Phone Proxy
This will be a story about what I and a dear friend of mine are doing to keep our phone usage a little more private. I must admit he is faster at this, but I will try to weigh all the options before I go all in.
The problem with telephones
The main issue I have with my telephone usage is the fact that it’s a tracking device in your pocket. It beams out to every cell tower you walk past, every movement is monitored. This is only the first problem, though. The second, and more important issue, is that phones are useful as hell.
If phones were not useful, or addictive, we would not be using them. I remember, even with my old Nokia phone (no touch screen, a T9 brick), I had an issue putting it down. Snake, all the little knick-knacks, it was bliss. Nowadays, with the beauty of the internet, the pull is even stronger. I don’t know if I could last without a smartphone for a while, even if only for work. It’s difficult to give up my phone, but I want to have my cake and eat it, too.
What can be done about this? One thing is the OS. I use GrapheneOS (duh); it may not be the secure OS, but it’s the best of both worlds. Locked-down bootloader, no Google Play Services, and I got a phone that can run apps. But it’s still a beacon, it has my phone number, opening me to SIM-swapping, smishing, all the bad stuff. This is where a phone proxy comes in.
The design of the phone proxy
Now you may think I’m crazy, but hear me out for a second. The issues of one device… may be solved with two.
The system is nothing new. Basically, you offload the cell connection to a secondary device and disable all cell communication from the phone itself. Yes, I should not trust GrapheneOS in this regard, but it’s better than nothing, and they seem to flaunt their Airplane mode a lot. I will have to check the traffic logs or get someone at some telecom company to do so for me.
Next, the question becomes: What do we replace a phone with? You could jump around free WiFi, but there are places where you will not get any wireless connection at all. In that case, you can use a cheap 4G portable modem with a data-only SIM card. This gives you a WiFi connection anywhere, so you don’t even need to put a SIM card in your actual phone. Furthermore, you only need the modem if you’re not living off the land/home/office WiFi.
The modem does not have to be fancy, and I would even advise against it, since the modem itself becomes a tracking device. If you make a mistake in your usage, it is advisable to burn the device and start over. This means throwing out whatever device you have and starting over with a new SIM and a new modem. Only this way can you get a new IMSI and IMEI number. Tell me, which would you rather have to give up? Your 400$ phone, or a 40$ modem and a 15$ a month SIM card? If you fuck up with your main device, you must burn it down, start over. Migrating application settings is a pain, so I’d advise against it. This way? You can switch your “connection profile” at will.
The second part is the SIM. If you go to a phone provider, they’ll try to sell you stuff you don’t need, services your modem will not support. Calls, text messages, the works. The only thing I care about, though, is data. When you look online, search for IoT SIM cards. These are not meant to work in a phone, they are just what it says on the tin: a SIM card with data, no phone service, no text messages. You can put these cards in your smart home devices and they can communicate anywhere you can get cell service. This is the plan you want, and the pricing, frankly, is ridiculously good for what it is. I found a SIM with 1TB of data per year for about 140$. This comes out to 80-ish gigabytes of data per month and 13-ish dollars per month. This is good even for the market I am in!
The last thing you need is a way to quickly disable your modem if need be. Turning it off is not enough. The device may not have a removable battery, at which point your device is as good as a powered-off phone, which is not much good at all. Who knows what firmware is running on the modem? This is what a Faraday cage is for. You can use a shielding bag to disable the modem at a moment’s notice, even without turning it off (although I’d recommend it, you don’t want to charge that thing in your home.)
After you’re all set up, the only physical device you worry about is your SIM card and your VoIP account. If someone, for some reason, gets access to the physical SIM card in my phone, what will they do with it? They can clone it, swap it for their own, but there is nothing tied to that number or any data to be had. All they get is a phone plan I paid for in advance. Big whoop, I’m out a hundred bucks, but I lose none of my security or sensitive information. It’s as useful to them as getting the password to a café WiFi network. They can connect, but not much more than that.
If you do not want to use an off-the-shelf modem, you can probably tinker and build your own. A Raspberry Pi with a SIM card HAT and a way to make a WiFi hotspot would be nice.
Phone calls and text messages - how and why
After some brainstorming, this seemed like a perfect setup. But even if all you use is Signal and PGP-encrypted e-mail, your friends will still send you text messages. No matter what you do, someone will need your phone number. But which do you give them? The modem will not ring, it will not forward or accept calls, and giving out the number of your modem will only compromise you. The solution is VoIP (which I have talked at length about). This way, you only use VoIP on your phone, no direct phone calls. If you get a good provider, you can actually have SMS forwarded through e-mail or into an application. If you can’t get text messages, you can always stop giving out a cell phone number for texts and train your contacts to use secure communication (or at least a method that does not rely on unencrypted text service.)
This next bit comes straight out of a book I enjoy and refer to regularly, Extreme Privacy by Michael Bazzell, on some of the ways you can persuade your friends and family to join you in your secure messaging platforms:
Step 1: Convince them to install the application
Step 2: Get them all in a big group chat (like a big family get-together)
Step 3: Start posting interesting stuff (family photos, updates, etc.)
Step 4: Train them to think of this application as their way to reach you.
The last step can be tricky, but you can basically Pavlov them. If they text you and you get the text message, do not reply right away. Give them a day, a few hours, whatever you feel is acceptable. If they message you on the secure platform, however, make it your first priority to reply. This way, you condition, Pavlov-style, your friends and family to use better ways of communication. If your loved ones understand the need for secure comms, all the better, but keep this in mind when you start: You may have to give your contacts another way to reach you apart from text.
NOTE: Of course, if it’s an emergency, all this goes out the window, but you know what I mean.
The way I use my phone is with an always-on VPN, so my VoIP provider only knows the VPN address and who is calling me. On the other side, the SIM service provider (the one I use in the modem) only sees one IP address I am connecting to, the VPN endpoint. If someone wanted to find me, they would have to get into 3 separate companies which may or may not be in different countries altogether. Connecting the dots, that’s part of the plan. Next, if someone wants to send me a silent text message to ping my phone’s location, where will they send it to? Even if my airplane mode weren’t on, I don’t have a SIM in the phone, so no phone number. The only thing connecting to the network is the modem, which has no phone number (as far as I know) and no name in a phone book tied to that name. This may be good enough for me.
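One way to check the claim that the modem's carrier only ever sees the VPN endpoint, as an added example that is not part of the original post: it scans a packet capture for phone-originated traffic that bypasses the tunnel. It assumes a self-built hotspot where you can capture on the WLAN interface and save `tcpdump -nn -tt` text output; the addresses, port and sample lines are constructed.

```python
import re

# Assumed values for this sketch (not from the original post):
PHONE_IP = "192.168.8.100"               # phone's address on the hotspot WLAN
VPN_ENDPOINT = ("203.0.113.10", 51820)   # VPN server IP and UDP port
ALLOWED_LOCAL_PORTS = {67}               # DHCP to the hotspot itself

# Constructed sample in `tcpdump -nn -tt` text format.
SAMPLE_CAPTURE = """\
1700000000.100000 IP 192.168.8.100.68 > 192.168.8.1.67: BOOTP/DHCP, Request, length 300
1700000001.200000 IP 192.168.8.100.44321 > 203.0.113.10.51820: UDP, length 148
1700000001.250000 IP 203.0.113.10.51820 > 192.168.8.100.44321: UDP, length 92
1700000002.300000 IP 192.168.8.100.40112 > 192.168.8.1.53: 4242+ A? connectivitycheck.example. (43)
1700000003.400000 IP 192.168.8.100.50000 > 198.51.100.7.443: Flags [S], seq 1, win 65535, length 0
"""

# IPv4 only; IPv6 lines do not match and are ignored in this sketch.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)

def find_leaks(capture_text):
    """Return (leaks, tunnel_packets) for packets sent by the phone.

    A leak is any phone-originated packet that is neither addressed to the
    VPN endpoint nor local DHCP. DNS sent to the hotspot counts as a leak,
    because the hotspot forwards it to the carrier's resolver in the clear.
    """
    leaks, tunnel = [], 0
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["src"] != PHONE_IP:
            continue  # replies and unparsed lines are not phone-originated
        dst = (m["dst"], int(m["dport"]))
        if dst == VPN_ENDPOINT:
            tunnel += 1
        elif dst[1] in ALLOWED_LOCAL_PORTS:
            continue
        else:
            kind = "dns" if dst[1] == 53 else "direct"
            leaks.append((kind, f"{m['dst']}:{m['dport']}"))
    return leaks, tunnel
```

An empty leak list with a non-zero tunnel count is what the always-on VPN setup should produce; anything else is traffic the carrier can attribute to the modem.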
Since I started writing this, my colleague (the absolute legend) actually sent me a message saying just “I’m doing it. No going back.” He’s currently running this setup, modem, SIM, Faraday bag, everything. I hereby thank him for his service and dedication to the cause.
Now, why am I going to do this?
Is there a bounty on my head? No.
Is there a stalker following me? Probably not.
I’m doing this because it’s fun and because it’s a way to be more private with my life. This way, I can use my phone at home as well as outside, turn on navigation, and when I’m getting close to my destination, I can just disable the modem, but keep using my device as it was intended with an offline version of the maps. This is the way to go in the future, at least for me. It will take time getting used to, but I believe it will be fine in the long run.
Are you doing this? Let me know what you think! Are there serious gaps in my setup? I know I’m relying on the airplane mode, but that’s about it.