LE returned my device and I'm not sure if I can open it or not.

paps

Hi All,

I recently had issues with law enforcement and, after being in custody for about three months, I asked them to return my SIM card, as I’d likely get it back anyway, and it’s useless to them. It’s a company SIM I use for work, which is why I need a physical SIM. Surprisingly, they returned all my gear, including my Pixel 7a running GrapheneOS with a strong PIN, a 4-hour reboot schedule, and other security measures. It should be secure. They claimed they’ve copied all my data, but I’m skeptical.

I’m hesitant to enter my PIN because I’m unsure if it’s possible to backdoor the GrapheneOS boot process. Could entering the PIN trigger a “rootkit” that sends it to their server, allowing them to unlock an image they may or may not have?

I’m considering opening the device offline, where there’s no data connection, to recover any salvageable data and/or wipe it, then sell it and buy a used replacement. This seems like a safe plan, but I wanted to ask if this kind of tampering is possible.

Cheers, Paps

secrec

paps I’m hesitant to enter my PIN because I’m unsure if it’s possible to backdoor the GrapheneOS boot process. Could entering the PIN trigger a “rootkit” that sends it to their server, allowing them to unlock an image they may or may not have?

If a device has been outside of your physical control, all bets are off. You should NOT enter your pin, just go straight to factory reset and probably even reinstall GrapheneOS on both slots.

Watermelon

paps I’m hesitant to enter my PIN because I’m unsure if it’s possible to backdoor the GrapheneOS boot process.

bagel afaik that kind of tampering should not be possible under normal circumstances

secrec If a device has been outside of your physical control, all bets are off. You should NOT enter your pin, just go straight to factory reset and probably even reinstall GrapheneOS

Here's my answer from last week to someone else with the same concern:

https://discuss.grapheneos.org/d/26248-leaving-bootloader-unlocked/48

Wiping your data would do nothing to secure “your” “phone”. You go into a phone shop. You buy a Pixel phone to install GrapheneOS on it. How can you know it's an authentic, untampered Pixel phone? The state confiscates your phone. They want to attack you and get all your data. They give you a device looking like your phone. How can you know it's your authentic, untampered Pixel phone?

Purchasing an authentic Pixel phone, not a counterfeit or something that has a hardware modification that spies on you, is very important. Why are you willing to “buy” a “phone” from a state attacker that you know (once they actually confiscate your phone) are trying to get your data? This makes no sense and there's absolutely nothing you can do to secure the device they give you. Throw it to the trash and buy a new one.

Nothing can be done to secure a “phone” that was “bought” from law enforcement officials that have an interest to harm the person they “sold” this “phone” to. It's not necessary for them to tamper with the original confiscated phone in any way.

It's not necessary to reinstall GrapheneOS, I'd even say that's dangerous because (what you probably mean) it involves unlocking the bootloader, which is another opportunity to install an unofficial version of GrapheneOS that's not signed by GrapheneOS's official signing keys. It's better to reboot the phone and confirm that the hash matches while keeping the bootloader locked. Even then, that's only useful assuming that the hardware is trustworthy (a wild assumption since the “phone” was “bought” from law enforcement). There can be other modifications that can't be detected, such as an independent microphone+antenna inserted into the shell of the phone, not connected to the other hardware inside it. The microphone records, the antenna transmits. Wiping data or reinstalling GrapheneOS would do nothing to secure a phone with modified hardware, and the bootloader shouldn't be unlocked if it's already locked with GrapheneOS's official verified boot key.

bagel you could verify that it's still running graphene here

The hash cannot be trusted because the hardware cannot be trusted. Using the Auditor app might be better, but is still very problematic because (among several other reasons) Auditor can't possibly detect all hardware modifications to the phone.

paps but if I'm not able to get around the issue I'm confident that wiping device and installing GOS again is safe enough to give device to someone running with stock Android

You would have to disclose that you “bought” the device from law enforcement officials instead of from a phone shop. Not disclosing this would be immoral/fraud…

girgraph

What the individual meant when they gave you the phone and said “they’ve copied all your data” probably more accurately means “forensics said they are done with it”. I could be wrong, but I’m sure that individual didn’t know any of those details. If you truly had an up-to-date version of GOS, 4 hr reboot, and a decent pin (truly random and >6 characters), I doubt they were able to extract anything worth their time.

Again, I could be wrong but afaik, commercial products are still unable to bypass the secure element throttling. Now, if your pin is based on anything in your life, then all bets are off if you are a valuable enough target.

DeletedUser622

girgraph Now, if your pin is based on anything in your life, then all bets are off if you are a valuable enough target.

A duress PIN should be based on something in your life instead.

paps

girgraph What the individual meant when they gave you the phone and said “they’ve copied all your data” probably more accurately means “forensics said they are done with it”.

This is my assumption also and actually pretty sure about it. This won't remove the the issue in worried about but if I'm not able to get around the issue I'm confident that wiping device and installing GOS again is safe enough to give device to someone running with stock Android. This would probably be huge upgrade to his/her privacy anyways.

paps

girgraph f you truly had an up-to-date version of GOS, 4 hr reboot, and a decent pin (truly random and >6 characters)

All checks out. Had PIN not less than >₂₀ Digits. All random stuff from mostly cyberpunk/SciFi stuff :D USB C only allowed anything else than for charging etc. Should be OK from that front.

Also thanks for your thoughts!

bagel

afaik that kind of tampering should not be possible under normal circumstances, and you could verify that it's still running graphene here

paps

bagel

Nice 1. Will check this immediately! Cheers!!

paps

bagel afaik that kind of tampering should not be possible under normal circumstances, and you could verify that it's still running graphene here

Hash was correct, no PIN was ever entered, device was wiped and then fresh install was given via ADB sideload before giving it to happy new owner. (also all stuff was disclosed <3)

paps

DeletedUser622

DeletedUser622 A duress PIN should be based on something in your life instead.

Had my on post-it sticker easily to be found but it obviously was never used. Shame.

de0u

paps Had PIN not less than >20 Digits. All random stuff from mostly cyberpunk/SciFi stuff :D

That's not what is meant by "truly random". "Truly random" means the result of rolling dice, flipping coins, etc. People who want to break into things collect strings that are widely published (including from books and movies) and put them into dictionaries (and also concatenate them in various arrangements).

"Truly random" is hard to remember, but it's also hard to guess.

paps

de0u collect strings that are widely published (including from books and movies) and put them into dictionaries (and also concatenate them in various arrangements).

I'd ofc have some patterns mixed with other patterns and have some truly random "spacers" between those mixed patterns. This because it's easier at least for me to remember patterns then you really need to remember start of the pattern which is what ever and you would remember the shuffled pattern. First I used muscle memory of numpad but though that it's better to remember in all and what ever cases and started using scrambled keypad for eavesdropping mitigation. :D When it rains, it pours! <3

Meatheadmarty

secrec Unless it wouldn't be that bad if they opened it up, why would you risk puttinng in your password? It could be different code that is backdoored and only looks like GOS. I would be careful. Beware of greeks and police bearing gifts. Even if the operating system is fine, have you inspected the board inside?

paps

secrec If a device has been outside of your physical control, all bets are off. You should NOT enter your pin, just go straight to factory reset and probably even reinstall GrapheneOS on both slots.

Thanks for this. I'm not totally out of my head thinking about being too cautious about the situation. I ended up wiping the device, installing GOS again and then handing it over for someone running Oneplus with stock android. Free of charge ofc.

paps

Meatheadmarty Unless it wouldn't be that bad if they opened it up, why would you risk puttinng in your password? It could be different code that is backdoored and only looks like GOS. I would be careful. Beware of greeks and police bearing gifts. Even if the operating system is fine, have you inspected the board inside?

This. I was too suspicious about them giving my phone back "just like that" ofc after keeping me in concrete cubicle for what ever months. I was like WTF dude, why the fuck you give me all this stuff back when we all know that you fucking hate the fact that all my data belongs to me and only for me and up on this date is has been so. They even drove from one city to another to bring my gear back. How nice from them. :D

mushyoffice

It depends on how much you "trust" the law enforcement. Are you a valuable enough target that they went the extra mile to design a custom solution to unlock your phone? Or did they just use an off-the-shelf system like Cellebrite to give it a try?

If you fall into the first category, I see no reason to take the risk. What if they kept your device and gave you a phone that looks exactly the same, with the same wallpaper and verified boot key, but is actually a different phone that's rigged to send the passcode you enter back to them, and unlock your phone with this information?

paps

mushyoffice What if they kept your device and gave you a phone that looks exactly the same, with the same wallpaper and verified boot key, but is actually a different phone that's rigged to send the passcode you enter back to them, and unlock your phone with this information?

Well, this is also one thing. Here you pointed out my main concern which is entering the PIN. Either just another device with original device closure on it or then same device with some rootkit installed on it, in both cases would the endgame be the same, something would send the PIN back to "home" and I'd be in new, even more weird situation which was not expected.

Sorry for not answering in chronological order but:

mushyoffice It depends on how much you "trust" the law enforcement. Are you a valuable enough target that they went the extra mile to design a custom solution to unlock your phone? Or did they just use an off-the-shelf system like Cellebrite to give it a try?

My trust is "basic" with adversaries so with these ones also. The extra mile would need to be quite lengthy if they would come with something that Cellebrite wouldn't do and then, wouldn't we see these solutions all over the globe being used every day?

Cheers and thanks for your thoughtful answer. <3

paps

Watermelon You would have to disclose that you “bought” the device from law enforcement officials instead of from a phone shop. Not disclosing this would be immoral/fraud…

Well I already went and did all this. I did disclose the surrounding enviroment around the case for the person and they were OK with it. Nothing was charged and they now have some other device that's "bought" from LE instead of using their stock android also "bought" from same dealer. Don't even ask about how bad things can go when people start to love their "camera" more than they freedom. etc. Cheers Bro <3

paps

Watermelon Here's my answer from last week to someone else with the same concern:

https://discuss.grapheneos.org/d/26248-leaving-bootloader-unlocked/48

Bit OT but why in the dog name one would want to leave the bootloader unlocked? I tried to follow the thread but didn't really find any idea why would one do such thing? Also as @GrapheneOS mentioned IIRC leaving bootloader open is not considered as full/robus/valid/proper -install.

paps

Note to self:

Interact more with GOS board as people are nice there and try to bring something to the table by your self also.