When I tell people I work for Purism and I’m asked what Purism does, the explanation I give to the average person is along the lines of: “we make privacy and security respecting hardware that runs free software.” Immediately after that, I almost always point to our hardware kill switches to demonstrate how we take a different approach from most other hardware out there. To me it’s a great example of a simple, easy-to-understand security measure that provides a tangible benefit to everyone.
Like with our Librem laptops, our Librem 5 smartphone will also feature kill switches; but unlike the laptops it will have three kill switches, not just two: one for the cameras and microphone, one for WiFi and Bluetooth, and one for the cellular baseband.
Later in this post I’m going to describe an exciting new feature for our Librem 5 phone we are calling “Lockdown Mode” that extends our normal kill switches to provide even more security and privacy; but first I will explain the existing use of, and reasons behind, each kill switch – as well as talk about some of the privacy and security risks with other sensors on the phone that have led us to implement Lockdown Mode.
The cameras and microphone kill switch is arguably even more important on a phone than on a laptop. While the webcam / microphone kill switch on our laptop can help protect you from malware that might snoop on you through the webcam without your knowing, at least it could only snoop on you while you are around your laptop. Most people tend to carry their phones with them everywhere so the privacy risks are much greater if your microphone and cameras are always on.
Like with the camera and microphone, the WiFi and Bluetooth kill switch has even greater significance on a phone than on a laptop. Disabling WiFi and Bluetooth can protect you from external over-the-air attacks if you are in a high-risk area (or a vulnerability comes out for your WiFi or Bluetooth card). Protecting against remote attacks isn’t the only benefit of this kill switch though; disabling WiFi in particular can also protect you from tracking.
Since your phone is in your pocket, your WiFi hardware detects compatible networks nearby as you move around. Even if you don’t associate with the networks around you, the mere fact that your hardware can see them allows the phone (and apps on it) to know you are near those devices. As you move, your distance to those devices changes, which changes the strength of the signal and helps triangulate where you are for any company like Google that has a database of WiFi access points, along with their location. By removing power from your WiFi hardware, you can ensure that any applications that might try to track your location with WiFi are blocked.
The cellular baseband kill switch is unique to the Librem 5 and completely removes power from the cellular modem in the Librem 5. Even if you aren’t concerned by the risks due to the fact that cellular modems run mystery code and have access to all communications that go over them, you still should be aware of, and concerned by, the tracking and privacy concerns. To route calls and data to your phone, your cellular provider needs to triangulate your position with respect to the towers in your area. As a result, as long as your cellular modem is on, your provider knows where you are. Your phone’s OS also uses this tracking data to supplement (or in place of) GPS so apps on your phone can also know where you are.
Putting a kill switch in the Librem 5 meant a design unlike many of the existing phones out there that combine the CPU and cellular modem into a single chip. We intentionally split out the baseband onto a replaceable M.2 card. This not only lets you physically remove the baseband altogether, but lets you power it off with a kill switch. If you want to know for sure that your cellphone isn’t tracking you, you can flip the switch and know for certain that it’s off.
One big challenge when protecting your privacy on a phone is that, unlike an average laptop, a phone is full of more sensors and other hardware that could be used for tracking and spying. A lot of security research over the past decade has demonstrated just how much information can be derived by seemingly harmless sensors that are included on a phone.
GNSS, which supports GPS, GLONASS, Galileo and Beidou – as well as SBAS augmentation services like WAAS, EGNOS, GAGAN and MSAS – is useful for navigation software, as it provides your accurate coordinates wherever you are on Earth. Despite what some people might think, the GNSS is a passive device. By itself, it can’t transmit your location to anyone; it can only pick up signals from GNSS satellites and use them to calculate your current position. That said, if your GNSS is on, even if your network is disabled, any software on your system with access to the GNSS can log your location, and transmit that log later.
The IMU chip provides a phone with a compass and accelerometer it can use along with a GNSS to tell what direction you are heading. An accelerometer is also a useful sensor to provide extra phone features such as detecting the orientation of the phone so that it can rotate the screen, provide metadata to the camera, and even detect when you pick it up, put it in your pocket, or flip it over and place it back on the night stand.
There are some privacy and security risks with the accelerometer, however. Security researchers over the years have discovered ways to detect what you are typing on the screen simply by looking at variations in the accelerometer. Also, being able to log the speed and direction of your phone, combined with detecting nearby WiFi access points could (in theory) provide a pretty accurate tracking device even with GNSS disabled.
The ambient light and proximity sensors on a phone provide a number of useful features we use every day. Among them, the light sensor helps the phone adjust the backlight brightness based on the available ambient light, which can help with power savings. The proximity sensor helps detect when you place the phone up to your face, so it can lock the screen and prevent you from accidentally triggering touchscreen button presses with your face. These sensors seem pretty harmless, but security researchers have demonstrated how the light sensor can be used to fingerprint a particular user and even to map out the arrangement and size of their home.
So we have three kill switches, yet there are so many other sensors that we might want to turn off. It’s true that people could disable hardware within the OS and since PureOS is free software and Purism is an ethical company, you have more reason to trust that disabling the hardware with software actually works. That said, the whole idea of the hardware kill switch is to provide you that additional assurance that a piece of hardware is truly off.
While we could add kill switches for every individual piece of hardware, having three kill switches already pushes the limits with respect to space on the phone, the complexity of the hardware and the overall user experience. So if you set the upper limit on kill switches to three, there are a number of different ways you can address the problem with these extra sensors including:
We have thought through all of these different options, among others, and we decided that it was better to offer the option for extra security to those who really need it. We have selected a solution we are calling Lockdown Mode, that gives people who need this extra level of protection the option to turn all sensors off easily, without imposing extra complexity on an average user.
To trigger Lockdown Mode, just switch all three kill switches off. When in Lockdown Mode, in addition to powering off the cameras, microphone, WiFi, Bluetooth and cellular baseband we also cut power to GNSS, IMU, and ambient light and proximity sensors. Lockdown Mode leaves you with a perfectly usable portable computer, just with all tracking sensors and other hardware disabled. If you switch any of the hardware kill switches back on, the hardware that corresponds to that switch powers on along with GNSS, IMU, and ambient light and proximity sensors.
One of the most obvious side effects of Lockdown Mode is the inability to use the GNSS with purely offline maps. Note that you still can do this on the Librem 5 in a few different ways, by flipping any one of the kill switches back on and then disabling the corresponding hardware in software. For instance, if your biggest concern was transmitting your location, you could leave the WiFi / Bluetooth and cellular baseband off, turn on the cameras and microphone and disable those in software instead. Those who need offline navigation but have such a high level of risk that they can’t accept the risk of disabling the cameras and microphone in software could physically remove the cellular baseband hardware from the phone and leave that kill switch on.
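The switch logic and the two offline-navigation scenarios above can be checked with a small model. This is an added example, not Purism's code: the switch and component names are labels chosen here, and `plan` is a hypothetical helper that lists which switch settings power what you need while keeping what you distrust off in hardware.

```python
from itertools import product

# Hardware gated directly by each kill switch, as described in the post.
# The key and component names are labels assumed for this model.
SWITCHES = {
    "cam_mic": {"cameras", "microphone"},
    "wifi_bt": {"wifi", "bluetooth"},
    "baseband": {"cellular"},
}
# Sensors that lose power only when all three switches are off.
LOCKDOWN_ONLY = {"gnss", "imu", "light_proximity"}


def in_lockdown(state):
    """Lockdown Mode is exactly the all-switches-off state."""
    return not any(state.values())


def powered(state):
    """Components with power for a {switch_name: is_on} state."""
    on = set()
    for name, parts in SWITCHES.items():
        if state[name]:
            on |= parts
    if not in_lockdown(state):
        on |= LOCKDOWN_ONLY  # any switch on brings the sensors back
    return on


def plan(need, hw_off, removed=frozenset()):
    """Switch settings that power `need` and keep `hw_off` unpowered.

    `removed` holds components physically taken out of the phone
    (for example the M.2 baseband card). Each result pairs a switch
    state with the components that are powered but not needed, which
    are left to be disabled in software.
    """
    results = []
    for bits in product([False, True], repeat=len(SWITCHES)):
        state = dict(zip(SWITCHES, bits))
        on = powered(state) - set(removed)
        if need <= on and not (hw_off & on):
            results.append((state, on - need))
    # Prefer settings that leave the least to software.
    return sorted(results, key=lambda r: len(r[1]))
```

With the radios required off in hardware, the only setting that keeps GNSS powered is the cameras and microphone switch on; if the cameras and microphone must also be off in hardware, no setting works unless the baseband card is removed and its switch left on.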
There is a lot of potential to extend Lockdown Mode past just disabling hardware into software, and we are exploring some of those options now. For instance, the OS could detect when Lockdown Mode is enabled and automatically lock your screen. Those who are under even greater threats could potentially have Lockdown Mode enable extra defenses inside the OS, disable certain services, or even shut down or wipe the phone (although I’d suggest you set up some kind of PIN prompt for that last one, in case you trigger all the switches by accident). There are a lot of possibilities for this new feature and I’m looking forward to seeing how our customers extend it on their own phones.