The issue with duress pins is that they are generally obvious. Depending on your country/threat model you may face substantial harm for failing to provide a pin and yet equally substantial harm if the provided pin bricks or resets the device.

A solution would be a duress pin that upon use wipes all (or user preselected ideally) Profiles and any evidence that a duress pin was enabled in the first place.

So you provide the duress pin, it is used to unlock the Owner profile, and the secure profile that you want to protect is tracelessly erased as if it never was. The Owner Profile password should also be reset to the Duress pin so the hostile party has every reason to believe that the normal pin was provided.

Thoughts?

Essentially, the ideal would be to be able to turn your phone over to someone with Cellebrite for them to perform a Consent extraction and have them see no trace that the duress pin was utilized or that the secure profile(s) was/were wiped (or even existed in the first place).

    This only works if you use user profiles and have nothing sensitive in the owner profile.

    But yes, it is important that you can wipe a device without anyone knowing it.

      missing-root

      If your threat profile suggests such measures then you should have one or more secure profiles that are protected behind strong passwords and contain all sensitive data. Note that said profile(s) should not be used as daily drivers.

      Instead use the Owner or another "daily driver" profile for anything whose exposure won't cause you issues.

      Bluntly, if a government is coming after you then a phone they can't get into and you refuse to unlock is very likely going to make your life difficult. A duress pin that plainly wipes the device is unlikely to make things better.

      Ideally, you want to be seen as compliant while simultaneously ensuring that any compromising information is gone and that an investigation into the other information on your device won't raise any eyebrows.

      A duress pin like I propose combined with good user security practices and keeping USB disabled except for charging would remove essentially all of the duress pin downsides while actually increasing user security.

      There is no way to hide this, and it will therefore not be done.

      It would not be possible to hide from someone who is aware the feature exists, especially if they have physical access to the device for a prolonged amount of time.

      The duress PIN/Password is meant to irrevocably wipe the device's contents. It's not meant to be stealthy. That's a goal that can't be meaningfully achieved.

        matchboxbananasynergy

        I find it pretty quick to close this. I want to ask you to reopen it.

        How could there be no way to delete a guest profile without showing a popup screen? This sounds totally possible.

        Changing the user pin might not be necessary. The people will have access to the phone anyways, so simply

        • type in duress pin (previously configured to just wipe all user profiles, not the owner, to keep it simple)
        • it seemingly does nothing but loads for a while, looking like a normal pin cooldown
        • type in the real pin, it unlocks normally
        • nobody knows you ever had user profiles

        This does sound like a feature totally in scope of GrapheneOS' goals. User profiles are meant to be used to store information there, and if encryption is simply not enough (agencies torturing people until they give the pin, etc.), deletion is the only way.

        This combined with emergency shutdown/reboot would offer a very safe method of never opening the user profile, but being able to quickly delete it.

        A settings toggle could be used for this. I am sure there is a command that can be invoked to delete a user profile. Can't this just be invoked for all existing ones?

        matchboxbananasynergy

        There is no way to hide that

        1) a User Profile was deleted
        2) the Owner password was changed
        3) that a duress pin feature was disabled

        So if I decided to delete a User Profile right now, evidence of that User Profile's existence would persist? Along with timing information regarding when it was deleted?

        The same if I chose to change my Owner password right now?

        If so, why is this logging extant? What is the use case it advantages?

        Bluntly, a duress pin that essentially just factory resets a device is worse than useless in virtually all threat models. If you already have elected to use a strong password/pin then wiping the device doesn't make it materially more secure but does open you up to destruction of evidence/tampering with evidence charges. In less pleasant circumstances, a duress pin's use may well get you tortured to death.

        In the US for example, you have a Fifth Amendment Right not to provide a password and law enforcement's ability to use their inability to crack your phone against you in court is sharply limited. The use of a duress pin, however, would open you up to destruction of evidence charges and the courts are likely to presume that the evidence you destroyed was evidence of the crime you were facing in the first place and are able to use that against you.

        For a duress pin to have any real world use outside of some edge cases and very specific threat models it needs to leave the device in a state where the duress pin has plausibly not been used and the compromising data is still wiped.

        People don't have to use the duress PIN feature if it does not fit into their threat model.

        This is not a new proposal, and has been considered in the past, which is why I'm marking the thread as solved.

        The duress PIN feature will not be implemented in a way that adds security theater, or which is incomplete.

        Deleting specific user profiles with the duress PIN could be possible, but detecting that this is occurring is unlikely to be so. If someone is relying on that fact being hidden from an adversary, pretending to do something stealthily which can then be detected is more likely to put people in harm's way rather than not.

        The same goes for the other usual proposal of having the duress PIN launch some "decoy profile", which is security theater in a more blatant way than what is being proposed here.

        At this time, there are no plans to change how the duress feature works.

          matchboxbananasynergy

          A Duress Pin that does nothing but wipe the whole device when used is useful in basically zero real world threat models.

          If you need high security then you should be using a high entropy password. In this case a Duress Pin is generally the very definition of security theater because your phone was already secure and thus the data it contained already inaccessible to your adversary.

          If you can be compelled to provide a password (and thus can provide a duress pin) then its use resulting in a phone that is wiped is very likely to result in your adversary punishing you.

          About the only threat models where a duress pin is useful are 1) extremely high threat environment where the risk of the data's compromise is greater than the users death/imprisonment, 2) bad security practices where you are using a weak PIN and your data is liable to be compromised given time AND the consequences of a wiped phone are less than the risk of that compromise, 3) where you deliberately leave the duress pin recorded somewhere that an adversary is likely to find it and use it without you actually providing it to them.

          Deleting specific user profiles with the duress PIN could be possible, but detecting that this is occurring is unlikely to be so.

          Impossible to hide when the phone is in the hand and not currently connected to forensic devices (because they need to be AFU to enable the USB connection needed for those devices)? Or impossible to hide after the fact?

          If someone is relying on that fact being hidden from an adversary, pretending to do something stealthily which can then be detected is more likely to put people in harm's way rather than not.

          Essentially any use of a duress pin would put the user at substantial risk. If one is being used you are either providing it to law enforcement, hostile state actors, or criminals who have already gained power over you.

          In the case of law enforcement, providing a duress pin is likely to get you years in jail and a wiped device makes it plain one was used.

          In the case of hostile state actors or criminals you are likely facing much worse than some jail time.

          Wiping a secondary user profile instead? Worst case you face the same downsides as a normal duress pin, best case you create plausible doubt as to whether or not a duress pin was used in the first place.

          The same goes for the other usual proposal of having the duress PIN launch some "decoy profile", which is security theater in a more blatant way than what is being proposed here.

          That one is an idiotic proposal that would be essentially impossible to conceal and would have basically no upside.

          At this time, there are no plans to change how the duress feature works.
          Then it will remain security theater. Extra options are always nice but its use is highly likely to harm the user with no material security increase compared to using a decent passphrase.

          matchboxbananasynergy What do you mean it can't be hidden? I find the current implementation does hide it pretty well. The device says it's corrupted after the wipe and that's it. You would need to record the wipe process in the logs of the phone to prove it was the duress feature.

          Duress PIN/password serves as a quick way to securely wipe all user data in the device and erase the installed eSIMs compared to the old way of navigating the settings menu or recovery options. There are more creative ways of using the current implementation but the fundamentals are the same, and there is no need to overly complicate how things work on this subject in my opinion.

          A robust implementation of a feature means that it still works as intended if the adversaries have full knowledge of the OS. I believe there are always traces of evidence of file/data deletion on an SSD even though they are not recoverable due to the encryption key being lost.

          The usage of the duress PIN/password feature is not only applicable to the case when the right to control the device is lost, but also when the user has full control of it. For now, the OS does not have this feature enabled by default nor encourages using it in the setup wizard. Whether to use it and whether to activate it is up to the user's decision, regardless of whether such action is illegal or not. This is somehow similar to the call recording feature which is not legal in some areas, but it is offered to all users anyway.

          The request is for a natural thing to want.

          In fact, this request is made roughly monthly.

          Official project accounts have stated:

          1. It is not possible given the current user profile system to wipe some profiles without leaving traces available to a competent adversary.
          2. The developers are not interested in writing code that would confuse only low-competence adversaries.

          @matchboxbananasynergy is not the obstacle, merely the messenger.

          Perhaps the developers are wrong about how hard it would be... in which case arguably the best way to demonstrate that might be via code.

            de0u these 2 points make sense. The others, not so much.

            I am very convinced about the description that @JollyRancher gave. Indeed, it is useless or harmful to wipe a device in case of such an emergency.

            As GrapheneOS devs are very much into user profiles, I hope the underlying issue here can be fixed, that user profiles can be deleted without leaving traces.

            Deleting a single user profile is the most useful duress action I can imagine. All others make little sense, like wiping all your data off presumably the most secure device on earth; well, if you got no backups you have a problem.


              Here's a thought. I am sure most of your lives are boring, but do NOT store anything incriminating on your phone or on a computer at home.

              If you must, keep your phone backed up to a secure home or cloud server and be prepared to nuke the phone if placed in a situation where it may be seized. Deleting data before seizure and demand to unlock is probably not illegal. Doing it after with a duress password probably is. A 4 digit PIN is quick.

              BTW, I am still trying to find the "reset my phone after x number of failed password attempts" feature.

                missing-root I am very convinced about the description that @JollyRancher gave. Indeed, it is useless or harmful to wipe a device in case of such an emergency.

                It may well be that the feature doesn't make sense given your threat model, including the rules in the legal jurisdiction you're in (presumably as interpreted by an attorney who practices in that jurisdiction). If that's the case, then configuring the feature might not be productive.

                missing-root As GrapheneOS devs are very much into user profiles, I hope the underlying issue here can be fixed, that user profiles can be deleted without leaving traces.

                I suspect that while they were modifying the code to implement the present duress-PIN feature they surveyed the landscape.

                missing-root Deleting a single user profile is the most useful duress action I can imagine.

                You are very much not alone in having that thought.

                Having read a bunch of Android developer documentation, and a couple of Android architecture books, and also a very small amount of code... in my opinion, the Android software ecosystem is a bit of a monkey circus. If one observes a feature from the outside and imagines how it's implemented and then imagines how easy it should be to modify the imagined implementation in a particular way, whatever you imagined is probably missing at least 7 monkeys. As far as I can tell, the lower levels of the hardware/firmware stack (for Pixels) are relatively free of monkeys, but as you climb up the tree, there they are!

                FWIW, it appears you can delete a single profile in about 10 seconds from the lock screen with 1 swipe and 6 taps.

                  HMC

                  A Pixel 9 Pro/Pro XL can be had with a terabyte of storage and, running GOS with a strong password and decent security practices, is the most technically secure compute system that can be had for a reasonable investment of money and time.

                  That it is also incredibly portable and concealable are just bonuses.

                  To run a server that is more secure than GOS requires a fairly substantial time investment to learn how to do it, at least as much money, and generally has more downsides.

                  If you are going to do things electronically that governments might dislike, doing them inside a secured GOS User Profile is generally the best choice.

                  Backing up frowned upon data is generally a bad idea. But if you really need to do it, set up a proton account using good opsec, encrypt the data, upload the encrypted data to the proton account (which is used for nothing but this), make it a public share, and store the URL for the share somewhere safe and secret.

                  Then you can access that data from anywhere in the world with basically zero chance any adversary will be able to find that it exists or access it even if they do learn the URL.

                  Backup to your own servers and they are likely to end up seized. At least unless you have the resources to locate your backups securely in another country.

                  Exhort14

                  Yup. If you know your device is likely to be seized and can get a small amount of time with it then it's easy to make safe. Swipe, Swipe, tap users, manage users, secure profile, delete profile, restart phone.

                  If you have engaged in good security practices then you should be able to turn that phone over for a full consent download secure in the knowledge that it won't incriminate you.

                  The issue is when you can't get that alone time with the device.

                  Provide the legit password and the existence of all the user profiles becomes obvious, and refusing to provide access to them is likely worse than refusing to provide the Owner password.

                  Provide the duress pin and you basically convict yourself of destruction of evidence (in the US at least).

                  Refuse to provide any unlock code and you are likely to suffer fewer direct consequences (in the US at least) but will also make yourself suspect number 1 in whatever investigation is ongoing and get the government putting your life under a microscope.

                    JollyRancher Provide the legit password and the existence of all the user profiles becomes obvious

                    This is the place where you don't get it. Did you notice, Android boots to login screen without asking you for any credentials? At this point it is already possible to see what user profiles you have. There is no need to provide anything.