what up cuties
This is sweet!
I had a similar idea a while back that I never fully fleshed out, but using WiFi mesh networking instead of lora. I figured lora was more specific, but I didnāt know as much about itās long range capability. The idea was to build handsets using esp32 modules with external antennas, and build out a huge city wide mesh network working on wifi bands based on small, local repeaters (also ESP based). Esp32 since you can encrypt the onboard flash, theyāre pretty powerful and decently cheap.
Since your threat model here includes the most enthusiastic spy agency of any nation-state, I would be EXTREMELY careful about the firmware flashed onto the phones. Frankly, I donāt trust android or IOS for something like this - maybe using a linux ROM on android would be good enough, but Iād say the preferable and way more labor intensive option would be to build your application specifically for your hardware, and only using open source packages. Iād also encourage the ability to perform on-air key revocation, so if a radio is confirmed to have been compromised it can be removed from the talkgroup immediately.
Maybe using a pi would be a good idea, since the radio can communicate over both serial and usb? Or if you can manage to shave the code down enough, you could try to run it directly off of another microcontroller.
Iād love to talk more about this if youāre able to, let me know.
but using WiFi mesh networking instead of lora
so I know for a fact we can use WiFi-Direct for a lot of this as itās one of the things we regularly test at work. problem is the range is much shorter and that matters real fast when youāre surrounded by buildings.
The idea was to build handsets using esp32 modules with external antennas, and build out a huge city wide mesh network working on wifi bands based on small, local repeaters (also ESP based). Esp32 since you can encrypt the onboard flash, theyāre pretty powerful and decently cheap.
we actually explored doing this a couple of years ago as well. main issue came down to not having a suitable hub for a backhaul to the internet from which we could expand the network. weāre better situated now and might pick this up at some point.
Since your threat model here includes the most enthusiastic spy agency of any nation-state, I would be EXTREMELY careful about the firmware flashed onto the phones.
I mean more make a ROM myself to kill the wireless capabilities on the device, then ensure itās done through mechanical damage to the antenna. this gets us as close as we can feasibly get to airgapped and our primary mode of attack becomes the radios themselves. we canāt solve the trusting trust problem, obviously, but we can do enough to make it so that the people using these have to be explicitly targeted by the NSA, using techniques weāve only theorized to exist ā Iām ok with that for a prototype. with more time, thereās a lot we can do to make the underlying network safer by, for example, abandoning tcp/ip (it assumes you can trust the network under you) for more suitable alternatives ā these canāt compete with the maturity of tcp/ip, so any implementation time is going to be massive here. and thereās a bunch of stuff like that.
maybe using a linux ROM on android would be good enough
yeah, this is definitely one of the things I want to try. weāre also considering not starting with phones and instead working up from like beagle boards or something but I think the form factor becomes too unwieldy, unfortunately. weāll see, though ā depends on how testing goes.
but Iād say the preferable and way more labor intensive option would be to build your application specifically for your hardware, and only using open source packages
yeah, of course. the part I canāt do too much about are the firmware blobs to run the various hardware components on basically every android phone (reallyā¦ itās virtually every piece of hardware you might conceivably use for thisā¦). one of the advantages here, though, is that these devices never, ever touch the internet and the goal is to kill all the radios but the one weāre attaching (a radio thatās fully open hardware, open software, etc.). so there are only two modes of attack ā try and get on the network and then spoof one of the other identities, a mode of attack thatās actually well covered by signalās double ratchet/libolm, or to get physical control of one of the devices. we have some thoughts on how to protect against this last mode of attack but this is an area where weāre going to be trying things and right now Iām leaning towards āwipe the device at the first sign of intrusionā.
Maybe using a pi would be a good idea, since the radio can communicate over both serial and usb? Or if you can manage to shave the code down enough, you could try to run it directly off of another microcontroller.
yeah, definitely considering this. the main worry here is that the device is difficult to actually use in practice because people are very used to phones. remember that one of the goals is to get people to stop bringing their phones to anything even mildly spicy and to use these instead to talk to their comrades, instead (and we really are focused on that mode right now ā Iām not putting together any plans right now for trying to authenticate and validate communication between unknown parties for the forseeable futureā¦ the plan right now is to force everyone into the same room together to generate and cross sign keys, and that will be the only way on to these things.) the usage model is already going to be strange for people and people working in a mode they donāt understand, taking shortcuts, or just bypassing security features altogether is a much more likely cause for compromise than anything else weāre discussing. that said, this was also my first thought when I sat down to try and put together a plan for this project and something much more custom is very likely if we make it to a second round of development (right now we really just need to prove to ourselves and others that this is viable in the first place, with the caveats of what this canāt protect you from up front and center).
and yeah, Iām super excited about this and Iād love to talk more. Iām @therivercass:matrix.org, hit me up.