Bunnie + Snowden's Introspection Engine Project


Bunnie (the open hardware researcher who built a completely open laptop, the Novena) has co-released a design proposal for an iPhone 6 battery pack that provides the user with reliable information about the state of the phone's radios. They call their design an "introspection engine."

The purpose of the project is to provide high-risk users (specifically, they mention journalists working in conflict zones) a way to insure that their phone is not leaking location information (specifically, any radio signals that could be triangulated).

Something like this is necessary because one cannot reliably turn off one's phone if it lacks a removable battery. "Airplane" mode or powering off your phone will only cut cellular and WiFi transmissions if the phone's software is operating in a stock condition. If the phone has been compromised by malware, then the phone may "pretend" to be off when powered down, or erroneously show that the phone is in Airplane mode, when the phone's radios are in fact still transmitting. So, for "high risk" users, who may be targeted with malware, simply powering down the phone or putting it in airplane mode is insufficient.

There are generally two existing solutions to this problem: faraday bags and burners. Faraday bags work by trapping most (but not all!) of the phone's radio transmissions with a Faraday cage woven into the fabric of the bag. Burners are an opsec hack; the towers see the phone, but the phone is not associated with the targeted user. Burners create lots of problems, however, because in order for them to work, the end-user has to maintain discipline in ways that directly impede them from getting on with their job.

Bunnie and Snowden's "introspection engine" addresses this problem by directly monitoring the state of the phone's radios from the hardware itself; their iPhone battery pack would connect to test points on the phone's board, by inserting wires through the phone's SIM slot to reach the board. The "introspection engine" would have its own screen, FPGA, and CPU, so that its readings could be trusted independently from the phone's software; even if the phone were infected with malware, the introspection engine would still provide accurate information about the state of the phone's radios, allowing you to "go black" (insert scared Jim Comey face here).

Basically this tool is designed to solve a problem akin to: "how can an insane person know if they are insane?" or "how can a drunk person know whether they are safe to drive?" How can a compromised phone accurately report on the state of its radios?

There was an interesting conversation on Twitter about the real world limitations of this device:

The Grugq argues that this thing would get a journalist killed in Syria, not because it wouldn't work, but because it looks like spy gear and so would get you in trouble at a check point.

A fair point. I think the Grugq is still working on a project to make a phone OS that appears normal, but incorporates OS hardening, has an on-board messenger based on Pond, and actively responds to forensics tools. So, there may be some competitive motivation beneath his critique as well.

Also, while the current prototype rendering shown in Bunnie + Snowden's design proposal looks like it walked off the set of a Ridley Scott film and/or was designed in order to maximize your changes of getting laid at C-Base, there's no reason that it couldn't be re-designed to look more like the hundreds of iPhone battery packs already on the market, with a discreet set of three LED lights that could correspond to different radio states, which would address the "spy gear" criticism.

Journos: what do you think? Based on your experiences reporting in dangerous places, would you carry an "introspection engine" equipped phone? Why or why not?


As an awareness-raising device, it's kind of interesting. As a functional thing I'd use to protect myself with, I think it would basically be telling you whenever the horse has already left the stable. This means: if I'm out in a situation with my phone and I can't get it to stop doing things, then I'm already in trouble. The phone case would essentially tell me that I need a different phone, or that I should have left it at home; which is what I'd suggest to people in that situation anyway. The tech in this case is giving you enough information to be worried, but not enough information about what you should be worried about. For that, the case would need to tell you who is accessing the information.

I might want one of these for a visual aid in a training session, just to show people how little control they have over their mobiles, but a journalist in the field would do better with operational security training and assume the mobile is disclosing its location/activity unless it can be reliably shut off.

In the context of something as extreme as Syria: Don't carry a phone that you wouldn't want to remove the sim and ditch on extremely short notice.