bakad3v / Android-AntiForensic-Tools

An application designed to silently protect user data from powerful adversaries.

[feature request] Reboot on USB connection #2

Open ZincLasagna opened 3 weeks ago

ZincLasagna commented 3 weeks ago

Hey! The app is excellent, and I have a feature suggestion that could be really useful for users with moderate threat models.

Instead of wiping the device upon USB connection, perhaps the app could allow an option to reboot on USB connection, if user chooses this action instead of erase. This would clear the encryption keys from RAM, making any exploits that bypass the lock screen ineffective. In this state, device security would rely solely on rate limiting and password strength. With a strong password, brute-forcing becomes nearly impossible, so data would remain protected even if this feature is accidentally triggered—no data loss involved.

This feature primarily addresses the growing issue of tools like Cellebrite UFED, which are increasingly used in my country. Often, phones are confiscated and unlocked using devices like Cellebrite, and cases are then built based on the retrieved content (unfortunately, free speech protections are nonexistent). However, coercion to disclose passwords is rare.

In cases where adversaries cannot bypass encryption, the device may remain confiscated, but no further investigation is pursued. This feature could help mitigate risks for users in such situations, offering a balanced approach to protection against unauthorized data access and accidental data loss.

Assuming adversaries wouldn’t resort to extreme methods to obtain passwords (torture), this would provide a solid layer of protection. Thanks for considering!

UPD: Also could you consider adding an auto-reboot feature that triggers after a specified period of inactivity, similar to the auto-reboot feature in GrapheneOS? This would increase the likelihood of the device entering the 'Before First Unlock' (BFU) state, which significantly limits forensic access. In BFU mode, even if a forensic analyst gains physical access, they won’t get far without the correct password, and with a strong password, brute-forcing would be virtually impossible. Given these security benefits, implementing features that maximize the chances of the device entering BFU mode could be a valuable addition. I’d love to hear your thoughts on this.
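Both ideas in this request (reboot when a USB host attaches, and reboot after a period of inactivity) could be implemented in an Android device-owner app roughly as follows. This is an added illustration, not code from Android-AntiForensic-Tools; it assumes the app already holds device owner status (DevicePolicyManager.reboot() only works for the device owner), that the system's hidden USB_STATE broadcast and its "connected" extra are delivered as on current AOSP builds, and an 18-hour inactivity default chosen just for the example.

```kotlin
import android.app.admin.DevicePolicyManager
import android.content.BroadcastReceiver
import android.content.ComponentName
import android.content.Context
import android.content.Intent
import android.content.IntentFilter
import android.os.Handler
import android.os.Looper
import android.util.Log

// Hidden (non-SDK) but long-standing system broadcast; assumption: its boolean
// extra "connected" is true while a USB host is attached to the device.
private const val ACTION_USB_STATE = "android.hardware.usb.action.USB_STATE"

class BfuRebootGuard(
    private val context: Context,              // application context
    private val adminComponent: ComponentName, // this app's DeviceAdminReceiver
    private val inactivityMillis: Long = 18L * 60 * 60 * 1000, // example default: 18 h
) : BroadcastReceiver() {
    private val handler = Handler(Looper.getMainLooper())
    private val onInactivity = Runnable { rebootToBfu("inactivity timeout") }

    fun start() {
        val filter = IntentFilter().apply {
            addAction(ACTION_USB_STATE)            // USB host attached / detached
            addAction(Intent.ACTION_USER_PRESENT)  // user unlocked: they are active
        }
        context.registerReceiver(this, filter)      // both are protected system broadcasts
        armInactivityTimer()
    }

    fun stop() {
        context.unregisterReceiver(this)
        handler.removeCallbacks(onInactivity)
    }

    override fun onReceive(ctx: Context, intent: Intent) {
        when (intent.action) {
            // React only to a host attaching, not to the detach event.
            ACTION_USB_STATE ->
                if (intent.getBooleanExtra("connected", false)) rebootToBfu("USB host attached")
            Intent.ACTION_USER_PRESENT -> armInactivityTimer()
        }
    }

    private fun armInactivityTimer() {
        handler.removeCallbacks(onInactivity)
        handler.postDelayed(onInactivity, inactivityMillis)
    }

    // Reboot rather than wipe: credential-derived keys held in RAM are lost and the
    // device comes back Before First Unlock, so only the lock-screen credential and
    // its rate limiting stand between an attacker and the data; nothing is erased.
    private fun rebootToBfu(reason: String) {
        val dpm = context.getSystemService(Context.DEVICE_POLICY_SERVICE) as DevicePolicyManager
        if (!dpm.isDeviceOwnerApp(context.packageName)) {
            Log.w("BfuRebootGuard", "not device owner, cannot reboot ($reason)")
            return
        }
        Log.i("BfuRebootGuard", "rebooting: $reason")
        dpm.reboot(adminComponent)
    }
}
```

The main-thread Handler timer is only for illustration: it does not survive the process being killed or Doze, so a real implementation would schedule the inactivity reboot with AlarmManager (or WorkManager) from a foreground service.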

bakad3v commented 3 weeks ago

Thank you for the detailed description of your threat model. However, rebooting the device will be obvious to the adversary; do you think it will not be a problem? In Russia, for example, there was a case when Russian law enforcement put a suspect in jail because he was caught wiping all his data and that looked suspicious to the judge. I think that rebooting the device automatically may look suspicious too, but if it wouldn't be enough for a conviction in your case, then it's ok. Also, wouldn't it be better to delete the data and reboot then? Or to disable USB -> wipe data -> reboot?

ZincLasagna commented 3 weeks ago

I agree that a device reboot isn’t very covert, but users could argue plausible deniability, suggesting that a bug caused a random crash—especially since tools like Cellebrite exploit vulnerabilities to bypass security. A reboot is easier to explain as a “glitch” compared to a full data wipe, and accidental data loss is a primary concern for many users. For those with less extreme threat models, a wipe-on-USB connection feature could feel risky to enable, as it might be accidentally triggered, leading to the loss of critical information stored on their phones.

By adding an option to reboot on USB connection instead, data remains secure without the risk of accidental loss. For high-threat models, an option to delete data and then reboot would add even stronger security, albeit at the cost of reduced stealth.

Overall, making the toolkit more flexible could allow users to tailor settings to their specific threat levels and needs. So more people might start using it and drastically improve their security.

P.S. Your article is talking about drug dealers' phones, in which case having a fully wiped phone is suspicious, and their threat model is indeed way higher than that of a random citizen subscribed to "unwanted" media. I was talking about random phone searches; I cannot find a source right now, but I guess I read a Medusa article about it.

bakad3v commented 3 weeks ago

Overall, making the toolkit more flexible could allow users to tailor settings to their specific threat levels and needs. So more people might start using it and drastically improve their security.

Those are wise words. The more threat models the app supports, the better. I think I will add this feature; it seems easy to implement.

ZincLasagna commented 3 weeks ago

Thank you for your work!