Suggestion: Several Duress pins

u7912

By allowing many duress pins, we could exponentially increase the probability that a bad actor wipes the device instead of gaining access. Success!

Is there possibility of this feature being added/improved?

AcidDemon

u7912
It might come down to the techniques used by the attacker.
I think some will do a backup before trying to brute force the pw/pin for example.

other8026

u7912 this has been requested and the issue for it has been left open here: https://github.com/GrapheneOS/os-issue-tracker/issues/3839. I'm not sure what the developers' thoughts are on adding the option to have multiple duress PINs/passwords and usually feature requests that they are planning on implementing will have tags indicating as much.

ryrona

u7912 I think that if one want to have traps like that to hopefully wipe the device if someone is trying to brute-force into it with random guesses, one could just as well wipe the device after 30 failed unlock attempts or something like that. More reliable and easier to set up.

u7912

other8026
Thanks for link

AcidDemon
The average thief ALWAYS tries most common password / pattern, if they fail they sell on or pass to smarter person.

ryrona
If the failed auto wipe is stealth, sure thats an option.
If its not stealth IE "The next attempt will wipe the device", even the dumbest thief likely think "let me ask somebody before I make this irreversible move.

fph
Say I have 5 duress pins #1234 ,#1111, #0000, #1212, #7777 + real pin #105718, its exponential because those 5 duress are the most commonly used pins worldwide. IE we are benefiting more than just 5:1 ratio

one study - 26% of worldwide pins fall into only 20 combinations.

fph

In which sense "exponentially"? If you set up one true PIN and n fake pins, the probability of finding the right one before wiping the device is 1/(n+1). Nothing is exponential in this problem.

dc32f0cfe84def651e0e

u7912 Say I have 5 duress pins #1234 ,#1111, #0000, #1212, #7777 + real pin #105718, its exponential because those 5 duress are the most commonly used pins worldwide.

Not to forget the birthday related ones.

Hb1hf

u7912 The average thief ALWAYS tries most common password

So do the average kid...

u7912 Say I have 5 duress pins #1234 ,#1111, #0000, #1212, #7777

...so don't try this method of you've got one lying around the house

u7912

dc32f0cfe84def651e0e
Good point, if our suspect knows us, likely that's their first attempt

Hb1hf You dont seem to understand the objective... We want to use these pins as duress, to fool the suspect into wiping the device.

DeletedUser87

u7912 okay, then why not just set the currently available single duress pin to something like 1234? If that's one that's gonna get tried with a high probability, that should be enough as a safeguard. Apart from that, I don't think there's much incentive to delete the data on the device, if it's not breakable by brute forcing AFU even with Cellebrite tools as of right now. I don't think the average thief is gonna spend weeks or months trying to unlock the device for potentially useless data when they can just reboot to bootloader and factory reset in a manner of seconds. The hypothetical criminal you're describing must be incredibly rare and will likely be shouldersurfing to guarantee a successful entry if he/she was really after the data and not the phone. The point of the duress pin is also in its name "duress", when somebody forces you (maybe physically) to unlock a device or enter a password to gain access to data, not as a anti-theft factory reset tool.
What you're suggesting seems like security theater - not offering any real benefit, but investing time to develop additional features is (from an end user perspective like mine) not optimal.

Hb1hf

u7912 You dont seem to understand the objective... We want to use these pins as duress, to fool the suspect into wiping the device.

I'm fully aware of the objective. You're the one who seems not to understand the risks. To protect from a 0.01% chance an attacker would get your phone, you need to be willing to take a 70% chance your kid erases your phone on a radom Tuesday night while trying to play Minecraft or whatever.

u7912

DeletedUser87

"okay, then why not just set the currently available single duress pin to something like 1234? "

I already answered this - To increase the probability.

"Apart from that, I don't think there's much incentive to delete the data on the device"

The incentive is obvious - Its better to increase the probability your stolen data is wiped, than at risk for any future attack vector.

" The hypothetical criminal you're describing must be incredibly rare"
Not rare at all, Plenty of people use their phones for crypto, banking, OTP, etc

" The point of the duress pin is also in its name "duress", when somebody forces you (maybe physically) to unlock a device or enter a password to gain access to data, not as a anti-theft factory reset tool. "

The point of the mobile phone was to make phone calls... its now also a camera, satnav, banking, crypto wallet... etc...

u7912

Hb1hf

0.01% chance? Dont promote stupid statistics here.

Inner city phone theft is rampant, Lets use London - 250 phones are stolen a day.
70% of all reported personal robberies involved a phone being stolen.

"radom minecraft"??? Please leave the thread as you clearly offer no value or rational statistics.

Sources :
[1] 70% of robberies involved a phone
[2] 1 phone snatched every 6 minutes in London

[1] https://www.standard.co.uk/news/crime/sadiq-khan-mobile-phone-theft-london-mark-rowley-met-police-b1099459.html
[2] https://www.cnn.com/videos/tech/2024/06/15/mobile-phone-theft-on-the-rise.cnn

u7912

Hb1hf
You edited your comment to which I replied "You misunderstand", completely changing your perspective of your initial post to conceal your mistake.

Nice try lol

DeletedUser87

u7912 London has a population of 8.9 million. 0.01% of that is 890 people. So the chances of your phone being stolen are actually even lower on any given day.

u7912

DeletedUser87

In westminster, London " That equates to 85.4 thefts per every 1,000 people. "

Source: https://www.newhamrecorder.co.uk/news/24612232.londons-phone-snatching-problem-kids-targeted/

u7912

DeletedUser87

In addition to above.

"Westminster is the worse area in London for phone snatching - with a shocking 22,253 incidents reported in the year leading up to September 2024. "

These statistics do not include those who don't report the theft.

Clearly a genuine risk.

To correct you, inner city of London has a population of <5000

"Primarily a business district, the City has a small resident population of 8,583 based on 2021 census figures,[11][12] but over 500,000 are employed there (as of 2019)[13] and some estimates put the number of workers in the City to be over 1 million. "

source : https://en.wikipedia.org/wiki/City_of_London

DeletedUser87

u7912 you don't increase probability. Again, set it to a known easy to guess pin. Criminals are not some technological masterminds, quite the opposite most of the time. Not rare at all? Please back that up with some data. I would really love to know how many stupid thieves are out there trying random passwords for weeks with a 1% chance to get some valuable data and a one in a million chance to successfully unlock the phone with a random pin. When thieves are looking for data (and not just the phone for the resale value), they won't be taking any chances. They will absolutely shouldersurf you and get your pin before stealing the phone, which makes even 999999 duress pins useless.

Now you are also conflating data regarding London's phone theft problem. Taking a tourist hotspot (where phone theft somehow seems to affect mostly tourists) as 'proof' that my numbers are wrong based on a previous article you posted, is disingenuous. I can only elaborate: if you're outside of Westminster, your chances to get your phone stolen are EVEN LOWER then.

Hb1hf

u7912 You edited your comment to which I replied "You misunderstand", completely changing your perspective of your initial post to conceal your mistake.

Nice try lol

Yes, I edited it, from "so do kids" to "so do the average kid", to give it a nice parallel to "the average thief". It was edited 10s after the original reply and before you replied. [removed]

u7912

DeletedUser87

You do increase probability.
I already posted a study above that shows 26% of worldwide pins fall into only 20 combinations.

If you cant understand this I cant simplify it anymore for you.

As for me conflating data, not at all. I made it clear when I said "Inner city phone theft is rampant".
Westminster is inner City, Where phone theft is rampant, I provided a source to back it up.

It was you who tried to be smart and dug yourself into a hole... Now you are trying to play the victim...

I provide a genuine use-case for having several duress pins - those who live in theft hotspots/people @ higher risk of theft.

If you don't personally require the feature then thats fair enough, but your situation doesn't apply to everybody.
and you don't need to campaign religiously about it, you just wouldn't use said feature.

Anyway im not here to argue or point score like you are trying, so if you dont see the value in the feature then dont need to post.

As the core functionality already exists for 1 duress pin, it wouldn't be that hard for the devs to allow multiple

Hb1hf

DeletedUser87 Taking a tourist hotspot (where phone theft somehow seems to affect mostly tourists)

Those italics lol. You're wasting some cool sarcasm-through-formatting with someone who can't seem to understand that if you set 1234 as a duress pin your kid will end up wiping your phone trying to watch SpongeBob Square Pants.

DeletedUser87

u7912 okay, since you seem pretty determined to hypothesize about a 180 IQ thief who will try random, often used passwords, here's two links for very helpful answers regarding a "self destruct" feature after a number of failed attempts:
https://discuss.grapheneos.org/d/9490-wrong-pin-erasing-phone-data/6
https://discuss.grapheneos.org/d/6910-self-destruction-after-10-incorrect-attempts-erases-and-encrypts-everything/11

This should answer everything. As a closing note, if you're afraid that someone will randomly guess your pin - don't use a pin. Use a password with a <20 char length with special characters included and the probability of someone randomly unlocking the phone becomes virtually 0.

u7912

DeletedUser87

It was never about somebody guessing my pin, you've missed the point.

Its about increasing the likelihood that our data is destroyed in the event of theft/misplaced phone.