• matlag@sh.itjust.works
      link
      fedilink
      arrow-up
      94
      ·
      10 months ago

      In theory, yes, you could make a mess, and any firmware is supposed to be certified to allow the device to be used.

      In practice, this has been a convenient excuse to keep a whole chip with a separate OS in every smartphone, and it is very difficult to isolate from the rest of the system (see Graphene OS efforts).

      I say all firmware should be opensource. Whether you’re allowed to change them or not is a separate question… for now.

      • grue@lemmy.world
        link
        fedilink
        English
        arrow-up
        42
        ·
        10 months ago

        Different countries regulate the radio spectrum differently, so transmitting on a certain frequency might be legal in country A but illegal in country B. They don’t bother making different radios for different countries, though; instead, they just build hardware capable of transmitting on all the frequencies and then restrict what it can do via the firmware. The argument goes, if they allow device owners to modify the firmware, then they might modify the radio to transmit illegally. Never mind that there are myriad other ways an attacker could do that, that are almost as cheap and easy…

        • vexikron@lemmy.zip
          link
          fedilink
          arrow-up
          45
          arrow-down
          1
          ·
          edit-2
          10 months ago

          There are easier ways to cause chaos:

          Get a cheap phone.

          Write some code to have it play, at the loudest possible volume, a pure sine wave at 18000hz to 19000hz, just outside of the range nearly all humans can consciously be aware of hearing a sound, but within the range that prolonged exposure to this sound can cause humans to become panicked, irritable, delusional, sometimes even hallucinatory, and have immense difficulty sleeping.

          Leave the phone somewhere.

          Obviously, do not actually do this.

          Probably this would be considered terrorism, and get you in about as much trouble as fucking about with your conception of what could be used as a sort of crap tier EM jammer.

          • acockworkorange@mander.xyz
            link
            fedilink
            arrow-up
            10
            ·
            edit-2
            10 months ago

            You don’t need a phone at all to do this. Or code. Or silicon. Just a cheap RC oscillator circuit tuned to that frequency and connected to a battery and a tweeter speaker.

            Edit: where’s RadioShack when you need it?

            • Meowoem@sh.itjust.works
              link
              fedilink
              arrow-up
              7
              ·
              10 months ago

              AliExpress bots have probably already read this comment and put together a ‘panic inducer top quality rechargeable usb frequency tweeter for wedding, birthday, sonic warfare, corporate and special event’ which you can buy for five dollars

            • vexikron@lemmy.zip
              link
              fedilink
              arrow-up
              6
              ·
              10 months ago

              Driven out of business by the CIA and FBI to prevent this from being easily doable no doubt!

              (kidding, obviously lol)

            • vexikron@lemmy.zip
              link
              fedilink
              arrow-up
              8
              arrow-down
              2
              ·
              edit-2
              10 months ago

              To the best of my knowledge,

              no, which is why I said write some code,

              And,

              it technically depends but probably most speakers for most consumer grade hardware can do this, though I do not know about optimal decibel levels at such decibel ranges to be necessary to induce the effect, relative to time, battery life, energy cost, etc.

              I will again repeat DO NOT DO THIS.

              It legitimately could be considered terrorism.

      • jpeps@lemmy.world
        link
        fedilink
        arrow-up
        29
        ·
        10 months ago

        In additional to the other comment, I think there’s also a traditional fear of corruption in open source. If the code is public then malicious parties are free to read and take advantage of holes in the security. Secondly it would be possible to contribute code with secret functionality that goes unnoticed. These are fairly easily debunked but seem to remain in people’s heads.

        • blackbelt352@lemmy.world
          link
          fedilink
          arrow-up
          41
          ·
          10 months ago

          Ugh I hate these arguments about giving bad actors easier access. Bad actors are going to figure out flaws and security holes whether it’s open source or not. Security through obfuscation is a temporary measure and having more eyes on the source means more chances for good actors to find flaws and publicize them for fixes.

    • dan@upvote.au
      link
      fedilink
      arrow-up
      11
      ·
      10 months ago

      Isn’t this actually more likely to happen if it’s closed-source, since the code isn’t visible to third-parties like security researchers? That’s why zero days are a thing.

    • MystikIncarnate@lemmy.ca
      link
      fedilink
      English
      arrow-up
      2
      ·
      10 months ago

      If everything that might cause disruption was forbidden, we wouldn’t be allowed to do anything. Even normal user traffic in high enough quantities can cause services to go down. No malicious intent involved.

      IMO, that argument is complete BS.

    • smileyhead@discuss.tchncs.de
      link
      fedilink
      arrow-up
      2
      ·
      10 months ago

      Heck, if only the firmware running on the modem itself was nonfree/proprietary I wouldn’t much care, but the drivers and device specifications itself are commonly secret too! Like, they sell a modem and do not tell how it even should be used, just throwing a garbage Android binary blob driver or posting the messy driver to Microsoft developer account and they don’t care if anyone else is able to use the devices.

    • MystikIncarnate@lemmy.ca
      link
      fedilink
      English
      arrow-up
      2
      ·
      10 months ago

      Easy, since it’s open source, anyone could, if they’re inclined, edit the code to do something just differently enough to cause a problem, or unlock features they’re not supposed to have access to, or spoof something that they shouldn’t be able to spoof.

      This was a big argument against Windows getting a full Unix style socket in Windows 10, I believe. MS did it anyway and basically nothing changed. The blunt realty is that if an attacker is so inclined, they will find a way. Whether anyone wants them to or not. In the case of Unix style sockets, simply pushing the attack onto a Linux VM running on the windows system is usually enough, at most, moving the attack to a Linux or Unix system is also pretty easy but requires additional hardware (even a raspberry Pi) to complete.

      As simply as I can, there’s enough software defined radios out there that you can hack to accurately spoof a genuine (closed source) device with enough effort, that this argument dies on the table to anyone with the technical knowledge to know what it actually means. It’s the same argument as outlawing guns. If you outlaw guns, only outlaws will have guns; which is also total horseshit in it’s own right, but makes a point. They’re making it hard for people (the non-malicious public) to get access to services in the way they want on the basis that it would “make it easier” for hackers to do the illegal. While it may be true that hackers will be able to do some things easier, by not requiring specialized hardware to do whatever malicious thing they want, they’re effectively punishing thousands or hundreds of thousands of people who are not malicious and want open source by prohibiting it, just to make the small number of hackers work harder to do things.

      Fact is, if they allow it, they need to invest time and effort into implementing safeguards to ensure that any abuse is caught and stopped. They don’t want to put in that effort. The idiotic thing is that they need to put in those safeguards anyways because other tools exist that can still attack in the same manner. So they’ve saved themselves nothing in the prohibition, made the job of malicious hackers “harder”, and punished a large percentage of their client base for no good reason.