The Armadillo Phone - A Security Review

December 01, 2020
Dear blog readers,

As many of you know, I've joined forces with Team Armadillo Phone in the fight against cybercriminals, including nation-state, rogue, malicious and possibly fraudulent cyber adversaries, in the position of Security Blogger in 2019, and I wanted to say a big thanks to COO Rob Chaboyer and CEO Kelaghn Noy for bringing me on board and for initiating a series of video conversations to help them better understand my motivation for joining the company and what exactly I can bring on board.

My first responsibilities were to possibly include an actual Security Audit and actual Security Advice and Recommendations, including practical implementation advice on new Privacy and Security themed features, actually reaching out to current and future customers, and actively posting new and innovative Security Research at the company's blog.

In this post I'll provide an in-depth Security Review of the Armadillo Phone in terms of its Privacy and Security features, including their relevance and importance in today's Internet-based communication ecosystem dominated by modern cyber threat adversaries, and an in-depth introduction to some of the key features that I might be definitely looking forward to implementing and offering practical advice on, in terms of new Privacy and Security features that might greatly assist new and future customers on their way to achieving a decent degree of Privacy and Security in their Internet-based communications.

Key Features of the Device include:

- Tamper-Resistant Packing
- Device Inspection
- Secure Hardware
- Multiple Passwords
- Zero Day Protection
- Security Peripherals

Among my key proposals that I sincerely hope will eventually make their place on COO Rob Chaboyer and CEO Kelaghn Noy's desk are:

  • Security Researcher Working Space or a Security Module - the basic idea here would be to offer a built-in full-disclosure reader application, including automatic subscription to major and popular Information Security and Hacking Mailing Lists.
  • Built-in RSS Reader - the main idea here would be to offer Armadillo Phone users the ability to take advantage of a built-in RSS reader with a pre-defined set of major and high-profile Security and Privacy Content Providers.
  • Security and Privacy Including National-Security Journalists' Opt-In Directory - have you ever wanted to directly reach out to a high-profile Security, Privacy or National Security type of journalist for the purpose of sharing with them your opinion on a particular piece or to actually share a news tip? This is the main purpose behind this particular feature.
  • Covert Channels - the main purpose behind this feature is to allow Armadillo Phone users, in particular journalists or hacktivists, the opportunity to securely and covertly transmit information that's basically impossible to track down or intercept.
  • Steganography - the main purpose behind this feature is to provide Armadillo Phone users with the opportunity to use an alternative secure communication channel that's basically impossible to intercept, track down and censor.

Key Security and Privacy Features of the Device include:

  • AES-256-XTS block-level FDE
  • Block-level FDE instead of Android's file-based encryption
  • Scrypt work factors increased
  • Minimum 8-character alphanumeric password
  • Completely software-based
  • Keymaster and gatekeeper disabled
  • Normal password for deniable encryption
  • Secret password stored at randomized offset
  • Secret volume is hidden inside unused portion of decoy data
  • Wipe password in footer to erase device
  • Separate lockscreen password
  • Password verification order randomized at runtime to prevent timing attacks 
  • Enhanced KASLR and userland ASLR
  • Increased ASLR entropy
  • Several PaX patches ported
  • Zygote uses exec() spawning instead of fork()
  • Improved SELinux rules
  • Hardened malloc implementation
  • Stack and heap canaries detect overflows
  • Enhanced FORTIFY_SOURCE implementation
  • Function pointer protection
  • Restrictive compile-time sanitization
  • Additional attack surface reduction
  • All connections made using pinned TLS 1.2 connections with high-entropy 4096-bit certificates
  • Metadata can be further protected by enabling optional VPN
  • Verify encryption keys using manual verification, QR code, SMP or NFC
  • Chat uses OMEMO encryption
  • Email uses PGP encryption
  • Email uses randomized subjects
  • Email uses encrypted connection to keyserver and mailserver
  • Email requires 4096-bit PGP keys
  • Radio Sentinel: Monitors WiFi networks for ARP poisoning. Monitors cellular networks for 2G networks, performs sanity checks and compares cellular towers to a database of known networks.
  • RAM Sentinel: Monitors temperature to prevent cold-boot attacks
  • Theft Sentinel: Connects to anti-theft beacon over BLE, alarms both beacon and phone if disconnected. If phone isn't unlocked or beacon isn't reconnected within 5 minutes the phone will shut down.
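
The password-related items in the list above (scrypt, separate normal, secret and wipe passwords, verification order randomized at runtime) can be illustrated with the sketch below. It is an added example, not Armadillo Phone's code: the slot names, the scrypt parameters, the sample passwords and the choice to evaluate every slot with no early return are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Assumed scrypt parameters, kept small so the example runs quickly.
SCRYPT = {"n": 2**12, "r": 8, "p": 1, "dklen": 32}
ROLES = ("normal", "secret", "wipe")  # hypothetical slot names


def derive(password, salt):
    """Stretch a password with scrypt; the verifier is the derived key."""
    return hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)


def enroll(passwords):
    """Build one (role, salt, verifier) slot per role, each with its own salt."""
    slots = []
    for role in ROLES:
        salt = os.urandom(16)
        slots.append((role, salt, derive(passwords[role], salt)))
    return slots


def check_order(count, rng=None):
    """Return a fresh random permutation of slot indexes for one attempt."""
    order = list(range(count))
    (rng or secrets.SystemRandom()).shuffle(order)
    return order


def verify(candidate, slots, rng=None):
    """Test the candidate against every slot in random order.

    Returns the matching role or None. There is no early return, so the
    work done is the same whichever slot matches, or if none does.
    """
    matched = None
    for index in check_order(len(slots), rng):
        role, salt, verifier = slots[index]
        if hmac.compare_digest(derive(candidate, salt), verifier):
            matched = role
    return matched


# Constructed sample passwords, not taken from any real device.
SAMPLE = {"normal": "decoy-Pass1", "secret": "hidden-Pass2", "wipe": "erase-Pass3"}

if __name__ == "__main__":
    slots = enroll(SAMPLE)
    for attempt in ("decoy-Pass1", "hidden-Pass2", "erase-Pass3", "wrong-Pass4"):
        print(attempt, "->", verify(attempt, slots))
```

With a fixed check order and an early exit, response time would correlate with which password was entered, which matters when one of them is meant to be deniable.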

Based on my current experience with the device, which I've recently started using for the purpose of keeping in touch with friends and colleagues, I can easily say that this is one of the most advanced and technically sophisticated mobile security devices that can be easily obtained from here, and I sincerely hope that my research, security knowledge and technical knowledge and expertise will prove highly valuable to what the Team at Armadillo Phone are currently doing.

Stay tuned!

Joining Team Armadillo Phone!

December 01, 2020
Dear blog readers,

It's a pleasure and an honor to let you know that I've recently joined forces with Team Armadillo Phone, in the position of Security Blogger, in the fight against sophisticated nation-state and rogue cyber threat actors targeting mobile devices on their way to compromise sensitive and often classified personal information, and that I'll be definitely looking forward to making an impact with the company through the publication of high-quality security and cyber threat research, including the active education and spreading of information and knowledge to the company's clients on their way to further protect their sensitive and often classified data from mobile threats courtesy of a multitude of malicious and fraudulent adversaries.

My responsibilities will include active cyber threat and nation and rogue cyber adversary research, including actual client outreach as Security Blogger, the actual work on and eventual implementation of new, never-published and never-seen-before privacy and security features, and the actual Security Audit of the device in terms of possible Threat Modelling flaws, with actual practical solution- and advice-oriented implementation of new privacy and security features, next to the usual nation-state and rogue cyber actor type of threat analysis and research that I've been doing throughout the past decade.

Perfect timing to say a big thanks to COO Rob Chaboyer and CEO Kelaghn Noy for bringing me on board and for actually taking the time and effort to go through my proposal and actually initiate a video conversation with me for the purpose of working together.

My initial idea would be to reach out to the company's client-base in terms of possible security threats outreach, including the active production of high-quality security and cyber adversary research targeting mobile devices at the company's blog, the production of a Threat Modelling Scenario Research Analysis which I intend to publish at the company's blog, and an actual practical and solution-oriented Security Audit of the device, next to the actual introduction of new privacy and security features.

I will be definitely looking forward to making an impact with the company and I'll be definitely looking forward to continuing to publish the high-quality and never-published-before type of research analysis at my personal blog.

Privacy issues related to mobile and wireless Internet access

March 21, 2006
I just came across a piece of research worth checking out by all the wardrivers and mobile/wireless Internet users out there. While it was written in 2004, "Privacy, Control and Internet Mobility" provides relevant info on an important topic - what kind of information is leaking and how this can be reduced. The abstract describes it as:

"This position paper explores privacy issues created by mobile and wireless Internet access. We consider the information about the users identity, location, and the serviced accessed that is necessarily or unnecessarily revealed observers, including the access network, intermediaries within the Internet, and the peer endpoints. In particular, we are interested in data that can be collected from packet headers and signaling messages and exploited to control the users access to communications resources and online services. We also suggest some solutions to reduce the amount of information that is leaked."

A more in-depth overview on the topic can also be found in "A Framework for Location Privacy in Wireless Networks", an excerpt:

"For example, even if an anonymous routing protocol such as ANODR is used, an attacker can track a user's location through each connection, and associate multiple connections with the same user. When the user arrives at home, she will have left a trail of packet crumbs which can be used to determine her identity. In this paper, we explore some of the possible requirements and designs, and present a toolbox of several techniques that can be used to achieve the required level of privacy protection."



Mobile/Wireless location privacy would inevitably emerge as an important issue given the growth of that type of communication, and the obvious abuses of it.