After spending several weeks improving my setup I am kindly asking for feedback.
My threat model:
Indirectly politically exposed person
Potential target for reconnaissance
Everything that can be inferred through the first two points
My hardware:
Latest generation MacBook
Latest generation iPhone
Latest generation Pixel Pro w/ GOS
My hardening:
MacBook has no associated Apple ID
iPhone has anonymous Apple ID
They collect phone number, so not truly anonymous (one warrant away)
MDM profile applied to both iPhone and MacBook
MDM profile blocks all potentially dangerous services
iMessage, FaceTime
AirDrop, AirPlay, AirPrint
USB accessories
…
DNS over TLS profile
DNS server is only accessible through VPN
Prevents outbound connections without VPN
Pixel Pro has anonymous SIM
Always-on VPN
DNS over TLS profile
Maximum hardening in OS settings
MacBook runs Little Snitch and various additional IP leak prevention configs
VPN prevents any outbound traffic except TCP port 443 and ICMP type 8
Prefer not to elaborate on VPN setup, I control the exit points, privacy is secondary
My exposure points:
I have Discord and Telegram on my devices. No personal data is associated with the accounts, but it may be inferred through conversations. All conversations are considered leaked as a general measure - regardless, they are an entry point for zero-click RCE
I have disabled push notifications for all apps that could be used to identify me, so there is no push token associated. I doubt it has much effect but at least prevents a trail from my phone number to my online accounts through Apple ID
I do not use Lockdown Mode on Apple devices for convenience reasons - the MDM profile should cover the majority of it, minus the restrictions on Safari
My countermeasures:
Private communication happens over Signal, only installed on my Pixel Pro
Two factor authentication over either Yubikey or TOTP on Pixel Pro
Every device is considered compromised and I act accordingly
I have a separate MacBook, without any applications that could be used for RCE, except a browser, which I give slightly higher trust to
For casual private browsing I use Tor
If confidentiality is a concern I use Linux live systems tailored to the level of confidentiality required, going as far as complete airgap
My biggest fear:
Zero days used against my devices
Misjudging confidentiality requirements - for medium confidentiality, I use ephemeral encrypted virtual machines on physical hardware in my control and a remote connection from my devices - any spyware that can monitor keystrokes and/or screen would compromise this
Final note: I am trying to stay sane and would prefer not going down a QubesOS rabbit hole. I would like to think that I have tried to account for everything and did everything within range of possibilities on commodity hardware. Now it’s your turn, please let me know if you concur or if I missed something!
You mention the Pixel Pro has an anonymous SIM (which I assume is pre-paid in cash) but do you ever give out that number? If so, it probably isn’t actually anonymous as the number can be associated with you in some way. It’d also be a good idea to go in airplane mode or even put the Pixel in a faraday bag when in the vicinity of locations which can identify that device as being yours such as when near your home, work, or other points of interest. I’m not sure if that sounds overkill to you but it’s a tip.
You don’t mention the iPhone has an anonymous number so I’ll just point out that you might want to assume the location of your iPhone can be tracked. If you’re going places you can’t be associated with, leave it somewhere else or put it in a faraday bag.
I am not going to comment on whether your threat model makes sense or whether these protections are necessary, I will just assume you have already thought about this.[1]
How did you apply the MDM profile? Are your devices in Supervised mode? I would not use that as a substitute for Lockdown Mode.
In particular your reasoning to not use Lockdown Mode for convenience reasons doesn’t make sense to me, because you only point out restrictions in Safari as a problem, but Lockdown Mode has the least restrictions on Safari, because you can individually control it per website…
Why do you have two phones? You don’t mention what you do exclusively on your iPhone. I have a similar hardware setup, but each device has a specific purpose, so I just want to make sure you have thought about that. If everything you do on your iPhone can be done on the Pixel, but not everything you do on the Pixel (Signal, 2FA) can be done on the iPhone, then it would make sense to drop the iPhone thereby reducing your attack surface a lot.
What is this “separate MacBook” you mention and is it also a latest generation MacBook? What hardware are you booting your live Linux systems on?
Have you considered running apps like Discord and Telegram in a separate user profile on your Pixel?
Thank you for the responses, I appreciate it. Let me add some more details.
I do not - the SIM is data-only and I intend to keep it that way. I have bought the device and never associated a SIM with personally identifying information, so the IMEI is not tainted
This makes sense and I agree, this is my baseline. My thought is that if the situation warrants, I can ditch my iPhone and the Pixel remains safe to use intermittently
Yes, they are supervised as otherwise most settings would not take effect on iOS
I watch YouTube, listen to Spotify - mostly leisure activities. I do not use the Pixel Pro at all for leisure, so my intention was applying a defense in depth principle which you can compare to an onion - the more trust I want to give a device, the more services are removed. In the onion’s center you would have something like an airgapped live system
Latest generation MacBook as well. I primarily use it to manage and access infrastructure and for all other activities where I want to discount the possibility of an RCE through, e.g., Discord or Telegram
If I access them remotely from a MacBook - I have virtualization infrastructure that I have physical control over, so the environment is as tight as I configure it to be. If I require more privacy than a remote desktop - I have a few fairly recent PC laptops that I use for this purpose.
I have, but I decided against it for the time being. I do not have Google Play services installed. The only attack surface on my Pixel is through an RCE on Discord or Telegram. I do not accept messages from unknown people. Similarly, I do not add people I cannot trust not to send me malicious attachments. This way, it would require Discord or Telegram to collaborate with a highly advanced adversary to deliver a payload ignoring my account and application settings (I disabled link previews, automated media downloads, etc.).
I highly doubt an adversary would dare to attempt an attack through this channel considering the political blowout that ensues if discovered.