I’ve been thinking about this for a bit but I couldn’t come up with anything.
The idea is that you have a VOIP number and some self-hosted VOIP infrastructure connected to a landline phone. WhatsApp, Signal and voice traffic from other apps would be redirected to this landline phone instead of your mobile phone.
Is there a way to do this? How do I get started?
Reasoning: I can now keep my phone isolated, wrapped in a thick towel and inside a solid box to prevent it from eavesdropping on me inside my own house.
Please do not respond with messages like “you’re too paranoid”, it doesn’t help.
Thanks
I don’t think you’re too paranoid, but it seems like this idea is kinda unexamined and needs to be bounced off someone else first:
Wrapping your phone up and putting it in a box won’t be nearly effective enough to prevent audio recording. If you want to try this yourself, start your voice recorder app, wrap up your phone and set it in the box, say some stuff at a normal volume then play it back. It’s been a while since I used that function on android, but a long time ago ios had variable gain automatically applied so in quiet situations (like being wrapped up in a box, or night time in the woods) recordings would contain the information you’re trying to capture.
If you do this (or have already done it), and feel like it’s good enough for your needs, export the audio to a program like audacity and run some of the voice filters there on it. Even in situations where your voice is, to human ears, completely covered up in background and room tone often these free, open source tools can automatically pull them up out of the noise floor.
Imagine what a professional using purpose built software is capable of.
But even if you had a perfect towel and box: your computer has a microphone and camera on it.
Now you might be able to comfortably disconnect both of those and only connect them when someone calls, but if you’re forwarding the data stream through the device you want to treat as compromised there is a good chance that your communication data will have to be decrypted on the device before retransmission.
But if somehow your preferred platform can maintain perfect forward secrecy while handing off between clients (it shouldn’t, because this is a feature used by surveillance organizations), going through voip is a security downgrade because the encryption used from your pots ata (the box that goes Ethernet to phone) to the pc running the pbx software is less strong than that used by your communication platform.
In addition, surfacing your communications to the whole network like this would do opens you up to attacks on your ata and the ones for soho that you’d use are incredibly insecure to the network they are on. They’re worse than those consumer routers you always see with internet facing management pages.
So the next logical step, assuming you have the aforementioned perfect towel and box, is to just use the native pc programs for the communications software you want to make and receive calls through.
Of course, theres nothing preventing your assigned agent from compromising your pc, and in some ways thats an easier job than with a phone.
So I want to ask this as a person who has been surveilled: what kind of eavesdropping are you trying to avoid?
Thank you for your comment. Your response had me thinking for a while, and yes I think you uncovered it: I had a theoretical idea without actually considering the practical outcome.
I do not have a 3-letter agency targeting me to my knowledge. I quickly realised that sending signals over VOIP is a bad idea, I won’t be doing that.
You are again correct: I run Debian as my daily driver, and it would be foolish to not consider my computer to have been compromised already. I have removed the built-in camera and microphone but I haven’t attempted to clean out Intel ME from my system.
All of this makes my question look pointless since there’s already so many attack vectors. In which case, I’d be interested in your opinion in physically cutting off attack vectors from an Android phone as an academic question.
Thank you for the wonderful comment.
Probably the best way is to unplug it from the charger and remove the battery.
You can’t effectively use the device while it’s not vulnerable to attack.
What kind of eavesdropping are you worried about? I ask because concern over advertising is different than concern about laser listening (a technology that was available to me in kit form as a middle school student many years ago).
It’s not reasonable to ask how to avoid all eavesdropping because without any context you quickly start wondering if you could recover from being rendered and detained for the maximum legal duration in your jurisdiction.
Why not use the clients for Pc?
Not to argue about the privacy issue, but aren’t there better options than a towel? Get a phone without camera? Get one of those phones with physical switches for sensors? Get graphene OS and don’t install anything but signal? I feel the towel wrapping is not the best solution for your privacy issue.
The issue is cost. Purchasing a pixel just to keep it lying around for one app is a bit too expensive. I’ll just use my of phone instead
Yep. Look at something like the PinePhone. It has hardware switches that can disable camera, microphone and all types of wireless communication, respectively. And no need to degoogle, since it’s not googled in the first place (runs either Manjaro, PostmarketOS, Mobian or whatever you put on there yourself). Only drawbacks: it’s not really cheap for the specs and a little hard to find these days. But there are probably comparable devices out there.
You can bridge it through e.g. Twilio but it will add latency that makes the voice calls less pleasant. You’re better off with a phone that has a microphone kill switch, or physically remove the microphones (hack the hardware) and only use an external mic. Or power down the phone altogether.
As somebody else mentioned, using a computer and just taking calls there would work and give you solid control over microphone activation etc. If you really want the landline experience, look into adding a USB handset to that setup. It’ll just act like a mic and headphone from your computer but in the classic phone form factor
Yeah, Snowden himself says he desolders microphone and camera on his devices. I’m sure a pc with no mic and cam would do just fine. Or go the desolder route. You can use Signal on a burner phone for the initial setup and then take the battery out so now you just have Signal on your presumably private linux pc with nothing on there.
You could use a computer with a headset as a linked device, that’s the closest I can think of.
Hmm, do you think there’s a way to have the ringing happen on the speakers but the conversation on the headphones? TBH if this is possible then I don’t need to use such complicated measures
If you’re on the pc you can just switch audio output to your speakers, then run to your pc and switch audio output to headphones to proceed with the call
Wrapped in towel inside solid box? Would wifi or 4g work then reliably?
I’m not putting it in a Faraday cage, just preventing it from listening and seeing anything. I’ll place it closer to my WAP if it needs it
Might be easiest to just drill out the mic and camera, and use a usb headset for calls. I also suggest specific threat modelling and learning about opsec as that may help you feel more in control. After that, please look after your mental well-being. We all should.
Interesting concept. There’s https://github.com/AsamK/signal-cli which specifically allows piping messages from Signal to another process, but at a glance its not clear if it allows for that with audio calls.
This would be a cool gimmick
If you want to maximize paranoia, don’t forwarded end to end encrypted communication over unencrypted systems
Yes I realised that after I posted, sorry. Do you have any other ideas I could look at? I just want to keep my phone locked up and away from me when I’m in the house but still be able to talk to family over the chat apps they use (they are not very technically literate so Simplex is out of the question; it took a lot of convincing to get some of them in Signal)
use a house phone with only signal installed on it.
use a different phone user with only signal installed on it (you can use molly to share the same account on multiple phones)
It’s still the same problem no? If I can’t DeGoogle a phone then I don’t know what and how much data is being captured. Honestly I really liked the idea to just keep the desktop app running on a separate PC with headphones plugged in. I’m wondering if USB landline converters exist so I can have it ring when a call comes but then I can speak like when I’m wearing headphones.
Thank you for the suggestion though
You can use some voip service to have regular phone calls go to your pc.
Why can’t you degoogle a phone?
You can use GrapheneOS, or lineageOS… or a iphone, or a chinese phone…
Since its your home network you can block all network access except to signal for the phone.
Haven’t had landlines in a long time but when I did I remember looking at cordless phones with Bluetooth to connect to your cell phone so you can answer both phones (cell phone and landline) on the handset. Beyond that look into pbx.
