Should You Use a Dumb Phone for Privacy & Security?

Intro

The constant stream of mobile security issues we see in the news is leading many to question whether they should give up on smart phones altogether. A dumb phone, it’s reasoned, may protect you from many of these threats. However, does this idea hold water? Should you really use a dumb phone to protect your privacy and security?

We see this in the movies and on TV. In Breaking Bad, Gustavo Fring concludes a shady phone call, then breaks his flip phone in half and throws it in the garbage. This makes for interesting TV, but isn’t necessarily a good idea in the real world.

Podcast

1
00:00:00,000 –> 00:00:14,200
Hey everybody, welcome back to the Bigger Insights Privacy & Security podcast, where

2
00:00:14,200 –> 00:00:17,320
we’ll help you live a more private and secure life.

3
00:00:17,320 –> 00:00:19,640
Let’s talk about dumb phones.

4
00:00:19,640 –> 00:00:25,200
The constant stream of mobile security issues we see in the news is leading many to question

5
00:00:25,200 –> 00:00:30,600
whether they should just give up on smartphones altogether, but you still need a phone.

6
00:00:30,600 –> 00:00:37,200
So this begs the question, should you use a dumb phone for privacy and security reasons?

7
00:00:37,200 –> 00:00:42,680
The idea here being that dumb phones have a smaller attack surface, so they may provide

8
00:00:42,680 –> 00:00:44,680
you with better protections.

9
00:00:44,680 –> 00:00:48,980
Minimizing your attack surface is generally a good thing, but we’re going to go into

10
00:00:48,980 –> 00:00:54,720
some detail in this episode about whether there’s any validity to this idea.

11
00:00:54,720 –> 00:01:01,040
Also by the way, we wrote a blog version of this episode on our website, BiggerInsights.com,

12
00:01:01,040 –> 00:01:06,000
on July 29th, 2022, so go check that out if you’re interested.

13
00:01:06,000 –> 00:01:10,800
There are some links in there about spying on phone calls and text messages and things

14
00:01:10,800 –> 00:01:13,480
like that, which you might be interested in.

15
00:01:13,480 –> 00:01:20,000
We see this in the movies and on TV. In Breaking Bad, Gustavo Fring concludes a shady phone

16
00:01:20,000 –> 00:01:24,400
call, then breaks his flip phone in half and throws it in the garbage.

17
00:01:24,400 –> 00:01:29,880
This makes for interesting TV, but it isn’t necessarily a good idea in the real world.

18
00:01:29,880 –> 00:01:35,480
Alright, so before we crap on dumb phones too much, let’s talk about some of the advantages

19
00:01:35,480 –> 00:01:37,080
that they offer.

20
00:01:37,080 –> 00:01:42,600
From a privacy standpoint, a dumb phone can be advantageous when used as a burner, although

21
00:01:42,600 –> 00:01:46,280
this is a very niche and expensive use case.

22
00:01:46,280 –> 00:01:51,360
In some parts of the world, including the United States, you can buy a phone and a SIM

23
00:01:51,360 –> 00:01:55,280
card without any kind of identity verification.

24
00:01:55,280 –> 00:02:01,600
If you pay for a burner phone and a prepaid SIM with cash, this won’t immediately be tied

25
00:02:01,600 –> 00:02:07,560
to your identity. However, you can still lose your anonymity depending on how you use your

26
00:02:07,560 –> 00:02:08,560
phone.

27
00:02:08,560 –> 00:02:14,680
You may be identified as the owner of your dumb phone by location tracking, and anytime

28
00:02:14,680 –> 00:02:20,520
you make a phone call, you also run the risk of losing your anonymity by being identified

29
00:02:20,520 –> 00:02:25,280
with your voiceprint, which we’ll go over in more detail later in this episode.

30
00:02:25,280 –> 00:02:32,080
However, those concerns aside, there are some privacy advantages to using a dumb phone.

31
00:02:32,080 –> 00:02:36,880
You’ll probably have fewer apps on the phone that are leaking your private information

32
00:02:36,880 –> 00:02:40,840
like Fecesbook for example, so that’s better than nothing.

33
00:02:40,840 –> 00:02:46,520
If your phone doesn’t have Wi-Fi or Bluetooth, this can also improve your privacy by preventing

34
00:02:46,520 –> 00:02:52,400
third parties and the operating system from collecting and sharing data collected from

35
00:02:52,400 –> 00:02:53,960
those radios.

36
00:02:53,960 –> 00:02:59,600
But other than that, there aren’t many privacy benefits of a dumb phone unless you’re swapping

37
00:02:59,600 –> 00:03:03,720
the phone and the SIM card on a somewhat regular basis.

38
00:03:03,720 –> 00:03:09,960
And we say that because anyone you call or anyone who can identify you as the owner of

39
00:03:09,960 –> 00:03:16,920
the phone is liable to record your IMSI and your IMEI identifiers, which you can’t reliably

40
00:03:16,920 –> 00:03:19,840
change without getting new hardware.

41
00:03:19,840 –> 00:03:25,800
From a security standpoint, dumb phones have a perceived advantage due to having a much

42
00:03:25,800 –> 00:03:29,040
lower attack surface than a smartphone.

43
00:03:29,040 –> 00:03:35,080
In theory, the operating system should be much simpler, which should present fewer vulnerabilities.

44
00:03:35,080 –> 00:03:41,160
However, this is a double-edged sword. For example, the Pegasus spyware suite had a feature

45
00:03:41,160 –> 00:03:48,720
that delivered infected files through iMessage and exploited an XPDF vulnerability in iOS.

46
00:03:48,720 –> 00:03:53,920
iMessage and its components are more complicated than most people realize.

47
00:03:53,920 –> 00:03:59,720
This increases its attack surface, which in turn increases the odds of finding such a

48
00:03:59,720 –> 00:04:01,240
vulnerability.

49
00:04:01,240 –> 00:04:06,840
On the other hand, you have to also kind of wonder how easily a malicious text message

50
00:04:06,840 –> 00:04:10,480
could be used to pwn an average dumb phone.

51
00:04:10,480 –> 00:04:16,440
But yes, we do agree that the smaller attack surface of a dumb phone is a security advantage

52
00:04:16,440 –> 00:04:17,760
on paper.

53
00:04:17,760 –> 00:04:23,480
It should also be noted that since dumb phones aren’t as popular anymore, especially among

54
00:04:23,480 –> 00:04:30,440
high-value targets like journalists, CEOs, politicians, and so on, malicious actors probably

55
00:04:30,440 –> 00:04:34,800
don’t spend much time crafting exploits for these phones.

56
00:04:34,800 –> 00:04:39,600
They probably focused most or all of their effort on smartphones.

57
00:04:39,600 –> 00:04:44,480
You know, does Pegasus and related spyware work on dumb phones?

58
00:04:44,480 –> 00:04:47,520
Probably not, so there is some advantage here.

59
00:04:47,520 –> 00:04:54,960
Alright, now let’s keep it real and talk about why dumb phones fail for privacy and security.

60
00:04:54,960 –> 00:05:02,440
For starters, if the device has power, even if it’s off, its location may still be recorded.

61
00:05:02,440 –> 00:05:08,360
This can be done with cell tower triangulation, among other techniques. And with enough location

62
00:05:08,360 –> 00:05:13,960
history, this alone can identify you as the owner of the phone.

63
00:05:13,960 –> 00:05:18,840
This can also apply to a phone that doesn’t even have a SIM card in it.

64
00:05:18,840 –> 00:05:23,960
Phones without a SIM card will still engage in some contact with the cell phone network

65
00:05:23,960 –> 00:05:26,720
to facilitate emergency calls.

66
00:05:26,720 –> 00:05:32,760
And of course, when that happens, the network can identify your phone in particular because

67
00:05:32,760 –> 00:05:37,880
each cell phone has a unique identifier called the IMEI.

68
00:05:37,880 –> 00:05:43,080
Each phone call you make can also increase the chance of losing your anonymity.

69
00:05:43,080 –> 00:05:48,080
Whomever is listening to that phone call, be it the person on the other end of the line,

70
00:05:48,080 –> 00:05:53,920
the government, or anyone in the phone infrastructure, may be able to identify you using your

71
00:05:53,920 –> 00:05:55,840
voiceprint alone.

72
00:05:55,840 –> 00:06:02,360
Voiceprints can be recorded and identified automatically in as little as a few seconds.

73
00:06:02,360 –> 00:06:07,200
This may sound kind of tinfoil hat, but it’s no secret anymore that a lot of businesses

74
00:06:07,200 –> 00:06:11,640
record phone calls and collect voiceprints when you call them.

75
00:06:11,640 –> 00:06:16,640
Some of them are actually upfront about this and say that they use this for security.

76
00:06:16,640 –> 00:06:22,040
But obviously, that information can be shared with anyone else, so you would never know

77
00:06:22,040 –> 00:06:28,480
for sure if the person on the other end of the line can identify you, automatically, just

78
00:06:28,480 –> 00:06:30,280
by your voice.

79
00:06:30,280 –> 00:06:36,840
So many businesses are for sure recording your voiceprint, but what about the government?

80
00:06:36,840 –> 00:06:41,120
Would you have privacy from them when you make a phone call?

81
00:06:41,120 –> 00:06:43,560
Obama: “Nobody is listening to your telephone calls.”

82
00:06:43,560 –> 00:06:48,880
Of course, only they could tell you that for sure, but what we tell our clients is to be

83
00:06:48,880 –> 00:06:55,440
conservative and assume that every phone call and SMS message that you make are being recorded

84
00:06:55,440 –> 00:06:56,920
by the government.

85
00:06:56,920 –> 00:07:02,680
If you’re not familiar with our work, we provide one-on-one consulting services to help clients

86
00:07:02,680 –> 00:07:05,760
like you live more private and secure lives.

87
00:07:05,760 –> 00:07:10,680
If that sounds interesting to you, go to our website, BiggerInsights.com, and fill out

88
00:07:10,680 –> 00:07:15,680
the short form at the bottom of the page so we can schedule your initial consultation.

89
00:07:15,680 –> 00:07:19,600
But if you really sit down and think about it, there are two things that would make this

90
00:07:19,600 –> 00:07:21,160
very feasible.

91
00:07:21,160 –> 00:07:25,760
1. Phone calls and SMS messages are unencrypted.

92
00:07:25,760 –> 00:07:31,920
These are legacy technologies that were designed to be simple and easy to implement, not secure.

93
00:07:31,920 –> 00:07:38,480
2. These communications flow through very few data centers, so it would be quite trivial

94
00:07:38,480 –> 00:07:44,480
for a state actor to essentially copy every bit of information that flows through them.

95
00:07:44,480 –> 00:07:46,640
But don’t just take our word for it.

96
00:07:46,640 –> 00:07:50,640
There are many resources you can read online about the government collecting this type

97
00:07:50,640 –> 00:07:54,720
of information from the Snowden leaks and other sources.

98
00:07:54,720 –> 00:07:59,720
You can actually read about some of this on Wikipedia, so this isn’t exactly a secret

99
00:07:59,720 –> 00:08:00,720
anymore.

100
00:08:00,720 –> 00:08:06,760
But now we’re going to play two clips from CNN where they interviewed former FBI agent

101
00:08:06,760 –> 00:08:13,320
Tim Clemente regarding the gathering of information about a phone call that was made between one

102
00:08:13,320 –> 00:08:17,560
of the Boston Marathon bombing suspects and his wife.

103
00:08:17,560 –> 00:08:22,720
But before I play them, just bear in mind that they’re talking about analyzing a phone

104
00:08:22,720 –> 00:08:25,520
call that was made in the past.

105
00:08:25,520 –> 00:08:27,520
All right, here’s clip one.

106
00:08:27,520 –> 00:08:32,520
“Tim, is there any way, now I guess it was a voicemail, they could try to get the phone

107
00:08:32,520 –> 00:08:33,520
companies to get that out at this point.

108
00:08:33,520 –> 00:08:36,520
But it was not a voicemail, it’s just a conversation.

109
00:08:36,520 –> 00:08:40,520
There’s no way they actually could find out what happened, right, unless she tells them.

110
00:08:40,520 –> 00:08:42,160
No, there is a way.

111
00:08:42,160 –> 00:08:46,720
We certainly have ways in national security investigations to find out exactly what was

112
00:08:46,720 –> 00:08:48,720
said in that conversation.

113
00:08:48,720 –> 00:08:52,440
It’s not necessarily something that the FBI is going to want to present in court, but

114
00:08:52,440 –> 00:08:55,640
it may help lead the investigation and/or lead the questioning of her.

115
00:08:55,640 –> 00:08:58,840
So, somewhere it’s being digitized or they can actually get that?

116
00:08:58,840 –> 00:09:00,840
Because people were saying, look, that would be possible.

117
00:09:00,840 –> 00:09:02,560
It’s pretty incredible what you’re saying.”

118
00:09:02,560 –> 00:09:04,680
All right, pretty interesting.

119
00:09:04,680 –> 00:09:06,480
Now let’s listen to clip two.

120
00:09:06,480 –> 00:09:10,280
“Okay, let’s turn our attention now to the phone call between Katherine Russell and her

121
00:09:10,280 –> 00:09:12,440
husband Tamerlan Tsarnaev.

122
00:09:12,440 –> 00:09:15,640
You said something very interesting on Erin Burnett’s show last night.

123
00:09:15,640 –> 00:09:20,760
You said that if Katherine Russell does not divulge the contents of this phone call, that

124
00:09:20,760 –> 00:09:24,200
the FBI had other methods finding out what was said.

125
00:09:24,200 –> 00:09:26,560
What did you mean by that?

126
00:09:26,560 –> 00:09:30,840
Well, on the national security side of the house, in the federal government, you know,

127
00:09:30,840 –> 00:09:31,840
we have assets.

128
00:09:31,840 –> 00:09:36,600
There’s lots of assets at our disposal throughout the intelligence community and also not just

129
00:09:36,600 –> 00:09:38,600
domestically but overseas.

130
00:09:38,600 –> 00:09:43,800
Those assets allow us to gain information and intelligence on things that we can’t use

131
00:09:43,800 –> 00:09:47,880
ordinarily in a criminal investigation but are used for major terrorism investigations

132
00:09:47,880 –> 00:09:49,280
or counterintelligence investigations.

133
00:09:49,280 –> 00:09:51,480
And you’re not talking about a voicemail, right?

134
00:09:51,480 –> 00:09:54,000
What are you talking about exactly?

135
00:09:54,000 –> 00:10:00,040
I’m talking about all digital communications are… there’s a way to look at digital communications

136
00:10:00,040 –> 00:10:01,040
in the past.

137
00:10:01,040 –> 00:10:05,080
And I can’t go into detail of how that’s done or what’s done, but I can tell you that

138
00:10:05,080 –> 00:10:07,400
no digital communication is secure.

139
00:10:07,400 –> 00:10:12,480
And so these communications will be found out, the conversation will be known, and it’s

140
00:10:12,480 –> 00:10:17,240
just a question of whether or not Katherine Russell decides to own up to what was said

141
00:10:17,240 –> 00:10:20,280
prior to that information being known or after the fact.

142
00:10:20,280 –> 00:10:24,000
And if it’s, it’ll be unfortunate for her if she doesn’t own up to it completely and

143
00:10:24,000 –> 00:10:28,960
fully because the facts of this case, the facts of her involvement and communication

144
00:10:28,960 –> 00:10:31,520
with her husband will be known.”

145
00:10:31,520 –> 00:10:37,360
So basically what he appears to be admitting to is that our phone calls are being recorded.

146
00:10:37,360 –> 00:10:43,200
Obama: “Nobody is listening to your phone calls.” That can either be in raw form.

147
00:10:43,200 –> 00:10:48,040
It could be that they’re being transcribed. But it could also be that he’s just making

148
00:10:48,040 –> 00:10:51,840
this up, although we’re not sure why he would do that.

149
00:10:51,840 –> 00:10:56,840
Based on what we know of the government and what technologies are available, we’re betting

150
00:10:56,840 –> 00:11:02,560
our money that they are either being recorded or at least transcribed.

151
00:11:02,560 –> 00:11:07,840
That reminds me of that scene on True Lies where Harry is reading the transcript of a

152
00:11:07,840 –> 00:11:11,920
phone call between his wife and Simon, the car dealer.

153
00:11:11,920 –> 00:11:12,920
That’s a great movie.

154
00:11:12,920 –> 00:11:16,360
So you should watch it if you haven’t seen it yet.

155
00:11:16,360 –> 00:11:21,480
But one of the most interesting things that Clemente said in these interviews was that

156
00:11:21,480 –> 00:11:26,040
this information isn’t something that the FBI would use in court.

157
00:11:26,040 –> 00:11:32,520
Now this is very telling because mass surveillance is unconstitutional under the Fourth Amendment.

158
00:11:32,520 –> 00:11:39,000
You can’t use illegally acquired evidence in court, so this gives us further confidence

159
00:11:39,000 –> 00:11:42,400
that they really are recording this information.

160
00:11:42,400 –> 00:11:47,880
When it comes to digital security, we’re of the opinion that if something can be abused,

161
00:11:47,880 –> 00:11:49,240
it will be.

162
00:11:49,240 –> 00:11:55,080
With our phone calls, SMS messages, and other communications flowing unencrypted through

163
00:11:55,080 –> 00:12:00,840
centralized infrastructure, it doesn’t take much of an imagination to see this happening.

164
00:12:00,840 –> 00:12:07,080
The better question would be, why would our communications not be monitored?

165
00:12:07,080 –> 00:12:13,120
But government snooping aside, from a privacy standpoint, the lack of access to apps like

166
00:12:13,120 –> 00:12:22,920
Signal, Session, Briar, Orbot, Proton Mail, Tutanota, VPNs, VOIP, and so on, leaves

167
00:12:22,920 –> 00:12:27,240
dumb phone users vulnerable to snooping and tracking.

168
00:12:27,240 –> 00:12:34,360
If you value your privacy, you need end-to-end encrypted, trustworthy communication channels.

169
00:12:34,360 –> 00:12:37,680
That’s not something that you’re going to get with a dumb phone.

170
00:12:37,680 –> 00:12:44,360
When you use SMS or you make voice calls using the public switched telephone network (PSTN), the contents

171
00:12:44,360 –> 00:12:48,360
of your communications are not end-to-end encrypted.

172
00:12:48,360 –> 00:12:53,440
This leaves your communications vulnerable to snooping by operators in the telephone

173
00:12:53,440 –> 00:12:57,800
network, as well as various government agencies.

174
00:12:57,800 –> 00:13:00,960
Now let’s switch gears and talk about security.

175
00:13:00,960 –> 00:13:05,240
It is true that a dumb phone’s operating system is simpler.

176
00:13:05,240 –> 00:13:11,400
It’s also true that dumb phones generally contain less sensitive data and capabilities

177
00:13:11,400 –> 00:13:13,320
than most smartphones do.

178
00:13:13,320 –> 00:13:18,800
However, dumb phone operating systems are likely not developed with as high of a security

179
00:13:18,800 –> 00:13:22,440
standard as Android and iOS are.

180
00:13:22,440 –> 00:13:26,160
This reminds me of something I call the Chipotle Effect.

181
00:13:26,160 –> 00:13:30,480
I used to go to Chipotle a lot, but got tired of waiting in line.

182
00:13:30,480 –> 00:13:35,760
I started going later and later to miss the lunch rush. But what I noticed was that even

183
00:13:35,760 –> 00:13:40,880
though there were far fewer customers, I still had to wait quite a bit because there were

184
00:13:40,880 –> 00:13:44,000
far fewer staff members as well.

185
00:13:44,000 –> 00:13:49,800
Analogously, dumb phone operating systems are smaller and less common, but that also

186
00:13:49,800 –> 00:13:56,240
means they probably don’t have as much security staff, researchers, and hackers trying to

187
00:13:56,240 –> 00:13:59,000
find security vulnerabilities.

188
00:13:59,000 –> 00:14:05,880
So yes, we do agree that a dumb phone would have a smaller attack surface than a smartphone,

189
00:14:05,880 –> 00:14:12,600
and we don’t know this for sure, but we would bet that most dumb phones have very poor security.

190
00:14:12,600 –> 00:14:18,240
We should also mention that most dumb phone operating systems are closed source, which

191
00:14:18,240 –> 00:14:23,520
of course operates on the security-through-obscurity philosophy.

192
00:14:23,520 –> 00:14:28,280
So we find this very concerning from a security standpoint as well.

193
00:14:28,280 –> 00:14:33,520
So if you’re going to use a dumb phone, at least from a security standpoint, you might

194
00:14:33,520 –> 00:14:36,520
want to choose one that’s as dumb as possible.

195
00:14:36,520 –> 00:14:42,400
The more features it has like opening PDFs, rendering GIFs, and so on, the more likely

196
00:14:42,400 –> 00:14:48,280
it is that there is a serious vulnerability that can be exploited to pwn your phone.

197
00:14:48,280 –> 00:14:53,360
Now let’s switch gears and talk about smartphones because you may want to use one of those over

198
00:14:53,360 –> 00:14:54,680
a dumb phone.

199
00:14:54,680 –> 00:14:58,640
A smartphone is only as smart as how you use it.

200
00:14:58,640 –> 00:15:04,160
From a security standpoint, Android and iOS are actually quite sophisticated, so they’re

201
00:15:04,160 –> 00:15:08,320
generally secure as long as you’re using them properly.

202
00:15:08,320 –> 00:15:14,280
Of course, that’s not always the case because we do see high-profile cases where smartphone

203
00:15:14,280 –> 00:15:18,080
users get pwned by zero-click exploits.

204
00:15:18,080 –> 00:15:23,560
But even in these cases, you can still avoid some of these attacks by locking down the

205
00:15:23,560 –> 00:15:25,600
settings on your phone.

206
00:15:25,600 –> 00:15:32,360
For example, there was recently a major Android vulnerability that affected my phone.

207
00:15:32,360 –> 00:15:38,040
I apologize, but I can’t remember what exactly that was. But what I do remember was it did

208
00:15:38,040 –> 00:15:45,680
not affect me personally because I have always had Wi-Fi calling disabled, which this particular

209
00:15:45,680 –> 00:15:47,960
exploit relied on.

210
00:15:47,960 –> 00:15:52,400
Hardening phones is one of the things that we help our clients with, and one of the things

211
00:15:52,400 –> 00:15:56,160
that we can help you with if you become a client as well.

212
00:15:56,160 –> 00:16:01,720
But in general, you should disable all features that you don’t absolutely need. Things like

213
00:16:01,720 –> 00:16:08,440
Wi-Fi calling, link previews, and pretty much any kind of nice-to-have feature regarding

214
00:16:08,440 –> 00:16:16,080
discoverability, sharing, social stuff, and so on, presents serious privacy and security

215
00:16:16,080 –> 00:16:17,280
risks.

216
00:16:17,280 –> 00:16:22,040
If you can get by without them, you should consider disabling them.

217
00:16:22,040 –> 00:16:26,920
Every one of these features that you disable reduces your attack surface.

218
00:16:26,920 –> 00:16:31,160
And there’s a lot more to using a smartphone privately and securely, but we’ll just leave

219
00:16:31,160 –> 00:16:36,000
that for another episode, so make sure you subscribe and stay tuned for that.

220
00:16:36,000 –> 00:16:42,040
To start wrapping this up, let’s spend a few minutes talking about why this all matters.

221
00:16:42,040 –> 00:16:47,400
We get the impression that privacy and security are as large of a problem as they are, because

222
00:16:47,400 –> 00:16:53,920
many people just don’t understand how serious the consequences are when they experience

223
00:16:53,920 –> 00:16:54,920
a serious event.

224
00:16:54,920 –> 00:17:01,760
And from my experience, if people don’t understand the Why, they’re not going to care about

225
00:17:01,760 –> 00:17:03,440
the What.

226
00:17:03,440 –> 00:17:08,600
Always bear in mind that our mobile phones present unique privacy and security risks

227
00:17:08,600 –> 00:17:12,480
because they have access to such sensitive data.

228
00:17:12,480 –> 00:17:16,720
They are unique to us, and they follow us religiously.

229
00:17:16,720 –> 00:17:22,240
In essence, your mobile phone is a digital manifestation of you.

230
00:17:22,240 –> 00:17:27,520
If someone had full access to your phone, think about what they would have access to

231
00:17:27,520 –> 00:17:29,880
and how this may impact you.

232
00:17:29,880 –> 00:17:35,800
That may include accounts and data, which might include bank accounts, email, social

233
00:17:35,800 –> 00:17:43,400
media and so on, contact information and social graphs, real-time and historical location

234
00:17:43,400 –> 00:17:51,040
information, camera and microphone feeds, call history and voicemails, text messages,

235
00:17:51,040 –> 00:17:58,080
emails, calendar events and reminders, photos and videos, search, browsing and purchase

236
00:17:58,080 –> 00:18:05,160
history, device identifiers and fingerprint, health data, notes, and so on.

237
00:18:05,160 –> 00:18:09,760
Not only could someone get access to all of that information if they compromise your phone,

238
00:18:09,760 –> 00:18:16,040
but they may even be able to use your phone to do things like send out calls, text messages

239
00:18:16,040 –> 00:18:18,720
and emails from your accounts.

240
00:18:18,720 –> 00:18:22,360
Now if that doesn’t terrify you, I don’t know what would.

241
00:18:22,360 –> 00:18:26,000
So take the privacy and security of your phone very seriously.

242
00:18:26,000 –> 00:18:32,240
Alright, so the last thing we’ll say is that a dumb phone can be used to improve your privacy

243
00:18:32,240 –> 00:18:37,400
and security, but only if you really know what you’re doing and you have a particular

244
00:18:37,400 –> 00:18:41,320
use case that a dumb phone can be effective for.

245
00:18:41,320 –> 00:18:47,840
However, in most cases, and for most people, using a good quality smartphone that has been

246
00:18:47,840 –> 00:18:54,680
hardened and is kept up-to-date with the latest security patches will generally be more effective

247
00:18:54,680 –> 00:18:58,920
at guarding your privacy and security than using a dumb phone.

248
00:18:58,920 –> 00:19:00,600
That’s it for this episode.

249
00:19:00,600 –> 00:19:05,000
We would like to remind you again to consider becoming a Bigger Insights client so we can

250
00:19:05,000 –> 00:19:07,560
help you with things like hardening your smartphone.

251
00:19:07,560 –> 00:19:13,080
If that’s interesting to you, go ahead and reach out to us at BiggerInsights.com.

252
00:19:13,080 –> 00:19:18,520
We are once again asking you to share and subscribe to this podcast so we can help as many

253
00:19:18,520 –> 00:19:20,360
people as possible.

254
00:19:20,360 –> 00:19:22,120
Thanks for tuning in.

255
00:19:22,120 –> 00:19:45,880
Get yourself a secure smartphone and stay safe out there.

Blog

What Dumb Phones Have to Offer

Privacy

From a privacy standpoint, dumb phones may offer a privacy advantage if you use them as burners. However, this is a very niche (and expensive) use case.

In some parts of the world, including the US, you can buy a phone and SIM card without identity verification. If you pay for a burner phone and pre-paid SIM with cash, this won’t be immediately tied to your identity. However, it may not be long before you lose your anonymity depending on how you use it.

For starters, if the device has power, even if it’s off, its location may be recorded. This can be done with cell tower triangulation, among other techniques. With enough location history, this alone can identify you. For every phone call you make, you increase the chance that you lose your anonymity. Also bear in mind that, in relying on the traditional phone system, a voice call could theoretically give you away if the operator and/or government are de-anonymizing phone calls using voice prints. We don’t know if this is happening, but we do know this is very much technically feasible. We know very little about what data is actually being collected, but what we’ve seen* so far is highly disturbing.

*Further reading:

  1. Former FBI agent discussing the analysis of phone calls made prior to an investigation
  2. NSA Room 641A
  3. NSA collecting phone call records from millions of Verizon customers
  4. NSA Files: Decoded
  5. NSA PRISM Program
  6. NSA XKeyscore surveillance system

Security

From a security standpoint, dumb phones have a perceived advantage due to having a much lower attack surface than a smart phone. In theory, the operating system should be much simpler, which should present fewer vulnerabilities. However, this may be a double-edged sword. For example, the Pegasus spyware suite had a feature that delivered infected files through iMessage and exploited an Xpdf vulnerability in iOS. iMessage and its components are more complicated than most realize. This increases its attack surface, which in turn increases the odds of such a vulnerability. On the other hand, one must also wonder how easily a malicious text message could be used to pwn an average dumb phone.

Why Dumb Phones Fail for Privacy & Security

Using a dumb phone is generally dumb if your intention is to protect your privacy and security.

Privacy

The lack of access to apps like Signal, Session, Briar, Orbot, Proton Mail, VPNs, VOIP apps, etc. leaves dumb phone users vulnerable to snooping and tracking. If you value your privacy, you need end-to-end encrypted, trustworthy communication channels. That’s not something you get with a dumb phone.

When you use SMS or make a voice call using the Public Switched Telephone Network (PSTN), the contents of your communications are not end-to-end encrypted. This leaves your communications vulnerable to snooping by operators in the PSTN system as well as various government agencies.

Admission of Phone Call Recording: Part 1

Don’t just take our word for it. Read what former FBI agent Tim Clemente said on CNN about analyzing a call that someone made prior to an investigation (i.e. a past phone call). Here is a brief overview of the interview between Erin Burnett (news anchor), Tim Clemente, and attorney Mark Geragos:

  1. April 15, 2013: The Boston Marathon bombing happened
  2. One of the bombers died and the other was captured
  3. The FBI started their investigation
  4. May 1, 2013: Clemente is interviewed on CNN. Below is a sample from that interview:

BURNETT: “Tim, is there any way, obviously, there is a voice mail they can try to get the phone companies to give that up at this point. It’s not a voice mail. It’s just a conversation. There’s no way they actually can find out what happened, right, unless she tells them?”

What Burnett is referring to is phone calls made by the wife of one of the bombers… before the bombing happened.

CLEMENTE: “No, there is a way. We certainly have ways in national security investigations to find out exactly what was said in that conversation. It’s not necessarily something that the FBI is going to want to present in court, but it may help lead the investigation and/or lead to questioning of her. We certainly can find that out.”

Here, Clemente is stating that the government can determine “exactly what was said” in a past phone conversation.

BURNETT: “So they can actually get that? People are saying, look, that is incredible.”

GERAGOS: “No, welcome to America. All of that stuff is being captured as we speak whether we know it or like it or not.”

When Geragos says “that stuff” he’s referring to phone calls, text messages, emails, and other communications. Clemente nodded his head during this statement and followed up with, “Exactly.”

Admission of Phone Call Recording: Part 2

Not surprisingly, what Clemente said was pretty mind-blowing. He appeared on CNN again the following night and continued this story. Below is an excerpt from Clemente:

“All digital communications are… There’s a way to look at digital communications in the past. I can’t go into detail of how that’s done or what’s done, but I can tell you that no digital communication is secure. And so, these communications will be found out. The conversation will be known.”

How exactly does one “look at digital communications in the past”? Either the government has a time machine, or they’re recording phone calls in some manner. Our estimation is that phone calls, unless flagged as high priority, are stored in transcript form.

Of course, there is also the chance that he made all of this up in an attempt to get the wife to spill the beans. This would be the classic, “You might as well confess because we already know everything” trick. However, we mere mortals don’t have the luxury of knowing what’s actually going on. We just have to take our best guess and act accordingly. When it comes to digital security, we’re of the opinion that, if something can be abused, it will be. With our phone calls, SMS messages, and other communications flowing unencrypted through centralized infrastructure, it doesn’t take much of an imagination to see this happening. The better question would be, “Why would our communications not be monitored?”

Security

It’s true that a dumb phone OS is simpler. It’s also true that dumb phones generally contain less sensitive data and capabilities than most smart phones do. However, dumb phone operating systems are likely not developed with as high a standard for security as Android and iOS are. Admittedly, we don’t have the data, but we assume that most dumb phone operating systems are also closed-source. This makes it difficult for the security community to identify vulnerabilities before bad actors do. In our estimation, dumb phone operating systems are likely easier to exploit than Android or iOS.

With all of this in mind, if you’re going to use a dumb phone, try to choose one that’s as dumb as possible. The more features it has (e.g. opening PDFs, rendering GIFs, etc.), the more likely it is that it will contain exploitable vulnerabilities.


Smart Phones: You Need to be Smart in How You Use Them

We call them smart phones because they have general purpose hardware and software which makes them highly capable. These features allow you to use a smart phone for many of the tasks you could with a PC. However, like any computing device, how effective their “smarts” are is dependent on the user. From a security standpoint, Android and iOS are actually quite sophisticated and effective.

We may go into more detail in a future post, but if you value your privacy and security, here’s how you should use a smart phone:

  1. Use it primarily for phone (voice, text) and email. It’s usually when users install games, social media apps, and other distractions that risks grow substantially.
  2. Use end-to-end encrypted voice and text message apps (Signal, Session, Briar, etc.) when you can
  3. Enable automatic updates (app and OS) or at least install updates on a frequent basis
  4. Keep radios (Wi-Fi, Bluetooth), other communication channels (e.g. AirDrop), and location (GPS) disabled when not in use
  5. Uninstall all apps you don’t really need
  6. Don’t use OS email or calendar apps – use the clients made by your provider instead
  7. Go through every setting (app and OS) and disable every permission and setting that isn’t required
  8. Skip the cloud – back up your data locally and create backup copies
  9. Disable GPS tagging in your camera app
  10. Don’t use your personal email address for your phone’s account. Create a new one that’s dedicated to this purpose.
  11. Use Tor (Orbot) or a VPN most of the time
  12. Disable voice assistants (e.g. Siri)
  13. Restart your phone on a regular basis. This may clear malware – a lot of Android and iOS malware won’t survive a reboot.
  14. Disable all tracking, analytics, and telemetry where you can
  15. Don’t let others have access to or use your phone
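One way to check item 7 on an Android phone, as an added example that is not part of the original article: the script parses the text printed by `adb shell dumpsys package` and lists the apps that still hold permissions to the data categories named in this article. The sample dump, the package names and the `audit` helper are constructed for illustration, and the dump layout is assumed to match recent Android versions.

```python
import re

# Runtime permissions mapped to the data categories this article lists.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.READ_SMS": "text messages",
}
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")

# Constructed sample in the layout of `adb shell dumpsys package` (not real output).
SAMPLE = """\
Packages:
  Package [com.example.flashlight] (1a2b3c):
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
  Package [com.example.notes] (4d5e6f):
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
"""

def audit(dumpsys_text):
    """Return [(package, [granted sensitive categories])], most exposed first."""
    granted, package = {}, None
    for line in dumpsys_text.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            package = pkg.group(1)
            continue
        perm = PERM_RE.match(line)
        # Count only permissions that are currently granted, not merely requested.
        if package and perm and perm.group(2) == "true":
            category = SENSITIVE.get(perm.group(1))
            if category:
                granted.setdefault(package, set()).add(category)
    ranked = sorted(granted.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(name, sorted(cats)) for name, cats in ranked]

if __name__ == "__main__":
    for name, cats in audit(SAMPLE):
        print(f"{name}: {', '.join(cats)}")
```

Apps that appear in the output are the ones to review first: revoke the permission in the app's settings, or uninstall the app if it isn't needed (item 5).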

There’s plenty more where this came from. If you’d like to learn more, please reach out to schedule your free initial consultation with the form at the bottom of the page.

Why This Matters

Always bear in mind that our mobile phones present unique privacy risks because they have access to such sensitive data. They are unique to us and follow us religiously. In essence, your mobile phone is a digital manifestation of you. If someone had full access to your phone, think about what they would have access to and how this may impact you:

  1. Accounts and data: Bank, email, social media, etc.
  2. Contact information and social graphs: You and your contacts
  3. Location: Current and historical
  4. Camera and microphone feeds
  5. Call history and voicemails
  6. Text messages and emails
  7. Calendar events and reminders
  8. Photos and videos
  9. History: Search, browsing, and purchases
  10. Device identifiers and fingerprint
  11. Health data
  12. Notes
  13. Inferred data: Interests, health, religion, sexual orientation, political views, etc.

Final Thoughts

Using a dumb phone to protect your privacy and security may make for interesting TV. In reality, using a quality smart phone intelligently is usually more effective.
