Duress PIN idea

de0u

The request is for a natural thing to want.

In fact, this request is made roughly monthly.

Official project accounts have stated:

It is not possible given the current user profile systen to wipe some profiles without leaving traces available to a competent adversary.
The developers are not interested in writing code that would confuse only low-competence adversaries.

@matchboxbananasynergy is not the obstacle, merely the messenger.

Perhaps the developers are wrong about how hard it would be... in which case arguably the best way to demonstrate that might be via code.

missing-root

de0u these 2 points make sense. The others, not so much.

I am very convinced about the description that @JollyRancher gave. Indeed, it is useless or harmful to wipe a device in case of such an emergency.

As GrapheneOS devs are very much into user profiles, I hope the underlying issue here can be fixed, that user profiles can be deleted without leaving traces.

Deleting a single user profile is the most useful duress action I can imagine. All others make little sense, like wiping all your data of presumably the most secure device on earth, well if you got no backups you have a problem.

de0u

missing-root I am very convinced about the description that @JollyRancher gave. Indeed, it is useless or harmful to wipe a device in case of such an emergency.

It may well be that the feature doesn't make sense given your threat model, including the rules in the legal jurisdiction you're in (presumably as interpreted by an attorney who practices in that jurisdiction). If that's the case, then configuring the feature might not be productive.

missing-root As GrapheneOS devs are very much into user profiles, I hope the underlying issue here can be fixed, that user profiles can be deleted without leaving traces.

I suspect that while they were modifying the code to implement the present duress-PIN feature they surveyed the landscape.

missing-root Deleting a single user profile is the most useful duress action I can imagine.

You are very much not alone in having that thought.

Having read a bunch of Android developer documentation, and a couple of Android architecture books, and also a very small amount of code... in my opinion, the Android software ecosystem is a bit of a monkey circus. If one observes a feature from the outside and imagines how it's implemented and then imagines how easy it should be to modify the imagined implementation in a particular way, whatever you imagined is probably missing at least 7 monkeys. As far as I can tell, the lower levels of the hardware/firmware stack (for Pixels) are relatively free of monkeys, but as you climb up the tree, there they are!

HMC

Here's a thought. I am sure most of your lives are boring, but do NOT store anything incriminating on your phone or on a computer at home.

If you must, keep your phone backed up to a secure home or cloud server and be prepared to nuke the phone if placed in a situation where it may be seized. Deleting data before seizure and demand to unlock is probably not illegal. Doing it after with a duress password probably is. A 4 digit PIN is quick.

BTW, I am still trying to find the "reset my phone after x number of failed password attempts" feature.

JollyRancher

HMC
A Pixel 9 Pro/Pro XL can be had with a terabyte of storage and, running GOS with a strong password and decent security practices, is the most technically secure compute system that can be had for a reasonable investment of money and time.

That it is also incredibly portable and concealable are just bonuses.

To run a server that is more secure than GOS requires a fairly substantial time investment to learn how to do it, at least as much money, and generally has more downsides.

If you are going to do things electronically that governments might dislike, doing them inside a secured GOS User Profile is generally the best choice.

Backing up frowned upon data is generally a bad idea. But if you really need to to it, set up a proton account using good opsec, encrypt the data, upload the encrypted data to the proton account (which is used for nothing but this), make it a public share, and store the URL for the share somewhere safe and secret.

Then you can access that data from anywhere in the world with basically zero chance any adversary will be able to find that it exists or access it even if they do learn the URL.

Backup to your own servers and they are likely to end up seized. At least unless you have the resources to locate your backups securely in another country.

Exhort14

Yup. If you know your device is likely to be seized and can get a small amount of time with it then its easy yo make safe. Swipe, Swipe, tap users, manage users, secure profile, delete profile, restart phone.

If you have engaged in good security practices then you should be able to turn that phone over for a full consent download secure in the knowledge that it won't incriminate you.

The issue is when you can't get that alone time with the device.

Provide the legit password and the existence of all the user profiles becomes obvious, and refusing to provide access to them is likely worse than refusing yo provide the Owner password.

Provide the duress pin and you basically convict yourself of destruction of evidence (in the US at least).

Refuse to provide any unlock code and you are likely to suffer fewer direct consequences (in the us at least) but will also make yourself suspect number 1 in whatever investigation is ongoing and get the government putting your life under a microscope.

Exhort14

FWIW, it appears you can delete a single profile in about 10 seconds from the lock screen with 1 swipe and 6 taps.

DeletedUser43

JollyRancher Provide the legit password and the existence of all the user profiles becomes obvious

This is the place where you don't get it. Did you notice, Android boots to login screen without asking you for any credentials? At this point it is already possible to see what user profiles you have. There is no need to provide anything.

HMC

JollyRancher

How long are you willing to sit in a jail cell when you refuse to open your phone. In many countries that is exactly what you would face and that is how they get into your "secure" phone.

US customs has similar powers and even though I carry nothing incriminating, the contents of my phone is private and I will not carry any electronics through US customs.

So, while you talk about electronic security, I am talking about physical security and how your freedom may be leveraged to unlock a phone.

I do wonder how many supposedly security conscious use fingerprint or face id logins. GOS supports fingerprint. It is a common practice for LEOs to use your biometrics to unlock your phone while you're in handcuffs.

JollyRancher

DeletedUser43
True, and that is probably the single biggest security/privacy issue in GOS.

DeletedUser43

JollyRancher Full security and privacy in not possible without removing all functionality. It's always a compromise. I even started to think how to implement what you want on a PC with whatever OS, and I'm at a lost for now. Best I have so far, is a plain (no LUKS, deniable) full disk encryption, with you setting up partitions every time you start the machine. Then you would have to remember two sets of information:

encryption key and partition scheme for real use
encryption key and partition scheme for show

Partition scheme would be just a couple of numbers to remember.

Carlos-Anso

There will be various indications that a profile existed, also that it has been deleted in system logs. Attempting to somehow ensure every possible mention is avoided or purged and ensuring that this can be guaranteed forward into the future through the regular changes to AOSP is not something the team is interested in trying to achieve.

Hearing people call the current implementation useless isnt great. There are likely lots of people where it doesnt really make sense to bother setting a duress PIN or password. But for some people it could be very valuable.

As has been mentioned theres clearly a use where the risks of an adversary gaining the data on the phone outweigh the risks from an adversary knowing youve destroyed all the data on the phone.

Also theres potential benefit to everyone who uses GeapheneOS even if they dont have Duress set. If an adversary knows that there could be a duress PIN or password set it acts as a deterrent against attempts to brute force the unlock PIN/pass.

Similarly could also potentially deter attempts to force someone to reveal their PIN/pass as it gives the potential for them to supply the Duress PIN/pass and cause irreversible data loss.

JollyRancher

HMC

How one should handle their security and system setup absolutely depends on the jurisdiction(s) in question.

Biometrics are security theater in basically every jurisdiction as law enforcement, much less other threat actors that might detain you, will force your finger on the phone or hold it up to your face.

In most US states you have 5th Amendment protection against being forced to provide a password/pin yo unlock a device. Refusal to provide that information can't even be mentioned in front of the jury. Note that this isn't all states and a case has yet to make its way to the US Supreme Court for a definitive answer.

If you are crossing the US border and are a US citizen, the US governments ability to examine your electronics, much less unlock them, is sharply limited. The most they could do (generally speaking) is seize the device but even that is unlikely.

If you aren't a US citizen then they absolutely can force you to unlock the device and even perform a full forensic extraction if you want to enter the US.

Other jurisdictions have their own quarks and rules. Always be careful when traveling and if you have questions talk to a legal professional in advance of visiting the jurisdiction.

If US customs are your concern, you are generally better off encrypting the data, uploading that encrypted data to Proton Drive or the like, crossing the border with a clean phone, buying a pixel in the us (can be done with cash at basically any electronics store), loading GOS onto it, and downloading the encrypted data via said device.

None of this really gets to my point in this thread though.

Once you become a person of interest in an investigation, law enforcement us going to ask to view your phone. Assuming the jurisdiction in question allows you to refuse, the simple fact that you have refused is going to make you a bigger focus in the investigation.

Getting a warrant to seize a phone is generally fairly trivial, and once law enforcement has that they will seize it and try for a full extraction.

If you provide a duress pin and wipe the device then you are very likely to be found guilty of destruction of evidence. In some jurisdictions, the mere fact that you have destroyed evidence means that the court gets to assume that the destroyed evidence is basically as bad for you as it could possibly be.

So, assuming that your phone is secured with a strong password/phrase, the usage of a duress pin is often worse than doing nothing.

Your phone is seized and its encryption won't be broken in your lifetime. In the US the inability of law enforcement to crack your device can't be used in trial (generally speaking).

If the use of a duress pin could be concealed and it only wiped specific data (I.e. a private space) then when law enforcement asks for access you can freely provide it, confident in the knowledge that your phone won't incriminate you. Instead of evidence against you, this makes your phone evidence in your favor at trial.

Where you get into more of a gray area is writing down the duress pin somewhere it is liable to be found, refusing to help law enforcement get access to your phone, and then waiting for them to try that written passcode on their own initiative. Again, consult a legal professional before doing something like this.

Personally? When I travel I use a device specific to that trip. It is factory reset before the trip, loaded with only what is needed for the trip, and my assumption is that everything on that device is compromised by the government of wherever I go. Upon return the device is factory reset again. If I visited some countries, most notably the PRC, that device is then sold to someone else.

If you are crossing a border with GOS on your phone and it is examined at all you will become a person of interest to that jurisdiction. Period. If you want to avoid that, buy an iPhone to use for traveling and don't do anything dubious on that device.

HMC

Oh, and BTW, anyone with TB of data on their phone should have it backed up.

HMC

TL;DR

« Previous Page