• Announcements
  • Claims made by forensics companies, their capabilities, and how GrapheneOS fares

  • Edited

Rcif419 Assuming random digits, a four-digit PIN is 99% less secure than six digits, because there are 100 times as many six-digit numbers as four-digit numbers.

Security people often make recommendations based on what should be good enough for a given use case, plus some margin. Four digits might be good enough? But not good enough plus some margin.

Edit: note that the "140 attempts" figure above is 1% of the way through the space of a four-digit PIN, so the attacker could get lucky. You might choose to take that bet, but I doubt you will find somebody willing to recommend it as a good bet to take.

Hey all. I have a Pixel 8 pro and followed all the recommendations with Diceware password, auto boot every hour, turned off what I need etc. I understand this is a Graphene OS forum, But I just don't know where I can go to ask this question.

Does the same apply with an Iphone? Latest Iphone with the latest ios, alphanumerical passphrase of 20+, lock down mode on and iCloud all turned off. Is that strong enough?

    • Edited

    uppa9 iphines are pretty secure. Renowned in the field in fact. The problem with iphones are; not open source, and tied strongly to apple. Who knows what they know of you, even not logged in to icloud. Its kind of mandatory anyway if you want to use it properly. They're not as private as apple would have you believe. Damn secure though.

    But a strong password makes those things pretty unbreakable too. They're not GraoheneOS though!

    Interesting.
    Since the major point of failure here is a powered-on device, maybe it will be considered
    to add a feature to the new USB-C HAL exploit protection, such as - if a charger is plugged,
    require the passphrase? Since I assume most tricky part for forensics companies will be keeping
    the device charged before it's rebooted. If this can't be achieved, they will have to somehow
    wirelessly charge the battery without passphrase (if it's possible) or they will be left with the power
    level currently left on the device. Since I know that most investigations are not "hot", it will be safe
    to assume that the device will be BFU if this feature is implemented.

    uppa9 Is that strong enough?

    Strong enough for what? Maybe it's too strong. Without a detailed threat model, it's hard to say.

      de0u More so keeping my data safe for a very long time

      • de0u replied to this.
        21 days later

        de0u Strong enough for what?

        uppa9 More so keeping my data safe for a very long time

        It's hard to say.

        For example, if the question is "What if I put ultra-private data on an iPhone, turn it off, and lock it up a safe, will the data remain private in 50 years?" I would not want to predict that. Fifty years is a long time for somebody to find bugs in an obsolete iPhone.

        If the iPhone is getting regular software updates, that's different (and presumably the ultra-private data will need to migrate to a new device every five years or so).

        It also matters who wants the data. If it's a large state actor with powerful supercomputers, that's different than if it's a rural police detective. And if the state actor can torture you until you divulge your passphrase, that's entirely different.

        It's hard to answer the question at all, and pretty impossible without a detailed threat model.

          de0u If there's a 10 diceware word passphrase, as in 128 bits of entropy, then there would need to be truly massive breaks in AES, scrypt or the other cryptography used as part of key derivation to recover any of the data in that profile. Cryptography is considered broken when an algorithm meant to have 128 bit security has an attack reducing the security to 127 bits even only in a certain edge case. It's using AES256 rather than AES128 so even a massive break 30 years from now reducing AES256 to 100-bit security doesn't mean any data can be recovered. The disk encryption is already protected against theoretical powerful quantum computers, unlike TLS connections with ed25519 key exchange or using AES128 instead of AES256.

            GrapheneOS If there's a 10 diceware word passphrase, as in 128 bits of entropy, then there would need to be truly massive breaks in AES, scrypt or the other cryptography used as part of key derivation to recover any of the data in that profile.

            It sounds as if AES-256 with a 128-bit random key is good enough for a long time, even hopefully quantum-resistant. That's good to know.

            The question about the iPhone scenario (uppa9) was "alphanumerical passphrase of 20+". I think (26+26+10)20 is pretty close to 2128, so it sounds as if that scenario is probably good too, assuming the passphrase is truly random?

              de0u Adding a couple more lowercase letters usually makes more sense than using uppercase. It's very rare that anyone would be entering a password consisting of completely random characters though. It's generally harder to remember and type correctly than a diceware-style passphrase, although it'd be a lot shorter.

              • Edited

              They say that Supersonic BF can only do around 5000 guesses per day:

              https://blog.elcomsoft.com/2023/06/what-forensic-vendors-dont-like-to-tell-their-customers-part-2/

              In case if you are curios, “supersonic” brute-force is slightly above 5,000 APD (Attempts Per Day); I am not saying this speed is bad (especially as most other vendors cannot do that at all), but I definitely would not call it “supersonic”.

              Is this true or bullshit? If it's true then why the hell is it so damn slow?

              matchboxbananasynergy https://grapheneos.social/system/media_attachments/files/112/462/760/076/651/069/original/abb6bfdb2d3cbc6a.png

              As a laymen I'm still confused after reading the thread. Why is it possible to extract data from devices which are cold BFU (1st column) 6th+ gen pixels included? Is the first column only applies to encrypted data, meaning data is extracted, but it's encrypted?
              It's possible to bruteforce the encryption key for most other types of devices – except 6th and latter Pixels – because the secure elements has been bypassed which means throttling is disabled, which in turn allows for decryption of the extracted encryption data?
              Hope I'm not completely misunderstanding the whole chart.

                • Edited

                ticklemyIP These companies can't bypass the throttling on Pixel 6 and up. They can do it on every other device. Maybe not on the latest iPhone, but I think they will figure it out pretty quick.

                According to the latest iOS Support Matrix 7.69.5 (as of July) uploaded by a Reddit user, Cellebrite can unlock up to iOS 17.5.1. Also, it seems that the CAS service (not Premium or Inseyets) can unlock the iPhone 15.

                https://imgur.com//WpuUNGh

                  de0u

                  Appreciate you replying back. And the follow up comments have been very helpful.

                  orangecola There's one / too many in that link. Also, yes, would be nice to have a link to the Reddit post in question.