  • Phone examination and plausible deniability

So there is a GitHub project that was published as a proof of concept in 2021:
https://github.com/williamtheaker/lockup

This tool was proof that forensic tools that extract data could easily be detected, and that you could design apps to deploy countermeasures against the forensic tools. Signal did something similar in their Cellebrite POC (https://www.signal.org/blog/cellebrite-vulnerabilities/), when they corrupted the result of the extraction to make the produced report useless.

Would this be something you could see in GrapheneOS, bundled with the dummy password idea? It is clear that some of the methods are naive in nature and might not work, but it would be good for when you have to give the password.

I read on the website that these types of features would not be included, as if it were a feature of gOS then the OS would become known for it. But the 'lockup' app, for example, has plausible deniability that also has the ability to mitigate any data extraction attempts, meaning it is not possible to extract data even with the password of the phone. It stops the extraction of data because it can be detected by the app. Are there any other apps that do this?

    This is absolutely brilliant! The brief video on the Signal website is like "infosec p0rn" and gave me a huge smile. It doesn't really surprise me that Cellebrite contains bad code, and it would be simply AWFUL if random files that could corrupt their product were available to the public 😎. Gosh, I bet someone would even pay some of that evil fake money crypto stuff on ... what do they call it ... garlic sites ... leek sites ... no, wait, I remember: ONION SITES 😂🤗

    My reading of the article, especially the final paragraph, suggests that such files can simply be uploaded & nothing needs to be done. All is well until SOMEBODY tries to use Cellebrite to image the device, then they begin to have a BAD DAY.

    I cannot stop smiling about this

    One of the funniest things I have read in years.

    I can only imagine the consternation.

    Bravo, Signal!

    Most anti-forensic mechanisms like these are redundant since GrapheneOS cannot be extracted by the tools by you just refusing to co-operate. Although while your phone is seized that also means your phone isn't being updated, which can open up security issues in the future.

    riskingpilot99 Would this be something you could see in GrapheneOS, bundled with the dummy password idea?

    A dummy password is the most effective method but it is only best in certain scenarios, just as long as they don't know it is possible for this functionality to be there.

    riskingpilot99 I read on the website that these types of features would not be included, as if it were a feature of gOS then the OS would become known for it.

    The reason GrapheneOS is against combatting Cellebrite with exploits or detection mechanisms is because they can easily be averted, and applications like Lockup are only effective when they aren't known by forensic investigators. If GrapheneOS was known to have anti-forensic mechanisms then investigators would simply just never plug the device in. Cellebrite sell a mounted camera to record the device's screen so the investigator can browse the phone manually where automated tools can't work. If GrapheneOS became known for having this then they would ALWAYS use the camera, essentially missing the whole purpose of the exploits/apps and making them useless.

    Cellebrite also patch security issues or anti-forensic scenarios, the RCE by Signal was patched and the LockUp application is not fully capable, the original author of LockUp also cooperated and gave responsible disclosure to Cellebrite for UFED security issues. It's very likely they know about LockUp already.

    https://cellebrite.com/wp-content/uploads/2020/03/ReleaseNotes_UFED_7.30_A4.pdf (Page 3 - Web archive doesn't work, also blocks VPNs)
    https://korelogic.com/Resources/Advisories/KL-001-2020-001.txt

    I also did some of my own looking up about the original blog post referenced in the app and saw that the Cellebrite UFED they performed this exploit on is quite old, even for the blog release date. UFED devices don't run Windows XP but rather Windows 10, and the UI is also very old. I assumed correctly that the exploitation of the UFED was already fixed in a newer version:

    https://korelogic.com/Resources/Advisories/KL-001-2020-002.txt

    Cellebrite could very likely patch or change behaviours of the UFED to overcome the app if this was a problem. If there is a likely chance it still works then all it would need is to ruin one case and they'd change it to overcome it.

    riskingpilot99 But the 'lockup' app, for example, has plausible deniability that also has the ability to mitigate any data extraction attempts, meaning it is not possible to extract data even with the password of the phone. It stops the extraction of data because it can be detected by the app. Are there any other apps that do this?

    Some other apps like Wasted can perform a factory reset when connected to any USB device, although they aren't really directly targeted toward forensic toolkits since they will reset on any USB device being plugged in. This can be better than LockUp in some ways but is also extremely risky.

    I wouldn't really consider LockUp plausibly deniable, when these apps perform the factory reset the Android OS says a factory reset is about to occur. Yes you hide what is incriminating, however they would have evidence the device had a killswitch and they'd try and use that against you. Plausibly deniable systems are meant to deny knowledge of anything incriminating. Depending on the country they could just get you for tampering.

      Blastoidea GrapheneOS is still resistant to forensics, which is the important part. Unless you had your PINs known or caught on camera then you're fine. The camera scenario is something a duress password wouldn't fix, and neither is getting your device seized, becoming more insecure over time...

      final

      If investigators never plug the phone in because they are scared of the anti-forensic features this is probably a win in most threat models. A manual extraction of the phone has a lot less info than a filesystem or logical extraction.

      I know the camera you talk about, that comes with UFED. The UFED also has screenshot of phone capability, but it is much better for manual examination than full phone download. Full phone download includes deleted files and cache data etc. Manual examination of phone is much more difficult and harder to investigate, only user visible items can be looked at.

      Plausible deniability is my mistake, I know it shows the phone is erasing. But the erase feature is still useful, no? It may be better for someone to erase a phone than have it accessed. Also, in many countries there are key disclosure laws, it may be better to erase the phone than to disclose the key in some situations?

      I would like to see antiforensic features implemented as it is very good at making gOS be tamper resistant.

      Can you think of any way I can achieve this? My country uses the software and even crossing borders can mean they download your phone. I would much like and prefer forensic corruption, even phone wipe.

        riskingpilot99 In terms of extraction mode, the manual way can be more than logical in some cases since Logical is just operating system files while manual can let them open apps and view the contents of apps which is only really possible in Filesystem. Some apps that encrypt the application data like Cryptocurrency wallets or messaging apps pretty much require you to extract manually. It's kind of in the middle ground. The UFED screenshot mode is sort of flawed, since if the app blocks screenshots it also doesn't work, it captures exactly like the OS does. Big issue with manual is the heavy risk it takes to undergo doing it.

        The erase feature is useful in some scenarios like I have said, which is why GOS wants to add in the future. You also could in practice use the PIN before something happens for a fast erase or to trick whoever seizes. The erasure is definitely effective but incriminating so it's a tradeoff on if erasing is worth it.

        For the plausible deniability you could theoretically design the OS to have two 'owner' profiles to choose from a boot and select via the PIN you enter, but I honestly can't assure if this is even viable since there would probably be ways to figure out it existed. I think it would also be too much work. It would also kind of be like 'profiles in profiles in profiles' in terms of OS architecture which seems like a flawed design. The user profiles may help, by having an entirely empty Owner profile and everything stored in separate user profiles since they are isolated. Can delete a profile or act like you forgot how to get in one of them etc.

        GrapheneOS also planned a Virtual Machine manager app: https://nitter.net/GrapheneOS/status/1678594436924600325#m - this could be used? Probably won't be made for a while.

        File encryption applications? Disposable users? I'm not so sure of anything else

          final

          This is very interesting. Thank you for taking a lot of time to write this.

          Obviously as you will know very well, software like VeraCrypt has deniable password in it, but I do not know how graphene would add this to mobile OS. The volume mounted would still be viable and it would be not plausible to deny the existence of second volume? Would only work for pre boot authentication. I think it is not like VeraCrypt where existence of second volume is impossible to prove.

          Again, I think that a separate download app that is antiforensics could be useful. Is this even possible? Especially for countries where you must disclose the passcode. I do not see any apps that do this other than lockup. Lots of people who use it are very under trained, so they likely do not even realise that antiforensics is in play. It would be great if people think that they caused the erase because of corruption in their software? I would think anti forensics could have many many use cases.

          What do you think of lockup? Is it just proof of concept? The code on GitHub does not seem like it actually does a lot.

          Thank you very much

            Threads like this make me realize that no matter how much we love to bitch about it, I am eternally grateful that I was born in and live in the US.

              Blastoidea every US Citizen just collectively sighed a breath of content.... begrudgingly

              final
              Wait. What about a feature that erases all secondary profiles? No phone reset, no warning, no nothing. And the phone is still working, so it should help with plausible deniability, no?

                I am mentioning opinion and anecdotes here, just a forewarning.

                riskingpilot99 Like my previous comments, I said that you can't really assure the viability of such a setup. Plausible deniability (while good at hiding evidence) sadly isn't very feasible in hiding itself, since there are some ways to figure out the existence of a deniable setup with physical access and good equipment. The device would have to be essentially tamper-resistant or have a destruction mechanism which is not just rare, but undesirable for some people. I imagine it could be harder to perform on a mobile device since you'd need to chip-off/get physical access to the logic board instead of just unplugging a hard drive. But, that possibility always remains.

                For plausible deniability to really be effective, the OS would have to look completely identical to every other setup of the same OS when it comes to forensic artefacts. This often isn't the case, even if they don't show evidence they may show signs. At that point it is just deniable, rather than plausibly deniable.

                For example, you can figure out VeraCrypt plausible deniability setups by calculating entropy of the disk: https://www.researchgate.net/publication/318155607_Defeating_Plausible_Deniability_of_VeraCrypt_Hidden_Operating_Systems (and tools support hidden volumes: https://github.com/4144414D/pytruecrypt). If you have physical access to the Disk then for the most part that's all you would need.

                CryptSetup/LUKS make some good discussion about plausible deniability encryption effectiveness: https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions#5-security-aspects (See 5.18, the headers are not good on this article)

                And also Bruce Schneier: https://www.schneier.com/academic/paperfiles/paper-truecrypt-dfs.pdf

                There'd still be no evidence to collect since everything is encrypted and wouldn't be cracked if you didn't set it up stupidly. Same goes for GrapheneOS. Overall would be better to have an amnestic, immutable operating system or environment (TAILS, a disposable VM, amnestic profile, etc.) that doesn't save any data. The plausible deniability setups are suitable if you aren't accounting for threats with very in-depth forensics knowledge.

                A singular application like LockUp seems good on paper but like I previously said, investigators could easily just keep a spare phone to keep installing apps like this on to see what causes the app to trigger and then mitigate it from happening. A total solution like erasure on USB would work better but if something like that was an OS feature, they'd never plug the device in to bypass that. The entire system would need to be anti-forensic rather than just one application. From my experience I have found Windows Hyper-V Encrypted VMs/Application Guard instances, Qubes DispVMs, and TAILS to have little to no artefacts even if access to the operating system(s) were possible. I argue that could be more plausibly deniable than any disk encryption feature.

                LockUp is a Proof-of-Concept and hasn't been updated, it was made by a KoreLogic employee to make a POC detector for Cellebrite after they performed attacks on the UFED that they disclosed. I personally don't think it could be viable. Cellebrite would have probably fixed it, or if not, they could very easily. I'll probably give it a try and see for myself.

                Hb1hf
                Erasing your secondary profile or even a possible amnestic profile feature would be deniable. Keeping stuff in a secondary profile and erasing it would make it unable to be recovered completely. Much better reaching plausible deniability with this in my opinion. I think it would help.
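
The entropy measurement mentioned in the post above, as an added illustration that is not part of the thread, the linked paper or any tool named here: it scores each block of a constructed disk image by Shannon entropy and reports runs of random-looking data in space that a constructed allocation map marks as free. The image layout, block size and 7.5 bits/byte threshold are assumptions; high entropy only shows that data looks random (ciphertext, compressed media and a random wipe all score the same).

```python
import math
import random
from collections import Counter

BLOCK = 4096      # assumed block size for this illustration
THRESHOLD = 7.5   # bits per byte; assumed cut-off for "looks random"


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def high_entropy_extents(image, allocated, block_size=BLOCK, threshold=THRESHOLD):
    """Return (first_block, last_block) runs of unallocated, random-looking blocks."""
    extents, start = [], None
    total = len(image) // block_size
    for i in range(total):
        block = image[i * block_size:(i + 1) * block_size]
        hit = i not in allocated and shannon_entropy(block) >= threshold
        if hit and start is None:
            start = i                       # a new run begins here
        elif not hit and start is not None:
            extents.append((start, i - 1))  # the run ended on the previous block
            start = None
    if start is not None:
        extents.append((start, total - 1))
    return extents


def build_sample_image():
    """Constructed image: 8 blocks of text, 8 zeroed, 16 random, 8 zeroed."""
    rng = random.Random(2021)  # fixed seed so the sample is reproducible
    text = (b"meeting notes, shopping list, holiday photos index\n" * 700)[:8 * BLOCK]
    noise = bytes(rng.getrandbits(8) for _ in range(16 * BLOCK))
    image = text + bytes(8 * BLOCK) + noise + bytes(8 * BLOCK)
    allocated = set(range(8))  # constructed allocation map: only the text is "in use"
    return image, allocated


IMAGE, ALLOCATED = build_sample_image()
EXTENTS = high_entropy_extents(IMAGE, ALLOCATED)

if __name__ == "__main__":
    for first, last in EXTENTS:
        size_kib = (last - first + 1) * BLOCK // 1024
        print(f"free blocks {first}-{last}: {size_kib} KiB of random-looking data")
```

The zeroed free space scores 0 and the text about 4 bits per byte, so the only extent reported is the 64 KiB random region, which is exactly the kind of area an examiner cannot tell apart from an encrypted container.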

                  This is the relevant issue that seems to be the best solution to the duress / panic pin / plausible deniability problem.

                  https://github.com/x13a/Wasted/issues/37

                  This should be combined with a regular backup solution like Seedvault that is implemented in GOS.

                  You can stack that with something like Syncthing for internet / cross platform sync.

                  final Erasing your secondary profile or even a possible amnestic profile feature would be deniable.

                  I would really like a duress PIN on the owner profile that would silently delete specified secondary user profiles. That, and maybe delete specified apps and directories too.

                    Graphite the duress pin/password would ideally be universal, ie, accessible in every profile. No sense switching profiles, logging in and then handing someone a phone with only one profile.

                      Hb1hf

                      I wouldn't want to be on the profile that I want to covertly delete, when the time comes to use it. I wouldn't want them noticing it change at the lockscreen.

                      I wish there was a comprehensive system app for GrapheneOS that included all these options.

                        Graphite not sure we're saying the same thing or not.

                        My proposal is as follows: say the user has the owner profile with some very basic stuff, profile 2 which is your day to day profile, profile 3 with play services and maybe profile 4 with some extra sensitive stuff for people who need it (PS: I was thinking journalists, etc, but in my country it might just be banking apps)

                        In case of duress, that user wants to delete either profiles 2, 3 and 4 or just profile 4.

                        But, unless it's a predictable situation (like traveling to a country with known intrusive border control), users are more likely to be logged to profile 2 when the need arises. But maybe to profiles 3 or 4 as well.

                        So the duress PIN would have to be triggered from whatever profile the user was previously logged, erase the selected profiles (which might include the one currently selected) and then go back to the owner profile, hopefully without the "switching to profile X" message.

                          a year later

                          Hb1hf

                          To keep the thread alive... your idea is also what I would consider the most secure way to implement "plausible deniability"

                          To hand over a completely empty and wiped phone to anyone who lawfully or un-lawfully demands your credentials will just pizz them off and land you (or any other user) in hot water (either because it's considered "destruction of evidence" - or because the bad guys realize what you just did...)

                          Unlocking the phone to land in a dummy-profile while in the background the real profiles (2, 3 and 4) get wiped solves the issue. Plus in most scenarios it will buy the user in a pinch enough time to complete the background wipe before anyone realizes what may or may not have happened... and at that point there is no trace of it left... hence "plausible deniability"

                          Further you could set up two potential profiles for spicy situations... one for a theft scenario where the phone starts sending distress signals in the background, and one for anything like border controls etc with no background signal.

                          If anyone is aware of such a solution since this post was last active, the input would be much appreciated.

                            Explorer666

                            Have spent a long time playing around with the general concept of 'plausible deniability' - going back almost 3 decades (as in over many platforms and scenarios)..

                            The sort of blunt reality is;
                            "if you over specialise, you breed in weakness"

                            There are just a huge number of variables at play, all depending on countless other factors..

                            The only effective "real world" application, is for people to essentially design their own based around the level that is required for whatever reason they need it (or don't)..

                            Only in that scenario does a person know their local laws, how they would be treated, eg 'civilised', or not..

                            I saw above comments about living in the US..
                            The US is not 'civilised' with its laws and potential treatment/handling of 'suspects' or 'accused'.

                            Security through obscurity is also completely essential when you are dealing with adversaries in any scenario from potential 'financial gain seekers' (don't want to write the actual word), or if it's from people employed by the state.

                            Only you know what and why you are hiding something (or not) and the potential implications specific to your situation.

                            Not meaning any of this in a rude way either, I apologise if it comes across like that.

                            There is very often something lost between what a lot of people think is possible or not, to actual real life situations and what will in fact happen.

                            In a perfect scenario, anything is possible and seems plausible..

                            It's not a perfect world however, that's exactly what keeps it interesting/fun to keep learning though :)

                              intron

                              No offense taken at all. 😉
                              So on top of everything else, you suggest that I should learn coding now? lol....
                              oh well, guess if you want something done right, you gotta do it yourself after all... 🙄

                              hoped that anyone would have picked it up ever since "DueProcess"
                              https://android.ins.jku.at/plausible-deniability/

                              but seems not much progress was made in the meantime... that's a bummer somehow....

                                Explorer666

                                Didn't mean that exactly lol.

                                There is a lot more to it than coding or any single aspect..
                                Maybe a better way to try explain this;

                                View everything as 'tools' - some need certain ones, others don't.

                                GOS is a tool along with many, many other things in this context, be it a phone's OS, other software eg apps, the hardware itself, are also all tools, even 'law' is a tool.

                                Along with ones that have nothing to do with a phone, or even privacy or security -

                                Creating your own implementation to the degree you require in the real world, would inherently go far beyond a single device such as a phone in this specific context..

                                It also means when you view everything as a 'tool' - you can possibly utilise ones completely unrelated and not even designed for this purpose in your implementation..

                                Everyone also knows the golden rule "Nothing is secure"..

                                One that I've always attributed equally with that, is;
                                "You can't secure something unless you know how to break it"

                                Eg; If you want something that will work for your situation, you have to learn how each tool works to an extent and how you want to utilise them, if that makes sense?

                                I've never actually tried to put this in words for anyone else before, my apologies if it isn't phrased very well lol.

                                Knowledge and understanding are only gained through learning, and practice - people tend to dedicate as much as required in the context of what their goal or interest is :)

                                  intron

                                  A better way to maybe put the 'coding' aspect in this context;

                                  Take the legal system, ie 'laws'..
                                  You don't have to be able to practice (code) law to be able to understand it, eg; be a Lawyer/Solicitor

                                  Likewise, just because you do practice it (or code), doesn't mean you have much understanding of certain specifics, eg; a criminal lawyer, compared to a corporate lawyer filing copyright infringements..

                                  Just because you can code even the same language, let's take C, as others - doesn't mean you know or have an interest in being able to code 'securely', let alone about security implementations etc..

                                  That's what I mean by 'extent' - of course the more you learn and are able to do, the deeper your overall understanding - but you don't have to jump in the deep end of even studying 'law' at a uni, nor be a lawyer, to be able to understand to a decent extent laws that you can utilise as one of the 'tools' in your implementation..

                                  If that makes more sense?

                                    intron

                                    don't worry, I was joking about learning to code... I would be like 30 years late to the party.. lol

                                    of course you are right about viewing everything as tools (including apps or skills). it's just that there is no tool that does exactly what I want it to do - at least according to my status of research. that's why I am asking if I missed something, or if anyone found a suitable tool to reach my goals.

                                    And I completely agree with what you said about having to understand how to break it, before you can harden/fix it....
                                    That's what threat scenarios are here for... what are the possible dangers and how do they work?
                                    Then next step, what are the means to counter-act those threats?

                                    While nothing is secure, we can just become "hard targets" or respectively "nothing to see here" for the bad guys so they go look somewhere else...

                                    That's why I keep looking high and low for a solution that retains an unsuspicious basic profile while wiping the other profiles and related data on demand (from lock screen in the background with no suspicious messages popping up.)... as the topic here is "plausible deniability"... if there is nothing "off" to be found, then there is nothing to deny...

                                      What one can do is put a piece of paper with the duress password in the back of the phone case, if they enter said password and it wipes the phone that's their problem now?

                                        Bullion

                                        that is really clever - seriously props!

                                        that works on many levels as you didn't tell them to enter it, they obv didn't ask, so technically they destroyed any evidence.. all their choice.. just make sure in a police setting for example, you remain around multiple officers during that phase.. cops are human - some lie - multiple parties won't though (always exceptions but still)

                                          intron

                                          the best i came up with before yours was a low value # pin, or something simple - they can't bypass and speed up BF, but they will still attempt it in AFU one way or another

                                          Explorer666

                                          the problem is, same fundamental flaw with 'hidden containers' - they will assume you have them..

                                          you can't prove you don't - same for random bytes on a drive no header - it looks random, it could be encrypted - you can't prove it's not..

                                          that's the point.. in any situation where you can be made to hand over a pass , those measures do more harm than good..

                                          it's also what i mean about, you need to figure out a way even with multiple tools, to protect what you need..

                                          eg- if it's a border crossing.. keep the device clean and have all data encrypted on some random cloud storage, even buy your own instance for a server?

                                          carry 2 devices also.. keep main phone off in your bag..

                                          I don't really understand the "duress PIN" feature use case either.
                                          Maybe it's an interim stage before implementing something better, but when I think about an actual
                                          scenario of when you actually need to use it - i.e. under severe physical/psychological pressure,
                                          the best thing would be a dummy profile that opens with the "dummy" PIN, w/ or w/o wiping the main
                                          profile in the background. But a "working" phone state (for me) is a key part of the "duress" thing.

                                            23Sha-ger

                                            Yea - it's one of those things where it has valid and applicable use cases, but it's not universal as a solution..

                                            there is another way to also use a device without actually using it in a way -
                                            i have done this and it worked well for its purpose, however there are obvious drawbacks and for every day use you would lose your mind..

                                            vnc and either ssh or wireguard tunnel to a server you fully control (eg your hardware somewhere trusted)..
                                            i have even done it using tablets, so it was android to android (cheap tablets are a great way to access services/servers on a site without having to deploy a server for it, eg over 4g have it dial out where there is no net, even use it as the router - this was mostly cctv control related for that aspect)

                                              intron

                                              What? why would anyone do that? Using GOS just to access another "real" Android device stuff?

                                              The best "duress" feature for me, for ages, was just setting up a separate profile with all the apps and stuff I need to
                                              keep private. With the Shelter app since it allows more flexibility.

                                              I passed multiple (non-forensic) situations with it, such as giving your phone to people, where only
                                              my non-critical stuff is in the main profile, with common messengers with "normal" history are, etc.
                                              Unless you are facing an Android or a forensic expert, almost nobody is familiar with the fact that you can
                                              have 2 profiles on a phone, especially when the second one requires you to swipe a special launcher place for it.
                                              So it passes the border control test, and the "curious girlfriend" test.

                                              A PIN like 123456 or 000000 as a duress one would be a good option, in case they try to brute-force it
                                              without you - it will be tripped almost instantly. There you can have your plausible deniability.

                                                23Sha-ger

                                                Yea - that one does work well. You can do that without GOS also.

                                                I'm not going to go into much detail as to why I did the first one listed - it was not related to anything where the 'concern' was everyday people however.

                                                A key part of any form of security is having layers and redundancy as well..
                                                I do that even for physical local security -
                                                It's possibly myself just being a smart ass -
                                                If someone breaks in for example, it's locked door after locked door (often with no lock.. :)
                                                Doesn't cause myself any time loss when I want to access areas - but it would make it a complete deterrence for anyone not legally authorised, and just a pain in the ass for anyone legally authorised, which is half the fun in both cases of security, isn't it? lol

                                                23Sha-ger When I think about an actual scenario of when you actually need to use it - i.e. under severe physical/psychological pressure, the best thing would be a dummy profile that opens with the "dummy" PIN, w/ or w/o wiping the main profile in the background. But a "working" phone state (for me) is a key part of the "duress" thing.

                                                It depends on the threat model.

                                                The "dummy profile" approach will work well if the adversary is, well, toward the "dummy" end of the sophistication scale. If somebody threatens you, demands your phone, demands an unlock code, and then runs away, a dummy profile may work fine. But if you are dealing with an adversary of even mild sophistication, the dummy-profile situation will be easy to detect (e.g., the device's free storage will be much smaller than it should be given the files that are visible in the dummy profile).

                                                My sense is that the GrapheneOS developers prefer to focus on powerful (e.g., cryptographically strong) resistance to powerful attackers. That's not to say there's no room for a dummy-profile feature, but I'm not surprised that the first thing shipped was the "it's wiped for sure" version.

                                                  de0u

                                                  I'd say you're 100% right.

                                                  Data at rest is personally always my concern as you never know how long a copy of it could be in the hands of someone else if taken legally or not.
                                                  The first/only stand alone post I've made here was about the basic concept of using a yubikey for initial decryption (based on the work in progress implementation to use a long passphrase)
                                                  Keys like the Yubi (not cheapest ones) are modern day HSMs - used as an actual smart card - you can not extract the private key, which is by default protected with a pin or pass and x attempts
                                                  Given api improvements for such a use case, it's more realistic than it has ever been etc.

                                                  Though not sure I wrote it well, don't think anyone noticed it lol

                                                  de0u

                                                  Any security firm half-worth their salt works with threat scenarios and then different solutions for each scenario, there's no "one solution fits all" approach.
                                                  As intron mentioned, it's all tools and the presence of hidden files may do more harm in one situation while it would be perfectly safe in another.
                                                  For example, it would be total overreaction to wipe your phone if your co-worker wants to borrow your phone to call his wife as his battery died on him...lol
                                                  On the other hand, you can have different profiles/pin that can be used in different situations...and the level of expertise of your adversary...

                                                  a) under attack or being raided? Pin 1 – total wipe, no trace left…. ideally don't let them connect the phone to you….

                                                  b) street robbery? pin 2 - lets them land on a dummy profile, may save your life while everything else gets wiped in the background. Specially if you have a small, limited bank account in it to “buy your life” if required. Pin 2 also sets the phone in alarm mode, transmitting GPS, photos etc…

                                                  c) travelling and TSA inspects your phone? Pin 3 – “silent” dummy profile while deleting everything else… just in case in their country crypto is outlawed. Even if they are more sophisticated as the data is deleted there is nothing to see for them… and they won't arrest you for having used crypto back home as long as you don't bring it along…

                                                  d) nosy GF? Co-worker making a call? Pin 4 – nothing to see here. Keeps your data intact

                                                  make pin 1 the easiest to be triggered by brute force as well as keeping it on a paper as suggested by Bullion. (I actually do that ever since phones have a “kill code”)

                                                  in situations b and c you would become even more suspicious with a wiped phone and data forensics may be able to recover the data anyway… besides TSA inspects hundreds of phones per day and don't have time to go into detail unless you act suspicious….

                                                  Anyway, it would be cool to have the option – how and when you apply which of the codes is then up to you….

                                                    Explorer666

                                                    further to my previous post, for most scenarios there are available tools ready...
                                                    for scenario a) GOS duress code
                                                    For scenario c) Ripple
                                                    For scenario d) Shelter

                                                    It's really just the scenario b) that has no readily available tool to protect against a sufficiently sophisticated robber/kidnapper and depending on where you are those scenarios are more likely to occur than for example c)...

                                                      Explorer666

                                                      I do very much agree with you..

                                                      There's just a couple factors though -

                                                      Scenario B is one of only 2 situations I deem as 'critical',
                                                      Eg; Your life or the life of someone you know, is on the line in either 2, be it direct threat or of a legal nature, also done either illegally or not (neither is also worse than the other in this situation because it depends very much on the situation itself - the term 'waterboarding' is synonymous with the US.. and being done legally.. interestingly also not even viewed in a directly 'life threatening' way (the irony of which, is not lost on me..)

                                                      If you are in a situation where people unaffiliated with any 'state' are trying to gain access to your phone, your bank accounts (which have separate authentication inherently) - what they are doing is possibly one of the most serious crimes possible - anywhere..
                                                      They won't follow any sense of ethics or morality - a duress pin in that context, well, it's already a 'damned if you do, damned if you don't'..
                                                      Interestingly, that exact sentiment applies to the 'state' version - at that level, people engaging in that 'don't exist' - nor would you - ethics and morality also goes out the window.. However, that specific adversary, absolutely would be prepared for a duress pin/failsafe - even if you don't have one or even anything to hide, it's already 'assumed' you do..

                                                      There is also a debate that can be made about, the more Pins - actually has a huge negative impact and in fact creates a new attack surface, with it increasingly by its own magnitude per one.. It starts after 2 also, as in a real and a duress, zero attack surface for this context..
                                                      Pin #3. automagically becomes 3 fold of that, from the moment that 3rd exists..
                                                      I'm definitely not sure I've worded this properly - it's a bit tricky to explain..

                                                        intron

                                                        Side note with that;

                                                        The first thing I do, also possibly only setting I change upon installation of any banking/financial app - is the 'quick view' or whatever name(s) organisations use..

                                                        It doesn't matter to me if the value is consistently $0 or higher - I just can't have that turned on (usually is by default) - it conflicts with myself personally as it is not common sense or logical
                                                        (could also be considered a 'lazy' feature - it's not hard to login, and if you have a lot of funds and increased levels of security to login, then why would you want that info displayed without needing any of those to be met? *facepalms)

                                                          intron

                                                          well yeah, you defo don't want to end up in the hospitality of "non-existing" agents... that's also less of my concern as you would have to do something first to pop up on their screen - and once you do, no grapheneOS and no system wipe can save you... The phone goes to data forensics while you "enjoy" the SPA treatment....

                                                          On the other hand, in case of non-state-related incidents, the worst option is to give a wiped phone with black screen... the second worst to give them access to all your life savings... in most circumstances their adrenaline is just as much through the roof as yours - for other reasons... and as long as you hand them a working phone and are able to withdraw a few 100$ most situations are resolved...
                                                          (there may be even worse scenarios, but in those your phone usually plays little to no role, except that they will get rid of it ASAP to avoid tracking)
                                                          I used to travel a lot and explore in my younger years, even the shady sides of towns. Back then smartphones didn't even exist yet and few people had heavy, bulky Motorolas... was robbed at gunpoint twice and knowing that I was going to a potentially unsafe place I carried a secondary wallet containing just a small amount but no cards or IDs as those are a pain in the rear to replace.... in both instances they took the "dummy"-wallet, saw that it has a little bit something inside and ran off... so maybe a secondary phone to hand over in such a situation would be the better option? as I said, having access to a small bank account that acts as a life saver may be a beneficial strategy if forced at gunpoint to withdraw money...
                                                          If afraid of detection of the "real" phone either leave that at home to begin with (always be aware of where you are going) and if that is REALLY not an option, well, that's the situation where the "wipe all except for this dummy profile" would come in super handy.