 1% of people safe from privacy issues then. At that point working on security issues makes you feel more secure and it is icing on the cake.

So please put my teachings here in balance. A good number of you claim that you’ve been hacked, but to be honest with you, you may not know you’re hacked until someone actually shows you information that they’ve acquired from you. And don’t assume that the information came from your phone. It could have come from the Internet, but I’m 100% certain that big Tech already has a ton of your data. In a follow up video, I will go deeper into some of the issues I outline here using my Brax3 partner Dominic Gingris as a resource. He has a long history of building secure phones, mostly for governments and we can learn some of the challenges of hardening a phone against attacks.

Folks, while other channels sustain themselves via sponsorship, we are actively funded directly by this community, hopefully one that benefits directly from the education we provide. Thank you to those who provide donations to us through Patreon, Locals and YouTube memberships. Our long run approach is just to offer services and compete in the open market to generate your trust and patronage. This makes me feel like I’m always offering you value rather than feel like I’m begging. For those interested in the Brax3 project, that is handled by the site braxtech.net and you can see the current status of the project there, which currently started shipping.

We have other products that you will find on our community area on Brax May. There are over 120,000 users that are part of our community and that discuss security and privacy issues in a safe environment. Many of you believe in us and so this community is growing. Some have been involved for more than 10 years. In our store there you will find products like the Google Phones, Brax Virtual Phone, braxmail, bytesvpn, and Brax Router. These are an essential base to building your personal privacy and of course support the creation of content on this channel. Thank you for watching and see you next time.
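The SELinux point in the supply chain section of the transcript can be checked mechanically. The following is an added example, not part of the video or the site: it scans policy text for any camera-related domain that has been granted network socket permissions, either directly or through an attribute it carries. The policy lines are a constructed sample and the type names are illustrative assumptions.

```python
import re

# Constructed sample in SELinux policy-source syntax; the type names are
# illustrative and not taken from any real device image.
SAMPLE_POLICY = """
typeattribute hal_camera_default halserverdomain;
typeattribute vendor_cam_helper netdomain;
allow hal_camera_default camera_device:chr_file { ioctl open read write };
allow hal_camera_default self:tcp_socket { create connect };
allow netdomain self:{ tcp_socket udp_socket } { create connect read write };
allow mediaserver hal_camera_default:binder { call transfer };
allow netd self:udp_socket { create bind };
"""

# Object classes whose presence in an allow rule means network reach.
NETWORK_CLASSES = {"tcp_socket", "udp_socket", "rawip_socket"}

# A token is either a single name or a brace-enclosed set of names.
TOKEN = r"(\{[^}]*\}|[\w*~-]+)"
RULE = re.compile(
    r"^\s*allow\s+" + TOKEN + r"\s+" + TOKEN + r"\s*:\s*" + TOKEN
    + r"\s+" + TOKEN + r"\s*;",
    re.M,
)
TYPEATTR = re.compile(r"^\s*typeattribute\s+([\w-]+)\s+([\w-]+)\s*;", re.M)


def expand(token):
    """Turn 'name' or '{ a b c }' into a list of names."""
    return token.strip("{} ").split()


def audit_network_grants(policy, domain_re=r"cam"):
    """Return (domain, granted_via, class, perms) for every network socket
    permission that reaches a domain whose name matches domain_re."""
    # Map each type to the attributes it carries, because a rule written
    # against an attribute applies to every type holding that attribute.
    attrs = {}
    for type_name, attr in TYPEATTR.findall(policy):
        attrs.setdefault(type_name, set()).add(attr)

    findings = []
    for src, _target, cls, perms in RULE.findall(policy):
        net_classes = sorted(NETWORK_CLASSES & set(expand(cls)))
        if not net_classes:
            continue
        for source in expand(src):
            # The rule hits the source itself plus any type carrying it.
            reached = {source} | {t for t, a in attrs.items() if source in a}
            for domain in sorted(d for d in reached if re.search(domain_re, d)):
                for net_class in net_classes:
                    findings.append(
                        (domain, source, net_class, tuple(sorted(expand(perms))))
                    )
    return findings


if __name__ == "__main__":
    for domain, via, net_class, perms in audit_network_grants(SAMPLE_POLICY):
        print(f"{domain}: {net_class} {{{' '.join(perms)}}} (granted via {via})")
```

A finding only shows that the policy permits the access; it does not show that the driver uses it, and it does not cover the case the transcript raises where two drivers talk to each other outside what the policy models.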


See more of Rob Braxman Tech on their Public Channel and the MPN Rob Braxman Tech channel.
