Detecting and mitigating adversarial physical access w/ known PIN

jcom

If an adversary knows your PIN and has physical access to your device while unattended, what technical approach could be used to reliably inform you after the fact that your device had been accessed?

Scenario:
Bob, a friendly and upstanding GOS user, has a soon-to-be-ex wife Alice who has hired some nasty private investigators to try to uncover Bob's undisclosed crypto assets or retrieve incriminating data from his GOS device to use against him in divorce proceedings.

Bob must occasionally leave his GOS device unattended in a not-completely-secure area for periods of ~ 30 minutes, and cannot reasonably avoid having to do so. Bob is a regular guy, and assumes that eventually Alice's unscrupulous PIs are going to get physical access to his device after having surveilled him entering his PIN, by whatever not-necessarily-legal means.

Given this scenario, Bob seeks a purely technical approach to detecting any access to his unattended device after the fact. Hindering or mitigating the impact of that access would be lovely, but Bob accepts that physical access + PIN is catastrophic and just wants to know that access potentially occurred.

So far Bob has considered powering down his device before leaving it unattended, then:

Use Tasker to send text/email on boot
- Low effort, but seems easily defeated by denying connectivity (airplane mode/faraday bag/jamming)?
Inspect permission usage in Privacy Dashboard on boot
- Any permissions guaranteed to be used at boot? IMSService using location maybe? Can those permission access entries be wiped?
Inspect logs of some kind to determine last boot
- Appears that this will need root or adb, both of which seem like a bad idea in this scenario?

Watermelon

jcom If an adversary knows your PIN and has physical access to your device while unattended, what technical approach could be used to reliably inform you after the fact that your device had been accessed?

Currently none. You're assuming that the device you return to is still the device you expect it to be physically, but with potentially tampered software/data. This assumption is unfounded. No matter what software you use on the device, it won't be able to save you from a fake device set up to mimic your real device, or from physical modifications like an independent microphone+antenna module inserted into the shell of your device, or a microphone being implanted in the room, etc. If you believe an adversary had physical access to your stuff, the correct approach in my opinion would be to throw the device to the trash and not be in the room anymore.

The GrapheneOS website says that they want attestation to also include the serial number. Since the attestation verifiably comes from an authentic Google Pixel Titan M2 chip, this could be used to know that it's the device you expect. But it won't be able to detect the antenna+microphone as I said above. And you won't be able to use it without first unlocking the device with your credentials. Actually, I don't see how it's possible for you to know that the device that sends attestation info (e.g. using the Auditor app) is the authentic device without you authenticating to it first, and then the device you're authenticating to could be a fake device proxing your authentication to your real device somewhere, and you have no idea to know it's proxying it before authenticating yourself and revealing your credentials. If you're relying on attested info that doesn't require you authenticating towards your device to see it, you're relying on info that an attacker could also access from your real device and proxy on a fake device mimicking what you expect your device to show you.

Murcielago

jcom

Given this scenario, Bob seeks a purely technical approach to detecting any access to his unattended device after the fact. Hindering or mitigating the impact of that access would be lovely, but Bob accepts that physical access + PIN is catastrophic and just wants to know that access potentially occurred.
[...]
This is less about preventing the access from occurring or safeguarding any data than it is about knowing with absolute certainty that the device wasn't accessed while left unattended, if that makes sense.

Unfortunately, I still don't quite understand why you prioritize monitoring access to your device instead of preventing it in the first place.

That's like setting up a security camera in your house to film burglars stealing your valuables instead of putting good locks on the door to prevent that from happening.

gristle-cause

GrapheneOS unique 2FA biometric login should be sufficient. Even if an adversary somehow learns the pin and has access to the device, it's inaccessible without Bob's finger

If Bob suspects he is being surveiled in an attempt to learn his pin, enabling pin scrambling may further obfuscate his login details

For good measure, maybe segment data across multiple users with different pins, so one compromised user does not expose all sensitive data

If Bob's threat model includes adversaries with the capability to steal a pin & fake his biometrics, Bob should not use a smart phone to conduct any business

jcom

gristle-cause Thanks for the reply - great ideas, Bob has switched to a primary passphrase already. However, if I am understanding the 2FA biometric login completely, it's only a secondary method and the device is still technically accessible without a fingerprint if the primary PIN/passphrase are known. Fingerprint 2FA would be almost perfect here if it was available as primary 2FA rather than secondary...

This is less about preventing the access from occurring or safeguarding any data than it is about knowing with absolute certainty that the device wasn't accessed while left unattended, if that makes sense. Hence the smartphone, easier to minimize the time it's unattended vs. a laptop/desktop.

gristle-cause

jcom if I am understanding the 2FA biometric login completely, it's only a secondary method to track logins. Nor would I be comfortable running one, as

That's right. The primary pin is your disk encryption key. Biometrics are not as secure in this use as a strong password, random 14 char+ ideally. GOS doesnt allow biometrics here

jcom This is less about preventing the access from occurring or safeguarding any data than it is about knowing with absolute certainty that the device wasn't accessed

I hear you. I'm not aware of any login tracker tools on GOS. Tbh this is not a threat model that makes sense to me. Bob should focus on ensuring the device is secure, not trying to track successful breaches

jcom the device is still technically accessible without a fingerprint if the primary PIN/passphrase are known

the primary pin only needs to be entered at first unlock, whether it be on a manual restart or when the system is automatically configured to reboot. It should be pretty straightforward to only need this once a day, in the morning, entered while in a secure space where an adversary cannot watch, thus ensuring no adversary can ever compromise it - if all else fails, go to a bathroom stall

At the end of the day, if Bob has access to no secure spaces in his life, and is targeted by a adversary to such a degree that his threat model must assume every pin is/will be compromised, GOS cannot be secured; he falls under a category of high-risk user that should not store data on a smart phone

Murcielago

jcom

This is less about preventing the access from occurring or safeguarding any data than it is about knowing with absolute certainty that the device wasn't accessed while left unattended, if that makes sense.

Is it possible to setup a hidden camera to detect / rule out device access?

de0u

gristle-cause It should be pretty straightforward to only need this once a day, in the morning, entered while in a secure space - if all else fails, go to a bathroom stall

I think in Citizenfour Edward Snowden entered an unlock key into a laptop by putting a blanket over his head.

gristle-cause

de0u you've made my core point here in 20 words or less, nice

If this hypothetical threat model is more unforgiving than Edward Snowden's, Bob either needs to reassess his threat model, his life choices, or throw out anything with a transistor & move into the woods

jcom

Bob LOLs and begrudgingly admits that the two of you are making a pretty decent point here. Bob resolves in the new year to learn to develop Android applications in order to create a tamper-proof cryptographically signed boot log application that will sell probably dozens of copies.

de0u

jcom Bob resolves in the new year to learn to develop Android applications in order to create a tamper-proof cryptographically signed boot log application that will sell probably dozens of copies.

Auditor might be a good place to look for inspiration.

Also, now that there are lock-screen widgets, perhaps a widget displaying uptime (which the system already tracks) might be of interest.

jcom

Watermelon Excellent points that I hadn't considered, thank you, appreciate the post.

DeletedUser622

Watermelon You're assuming that the device you return to is still the device you expect it to be physically, but with potentially tampered software/data. This assumption is unfounded.

Can be another smartphone of the same model.

Watermelon

jcom I think there's a very doubtable chance it might be possible to unlock the device securely if you take it and enter a faraday cage, unlock it there, and use the Auditor app and it passes the verification (this requires your real phone to already be paired in Auditor). Even if the device could be a fake one that'd unlock without caring what credential you actually put into it, your real phone with the Auditor app would not pass attestation without being unlocked for running the Auditor app, and proxying from the device you're holding to your real phone should(?) be impossible: only after both unlocking and passing verification with Auditor, you'd have proof that your real phone is present with you in the faraday cage. It still doesn't rule out physical tampering, and I'm not a wireless radio expert. And if unlocking or the attestation fails, you'd have to disintegrate the device within the faraday cage so it won't transmit your unlock credential when you take it outside.

AcclaimSublevel19

I think Haven is a great choice for this problem. Even if you can't prevent unauthorized access, it can enable you to be aware of it and take necessary precautions.

Of course, I'm assuming that the attacker has the capability to compromise the phone if they have physical access. If your scenario enables you to take precautions like choosing a stronger password, using a duress PIN, disabling the USB port, etc. you should absolutely do so.

By the way, making electronics tamper evident is probably easier at the hardware level. I think you may find this guide interesting: https://www.anarsec.guide/posts/tamper

jcom

AcclaimSublevel19 Fantastic links, thank you! Haven comes as close to solving the original problem with software as I think one can realistically get. There are certainly ways it could be defeated, but it definitely raises the level of effort to do so substantially. The tamper protection stuff is great as well, that entire site looks to be an excellent rabbit hole to go down. Thanks a lot for the post.

MetropleX

AcclaimSublevel19 Haven was last updated in 2021 and is effectively abandonware.

Like Hardware Kill Switches this approach is literally closing the door after the horse has bolted.

Bob would be best doing practical things such as factory resetting or changing his pin. If they have access to it just consider it exploited and be sure to remove sensitive data before it is left.

Don't be like Bob or use some deprecated panacea is the best advice.

AcclaimSublevel19

I'm glad you found it useful! By the way that site is where I first learned about GrapheneOS 😁

jcom

Murcielago Bob doesn't totally control the space where the device must be left unattended unfortunately, it's not a place where he could set up and secure a camera.

Murcielago A better metaphor: You think your wife may try to poison you with arsenic. You could take the coffeemaker to bed and sleep with your arm around it. You could throw out all coffee and never drink it again. Or, you could test the mug you're about to drink each morning for arsenic so you know it hasn't been adulterated. That's basically the objective

Watermelon

DeletedUser622 another smartphone of the same model

That would be one kind of a “fake device” as I called it.

name22222

jcom

I am not a software engineer in any way, but isn't there surely some kind of available "rootkit" I have come to be informed of that would allow you to send any kind of signal anywhere based on any kind of event (such as access)?

I sadly can't tell bob that there's a trusted rootkit for him to download to his phone. Perhaps Bob could buy an identical phone and do it on that. That would cost a lot of money though.