Does the duress function make the deleted data inaccessible to Cellebrite?

benzo301

So I'm curious about whether I should just restart my phone when I have the funny blue guys at my door so it goes into BFU state (and from what I've seen Cellebrite can't crack that), OR i should just type the duress quickly.

My concern regarding this post is how safe that deleted data would be, as I've seen their tools extract a lot of "deleted" stuff from phones, and the main question is what does GOS actually do in this case of using the duress passwd? Does it just encrypt that data until it is overwritten or does it actually overwrite all that data so it would actually be inaccessible(like Extirpater)?

de0u

benzo301 So I'm curious about whether I should just restart my phone when I have the funny blue guys at my door so it goes into BFU state (and from what I've seen Cellebrite can't crack that), OR i should just type the duress quickly.

For legal advice it would be best to consult an attorney qualified to practice in your jurisdiction.

benzo301 My concern regarding this post is how safe that deleted data would be, as I've seen their tools extract a lot of "deleted" stuff from phones, and the main question is what does GOS actually do in this case of using the duress passwd? Does it just encrypt that data until it is overwritten or does it actually overwrite all that data so it would actually be inaccessible(like Extirpater)?

There is no known way to retrieve data encrypted by GrapheneOS once the encryption keys are wiped. Wiping the encryption keys makes the data "actually inaccessible".

benzo301

de0u thanks for explaining, and sorry for my wording, english is not my main language and activism has some unwanted implications here, that's why I mentioned this example specifically.

So it's safer to use the duress rather than their tools being used on the phone in the BFU state? I've seen the Cellebrite leaks about graphene but changes could have occurred lately.

thmf

benzo301 In short it goes roughly like this: user data on your phone is encrypted with a key (simplifying a bit), this key sits in a separate security chip which works independently from the main OS.
When your phone just booted it's in BFU state (before first unlock), meaning the data wasn't decrypted just yet, so it's safe unless someone has an exploit for the security chip (currently no such exploit is publicly known). If you don't trust the security chip you could use a long random password.
What happens when you use duress wipe is the OS just deletes the key from the security chip immediately rendering all your data unreadable, because now it's not possible to decrypt it. There's no data erasing or overwriting involved as it would be a very lengthy process and could be easily stopped with a simple reboot.
So, both BFU and duress wipe are safe, but duress wipe is safer.

Edit: @gristle-cause was faster :)

gristle-cause

Functionally, no difference. So long as youve followed GOS config guidance (locked bootloader, no developer mode, etc), there is no known vulnerability that may allow an adversary to 'crack' a GOS device in BFU state, nor is there any way to recover data after a secure wipe has been triggered from duress. In either case, your data is secure

If we depart from documented evidence and approach paranoia, you could argue that unknown future vulnerability may render your particular GOS device vulnerable, in which case a duress wipe would be more secure. On the other hand, in some legal jurisdictions, this action could be prosecuted as destruction of evidence

benzo301

gristle-cause
thmf

Thank you a lot good people, especially for making it easier to understand!

And most of all we should all thank the GOS devs for doing all of this. Also I'm sorry but really don't know what you talk about attorneys and jurisdiction, i don't understant USA law. In Russia the only real law is the state, so I'm doing everything in my power to stay as private as possible. The only thing that also applies here from US is "Everything will be used against you"😂

gristle-cause

thmf Edit: @gristle-cause was faster :)

You explained how the encryption works, I just told OP to 'trust me bro', tortoise wins the race :P

MotherShipton

I think for completeness, it should be mentioned about the '$5 wrench' method of accessing the data on your phone. Depending on where you are and who you are facing, your phone can potentially be unlocked from BFU state by a person who threatens you with physical violence if you do not give them your access code - no fancy software tools required, only a weapon such as the aforementioned $5 dollar wrench.

If this is a realistic scenario in your location, then the duress password gives you certainty that your data will not be accessed.

benzo301

MotherShipton Yeah but I was talking about feds at my door not some crackhead with a weapon, i think this might be a US or west EU problem mostly😂