Prince told investors the UP Phone is built by “engineers with deep experience in lawful interception, surveillance, and spoofing capabilities.”
While taking various privacy and security enhancements from open source projects, Unplugged spokesperson Alona Stein told MIT Technology Review via email, Unplugged’s proprietary operating system developed their own “enhancements” including “based on knowledge not available to the public (zero-days) and others.” A zero-day vulnerability is an unknown security weakness that can be attacked via exploit that can sell for millions of dollars.
Unplugged’s day-to-day technology operations are run by Eran Karpen, a former employee of CommuniTake, the Israeli startup that gave rise to the now infamous hacker-for-hire firm NSO Group. There, Karpen built the IntactPhone, which the company called a “military-grade mobile device.” He’s also a veteran of Israel’s Unit 8200, an agency that conducts cyber espionage and is the country’s equivalent of the NSA.
But anyone with that experience should be able to see through Prince’s claim that the UP Phone is impossible to surveil.
“When I worked in US intelligence, we [penetrated] a number of phone companies overseas,” says Liska. “We were inside those phone companies. We could easily track people based on where they connected to the towers. So when you talk about being impenetrable, that’s wrong.”
“This is a phone, and the way that phones work is they triangulate to cell towers, and there is always latitude and longitude for exactly where you’re sitting,” he adds. “Nothing you do to the phone is going to change that.”
The UP Phone’s operating system, called LibertOS, is a proprietary version of Google’s Android, according to an Unplugged spokesperson. It’s running on an unclear mix of hardware that a company spokesperson says they’ve designed on their own. Even just maintaining a unique Android “fork”—a version of the operating system that departs from the original, like a fork in the road—is a difficult endeavor that can cost massive money and resources, experts warn. For a small startup, that can be an insurmountable challenge.
“There’s such a high volume of vulnerabilities that Android is disclosing and patching on an ongoing basis that you really do need to stay on top of all of those,” says Richardson. Keeping all the software and hardware compatible with every new version of Android is something that very few companies other than tech giants can effectively do. To deal with that, some niche phones simply don’t adopt new Android versions—a cheaper but more dangerous road.