Alt Text: An Apple iPod from 2015 showing a new Signal message

Related Work

You may like my highly related article, "How to Use a Pixel Tablet as a Secure Calling and Messaging Device".

Intro

This is a human-made and peer-reviewed article.

This guide is aimed at providing a detailed method for maximizing security and privacy on an Apple iPad (non-cellular). This guide should be adapted to fit your threat model, including using this guide on cellular iPads that support iPadOS 26 or iPhones that support iOS 26. While this guide aims to provide a high level of operational security, I am not your security engineer. If you'd like to hire me to talk about your threat model, please email c@stellarwind.net.

Legacy phone calling and texting (SMS, MMS) are inherently insecure. Communications content and metadata are collected and stored by various organizations, and for many years. All people, but especially those in at-risk professions, have a responsibility to safeguard their communications with strong encryption technologies because only then will your coworkers, friends, and family be able to collectively defend your rights. In professions where privacy is expected between you and clients, like in law and journalism, policy should dictate to either communicate securely or not at all.

Encryption technology is not new but default strong encryption in mass-market devices is. The political cost of default privacy and security is at an all-time low while the social expectations of strong encryption are at an all-time high. Modern telecommunications largely depend on legacy and vulnerable communications infrastructure, which is by design:

  • All cell phones (baseband processor) transmit insecure content and metadata because cell networks were designed for connectivity and surveillance of said connectivity.
  • All cell phones (baseband processor) not broken, off, or in Airplane Mode can be easily tracked.
  • The majority of SIM cards require registration using government-issued ID.
  • Most Androids get slowly patched, if at all.
  • Carrier modified versions of Android are poorly developed and maintained.

“Nobody is listening to your telephone calls” –President Obama, 2013

President Obama is not lying. It is not possible for the US government to "listen" to every phone call. However, meeting the technical requirements for recording phone calls (MYSTIC, DAPINO GAMMA) and text messages (DISHFIRE) is more than feasible. It is cheaper and more effective to transcribe voice data to text, transcriptions that can be stored forever. The solution is easy: don’t give it to them.

What is bad for U.S. Intelligence, China, or enemies of the Netherlands is also bad for all other malicious actors. It is up to us to cause the social change that in turn lowers the personal costs of default privacy and security and the financial risk of businesses to support what we need.

The financial cost of surveillance equipment is also at an all-time low. Mobile IMSI catchers can be built and deployed by anyone technically savvy enough to learn how to build one, and law enforcement has large budgets for more feature-rich devices. The most effective way to assure that you are not a victim of cell tracking or attack is to not use those systems.

Not the iPod anymore

Due to a massive lapse in judgement by Apple to put the A10 Fusion chip from 2016 in the 2019 iPod Touch, no version of iPod Touch is secure. Also, as of 2022, the iPod has been discontinued.

The Apple iPad, from a hardware point of view

The iPad fills a much needed space:

  • Supports Wi-Fi only
  • Supports >= A12 chip
  • Supports wired headsets for audio and video calls, including 3.5mm ports, Lightning ports, or USB-C with a USB-C adapter. Not all iPads have the same port options, so it's important to validate them based on your needs.
  • Supports >= iPadOS/iOS 26 as of writing (September 2025)
  • Supports Signal

Advised iPads

Ranked in order of security, then cost:

Most secure (TBD)

2025-September Alert! Apple's MTE implementation is finally here! If you are thinking about buying a new iPad, consider waiting until the new A19 models are released in late 2025 or early 2026. The reason for this is Apple's new Memory Integrity Enforcement security feature that will objectively reduce the effectiveness of local and remote exploitation attack chains. It will also be important to see if the M5 will include MIE.


Very secure (as of September 2025)

The M4 iPad Pros have a new hardware feature called Secure Indicator Light (SIL). A security researcher writes: "When using the microphone or camera, the corresponding indicator dot is effectively rendered in hardware (using the display), making it a lot less likely that any malware or user space app would be able to access those sensors without the user’s knowledge." If money is no obstacle, I advise the newest M4 iPad Pro. However, the SIL feature is most important when a user is installing random, untrustworthy apps. If you are going to follow all of my advice in this article and only use your iPad for Signal, the SIL feature is less valuable.

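| Rank | Chipset | Model | Release Year | Reference |
|------|---------|-------|--------------|-----------|
| 1 | M4 | iPad Pro 11-inch | 2024 | 119892 |
| 2 | M4 | iPad Pro 13-inch | 2024 | 119891 |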

Reasonably secure (as of September 2025)

The A17 Pro has no meaningful difference compared to M2 or M3 chips as of March 2025. However, it very well could have a meaningful difference in the future. The A17 has hardware support for MTE -- the M3 and earlier do not. MTE is not yet turned on in the OS, but it's possible that Apple software may support MTE one day.

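| Rank | Chipset | Model | Release Year | Reference |
|------|---------|-------|--------------|-----------|
| 3 | A17 Pro | iPad Mini | 2024 | 121456 |
| 4 | M3 | iPad Air 11-inch | 2025 | 122241 |
| 5 | M3 | iPad Air 13-inch | 2025 | 122242 |
| 6 | A16 | iPad (11th gen, 2025) | 2025 | 122240 |
| 7 | M2 | iPad Air 11-inch | 2024 | 119894 |
| 8 | M2 | iPad Air 13-inch | 2024 | 119893 |
| 9 | M2 | iPad Pro 11-inch (4th gen) | 2022 | SP882 |
| 10 | M2 | iPad Pro 12.9-inch (6th gen) | 2022 | SP883 |
| 11 | A15 | iPad Mini (6th gen) | 2021 | SP850 |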

Questionably secure (as of September 2025)

The A12 - A14 chipsets, and the M1 chipset, utilize Apple's older PPL feature, which was replaced by the newer, more capable SPTM + TXM feature on A15 and M2. On this technicality alone, I rank the M1 iPads as being less secure. (Personal note: I use an M1 iPad Pro -- but my threat model does not require me to fuss about this small detail.)

Generally speaking, the newer the chip (in generation, not year of sale), the longer that Apple will likely support it with security patches. Do not use a device that no longer gets the latest version of iPadOS/iOS. Validate the latest iPadOS is supported here. See if I've missed any newer models here.

At this point, in September 2025 with the release of iPadOS 26, I do not advise any A12 model. I advise people on these models to start planning an upgrade.

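| Rank | Chipset | Model | Release Year | Reference |
|------|---------|-------|--------------|-----------|
| 12 | M1 | iPad Air (5th gen) | 2022 | SP866 |
| 13 | M1 | iPad Pro 11-inch (3rd gen) | 2021 | SP843 |
| 14 | M1 | iPad Pro 12.9-inch (5th gen) | 2021 | SP844 |
| 15 | A14 | iPad (10th gen) | 2022 | SP884 |
| 16 | A14 | iPad Air 10.9” (4th gen) | 2020 | SP828 |
| 17 | A13 | iPad (9th gen) | 2021 | SP849 |
| 18 | A12Z | iPad Pro 11” (2nd gen) | 2020 | SP814 |
| 19 | A12Z | iPad Pro 12.9” (4th gen) | 2020 | SP815 |
| 20 | A12X | iPad Pro 11” (3rd gen) | 2018 | SP784 |
| 21 | A12X | iPad Pro 12.9” (3rd gen) | 2018 | SP785 |
| 22 | A12 | iPad 10.2" (8th gen) | 2020 | SP822 |
| 23 | A12 | iPad Mini 7.9" (5th gen) | 2019 | SP788 |
| 24 | A12 | iPad Air 10.5” (3rd gen) | 2019 | SP787 |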

Why is the A12 (or greater) chip so important?

Prior to the A12 chipset, Apple devices did not have the following critical technologies, making them vulnerable to easy-to-perform physical and remote exploits:

  1. Page Protection Layer (PPL)

Page Protection Layer (PPL) in [iPadOS] is designed to prevent user space code from being modified after code signature verification is complete. Building on Kernel Integrity Protection and Fast Permission Restrictions, PPL manages the page table permission overrides to make sure only the PPL can alter protected pages containing user code and page tables. The system provides a massive reduction in attack surface by supporting systemwide code integrity enforcement, even in the face of a compromised kernel. This protection isn’t offered in macOS because PPL is only applicable on systems where all executed code must be signed.

  2. Secure Page Table Monitor (SPTM) and Trusted Execution Monitor (TXM)

Secure Page Table Monitor (SPTM) and Trusted Execution Monitor (TXM) on [iPadOS] are designed to work together to help protect page tables for both user and kernel processes against modification, even when attackers have kernel write capabilities and can bypass control flow protections. SPTM does this by utilizing a higher privilege level than the kernel, and utilizing the lower privileged TXM to actually enforce the policies that govern code execution. This system is designed so that a TXM compromise doesn’t automatically translate to an SPTM bypass due to this privilege separation and the governing of trust between them. In the A15 or later and M2 or later SOCs, SPTM (in combination with TXM) replaces the PPL, providing a smaller attack surface that doesn’t rely on trust of the kernel, even during early boot. SPTM relies on new silicon primitives that are an evolution of the Fast Permission Restrictions that PPL utilizes, and are available only on the processors listed in the table above.

  3. Pointer Authentication Codes (PAC)

Pointer Authentication Codes (PACs) are used to protect against exploitation of memory corruption bugs. System software and built-in apps use PAC to help prevent modification of function pointers and return addresses (code pointers).

  4. Execute Never (XN) (PDF)

Further protection is provided by [iPadOS] using ARM’s Execute Never (XN) feature, which marks memory pages as nonexecutable. Memory pages marked as both writable and executable can be used only by apps under tightly controlled conditions: The kernel checks for the presence of the Apple-only dynamic code-signing entitlement. Even then, only a single mmap call can be made to request an executable and writable page, which is given a randomized address. Safari uses this functionality for its JavaScript just-in-time (JIT) compiler.

See more in Apple's high-level breakdown of SoC Security and Operating system integrity. For more details, see Apple's Platform Security Guide (version 5) (PDF), updated 2024 December. All of the technical details of these low-level technologies are out of scope for this publication, but there are many resources to learn about them, like here and here.

Blending In

One reason why Tor is so valuable compared to any for-profit VPN provider is that you blend in with everyone else using Tor. Don't stick out. Using "un-hackable phones" or hardware-modded devices sticks out. Using commodity hardware like an Apple iPad does not. This has important value for both physical surveillance and network surveillance.

Why not use a phone in Airplane Mode? Why does it need to be a Wi-Fi-only device?

In cell phones, or generally any device with a cellular baseband processor, the baseband is an isolated computer within your phone, with its own power controller, CPU, memory, firmware, and operating system. When a phone boots up, the initialization sequence of the phone includes the boot up of the baseband. This means that the baseband is initialized before, and in parallel to, the phone's main operating system. This is done for power-saving and security reasons. It means that when you put a phone into Airplane Mode, all you're doing is turning off your phone's operating system's access to the baseband. Airplane Mode does not guarantee that the baseband hardware, firmware, or software stack is turned off. Whether Airplane Mode effectively prevents the baseband from performing I/O may depend on the hardware, firmware, and OS of the device, and it should be presumed that no baseband is trustworthy unless proven otherwise.

Another issue is that Airplane Mode is an OS feature. If the OS hasn't even booted, a user has extremely limited control over the baseband. Recently confirming this issue, a security researcher observed an RF spike from cellular Pixel devices (phones, with basebands) during boot. Whether it's a hardware or firmware design decision, or an accident, different operating systems cannot guarantee that lower levels of a phone will not behave in unexpected ways, particularly during the phone's boot process before the OS even initializes. It should be assumed that every kernel patch and every firmware patch may change the behavior of the baseband. Testing all patch levels with RF meters would be necessary to guarantee expected outcomes. Or, don't use devices with basebands.

Even without a SIM card, a baseband processor can and does connect to cell towers, including the disclosure of the device's IMEI along with "when" and "where" metadata (read more here). This is how a SIM-less phone can call 911. It's impossible to mitigate cellular communications without resorting to Faraday cages.

Apple, the National Security Agency, and Data Link-Ability

Apple is an American company that works with the NSA and is part of the PRISM program. If you are, or ever could be, a target of U.S. intelligence or U.S. military organizations, you are already playing a difficult game by choosing an Apple product. However, you probably aren't defending against the NSA. Not all adversaries are the NSA, nor do they have the same budgets and reach as the NSA. Risk minimization should not always be compared to NSA-style actors. Care about your threat model, not someone else's.

As soon as an Apple product is turned on, the device is working against you by collecting all Wi-Fi and Bluetooth network information around you to attempt to "streamline" a user's setup experience. Some of that data is uploaded to Apple's servers as soon as the device is connected to the internet. Every Apple device uploads its unique hardware identifiers to Apple, along with surrounding network metadata that can disclose physical location information to Apple, and thus to US government agencies and other FVEY entities.

  1. Your device's hardware identifiers.
  2. Your public IP address used to connect to *.apple.com services.
  3. All other information that you input into the device for device setup and account sign-in, which are both required in order to access the Apple Store.

From Apple's Legal Process Guidelines - Government & Law Enforcement within the United States

When a customer activates an iOS device with a cellular service provider or upgrades the software, certain information is provided to Apple from the service provider or from the device, depending on the event. IP addresses of the event, ICCID numbers, and other device identifiers may be available. IP address information may be limited to the most recent 18 months. This information, if available, may be obtained with a subpoena or greater legal process.

If Apple, or any of the U.S. intelligence or military organizations, have any other data that links anything about you to this Apple device, your identity can be tracked by these organizations.

  1. Your credit card or debit card used to make the purchase.
  2. Your physical address for device delivery.
  3. Your car license plate seen by Automatic License Plate Readers (ALPR) going to pick up the device.

Apple Push Notification Service (APNS)

When you're using Signal on iPadOS, this requires use of APNS. This means that Apple has a metadata record of when, where, and what service you're using. NSA/FVEY is spying on and storing this data.

Per Meredith Whittaker, Signal's President, "In Signal, push notifications simply act as a ping that tells the app to wake up. They don't reveal who sent the message or who is calling (not to Apple, Google, or anyone). Notifications are processed entirely on your device."

That "ping" is more than just a ping, and requires Apple to have a lot of data about the target service and the target device. Apple is able to see, and thus FVEY is able to make a permanent record of:

  1. APN identifiers, such as hardware identifiers, of who is receiving a message.
  2. The messaging application; in this case, Signal.
  3. The date and time associated with received messages.
  4. Any network metadata, such as IP, associated with receiving messages.

All of this can and will be used with FVEY's other records, such as internet backbone or ISP metadata, and will be used to confirm assumptions made when identifying who is talking to whom.

To further break this down:

  1. A Signal user sends a message to an Apple user via Signal (the receiver).
  2. Signal's servers notify APNS that there is a message or call waiting for a specific user.
  3. APNS "pings" the specific user's Apple device.
  4. The receiver's Apple device receives the "ping" and notifies the end user that there are new Signal messages, or a call.
  5. The receiver's Signal application then activates and requests any new messages (or calls) from Signal's servers.
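
The five steps above as a small model, showing which fields the push service has to handle in order to deliver the "ping" and which stay between the app and the messaging server. This is an added example, not code from Signal or Apple; the bundle ID, device token, IP address, sender names, and the content-free payload are constructed assumptions, while the request path and `apns-*` headers follow Apple's APNs provider API.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

APNS_HOST = "api.push.apple.com"            # APNs provider API host
APP_TOPIC = "org.example.securemessenger"   # constructed placeholder bundle ID
DEVICE_TOKEN = "a1b2c3d4" * 8               # constructed 64-hex-character token
DEVICE_IP = "203.0.113.7"                   # constructed (documentation range)


@dataclass
class QueuedMessage:
    """Held by the messaging server until the recipient's app fetches it."""
    sender: str
    ciphertext: bytes   # end-to-end encrypted, opaque to the server


def build_wakeup_push(device_token: str) -> dict:
    """Step 2: the request the messaging server sends to the push service.

    Assumption: the payload is a bare background wake-up with no sender
    and no message content.
    """
    return {
        "method": "POST",
        "url": f"https://{APNS_HOST}/3/device/{device_token}",
        "headers": {
            "apns-topic": APP_TOPIC,         # names the app being woken
            "apns-push-type": "background",
            "apns-priority": "5",
        },
        "body": json.dumps({"aps": {"content-available": 1}}),
    }


def push_service_record(push: dict, device_ip: str, when: datetime) -> dict:
    """Steps 2-3: what the push service must process, and so can log."""
    return {
        "device_token": push["url"].rsplit("/", 1)[1],  # who receives
        "app": push["headers"]["apns-topic"],           # which application
        "time": when.isoformat(),                       # when
        "device_ip": device_ip,  # from the device's connection to the service
    }


def leaks_sender_or_content(push: dict, msg: QueuedMessage) -> bool:
    """True if the sender or ciphertext appears anywhere in the push."""
    wire = json.dumps(push)
    return msg.sender in wire or msg.ciphertext.hex() in wire


def deliver(queue, start: datetime):
    """Run steps 1-5 for each queued message; return (push log, fetched)."""
    push_log, fetched = [], []
    for i, msg in enumerate(queue):
        when = start + timedelta(minutes=7 * i)   # constructed arrival times
        push = build_wakeup_push(DEVICE_TOKEN)                         # step 2
        push_log.append(push_service_record(push, DEVICE_IP, when))    # step 3
        # Steps 4-5: the device wakes the app, which fetches the ciphertext
        # directly from the messaging server, not through the push service.
        fetched.append(msg)
    return push_log, fetched


# Constructed sample queue
SAMPLE_QUEUE = [
    QueuedMessage("sender-alice", b"\x8f\x02\x11"),
    QueuedMessage("sender-bob", b"\x44\xaa"),
]

if __name__ == "__main__":
    log, _ = deliver(SAMPLE_QUEUE, datetime(2025, 9, 1, 12, 0, tzinfo=timezone.utc))
    for record in log:
        print(record)
```

Each record carries exactly the four kinds of metadata listed above (recipient identifier, application, time, network address), while the sender and message content never enter the push request.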

There are ways to deal with APNS metadata leakage, but it is not for the average user. I'll go into more detail in the DEFCON ONE section below.

Critical Notes

Wi-Fi iPad + Signal Advantages

  1. Wi-Fi iPads do not have baseband processors, SIM cards, or SIM card port insecurities.
  2. You can control which Wi-Fi networks to expose your device to, if you choose to use Wi-Fi.
  3. Wi-Fi iPads employ default Full Disk Encryption that is dependent on hardware and firmware cryptographic integrity controls.
  4. Apple publishes security patches quickly, and they are not dependent on carrier restrictions.
  5. Signal uses only modern, always-on, end-to-end cryptography. As of September 2023, Signal now has quantum resistance.
  6. Signal allows users to verify encryption key fingerprints.
  7. Signal is free, open source, and has public security audits.
  8. Signal supports interoperability, meaning that other people can use Signal on iOS or Android devices.

Wi-Fi iPad + Signal Disadvantages

  1. The default settings for iOS devices are bad for operational security. To use Signal anonymously or pseudo-anonymously requires great effort.
  2. Wired or Wi-Fi internet access is not as abundant as cellular internet access. These days, people depend heavily on having an always-connected device to function.
  3. iPadOS/iOS require an AppleID to download and update apps.

Notes on Charging

Only use genuine Apple chargers and charging cables that you have purchased yourself, ideally in-person with cash. Do not use or borrow chargers or charging cables from friends, family, or strangers. Do not use third-party chargers or charging cables. Do not let anyone else use your chargers or charging cables. Read more here.

Notes about iOS Updates

Update iOS always. Update as soon as possible. Every update comes with very important security patches.

Be aware that privacy settings may be reconfigured without your knowledge when you perform iOS updates. Review all settings after every update.

Airplane Mode gets disabled automatically after every iOS update. This "feature" is great for idiots, but terrible for operational security. Presume that after every iOS update + reboot, Airplane Mode will be disabled upon startup until you reactivate Airplane Mode. See my DEFCON ONE section below if this matters to your threat model.

Notes on "Inactivity Reboot", Before First Unlock (BFU) and After First Unlock (AFU) states

In iOS 18, Apple silently released a security feature called "Inactivity Reboot". It was discovered and independently verified (see 1, see 2) that iPhones, when left locked for 72 hours, reboot themselves to force BFU.

It's not clear to me if this is also a feature of iPadOS that is on by default. In some of Apple's MDM documentation for iPadOS 18.4, a feature called "idle reboot" is available for enablement via MDM. Again, it's not clear if this is enabled by default on non-MDM-enrolled devices.

An excellent learning resource on this topic is from the Dakota State University DigForCE Lab in a post titled "BFU and AFU Lock States". Some excerpts:

BFU Extractions

In the case that a device is locked with a passcode that is not known, examiners may have an option to receive an extraction based on the device’s lock state. When a device is in the BFU lock state, a BFU extraction is able to be created. This type of extraction contains a somewhat limited amount of information, but may be useful in certain cases. Information contained within a BFU extraction mainly includes system data; However, there may be a small amount of user-generated data found within the extraction that may provide new leads for certain cases. This type of extraction is small, and a majority of the information is either system/application data, as well as cached images and videos that are not user-generated. Generally, iOS devices seem to give a larger amount of data than Android in the BFU state.

AFU Extractions

When a device is in the AFU lock state, an AFU extraction may be created. Compared to a BFU extraction, an AFU extraction contains a vast majority of all user-generated data, which can be seen as about 95% of a Full Filesystem extraction (these extractions will be discussed in the next section). This means an AFU extraction will contain user-generated chats, images, videos, web-browsing data, and much more. Compared to a Full Filesystem extraction, an AFU extraction does not contain Apple Mail, Apple Health, or significant location information. The amount of information you can receive from a device in the AFU lock state can be substantial, so it is important to keep an AFU device powered on. If the device is powered off, the lock state will switch to BFU which could lead to the loss of a lot of potential information.

Full Filesystem Extractions

The ideal situation is when the passcode of the device is known or can be bruteforced. The device may be able to have its passcode bruteforced using validated forensic tools such as GrayKey or Cellebrite. Once the passcode is known, a Full File System extraction of the device is able to be created, which is the most comprehensive type of extraction you can receive from a mobile device. This type of extraction will give you all the data included within the filesystem of the device.

Notes on "Lockdown Mode" (LDM)

Should you use LDM? Yes, absolutely. LDM has two features that improve the security of a device that this guide is written for: device connections hardening and configuration profiles hardening. All the other features of LDM are for people who do not take privacy and security as seriously as this guide is intended for; meaning, people who use an iPhone more normally by using iMessage, iCloud, and who browse the internet with Safari.

LDM should be enabled before your device is ever networked. Particularly, if you are using an iPad with cellular or using an iPhone, and your SIM card is inserted, malicious SMS messages or iMessages can be received by your device before LDM is enabled, potentially opening up your device to remote exploitation before the mitigation can be implemented. Even against SIM-less devices, like the Wi-Fi iPad that this guide focuses on, malicious actors might be able to perform remote or local network attacks (Wi-Fi or Bluetooth), or physical attacks if threat actors have physical access to your device, that might be mitigated by LDM.

iPadOS and iOS 17 have some Lockdown Mode improvements. Devices won't automatically join non-secure Wi-Fi networks (open, WEP or WPA encrypted, etc.) and will disconnect from a non-secure Wi-Fi network when you turn on Lockdown Mode. 2G cellular support is turned off. 2G being disabled by default is an evolution of LDM, one that I hope gets further enhanced to mitigate cellular insecurities. Of course, this doesn't help a Wi-Fi iPad. However, by disabling 2G by default in cellular devices, Apple is attempting to better protect at-risk users from IMSI catchers or fraudulent cell towers performing MitM attacks. Disabling automatic joining of insecure Wi-Fi networks is also very important to protect against similar MitM attacks within Wi-Fi range.

Notes on Advanced Data Protection (ADP)

Since ADP only applies to data uploaded to Apple's servers (iCloud), ADP, while amazing for a lot of people, is not in scope of this guide.

Notes on Security Keys

Security Keys is an iCloud security feature. Since you should not use iCloud, you should not need Security Keys for this device.

Device Setup Directions

Set up a new or recently wiped device. Please perform steps 1 - 5 before doing anything else on the device.

(!) Critical notes if you are adapting this guide for an iPhone or cellular iPad:

  • Remove the SIM card before powering on the device. Ideally this would be a brand new device having never been connected to a network.
  • If the device is cellular but does not have a SIM tray, be sure that the device is brand new and will NOT self-activate. In other words, do NOT have Apple or your cellular carrier automatically transfer your phone number to the new device until AFTER steps 1 - 5 are complete.
  • It is critical to understand that Lockdown Mode must be turned on before a cell device can be remotely messaged (SMS, MMS, iMessage, etc). Apple has designed the new device setup process to activate in the background BEFORE at-risk people can go into Settings and enable Lockdown Mode. This is a failure on Apple's part to best protect at-risk people. Because the cell device will attempt to activate in the background during the new device setup process, SMS, MMS, and iMessage can work and potentially allow a remote attacker to compromise a cell device before you are able to get into Settings, enable Lockdown Mode, and restart.

  1. Create a >= 12 digit PIN or alpha-numeric passphrase (see Upgrade Your iPhone Passcode to Defeat the FBI’s Backdoor Strategy)

  2. AppleID

    • Click "Forgot password or don't have an Apple ID?"
    • Click "Set Up Later in Settings" then "Don't Use"
  3. Click "Customize Settings"

    • Location Services: Disable
    • Siri: Set Up Later in Settings
    • Screen Time: Set Up Later in Settings
    • iPad Analytics: Don't Share
  4. Disable the Network

    • Settings > Airplane Mode: Enabled
    • Settings > Wi-Fi: Off
    • Settings > Bluetooth: Off
  5. Enable Lockdown Mode

    • Settings > Privacy & Security > Lockdown Mode > Turn On Lockdown Mode, then immediately restart.

Perform steps 6 and 7 below before setting up your AppleID, and before connecting to any network of any kind (Wifi, Bluetooth, or cellular).

  6. Other Settings

    • Notifications - Show Previews: Never
    • General - AirDrop: Off
    • General - AirDrop - NameDrop: Off
    • General - AirPlay and Handoff - Automatically AirPlay to TVs: Never
    • General - AirPlay and Handoff - Handoff: Off
    • General - Background App Refresh: Turn every app off independently because you will want background refresh on once Signal is installed
    • Control Center - Remove all controls
    • Siri & Search - Siri Suggestions: Disable all
    • Touch ID & Passcode - Allow Access When Locked: Disable all
    • Privacy - Tracking: Disable
    • Privacy - Motion & Fitness: Disable
    • Privacy - Apple Advertising - Personalized Ads: Disable
    • Safari - Advanced - JavaScript: Disable
  7. Delete any iPadOS/iOS apps that you feel you will not need.

AppleID setup and configuration

Before you can set up your AppleID, you need to create a new email address that:

  • Has no ties to your identity. Don't use any names, pseudonyms, passwords, or anchor points that you've ever used.

  • Supports two-factor authentication (2FA).

  • Is created and only accessed via Tor Browser; ideally, Tails Linux.

  1. Open the App Store app on your iPad.

  2. Click the Profile icon in the top-right corner.

  3. Create a New AppleID.

Signing into the App Store app is important for being able to install Signal and perform app updates. Signing into the App Store app will not automatically sign into iCloud. Never sign into iCloud.

  4. Install Signal

Setting up Signal

There are lots of choices to be made here. What's most important when choosing a Signal number is that you have long-term, secure control of the phone number, or trust the person or organization managing the phone number. Choosing the right method really depends on your threat model and your goals for your publicity or anonymity.

Journalists, lawyers, and other professionals might have an already-public phone number given to them from their employer. You can use that phone number in Signal on this device, and on this device only.

Americans can leverage Google Voice. Digital phone number services might be a good solution for a Signal phone number, but only if access and control of that phone number is legitimately secure. Google Voice, for example, leverages the same nation-state defenses that Gmail accounts use. Two-factor authentication must be used to access these services. Americans with access to Google Voice can also pay Google $20 to transfer in a phone number to Google Voice, and doing so will make it a permanent number on your Google account and will not get purged due to lack of activity.

You can request that a friend or family member add a new phone number to their cellular provider's plan. Activate the phone number on an old cell phone and get the Signal registration SMS, then destroy that phone and SIM card, and remember anchor points (don't activate the phone number and use cellular services in places where you regularly go).

Note: The updated Signal app has a bad user interface when it is the first and only device for your Signal number. When you have a fresh install of Signal, in the first couple of setup screens there is an unlink icon in the top right corner that you have to click.

Notes on the use of the Contacts, Calendars, and Notes apps

You have two choices when it comes to managing your contacts list, calendars, and notes data. There are many pros and cons with these two options, and the right choice will depend on your threat model, so please think very carefully about your operational security practices.

  1. Offline data: Since you are not signed into iCloud, you cannot risk disclosing your contacts, calendars, and notes data to Apple or your local government willingly (if your government has forced Apple to host iCloud data in your country instead of, or in addition to, the USA). This means it is relatively safe to use the Contacts, Calendar, and Notes apps, depending on your threat model. Using Apple's Contacts app is seamless since you can safely grant Signal access to contacts.

    • You have to trust Signal to continue to implement trustworthy cryptographic security mechanisms that continue to prevent themselves from ever having cleartext access to your contacts. This risk is low, since you are already trusting Signal with the confidentiality and integrity of the content of your communications and whom you communicate with via Signal. This risk is also low because Signal does not have any financial motivation to collect your contacts in any way. In fact, data storage is expensive, and responding to government requests for users' data is expensive, so it is cheaper for Signal to never have this data.

    • Apple native apps are the default places to look for this data if you ever are stopped and searched by government or private security agents. If this risk applies to you, store your data in a trustworthy offline password manager that supports a "key file" like Strongbox. Strongbox is like KeePassXC but for iOS, where the database is encrypted in addition to iOS disk encryption, but you can use a key file to make bruteforcing of this database impossible. Keep your key file online somewhere so you can remotely download it when you need access to your Strongbox database contents. Like your passphrase to the database, the key file should never be shared.

  2. Online data: If you are technically savvy, or have access to trustworthy technical friends or coworkers, you can self host your contacts, calendars, and notes. I use Mail-in-a-Box to self host these things, but there are many open source, self-host solutions out there.

    • Since data is remotely available, you can easily wipe your phone when crossing security checkpoints, including regional borders like at airports, then set up your device again and re-download your data from anywhere in the world after you have safely crossed these types of high-risk areas.

    • Since data is remotely available, it may be possible for your adversaries to learn where your data is stored online. In my example of using Mail-in-a-Box, this setup requires a public domain name that is registered to my name. Government and private entities can buy full access to domain registry data. Online storage is a risk for remote exploitation by way of illegal or legal (government warrant) means.

    • Running your own Tor hidden service, like from a Raspberry Pi hosted in a secure location, means that you can use Onion Browser by Mike Tigas to safely and privately access or download remote data.

DEFCON ONE configuration

There are two options that can be used independently, or combined, to enhance operational security.

Why DEFCON ONE might be critical for you

Are you worried about, or have you ever experienced, attackers physically stalking, harassing, or assaulting you? If the answer is yes, then you have a high risk of those same abusers conducting wireless attacks against your wireless device.

Wireless (Wi-Fi or Bluetooth) attacks are "physical" attacks. They require an attacker to be physically near and aim to:

  1. Capture your wireless packets in order to conduct surveillance. Your abusers might be trying to determine:
    • Are you nearby?
    • When are you online and active?
    • How long are your conversations?
    • How often do you have conversations?
  2. Capture your wireless packets in order to attempt to hack the security vulnerabilities in wireless protocols. Your abusers might be trying to determine:
    • What type of device are you using?
    • What methods are you using in order to communicate with others?
    • Are there any vulnerabilities that could be taken advantage of?
  3. DoS (Denial of Service) your device to prevent you from being able to communicate.
  4. Hack the wireless protocols allowing active surveillance of wireless transmissions or to hack the device through protocol, driver, or operating system vulnerabilities. Your abusers might be trying to determine:
    • What apps are you using?
    • Do those apps have any vulnerabilities?
  5. Hack the wireless device directly through unknown or unpatched vulnerabilities in the wireless service, driver, and/or operating system. Your abusers might be trying to:
    • Have complete access to your device, including apps like Signal.

DEFCON ONE setup directions

The GL-iNet Beryl is a router that supports some outstanding features:

  1. Wi-Fi can be disabled
  2. Supports a WAN port and LAN port for wired-only networking
  3. Supports transparent Tor proxying

The Belkin USB-C to Gigabit Ethernet Adapter or Belkin Ethernet + Power Adapter with Lightning Connector allows you to mitigate all wireless attacks when the iPad is in persistent Airplane Mode.

  1. Connect an ethernet cable to the ethernet adapter.
  2. Connect the ethernet adapter to a new, out-of-box iPad without turning the iPad on.
  3. Power on the iPad for the first time.

Following steps 1-3, upon iPad boot-up, the iPad will not go searching for Wi-Fi access points and will automatically use the wired connection.

Combine the GL-iNet Beryl with a wired ethernet adapter, and you can then Torify the iPad initialization and all future use, in effect never disclosing your physical location metadata to Apple or Signal.
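The following check is an added example, not part of the original article or of GL-iNet's firmware: it audits a dump of the router's connection-tracking table (the `conntrack -L` format) and flags any flow from the iPad that was not rewritten to Tor's local listeners. The router and iPad addresses, the Tor TransPort/DNSPort values, the assumption that the router implements transparent proxying as a NAT redirect, and the sample entries are all assumptions constructed for illustration.

```python
import re

# Assumptions (not from the article): router LAN address, the iPad's DHCP lease,
# and Tor's TransPort/DNSPort values. Adjust these to match your own router.
ROUTER_IP = "192.168.8.1"
IPAD_IP = "192.168.8.100"
TOR_PORTS = {"9040", "9053"}   # TransPort (TCP), DNSPort (UDP)

# Constructed sample in `conntrack -L` format; public addresses are documentation ranges.
SAMPLE = """\
tcp      6 431990 ESTABLISHED src=192.168.8.100 dst=203.0.113.10 sport=50000 dport=443 src=192.168.8.1 dst=192.168.8.100 sport=9040 dport=50000 [ASSURED] mark=0 use=1
udp      17 25 src=192.168.8.100 dst=192.168.8.1 sport=61000 dport=53 src=192.168.8.1 dst=192.168.8.100 sport=9053 dport=61000 mark=0 use=1
tcp      6 431200 ESTABLISHED src=192.168.8.100 dst=203.0.113.20 sport=50001 dport=5223 src=203.0.113.20 dst=198.51.100.7 sport=5223 dport=50001 [ASSURED] mark=0 use=1
udp      17 12 src=192.168.8.100 dst=192.168.8.1 sport=61001 dport=53 src=192.168.8.1 dst=192.168.8.100 sport=53 dport=61001 mark=0 use=1
tcp      6 100 TIME_WAIT src=192.168.8.100 dst=192.168.8.1 sport=50002 dport=80 src=192.168.8.1 dst=192.168.8.100 sport=80 dport=50002 [ASSURED] mark=0 use=1
udp      17 20 src=192.168.8.50 dst=203.0.113.30 sport=40000 dport=123 src=203.0.113.30 dst=198.51.100.7 sport=123 dport=40000 mark=0 use=1
"""

def parse(line):
    """Split one conntrack entry into protocol, original tuple and reply tuple."""
    proto = re.search(r"\b(tcp|udp|icmp)\b", line)
    pairs = re.findall(r"\b(src|dst|sport|dport)=(\S+)", line)
    if not proto or len(pairs) < 8:
        return None  # ICMP or malformed entries carry no full port tuple
    return proto.group(1), dict(pairs[:4]), dict(pairs[4:8])

def classify(line):
    """Return (verdict, proto, dst, dport) for flows that originate at the iPad."""
    parsed = parse(line)
    if parsed is None or parsed[1]["src"] != IPAD_IP:
        return None
    proto, orig, reply = parsed
    if reply["src"] == ROUTER_IP and reply["sport"] in TOR_PORTS:
        verdict = "tor"      # reply comes from Tor's local listener: flow was redirected
    elif orig["dst"] == ROUTER_IP and orig["dport"] == "53":
        verdict = "leak"     # answered by the router's own resolver, not Tor's DNSPort
    elif orig["dst"] == ROUTER_IP:
        verdict = "local"    # e.g. the router admin page; never leaves the LAN
    else:
        verdict = "leak"     # forwarded to the WAN with its original destination
    return verdict, proto, orig["dst"], orig["dport"]

def audit(text):
    return [r for line in text.splitlines() if (r := classify(line))]

def leaks(text):
    return [r for r in audit(text) if r[0] == "leak"]
```

An empty list from `leaks()` is the result you want; the DNS verdict can be relaxed if you have confirmed that the router's own resolver forwards into Tor.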

Notes on DEFCON ONE configuration

  1. If you do this, be sure that the wired ethernet connection is always active before, during, and after all iOS updates because of the unfortunate automatic disabling of Airplane Mode after iOS updates.
  2. The Belkin USB-C adapter does not support USB-C charging. You will not be able to leave the iPad with an always-on internet connection, but this is not necessarily a bad thing.
  3. Ensure that Airplane Mode is enabled immediately after setting up the iPad for the first time. Ensure that Airplane Mode is always enabled. Ensure that you never connect to any Wi-Fi access point, ever, so that if Airplane Mode ever becomes disabled accidentally, it will not broadcast any Wi-Fi connect packets.
  4. If you are not worried about physical wireless attacks (attackers who physically stalk you and try to break into your iPad via wireless hacks), then you can use the GL-iNet Beryl as a wireless device while leveraging the transparent Tor proxy.

yawnbox