Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] New Satphone Safety Guide

Jacob Appelbaum jacob at appelbaum.net
Tue Mar 13 17:06:04 PDT 2012


On 03/13/2012 03:43 PM, Brian Conley wrote:
> Hi all,
> 
> I'm pleased to announce that we have released our newest guide, focusing on
> increasing satphone safety through best practices.
> 
> You can find the guide here:
> 
> http://smallworldnews.tv/Guide/Guide_SatPhone_English.pdf
> 
> comments, questions, and critiques much appreciated!
> 
> I will be writing a longer blog about the motivations and timeliness later
> this week. Also you can see Frank Smyth's comments here at CPJ.org:
> 
> http://cpj.org/blog/2012/03/from-small-world-timely-advice-on-safe-satphone-us.php
> 
> 
> 


Hi Brian,

Some thoughts in response to specific chunks of text from your pdf follow...

"If you communicate with someone outside the satphone’s service provider
network your communications are subject to any observation happening on
the other user. Communicating with other satphones from the same service
provider is much safer. Even this method is not entirely secure, but
following these basic steps will limit your risks."

This is a really weird statement. The first sentence is true. The second
is pretty subjective, I'd even say incorrect but there is some wiggle
room. The third is also a bit weird to the point of being incorrect.
Limit what risk? Risk in relation to whom? If someone is sniffing the
uplink for either phone, it's irrelevant to take such a step - it's
probably even irrelevant if your threat model includes the sat phone
provider as part of the adversary model.

"The time needed to connect with the network is the first
major security risk."

Sure - why is that though? Isn't it because 0) the beam pattern for
uplink 1) gps location being sent by the phone 2) the phone provider
knowing 0 & 1 and 3) the downlink? So really is it the time that is the
issue? Or what is done during that time?

"2.3 USING A SATPHONE, A WALKTHROUGH"

This walk through seems not entirely correct. For example 07 is not
really the full picture, is it it? Isn't that when the phone sends the
GPS data and not in step 10 as indicated?

"3.1 PHONE CONFISCATION"

I rather like this part of the guide.

"In some cases the authorities may have the proper equipment
to “listen in” on your transmissions, however this requires highly
advanced and sophisticated technology"

I think this is misleading. What country doesn't have the ability to do
this? It requires a fun cube dongle pro or a GNU Radio, a commercial
device or something else home brew - if a hacker at the CCC can do it,
it's not "highly advanced and sophisticated technology" in my opinion.
That isn't to say that it was easy, it's just that now that the work is
done - the code, the hardware and the rest of the information is
available for anyone who cares to try. That is not a high bar and it
would be misleading to suggest it.

"Your location may be logged at the service provider’s Ground Earth
Station (GES)"

Or anyone watching...

"Thuraya’s encryption has been broken, and more advanced
governments may be able to break the encryption of other
satphones. To learn more see Section 6.2.2"

Which sat phone protocol isn't broken? I don't see a table for which
protocols or devices you mean to support with this guide - so it's not
clear why Thuraya is the security exception, rather than an example of
the insecurity rule.

"Voice calls are a very risky method for communicating via satellite."

All times when a user is associated with the network the user is at risk.

"It is best to keep your call under three minutes"

Why three?

"Email sent from your satphone does not provide the same protection as
Email sent via computer or mobile data plans."

While true, this implies that email is somehow secure, ever - which we
all know to be totally bogus, right?

"On some mobile phones and all computers Tor can be used to
anonymize your computers traffic and hide your identity and
location. If at all possible use a secure internet connection to
communicate, not a satphone."

Tor can't protect you from hardware that spies on you - if your sat
phone sends your GPS location, an attacker will know the exact location
of the user, even if they do not know what they are doing or saying.
This seems obvious but it is important to note - the GPS location is at
a different layer.

"Inmarsat’s iSatphonePro"

Why? Rheinmetall, trltech, and others intercept that by brand name. How
is that better than Thuraya? They're all doomed in terms of content
security and location privacy - why suggest those in that case?

For example, it seems odd to me that you did not mention the
Cryptophone[0] as an example of how to secure the content of the
communications - that is probably the only tool on the market right now
that has any such claim.  Combined with a Motorola 9501 Iridium
satellite pager[1], I think you could do something interesting that
actually improved the security of communications or at least assist in
solving the rendezvous problem.

The Motorola 9501 is entirely passive and so it can receive with a very
minimal view of the sky, it does not transmit your location from the
device, etc.

All the best,
Jacob

[0] http://www.cryptophone.de/en/products/satellite/
[1] http://www.outfittersatellite.com/iridium_9501.htm



More information about the liberationtech mailing list