The Weakest Link is Motherboard's third, annual theme week dedicated to the future of hacking and cybersecurity. Follow along here.
Listen to Motherboard’s new hacking podcast, CYBER, here.
SIM-jacking. Warrantless access to location data. SS7 interception. The threats against devices on traditional mobile phone networks are varied and serious. But what if there was a way to largely avoid these issues while maintaining some degree of connectivity with friends and colleagues, all on a pretty secure device?
There is. It’s using an iPod touch, which only works over Wi-Fi, and here’s how you can set one up as your phone substitute.
At the end, you’ll be able to send messages securely through apps such as Signal, protect your traffic with your own VPN, and, if you like, make calls to normal phones over the internet as well.
The issues with a regular cell phone
Hackers have targeted at least thousands of people with a technique known as SIM-jacking, in which the attackers call up the victim's telecom, and trick the company into porting the victim’s number over to the hacker’s own SIM card. The hacker then receives password reset text messages and two-factor authentication codes, letting them break into banking services and other sensitive online accounts. Sometimes the hackers bribe workers inside telecoms such as T-Mobile and AT&T to give them control over a target’s phone number.
Attacks against SS7, a protocol and related network used particularly for mobile roaming, have trickled down from nation states to cybercriminals. Last year, hackers exploited SS7 to grab text message-based two-factor authentication tokens to break into the bank accounts of mobile service provider O2 customers.
For years, low level law enforcement have been buying cheap access to mobile phone location data from a number of dodgy resellers with minimal legal oversight. In May Senator Ron Wyden’s office and The New York Times revealed the practice; a few days later we reported that another company offered a similar product to bounty hunters, allowing them to pinpoint the location of nearly any phone in the United States. Multiple telecoms went on to say they are stopping the sale of their US customer’s location data, but the main point arguably stands: telecoms have access to a wide bevy of information on their users, often with lax security.
Some of these problems are about fundamental design decisions that ultimately won’t be fixed anytime soon. So why not take action into your own hands and stop your reliance on these networks in the first place?
How to replace your cell phone with an iPod Touch
That’s where the iPod comes in. Only communicating over Wi-Fi and lacking a baseband or SIM card, iPods are not typically susceptible to SIM jacking, SS7 interception or telecom data sharing. That’s not to say they’re without any risks, of course.
The usual tips for keeping an iPhone secure still stand: install updates when Apple releases them to make sure you have the latest security fixes; don’t jailbreak the device, as that opens it up to dodgier apps or other attacks, and use a strong passcode to ensure casual inspectors can’t flick through your data.
In order to get encrypted messaging app Signal running on the iPod, you may need to use a voice-over-internet-protocol (VoIP) service. Skype offers a paid phone number product, meaning you can make and receive normal phone calls through its iOS app. People in the US can setup a free Google Voice number. Both of these can be used to receive the initial sign-up text message from Signal to register the iPod. You could then delete any VoIP apps if you prefer to only have Signal as a way to contact you, or keep them handy for making ordinary calls and texts.
Since you’ll presumably be using a lot of public Wi-Fi with your iPod, it may be worth setting up a VPN to protect your traffic from potential snoopers too. This is possible with Algo, a set of scripts that automate much of the VPN creation process. Just make an account on a hosting provider such as Digitalocean, run the script on your PC, and answer the questions. The script will output a file that you then transfer over to your iPod; if you’re using a Mac, AirDrop works well for this. If that sounds a bit too technical, you could download a commercial VPN app instead.
But how many extra apps you wish to install depends on how seriously you want to take the security of your iPod. You could have a device solely dedicated to Signal, with no Apple ID signed in so iMessage won’t work, or other apps. This would be to decrease your so-called attack surface; limiting the number of possibilities hackers have to try and get into your device. With that being said, if you are already concerned about an attacker directly hacking into your iOS device—something typically only available to nation states, as iOS is generally considered the most robust consumer operating system in the world—you may have much more serious things to worry about.
The drawbacks of using an iPod Touch over a cell phone
An iPod does have some other drawbacks over a fully-fledged iPhone though. The iPod does not come with Touch or FaceID, Apple’s relatively robust alternatives to using a device passcode. Then again, using an iPod is supposed to be focused on dealing with remote threats, not ones when a hacker has physical access to the device. If you need to worry more about the latter, perhaps this approach isn’t for you.
And to be clear, this quite drastic switch from a phone over to an iPod is not for everyone. It may simply be too inconvenient for a lot of people, both socially and professionally, to only rely on an internet rather than a cellular connection. Maybe the place you live doesn’t have much public Wi-Fi, or it is otherwise difficult to get online when out and about.
But for those with the means and concern around telecom threats, switching to an iPod can be a way of doing the things you would normally do on a phone but with much more security and privacy in mind.
Correction: A previous version of this article incorrectly stated that the iPod Touch does not come with the Secure Enclave Processor (SEP). This is false; Apple later clarified in an email that, although the iPod Touch does not have Touch or FaceID, it does still have SEP. Motherboard regrets the error.