HN 用户提问:我可以使用 GrapheneOS 或 /e/OS Linux 手机来防止手机信号塔被黑吗?
1 分•作者: xrd•8 个月前
最近有很多关于手机网络的热门讨论。<p><i>纽约发现可导致手机网络崩溃的设备缓存</i><p>https://news.ycombinator.com/item?id=45345514<p><i>ICE 使用的假手机信号塔来追踪人员</i><p>https://www.forbes.com/sites/the-wiretap/2025/09/09/how-ice-...<p>与此同时,也有关于 Linux 手机的有趣讨论,比如 GrapheneOS(去谷歌化的安卓)和 FLX1s(纯 Linux 手机):<p>https://news.ycombinator.com/item?id=45312326<p>我的问题是:这些替代方案对付这类新型攻击有帮助吗?如果你的手机使用的是像 T-Mobile 这样的普通网络提供商,有没有什么方法可以阻止你的手机尝试连接到假网络?<p>如果我控制了整个手机堆栈,就像使用 FLX1s 一样,那么我是否可以拥有类似 ssh 初始连接签名这样的东西:<p><pre><code> 无法建立主机 '100.64.0.46 (100.64.0.46)' 的真实性。
ED25519 密钥指纹是 SHA256:yE4jh7gROroduLqbIFcInlUXrpDy8JIpJPc+XvtIpWs。
此密钥不以任何其他名称已知。
您确定要继续连接吗 (yes/no/[fingerprint])?
</code></pre>
一旦我接受了 sshd 端点,我就知道如果 sshd 发生变化并且我正在经历中间人攻击,我的 ssh 客户端会保护我。<p>我们能不能对手机信号塔也做同样的事情,除非手动批准并存储了该信号塔的签名以供将来连接,否则不连接它?<p>当我在一个新城市时,接受一个新的手机信号塔会有点麻烦,但我可以想象同步一个被列入白名单的、受信任的手机信号塔集合(哈,当我想到这一点时,“受信任”这个概念就变得可笑了)。但是,至少我可以更深入地了解我何时受到监视。而且,我可以这样说:“今天不行,ICE!”或者“T-Mobile,我不知道,请让我看看我的 HN,我甚至不在乎你们是否知道我意识到我的政府正在追踪我,因为我支付了服务费!”我敢打赌,在 GitHub 上托管的白名单更新速度会比 T-Mobile 安装新的手机信号塔更快,这样隐私爱好者就可以启用自己的安全措施了。
查看原文
Lots of interesting discussions about cell phone networks lately.<p><i>Cache of devices capable of crashing cell network is found in NYC</i><p>https://news.ycombinator.com/item?id=45345514<p><i>Fake cell phone towers ICE is using to track people</i><p>https://www.forbes.com/sites/the-wiretap/2025/09/09/how-ice-...<p>And, at the same time, interesting conversations about linux phones, like GrapheneOS (de-googled android) and FLX1s (pure Linux phone):<p>https://news.ycombinator.com/item?id=45312326<p>My question is: are any of these alternatives helpful against these kinds of novel attacks? If you are on a phone using a network vanilla provider like tmobile or otherwise, is there any way to prevent your phone from trying to connect to a fake network?<p>If I controlled the entire cell phone stack, like I would with FLX1s, then could I have something like the ssh initial connection signature:<p><pre><code> The authenticity of host '100.64.0.46 (100.64.0.46)' can't be established.
ED25519 key fingerprint is SHA256:yE4jh7gROroduLqbIFcInlUXrpDy8JIpJPc+XvtIpWs.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
</code></pre>
Once I accept that sshd endpoint, I know my ssh client will protect me if the sshd changes and I'm experiencing a MITM.<p>Could we do the same thing with a cell tower and not jump to it unless it was approved manually and a signature of that tower was stored for future connections?<p>It would be a bit of a pain to accept a new cell tower when I'm in a new city, but I could imagine syncing a whitelisted trusted set of cell phone towers (ha, when I think of that the whole idea of "trusted" is laughable). But, at least I would have more insight into when I am getting surveilled. And, I could say "not today ICE!" or "tmobile, idk, please give me my HN fix, I don't even care if you know I'm aware my government is tracking me as I pay the service fee!" I bet a whitelist hosted on github would be faster to update than tmobile installing new cell phone towers so privacy enthusiasts could enable their own safety.