Holy crap! That sounds like what we need for a 2026 phone in China and the US! Given GOS’s reputation, the implementation should be good. One more tool to deal with the surveillance state!
nitter link added by staff.
8 Likes
That would be amazing, I’m assuming that’s with their OEM partnership? I wonder what sensors they will be looking at for this, just camera and mic or also gyroscope/accelerometer?
5 Likes
Definitely need more details, but cameras, mics, Bluetooth, and cellular would be a massive win for privacy. Will I even need a Faraday bag anymore?
I would love to see Apple copy GOS. iOS definitely needs a sensor kill switch too!
2 Likes
Interestingly Apple actually has hardware kill switches for the microphone in iPads and MacBooks, not on iPhones though.
5 Likes
If the sensor kill switch is the reason for a 2027 launch then I won’t mind. GOS gotta get this right. I’ll reconsider a Google P11 if the Motorola GOS phone has the kill switch. For anyone living or traveling to China and the US, they have to get this phone!
2 Likes
This doesn’t seem very concrete. Also, by future generation I assume it is meant that this won’t be with the first generation GrapheneOS-compatible device in 2027.
I think the GrapheneOS team have talked about privacy switches beyond just sensors for a variety of purposes. The idea is that they have a strong focus on what is protected/mitigated through using them.
I think the main ones they have been talking about are stopping the use of GrapheneOS phone as a remote recording device (microphones, speakers, sensors, cameras?) and another example maybe stopping GrapheneOS being used for location monitoring (radios Bluetooth, Wi-Fi, Cellular, UWB, NFC, Thread and sensors). I don’t think it would be a switch for sensors alone, but I am just speculating.
3 Likes
I don’t think the kill switch will work for current devices, but I hope I’m wrong!
1 Like
ELI5: why is this a desirable feature?
GOS already has software-defined control for all sensors & radios. Users can disable location, mic, camera, BT, cell & wifi system-wide. On a per-app basis, you can do the same through the GOS permission manager, with added control over gyroscope & accelerometer sensors
A Level1 hardware kill switch seems redundant, unless there is a reason not to trust GOS software-defined controls. And we’re adding a mechanical point of failure
2 Likes
A hardware killswitch operates at a lower level than the software. So if the software is compromised, then the hardware killswitch will still prevent say the camera or microphone from recording.
7 Likes
I think it is something nice to have, but doesn’t really change the game in meaningful way, since it primarily fights against compromised OS / apps. It will only be useful for users with very high risk profiles.
GOS provides sensor permission toggle for apps, Android 16 also includes Mic / Camera access toggles. If an user installed app could somehow escape those controls, thats definitely some sophisticated spyware. If an malware / spyware was planted without user noticing, that user is very likely to be targeted by state actors, leveraging multiple undisclosed zero days, which costs millions.
For 99.99% of users, sensor permission toggle should be sufficient, though I think GOS could improve it by introducing sensor-scope, tricking apps to think that sensor permission was granted.
3 Likes
Yes but it’s still nice to have 100% assurance that it would be impossible for someone to get camera access. A lot of people in this community like me will always be paranoid without a hardware switch, even if it might be unrealistic.
3 Likes
Interesting… this feels like another threat modelling debate. Zero-trust security model vs redundancy
What is the actual risk that GOS is compromised in this way? To render the OS software permission controls moot & make a hardware kill switch necessary? I’m not sure that’s a super quantifiable risk, but I expect it’s very, very low
This is indeed my belief. No real opposition to the move, I’m just surprised GOS is making hardware decisions based on a niche threat model.
2 Likes
It doesn’t render the software controls moot at all. I’m just saying it’s not redundant: it explicitly covers a situation that the software ones can’t. I’m definitely not saying it’s even a huge risk, but full device compromise is definitely a real thing and hardware kill switches defend the sensors in that situation.
3 Likes
Alright I’m definitely confused, or otherwise just dense 
Im trying to say the hypothetical ‘full device compromise’ would render the software controls moot & make the hardware kill switch necessary
On stock android, sure. But on GrapheneOS? With a locked bootloader, disabled USB port, and no dev options enabled? Im not so sure. Probably not literally 0% chance, but pretty darn close Id think
1 Like
We would like to have a proper audio recording kill switch (not simply a microphone kill switch) on a future GrapheneOS device, but it has a very narrow use case of defending against a compromised device. We wouldn’t present this as a huge feature. The main benefit would be that it would help convince people to use a secure device meeting our main security requirements because they believe that it’s important to them.
So basically they just think it’s a marketing feature for people they think are misinformed. Kill switch necessary? - GrapheneOS Discussion Forum
1 Like
That’s a CRAZY quote
GOS project is usually pretty strict with tying their security features to concrete threats. I’m… flabbergasted to see they’d make a hardware design decision like that
1 Like
I guess it has a very limited benefit and scope. To me none of these kill switches make sense because I am not doing anything very sensitive around devices, generally, and how many people are having super sensitive phone calls or whatever these days?
If my device was fully compromised I would be far, far more concerned about the text messages and other data on my devices being compromised, than anyone watching or listening to me.
Anyways, that’s why I have no camera covers or mic switches. If anyone wants to waste time seeing what I’m up to IRL when I’m using my phone or laptop I’ll just start an OnlyFans for them to subscribe to 
3 Likes
It really depends on your threat profile. I wouldn’t call it overkill. You obviously don’t live in China.
4 Likes
I can’t speak for other countries, but if you’re entering the US, both citizens and non-citizens could be subjected to phone inspection and seizures without a warrant.
Overkill? Not sure if I agree with it. The more secure and private the phone is, the better.
2 Likes
Oh wow, I had no idea! I’m really surprised that the iPhone doesn’t have it. Is it confirmed that all MFi iPad cases will disable the iPad’s microphone? It would be nice if the hardware kill switch could be enabled on a Mac without closing the lid.
1 Like