If you don't use something like GrapheneOS or Calyx, but the stock trash installed by the manufacturer, you should behave as if you had Pegasus installed. Therefore every E2EE is defeated, even Signal.
I want to agree but I think using a messenger like Signal is still worth it, even if you use "stock trash installed by the manufacturer". Do you agree?
If we go further down this path, does installing another OS really help? If they exploit your CPU, a different OS wouldn't help, right?
reply
595 sats \ 1 reply \ @0xIlmari 1 Jan
Sure, FOSS is always better for security applications than proprietary garbage. Which is why Signal, Matrix, Nostr are superior to WhatsApp, Telegram, etc.
And yes, hardware can be compromised as well, keyloggers can be installed, for example, Tails OS is not a silver bullet either.
But according to my threat model, it's harder to do these things at a hardware level if you don't have a cooperating software. Say a malicious CPU has recorded your secret - how is it going to exfiltrate it out of the device? Without cooperation from the software (and an open source OS wouldn't cooperate), it would need a completely separate communication hardware+software stack built in just for that purpose.
I posit that it would be orders of magnitude harder for hardware manufacturers to hide the presence of such malicious circuitry than it is to sneak in a rootkit with the OS.
reply
I see, makes sense, thanks for your reply!
reply