Extreme disappointement with Pine's shipping department

[mouffa]

I can see too much conspiracy here, Australia and New Zealand are the leading 1984 Orwelian western states, if you are afraid of such intervention you should go and pick the phone by yourself from Hong Kong or tell someone to ship it to you as a personal item from another country, the funny thing is that I hadn't thought of that scenario though I knew that anything could be hiding in the Quectel modem, in the US all the modems have to have backdoors by law and according to Braxman the still undisclosed Pegasus attack was due to modem backdoors

[barray]

I'm putting this here because I'm not sure if this deserves its own thread.

I think this could have been put on its own thread, it's an interesting discussion that should be had. After all, one of the benefits of an open source phone is its security.

Some people on other sites have voiced concern that this shipment of pinephones has been subject to "Method Interdiction".

Which sites have people voiced this concern on? Why didn't they come here?

Obviously, without leaks, we'll see no proof of this, but New Zealand does have intelligence-sharing agreements with several other countries, and it's not exactly a secret that many of the people who buy these phones did so out of a desire to escape the problems android and iOS devices have with sending gobs of user data to the servers of large corporations.

The shipment really spent just a day or something in New Zealand, I can promise you New Zealand does not have the infrastructure for such an operation. Doing this would require a lot of time and financial investment - something I really doubt big government agencies would bother with. More interesting to them would be a server, for example.

Usually these types of attacks would be a combination of hardware and software - the software is likely to be re-flashed as soon as it arrives (and I recommend you do so).

Fortunately, there's published images of the PCB you can compare it to so you can check for hardware modifications.

Equally, if you are seriously considering the Five Eyes in your threat model, I would consider every single place and Country the phone visits on its journey to you, including the factory. Equally, it would be much easier to change the PCB or software and introduce bugs there. For example, if you introduce a bug into SSH or OpenSSL, you get all Linux phones and servers at the same time. Factories are also not entirely unknown to pre-install viruses for example.

Also, that would probably cause a longer delay if they were to physically replace components but you can't be sure since other things could very well cause the pallet to sit there for over a month.

They were literally there for a day or so, something that @lukasz can likely confirm.

But if I were you I'd treat these things as any computer if you're concerned about that: load a new operating system before doing anything else. Overwrite the EMMC with random data (dd if=/dev/urandom) to be really, really sure.

It really depends on your threat model.

I would hope Pine64 can inspect the phones before they ship to customers but I'm aware that might be infeasible.

I doubt this is possible and if anything, it will just delay the time it takes to get your device and introduce further potential points to introduce issues.

[biketool]

OK, fine; I actually like this line of thinking.... even if I hate it!
An exercise in counterintelligence: Threat level nightmare
Let us act as though we 100% know a hostile tech superpower nation state actor has had weeks to adulterate our Pinephones and other gadgets, they have the hardware in their hands, lets talk that scenario out in a serious and technical way.

The board is easy enough to pull and inspect for the chip number stamps, I think those are all in the wiki and pics?
How can we test point verify that we have authentic and unhacked hardware? Do they throw anything unique and unspoofable at startup?
How could we hash verify what firmware is loaded?
How can we verify that the firmware is hash correct?
Is it possible for the ADB method to verify 100% what is going on inside the telephony modem module and it has not been turned rogue?
Is it possible to make a paranoia SD image where we can fully wipe all firmware and other memory and verifiable reload it with hash verified safe images?
How could we be sure we are getting a clean copy of the paranoia boot image?

The only assumption I don't try to make in this scenario is that the opposition would take the time to fab up custom silicon, not sure what could be done if they are willing to invest that deeply.

Am I missing anything?

If we can compile a full sterilization and reload protocol we can publish it in the wiki. The existence of such a scorched earth reload protocol would be a real feather in the cap of the Pinephone over any others from a security standpoint.

[mouffa]

the chips can have non user-flashable undisclosed binary blobs, so they can replace the same components with different blobs or factory-reprogram the chip, I would inspect the motherboard for the types of solder used etc

[biketool]

the chips can have non user-flashable undisclosed binary blobs, so they can replace the same components with different blobs or factory-reprogram the chip, I would inspect the motherboard for the types of solder used etc

So since for once WE(pine64) are the customer can we request future hardware revs allow a checksum at power up?  I think cryptographically signed firmware hash or something like that would serve the purpose. 
Can we request that the no-dump fuses be left unblown?
How do you ID a fake IC in the wild without decapping the package?
How does a vendor verify authenticity of flashed firmware other than chain of custody or flashing in house and setting the no-flash fuses?
(edit)
If we are designing the board then including non-standard verification test points should be possible even if we have to plug in a serial line or something.

[kqlnut]

This long, but interesting article about potential ways of securing the PinePhone might be of interest here.

[mouffa]

the manufacturers are not obliged to disclose the chip schematics and the microcode so you can not know if there is firmware somewhere in the chip without electron microscopy, forget it, they will just not provide the chips if you insist on such condintions

[tllim]

Instead of waiting current batch return from New Zealand, Pine Store has arranged to reship another new PinePhone batch from factory today and sales team will provide the update few hours later. Every affected buyer will received new DHL airway bill by Thursday (August 11) from shipping team or DHL.

Hopefully this resolved the conspiracy concern.

[Zebulon Walton]

This long, but interesting article about potential ways of securing the PinePhone might be of interest here.

An interesting read, thanks! My approach is simply not to keep anything of any importance on the phone - and use full disk encryption anyway. If someone does steal it and they spend a few days hammering away at the passcode to get in they'd be pretty disappointed at the results.

[mouffa]

the idea that you will be using the NWO technological infrastructure with privacy is an idea that completed its lifecycle, soon you'll have to either evacuate the chamber (smart cities) or be assimilated, even the laws are already there prohibiting encryption etc and at some point they will be forced by violence or better like with the various IDs without which you will not be able to biologically survive in the system, so I would suggest that you don't get crazy with privacy and security, anyone at any point could be experiencing a Kafka's trial