Linux Phones

Comparison with Other Phones

Linux phones, such as the Librem 5 or Pinephone, are a major degradation from traditional mobile operating systems, such as Android or iOS. A few of the points in this article do apply to the Librem 5 specifically, but the majority applies to any Linux phone unless specified otherwise.

Linux phones lack any significant security model and the points from the Linux article apply to Linux phones fully. There is not yet a single Linux phone with a sane security model. They do not have modern security features, such as full system MAC policies, verified boot, strong app sandboxing, modern exploit mitigations and so on which modern Android phones already deploy.

Distributions like PureOS are not particularly secure. They are mostly a reskinned Debian and do not include substantial hardening. While AppArmor is enabled, the majority of processes still run unconfined so that is mostly negligible. PureOS changes a few security-relevant settings, but these are also mostly negligible:

PureOS also uses linux-libre. This will prevent the user from loading any proprietary firmware updates which just so happens to be almost all of them. The Librem 5 prevents the user from updating new firmware even with an alternative kernel which forces the user to use outdated and insecure firmware with known vulnerabilities.

The hardware itself lacks many modern security features too, such as proper verified boot, a hardware-backed keystore (some PGP smartcard is not equivalent) and more.

Although one way to fix the issues in software would be to install a more sane OS like Android or its derivatives, such as GrapheneOS, if support for the hardware was added. Keep in mind though that it would still lack important hardware and firmware security features like verified boot so it still isn't close to a normal Android device.

These devices are also not open hardware/firmware unlike what they try to imply. The majority of the hardware/firmware is still proprietary.

Hardware Kill Switches

Hardware kill switches are nothing but marketing frills.

The microphone kill switch is useless since audio can still be gotten via the sensors (such as the gyroscope or accelerometer). While the Librem 5 does have a "lockdown mode" that disables the sensors, it also requires flipping all of the other switches, including the network switches which effectively turns your device into a brick just to prevent audio recording.

The network kill switch has two primary threat models: preventing cell tower triangulation or preventing data exfiltration after the device has been compromised. The switch is useless in either of these threat models:

The camera kill switch can be useful as a small usability improvement, but it is really no better than some tape.

Modem Isolation

Modem isolation isn't anything special. For example, Qualcomm SoCs have isolated the modem via an IOMMU for years, among others. The unorthodox way in which the Librem 5 attempts to isolate the modem is via the Linux kernel USB stack which is not a strong barrier as shown in the Linux article.

There is also a lot of misinformation about how the modem being on a separate chip means it's isolated — this is completely untrue. Just look at how FireWire for example can be abused for DMA while being completely separate from the rest of the hardware. Whether or not the modem is on a separate chip is irrelevant to if it's isolated.

Go back