I'm really not sure how serious I should take the threat of Chinese made electronics - almost all electronics are made China, not just Xaiomi and Hauwei.
My iphone is made in China by Chinese contract manufacturer (Foxconn) - does that mean all iphones could be compromised with Chinese malware? It could be possible, but how can you tell? Is it possible to observe network packets going form my phone to a Chinese or Chinese-allied country?
Genuinely curious, btw. Any feedback would be very appreciated.
Presumably Apple ensures there is nothing nefarious in the hardware, but it seems an unlikely avenue for compromise. Most of the "phone" is Apple-provided software.
In theory sure, you could have a chip snooping on the bus. But it would have to have a lot of OS-level knowledge and then how would it exfiltrate the data without OS-level access to the IP stack?
Like the Bloomberg/Supermicro story, I am extremely skeptical.
A Chinese-built phone that comes supplied with an OS, that's a totally different matter.
Apple itself nefarious. Leeching data to FBI and cops. Google is absolutely horrendous when comes to invading privacy. Amazon literally listens to people using home devices.
Good luck using any tech without compromising your and your family's privacy.
No, they're separate baseband chips with Qualcomm-designed Snapdragon ICs running Apple-signed firmware with their own build flavors of Qualcomm's RTOS. Apple has to verify that the fab produces the low-level hardware exactly as designed, but nothing is going to sneak into that firmware.
The exact same protocol and route as any normal packets - I'd presume that for a phone it's just as for computer network hardware, that OS is not in full control of the IP stack and the firmware can send extra packets that OS won't see (with the same source/routing as configured by the OS after it does it) and process the response packets without propagating them to where the OS might see them.
Well no, if the baseband firmware sends that then only the cell operator would see them, there's no user-controlled software or hardware between the chip and the mobile operator (like the router in the wifi scenario) unless you run your own 4G cell and record packets there. Just as for your laptop, if your ethernet firmware would be malicious in this way then it would apply only to the ethernet adapter and not any other network adapters like wifi.
As far as I can tell, the meta solution here is open source hardware and software. Otherwise it just doesn't matter who is doing this, why they do it, or who is affected.
The core issue is the lack of end to end encryption and open source hardware and software. Options today are okay, but they need to be great to reach the right people. See my post in this thread about Pinephone and Librem.
> As far as I can tell, the meta solution here is open source hardware and software. Otherwise it just doesn't matter who is doing this, why they do it, or who is affected.
I agree with you there, but I want to know how to analyze devices that are closed source.
Foxconn is not Chinese, it's a Taiwanese contract manufacturer, that does have most factories in China (but it also has factories in other countries). The reason why Foxconn is so successful is because they do a good job in quality control and honoring contracts, which sets them apart. They are trying to blend Western-style rule of law with Chinese wages and infrastructure.
The successful stories about western companies outsourcing to China do tend to fall into the category of building and running your own factory there, rather than contracting with a Chinese owned and managed factory to produce to spec, which suffers from all the ethical problems discussed in the parent post. E.g. these are all decisions taken by management, not individual factory workers, so if you want to reduce risk, then install your own management.
Network isn’t even the only egress route out of a cellphone. They have sophisticated radios, so a low-level (e.g. on-silicon) backdoor could send your data out to a nearby agent using all manner of electro-magnetic emissions.
You just have to trust the manufacturer and its supply chain, and that applies to open source too.
I think the whole discussion is missing the mark, so much so that I personally tend to believe that is the point. Your electronics spies on you, that's just how it is. The important question is if the data gathered could possibly hurt you now or in the future. We can only speculate on what thoughts and opinions become dangerous in the future. So with that said I would look at the problem from the perspective of "can this hurtful data be accessed by someone with reach to reach me". All the way from targeted advertisements to someone kicking in your door. That only leaves one answer as far as I can tell: Chinese phones are safer for everyone not inside China or maybe in one or two other countries. Using US electronics or software on the other hand and you can be reached in pretty much all the countries left out above.
"made" in this case tends to refer to created, not just manufactured. it (as the article states) is mostly an issue for chinese brands with poor quality control or ulterior motives.
My iphone is made in China by Chinese contract manufacturer (Foxconn) - does that mean all iphones could be compromised with Chinese malware? It could be possible, but how can you tell? Is it possible to observe network packets going form my phone to a Chinese or Chinese-allied country?
Genuinely curious, btw. Any feedback would be very appreciated.