Phone examination and plausible deniability

de0u

23Sha-ger When I think about an actual scenario of when you actually need to use it - i.e. under severe physical/psychological pressure, the best thing would be a dummy profile that opens with the "dummy" PIN, w/ or w/o wiping the main profile in the background. But a "working" phone state (for me) is a key part of the "duress" thing.

It depends on the threat model.

The "dummy profile" approach will work well if the adversary is, well, toward the "dummy" end of the sophistication scale. If somebody threatens you, demands your phone, demands an unlock code, and then runs away, a dummy profile may work fine. But if you are dealing with an adversary of even mild sophistication, the dummy-profile situation will be easy to detect (e.g., the device's free storage will be much smaller than it should be given the files that are visible in the dummy profile).

My sense is that the GrapheneOS developers prefer to focus on powerful (e.g., cryptographically strong) resistance to powerful attackers. That's not to say there's no room for a dummy-profile feature, but I'm not surprised that the first thing shipped was the "it's wiped for sure" version.

intron

de0u

I'd say you're 100% right.

Data at rest is personally always my concern as you never know how long a copy if it could be in the hands of someone else if taken legally or not.
The first/only stand alone post i've made here was about the basic concept of using a yubikey for initial decryption (based on the work in progress implementation to use a long passphrase)
Keys like the Yubi (not cheapest ones) are modern day HSM's - used as an actual smart card - you can not extract the private key, which is by default protected with a pin or pass and x attempts)
Given api improvements for such a use case, it's more realistic than it has ever been etc.

Though not sure i wrote it well, don't think anyone noticed it lol

Explorer666

de0u

Any security firm half-worth their salt works with threat scenarios and then different solutions for each scenario, there's no "one solution fits all" approach.
as intron mentioned, it’s all tools and the presence of hidden files may do more harm in one situation while it would be perfectly safe in another.
For example, it would be total over reaction to wipe your phone if your co-worker wants to borrow your phone to call his wife as his battery died on him...lol
on the other hand, you can have different profiles/pin that can be used in different situations...and the level of expertise of your adversary...

a) under attack or being raided? Pin 1 – total wipe, no trace left…. ideally don’t let them connect the phone to you….

b) street robbery? pin 2 - lets them land on a dummy profile, may save your life while everything else gets wiped in the background. Specially if you have a small, limited bank account in it to “buy your life” if required. Pin 2 also sets the phone in alarm mode, transmitting GPS, photos etc…

c) travelling and TSA inspects your phone? Pin 3 – “silent” dummy profile while deleting everything else… just in case in their country crypto is outlawed. Even if they are more sophisticated as the data is deleted there is nothing to see for them… and they won’t arrest you for having used crypto back home as long as you don’t bring it along…

d) nosy GF? Co-worker making a call? Pin 4 – nothing to see here. Keeps your data intact

make pin 1 the easiest to be triggered by brute force as well as keeping it on a paper as suggested by Bullion. (I actually do that ever since phones have a “kill code”)

in situations b and c you would become even more suspicious with a wiped phone and data forensics may be able to recover the data anyway… besides TSA inspects hundreds of phones per day and don’t have time to go into detail unless you act suspicious….

Anyway, it would be cool to have the option – how and when you apply which of the codes is then up to you….

Explorer666

further to my previous post, for most scenarios there are available tools ready...
for scenario a) GOS duress code
For scenario c) Ripple
For scenario d) Shelter

It's really just the scenario b) that has no ready available tool to protect against a sufficiently sophisticated robber/kidnapper and depending on where you are those scenarios are more likely to occur than for example c)...

intron

Explorer666

I do very much agree with you..

There's just a couple factors though -

Scenario B is one of only 2 situations I deem as 'critical',
Eg; Your life or the life of someone you know, is on the line in either 2, be it direct threat or of a legal nature, also done either illegally or not (neither is also worse than the other in this situation because it depends very much on the situation itself - the term 'waterboarding' is synonymous with the US.. and being done legally.. interestingly also not even viewed in a directly 'life threatening' way (the irony of which, is not lost on me..)

If you are in a situation where people unaffiliated with any 'state' are trying to gain access to your phone, your bank accounts (which have separate authentication inherently) - what they are doing is possibly one of the most serious crimes possible - anywhere..
They wont follow any sense of ethics or morality - a duress pin in that context, well, it's already a 'damned if you do, damned if you dont'..
Interestingly, that exactly sentiment applies to the 'state' version - at that level, people engaging in that 'dont exist' - nor would you - ethics and morality also goes out the window.. However, that specific adversary, absolutely would be prepared for a duress pin/failsafe - even if you dont have one or even anything to hide, it's already 'assumed' you do..

There is also a debate that can be made about, the more Pins - actually has a huge negative impact and infact creates a new attack surface, with it increasingly by it's own magnitude per one.. It starts after 2 also, as in a real and a duress, zero attack surface for this context..
Pin #3. automagically becomes 3 fold of that, from the moment that 3rd exists..
I'm definitely not sure i've worded this properly - it's a bit tricky to explain..

intron

Side note with that;

The first thing i do, also possibly only setting i change upon installation of any banking/financial app - is the 'quick view' or whatever name(s) organisations use..

It doesn't matter to me if the value is consistently $0 or higher - I just cant have that turned on (usually is by default) - it conflicts with myself personally as it is not common sense or logical
(could also be considered a 'lazy' feature - it's not hard to login, and if you have a lot of funds and increased levels of security to login, then why would you want that info displayed without needing any of those to be met? *facepalms)

Explorer666

intron

well yeah, you defo don't want to end up in the hospitality of "non-existing" agents... that's also less of my concern as you would have to do something first to pop up on their screen - and once you do, no grapheneOS and no system wipe can safe you... The phone goes to data forensics while you "enjoy" the SPA treatment....

On the other hand, in case of non-state-related incidents, the worst option is to give a wiped phone with black screen... the second worst to give them access to all you life savings... in most circumstances their adrenaline is just as much through the roof as yours - for other reasons... and as long as you hand them a working phone and are able to withdraw a few 100$ most situations are resolved...
(there may be even worse scenarios, but in those your phone usually plays little to no role, except that they will get rid of it ASAP to avoid tracking)
I used to travel a lot and explore in my younger years, even the shady sides of towns. Back then smartphones didn't even exist yet and few people had heavy, bulky Motorolas... was robbed at gunpoint twice and knowing that I was going to a potentially unsafe place I carried a secondary wallet containing just a small amount but no cards or IDs as those are a pain in the rear to replace.... in both instances they took the "dummy"-wallet, saw that it has a little bit something inside and ran off... so maybe a secondary phone to hand over in such a situation would be the better option? as I said, having access to a small bank account that acts as a life saver may be a beneficial strategy if forced at gunpoint to withdraw money...
If afraid of detection of the "real" phone either leave that at home to begin with (always be aware of where you are going) and if that is REALLY not an option, well, that's the situation where the "wipe all except for this dummy profile" would come in super handy.

Explorer666

intron

as for the last part - I haven't heard about that theory, but the whole point of threat scenarios is to factor in what the likelihood of such event is, and IF it happens, what is the potential gravity of consequences (aside from desirable/undesirable outcome of course)
Everything has its trade-offs so I would take the risk of a potentially increased vulnerability to hacking over a negative outcome in a life-threatening situation any time of the day in a heartbeat... lol... but that's just me 😉

Explorer666

intron

That's all at least on 2FA with no pop-up alarms or quick view etc enabled what so ever... it's common sense, but I reckon it's not THAT common anymore these days.... 🙄

intron

Explorer666

You may be surprised..

Tbh, i've never setup a a new device nor after a reset of existing, via a copy/transfer/or even from backups..
It's always done from scratch, and data is populated as required (even contacts) (only exception would be anything stored on imap(mail), but given the very nature of that, it would fall in its own category for several reasons anyway)

Every financial app i've used had a 'quick view' enabled as default - some were persistent settings attributed to the profile on their end (so would replicate across installs), most are not though (some quick views also arnt as obvious as others, still accessible though).

Re the 'attack surface' more just using that term due to it usage in this very place, ie; by GOS devs in the docs, and on this forum - it is a term i personally have a great appreciation for also..
It's an ingenious way to refer to issues and/or implications of implementations, that is only limited by the readers perception and/or understanding.
(I'm feeling incredibly arrogant right now wording it that way, just not sure how to for that direct part)

It sort of ties in with earlier re 'tools', 'extent', etc

In the context of cryptography and security - everything that has any link in any form to the implementation, falls under the overall 'attack surface' -
The exact same as the concept of something is; "only as strong as its weakest link'"

Vulnerabilities or their potential to exist can not be attributed or limited to any specific or single general area, eg; be it with a device, programming related, or degree and variance of implementation(largest array possible as its also based on amount of users and the fact we are all unique, have our own style and wants/needs/changes we make/never ending list..)

Obviously, the line has to be drawn somewhere and that 'endless array', is well out of the scope, but does have a degree of 'predictability, and 'realism', eg; the very topic(s) we are talking about and defining along with their relevance ugh this is tricky to explain lol..

Cryptography as a whole needs to always still have the realistic view there of what it is; Theoretical.. No this isn't a constant, nor should be broken down to such a simple word - for the sake of trying to explain in this context though, it is.
Eg; Look at a brute force - for 'realistic' reasons we default to the 50% rule, as in, however long and how much it costs to run through x combinations upto and including y length and complexity(entropy) we get z - we halve that because it's 'realistic' it could be found in the first half of iterations performed / 'first half of the potential time/cost'
However it's not unrealistic that it could be in the 90% of iterations done, or even the first 10% (..yea)

'Attack surface' when applied to real world use case, potential implications and severity of (which is a vast spectrum) - The further something deviates and expands from its most basic realistic implementation, the attack space there also travels parallel to it, eg also increasing..

Willl stop here - have a feeling this is way too long - hopefully this might help explain.. or possibly make it more confusing lol :(
(the joys of being audhd lol)

intron

23Sha-ger

"123456" is very clever for multiple reasons :)

in an automated or someone manually entering context, it's very probable early on, and at all for the latter
the scrambled keypad would only further increase the likelihood of a human to try that - from a psychological perspective, anyone attempting it manually period, doesn't have any notion to your intelligence (or their underestimation of) which only makes it more plausible to those types to attempt.
its also very unlikely for that sequence to be entered in any 'accidental' way - (probability of structure etc etc)
it removes the need of a 'planted' code somewhere
it also removes to a huge extent the possibility for yourself to be accused of 'tampering with evidence' - which is difficult to argue in the 'planted' scenario, though still likely to happen (situation dependent of course)

intron

A possible way to increase with a plausible plant;

write something like 12--6 or something similar

It seems silly to do that - 'who would need that to remember 123456' -- however..

Personally, have always gone by the concepts;

'overkill is underrated'
'never underestimate anything or anyone'
'hope for the best, plan for the worst'

To this day, am still also astounded at how many people don't adhere to any of that - in fact the complete opposite..
Especially in situations of 'perceived power'
(obviously those types are drawn to that, it's why it seems like you find so many of them in those industries lol)

Explorer666

intron

as the old joke goes... my PW is 1234.... writes 2444....lol

Explorer666

intron

you mean "never underestimate anything or anyone, specially not human stupidity" ? Wasn't that Einstein who allegedly said "two things are infinite - the universe and human stupidity, but not entirely sure about the former..."?

Hope for the best but prepare for the worst, for what CAN go wrong WILL go wrong (Murphy's laws)

okay, "overkill is underrated" is new but noted, I defo have good use for this one... lol

write 123456 on a paper, laminate and keep inside the phone case... AFTER "they" used it.... "oh why the hell would you do that? that's the reset code.... do you really think I would need to write down my pin?" lol

but back to the discussion of plausible deniability and "dummy profiles" which wipe everything else....
the corresponding threat scenario ranks in certain places as "not unlikely" and the implications as "very severe"
(and no, that does not involve any state-backed or law enforcement activity as THEY can undo the wipe which lands you in even more trouble)

could be that duress profile boots from another partition and formats the other partitions in the background or something like that... really just throwing stuff on the wall here and see if anything sticks....

So if anyone knows of a viable solution and knows what sticks, please answer here or on GrapheneOS Discord (same nick)

Thanks a bunch

« Previous Page