Threat model help needed: travelling through customs

science

Hoping to get help configuring a friend's P8a GOS phone for a specific scenario. Welcoming general critique / advice, and I also have a specific question relating to Cellebrite.

Background:

In my country border guards can demand that travelers give their phone password at customs. Refusing could result in the device being permanently confiscated and subjected to full file extraction with Cellebrite.

My friend also has sensitive info on the Owner profile. It is their daily driver.
The data is nothing too serious. Just some memes and articles shared via encrypted messaging with mild criticism of certain politicians. But in my country this is enough to trigger harassment and short detention if discovered by customs agents.

The goal:

Help my friend avoid getting the phone confiscated or harassed if targeted by casual snooping from a customs officer, without sacrificing the convenience of their current setup (Owner profile as their daily driver, 6 digit pin in Owner profile, no 2nd phone).

My friend is not very tech literate, and not a "hardcore" privacy person. It would be very difficult to convince them to adopt a 2nd phone, remove all sensitive info from their Owner profile, or change their Owner profile password to a long diceware passphrase for this upcoming trip.

They're coming to me for advice on how to present their current device to customs with minimum reasonable risk of getting the device confiscated, without relying on a 2nd phone or wiping the Owner profile.

Could anyone offer advice / critique on how to manage this risk, given the constraints above?

The best case scenario we came up with was -

Create a secondary Travel profile with a different password from Owner, filled with non-sensitive data and apps.

Before customs, reboot the phone, log in to Owner, then switch to Travel profile.

If targeted by a customs officer, comply with request for password to the Travel Profile.

Imagining a few different ways this could go:

In the best scenario, the customs agent doesn't notice the "end session" button on lockscreen or know what it means, logs in to Travel profile, swipes around for a moment, then returns the device and all is well.
In a worse case scenario, the customs agent takes the phone away to a back room and attempts full file extraction on the device's unlocked Traveler profile with Cellebrite.
In another bad scenario, the customs agent discovers that the phone is GOS and that they don't have access to the Owner profile, then confiscates it. My friend doesn't get harassed much but does have to buy an expensive new phone.

Specific question:

If scenario 2 happens (full file extraction on unlocked Travel profile), would the customs agents get access to the contents of the locked Owner profile as well?

Asking because I see here in the first post that post-2022 GOS is probably resistant to full file extraction from Cellebrite in AFU state:
https://discuss.grapheneos.org/d/14344-cellebrite-premium-july-2024-documentation

Does this imply that the contents of the Owner profile would likely remain inaccessible in this scenario?

It matters because we think the harassment would be less severe if the device is simply confiscated for having an inaccessible Owner profile. My friend would simply lose their phone and have to buy a new one.

On the other hand, if customs agents are able to access the Owner profile and find the sensitive data, we think they could be harassed more.

So we're wondering - in scenario 2, is data in the Owner profile at risk?

Would appreciate friendly general advice on how to handle this low to moderate severity risk scenario, and also clarification about the specific question above.

Thanks for reading, I have a lot of respect for the community here.

Lilac6044

science To be honest, if getting a second device is out of the question, I would suggest backing up as much data as he can. That way they can wipe the phone, happily hand the device to the border agent with the password, and then back the device back up after.

natoal

science

If they've imaged it, it's safe to assume that it will get cracked. One month, two months... All OSes have vulnerabilities and they get revealed over time. I believe this is common sense but please delete my post if it's wrong. Also, using GOS might put a spotlight on you because most people use stock or manufacturer OS. The officers will find it suspicious. But even a 6 digit pin should be enough to wipe the phone after 20 attempts if the officers are dumb enough to try brute-forcing it rather than using whatever magic wand they got from their intelligence branch

de0u

science It is arguably prudent to discuss this with an attorney who is qualified to practice law in the relevant jurisdiction.

dc32f0cfe84def651e0e

science In my country border guards can demand that travelers give their phone password at customs. Refusing could result in the device being permanently confiscated and subjected to full file extraction with Cellebrite.

Don't travel to such locations then.

de0u

natoal But even a 6 digit pin should be enough to wipe the phone after 20 attempts if the officers are dumb enough to try brute-forcing it rather than using whatever magic wand they got from their intelligence branch

I don't believe "wipe after 20 attempts" is a Pixel feature or a GrapheneOS feature.

grayway2

de0u it's a feature from Samsung but I imagine cellebrite laughing right now.

I believe that if it's tied with the titan M2, it could be enough secure and very hard to bypassed. But from my understanding only Google can do something by changing the firmware of pixels.

I suggest OP to create a duress password and entering it when they will ask him to unlock the phone. No data, no reason to keep the phone and mistakes happen. I also suggest to keep the phone in bfu (rebooted but not unlocked) then only after entering the duress password. Customs often asks travellers to power on their devices.

de0u

grayway2 it's a feature from Samsung but I imagine cellebrite laughing right now.

I can imagine it being a non-Pixel feature, but, as you mention, empirically it doesn't seem to protect data very well. So I don't think the other poster's advice above is a good match for this audience.

grayway2 I suggest OP to create a duress password and entering it when they will ask him to unlock the phone. No data, no reason to keep the phone and mistakes happen.

It is arguably prudent to discuss this with an attorney who is qualified to practice law in the relevant jurisdiction.

natoal

Using a duress password is just asking for trouble. They will not be happy about you wiping it under their noses

natoal

dc32f0cfe84def651e0e

Are you asking him to not travel to his own country?

area51

science My friend is not very tech literate, and not a "hardcore" privacy person. It would be very difficult to convince them to adopt a 2nd phone, remove all sensitive info from their Owner profile, or change their Owner profile password to a long diceware passphrase for this upcoming trip.

So, if "they" don't want to help themselves, they must accept the consequences of inaction, when the phone is not in their possession any longer, but held by a border official, or they can act before that doomsday scenario, by removing and backing up said info. That's their options, yes GrapheneOS is secure, but with confidential info on the phone and it being seized, how long do you sit in a cell before agreeing to hand the password over!

LeslieFH

If you want to hide profiles with personal data from snooping, then the main profile should be the "decoy" one (just fill it with multiple casual games like Candy Crush and say you don't do social media and prefer gaming :-)), and keep your apps and data on a secondary profile, before going through customs switch off multiple profiles in settings.

It is possible for the customs agents to find this setting, enable it and try to log into other profiles, but it is much less probable than seeing the option to switch session if you give them the unlocked phone with a secondary profile active.

The only foolproof way, however, is to backup the phone, wipe it clean, install some inocuous games and news apps, pass the customs and then restore from backup. For highest level of security I'd restore stock Pixel OS before travelling through customs and then flash Graphene back after getting to my destination.