
Edward Snowden and hacker Bunny have developed a device for monitoring GSM, GPS, WiFi, Bluetooth and NFC signals on the telephone bus

Reverse Engineering iPhone 6



Connecting to the FE1 and FE2 bus contacts on the iPhone 6. The connection points on the back of the PCB are wired to the front side for easy connection. SIM card connector removed

When Edward Snowden met with reporters at a Hong Kong hotel, he asked them to put their phones in the fridge (a household analogue of a Faraday cage) to block any radio signals that could be used to track the devices or remotely activate their microphones and cameras. In the embassies of some countries and in other protected areas, visitors are usually asked to hand over their phones at the entrance and/or remove the battery.

Turning off the phone or using a Faraday cage are attempts to temporarily deactivate the "bug" that a person constantly carries with them. Such methods are not very practical or effective. Edward Snowden, along with well-known hardware hacker Andrew "Bunny" Huang, developed a convenient and reliable alternative: an "introspection" device in the form of a case that continuously monitors the signals sent by the phone's built-in antennas.


Connecting to the FE1 and FE2 bus contacts in the iPhone 6 on the back of the PCB. For the experiment, the RF shield was removed, and the connection points were mechanically cleaned of solder mask
The "self-analysis device" is equipped with an indicator that instantly notifies the owner when the mobile phone receives or transmits a signal. It can be described as a much more advanced version of the standard EMF sticker for phones, which glows under the influence of an electromagnetic field (from 10 cents in Chinese stores). It is a guaranteed way to visually confirm that the phone is not transmitting any signals, even when "Airplane mode" is on.

The device will look like an iPhone 6 case with a monochrome screen and an external battery. In reality it is a fairly advanced instrument, something like a “compact oscilloscope”, that connects directly to the phone's circuit board through the contacts near the SIM card connector. Once connected to the board, the device detects signals on the buses used by the GSM (2G / 3G / 4G), GPS, WiFi, Bluetooth and NFC transceivers. Chinese modders, who have schematics and documentation for the iPhone 6, helped to reverse engineer the phone and identify the signals of these interfaces.

Both the FE1 and FE2 buses in the iPhone 6 operate at a frequency of 20 MHz at a voltage of 1.8 V. These buses are mainly used to configure the radio transmitters of the phone.


FE1 bus traffic example


An example of a WiFi UART signal decoded by a Tek MDO4014B

Chart of signals available for study on iPhone 6




Because it receives the real traffic from the bus, the device raises an alert if the phone starts an unauthorized data transfer.
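The alarm decision described above can be modelled in a few lines of C. This is an added example, not code from the article or from the Snowden/Huang project: the thresholds, the edge budget, the function names and the sample voltages are assumptions constructed for illustration, and only the decision logic is modelled, not the hardware that samples a 20 MHz bus.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed values for 1.8 V logic; not taken from the article. */
#define V_HIGH 1.2          /* rising threshold, volts  */
#define V_LOW  0.6          /* falling threshold, volts */
#define MAX_IDLE_EDGES 2u   /* tolerated transitions per window when radios are off */

/* Constructed sample windows (volts): noise on an idle line, then real toggling. */
static const double IDLE[8]   = {0.05, 0.30, 0.10, 0.85, 0.20, 0.05, 0.40, 0.10};
static const double ACTIVE[8] = {0.05, 1.75, 0.10, 1.80, 0.05, 1.78, 1.80, 0.02};

/* Count logic transitions with hysteresis, so noise between the two
   thresholds (such as the 0.85 V glitch in IDLE) is not counted as an edge. */
unsigned count_edges(const double *v, size_t n) {
    int level = 0;          /* assume the line idles low */
    unsigned edges = 0;
    for (size_t i = 0; i < n; i++) {
        int next = level;
        if (!level && v[i] >= V_HIGH) next = 1;
        else if (level && v[i] <= V_LOW) next = 0;
        if (next != level) { level = next; edges++; }
    }
    return edges;
}

/* Alarm only when the user expects the radios to be off (e.g. airplane mode)
   and either bus shows more transitions than the idle budget allows. */
int window_alarm(const double *fe1, const double *fe2, size_t n, int radios_expected_off) {
    if (!radios_expected_off) return 0;
    return count_edges(fe1, n) > MAX_IDLE_EDGES || count_edges(fe2, n) > MAX_IDLE_EDGES;
}

int main(void) {
    printf("idle/idle, radios off:   alarm=%d\n", window_alarm(IDLE, IDLE, 8, 1));
    printf("active FE1, radios off:  alarm=%d\n", window_alarm(ACTIVE, IDLE, 8, 1));
    printf("active FE1, radios on:   alarm=%d\n", window_alarm(ACTIVE, IDLE, 8, 0));
    return 0;
}
```

The hysteresis band matters here: a single mid-rail threshold would turn coupled noise into false alarms, while a budget of zero edges would trip on a line that merely idles high.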

Edward Snowden believes that the device is primarily intended for journalists. Indeed, in authoritarian countries, journalists are the main target of special services, which install exploits on their mobile phones.

Andrew Huang says that, in principle, you can set up the device even to automatically turn off the phone in case of an unauthorized signal.

“Our approach is this: the government-level opponent is very powerful, so we assume that the phone is compromised anyway [at the program level],” said Bunny. “Therefore, we are looking at hardware signals that are extremely difficult to fake.”

Andrew Huang added that this method is more reliable than a Faraday cage, which can still let a radio signal through. It is also better than turning off the smartphone with the button, because malware has already been created that recognizes button presses and shows an animation as if the phone were turning off (and then on). In 2014, Snowden said that the NSA used such implants. We can assume that the Russian special services have similar software.

Nowadays, such protective devices for telephones are needed not only by journalists, but also by all other citizens who may, quite unexpectedly, be subject to surveillance and illegal prosecution, which has happened many times before.

Since 2013, Edward Snowden himself has refused to use smartphones and any other gadgets with a wireless connection, so that the American special services cannot work out his actual location in Russia. Apparently, the plan has worked: so far there is no evidence that Snowden's coordinates are known to anyone other than his Russian curators, his lawyer and his girlfriend.

Snowden emphasizes that a compact oscilloscope with automatic blocking of extraneous radio signals from a smartphone is not a panacea, but it is one way to significantly increase the complexity and cost of surveillance for the adversary. By increasing the cost of surveillance, we can force the adversary to abandon it. In most cases, the security services will decide that the target is not worth the significant effort required to bypass the hardware protection. Mass wiretapping of the population is possible today only because it is cheap and accessible. The use of encryption and hardware signal blockers will change the situation, and as a result the special services themselves may stop their illegal practices, says Snowden.

So far, the Snowden-Bunny compact oscilloscope project is at the design stage. Technical documentation with a detailed description of the technology has been published. The authors hope to make a prototype next year and order a batch of such devices from a Chinese factory that accepts small wholesale orders for production from original designs. Hacker Bunny already has experience manufacturing electronic circuits of his own design in China.

The finished gadget might look something like this.



Andrew Huang added that the hardware design of the device and the source code of the firmware, of course, will be published in the public domain.

Bunny now lives in Singapore, but he travels monthly to Shenzhen to meet with manufacturers. He says that his Chinese colleagues have enough experience to produce such electronics, because the iPhone repair and modification market is very developed there. Moreover, if some large customer (for example, a large newspaper) orders a batch of such cases to protect the phones of its employees, Bunny is ready to organize the production of such a batch. “An ordinary American DIY enthusiast will think that this is total madness. An ordinary Chinese guy who makes modifications to the iPhone in China will look at it and say that there are no problems,” added Andrew Huang.

Snowden and Bunny have never met in person, but Edward Snowden spoke positively about his colleague: "This is one of the hardware researchers I respect the most in the world," he said, adding that he began to correspond with him over an encrypted channel in the Signal messenger at the end of 2015. The idea of developing such a device belongs to Snowden, and Bunny, with his experience in hacking and modding, helped to implement it.

Huang tried to create the simplest scheme of the device, which at the same time conforms to Snowden's paranoid standards.

The hacker shyly admits: “If it were not for Snowden's participation, it would be a rather prosaic device. My solution is simple. But it will help an important group of people.”

Source: https://habr.com/ru/post/396201/

