The exact circumstances around the search are not known. But activist Samuel Tunick is charged with deleting data from a Google Pixel before CBP’s Tactical Terrorism Response Team could search it.
Always turn your phone offer before deplaning and don’t turn it back on until you’ve cleared customs. You can refuse a search and even if they take your phone they still don’t have a method of decrypting a phone that’s encrypted at rest after being turned off and all biometrics are disabled on start up until a password is entered (most phones).
You’ll most likely lose your phone and a few hours but that’s what you have backups for.
Reminder that Apple/Google will absolutely give law enforcement all your cloud data if presented with a warrant. I know this for a fact. Most people’s phone data is synced to the cloud. Be careful out there folks.
That’s also why I have advanced protection turned on. Granted they could always get the encrypted blob and try to crack it at that point, but there has to be some point you’re willing to draw the line.
And this is why encrypted backups should become the norm. Sure, they could always try to crack the encrypted file after it gets turned over, but (assuming you have a good password set for your account) we’re talking about a scale somewhere between “a few billion years” and “the heat death of the universe” with conventional (non quantum) computers.
The few times I’ve traveled internationally I just bought a cheap unlocked burner phone. No telling what you might catch in another country. Plus it’s just basic itsec.
You should read up on Celebrite. They most definitely can get into a wide variety of phones from a cold boot. GrapheneOS seems to be one of the only ones that make their job hard.
Here’s some charts from July last year. I don’t know if there’s any other leaked charts out there, but short answer is that your password doesn’t matter. Keep in mind that the images in the above link are a year and a half old, they can definitely crack updated OSs.
I thought that just means they can bypass the password limit and do a bruteforce, but they still need to do a bruteforce, I don’t think the key just just sitting there, right?
They can and still will run it through a password cracker with a dictionary provided the phone has some method of either exposing the password hash or can be bruteforced on device similar to PIN bruteforcing.
You can refuse a search
Which can lead to an up to 24 hour detainment which CBP has been allegedly doing, so do know the consequences.
Curious, how does that work? 10000 possibilities aren’t many but you get 30s break every 3 failed attempts then 5 more then its every single failed attempts so that’d be ~5000minutes so that’s about 3 days. Assuming they get “lucky” it’s about 1.5 day. I don’t know though what happens after 20 failed attempts, maybe it’s 1min break or 20min break.
Basically, does PIN bruteforcing actually work and if so on what timeframe?
Ah no it relies on either the battery drain method or another exploit that gives you a much higher rate without tripping the device.
I haven’t kept up with the CVEs for this, and I’m sure both Apple and Android have patched several, but for a while police forensics have had access to an AIO cracker tool made by a company that afaik never disclosed these CVEs for the sole purpose of keeping a method of PIN bruteforcing viable.
I don’t think that matters as much as the delay because with brute force you can precisely go through a LOT of possibilities so the practical aspect is the attempt frequency. Even 1 number if it’s 1 attempt per decade is enough to prevent intrusion.
I think Apple has fixed this, but they would remove the battery, hook it up to external power. When unlocking, there was a pause/dimming on the phone to show it was wrong, and the computer hacking it would kill the power before the phone wrote that there was a bogus attempt, so you got infinite attempts.
I don’t think infinite attempts is the issue, I think the timing of those attempts is what practically limit the usefulness of the attack. Here in the Apple example I imagine rebooting the phone takes longer than 30s. Also if one goes to the length of removing the battery of an iPhone to crack it, this is a pretty serious attempt. One better have proper protections in place.
Always turn your phone offer before deplaning and don’t turn it back on until you’ve cleared customs. You can refuse a search and even if they take your phone they still don’t have a method of decrypting a phone that’s encrypted at rest after being turned off and all biometrics are disabled on start up until a password is entered (most phones).
You’ll most likely lose your phone and a few hours but that’s what you have backups for.
Reminder that Apple/Google will absolutely give law enforcement all your cloud data if presented with a warrant. I know this for a fact. Most people’s phone data is synced to the cloud. Be careful out there folks.
That’s also why I have advanced protection turned on. Granted they could always get the encrypted blob and try to crack it at that point, but there has to be some point you’re willing to draw the line.
I would just use local backups tbh.
I would fully expect any cloud provider to do the same given a warrant, but I’ve heard some will provide data simply because it was requested.
And this is why encrypted backups should become the norm. Sure, they could always try to crack the encrypted file after it gets turned over, but (assuming you have a good password set for your account) we’re talking about a scale somewhere between “a few billion years” and “the heat death of the universe” with conventional (non quantum) computers.
I always wipe my phone before traveling.
There’s nothing in my phone that I’d be the least bit worried about “getting out” but it’s the principle of the thing.
The few times I’ve traveled internationally I just bought a cheap unlocked burner phone. No telling what you might catch in another country. Plus it’s just basic itsec.
This has to be the new norm. Memorize the password to LastPass or whatever and just go in clean.
As an added benefit, that protects you if your phone gets lost or stolen during the journey.
You should read up on Celebrite. They most definitely can get into a wide variety of phones from a cold boot. GrapheneOS seems to be one of the only ones that make their job hard.
I assume its because most people use 4 digit pins.
Can they crack a long passphrase?
https://stacker.news/items/616858
Here’s some charts from July last year. I don’t know if there’s any other leaked charts out there, but short answer is that your password doesn’t matter. Keep in mind that the images in the above link are a year and a half old, they can definitely crack updated OSs.
I thought that just means they can bypass the password limit and do a bruteforce, but they still need to do a bruteforce, I don’t think the key just just sitting there, right?
Sometimes they can, sometimes they can’t. It’s always a race.
*presuming you have a strong password set
They can and still will run it through a password cracker with a dictionary provided the phone has some method of either exposing the password hash or can be bruteforced on device similar to PIN bruteforcing.
Which can lead to an up to 24 hour detainment which CBP has been allegedly doing, so do know the consequences.
Curious, how does that work? 10000 possibilities aren’t many but you get 30s break every 3 failed attempts then 5 more then its every single failed attempts so that’d be ~5000minutes so that’s about 3 days. Assuming they get “lucky” it’s about 1.5 day. I don’t know though what happens after 20 failed attempts, maybe it’s 1min break or 20min break.
Basically, does PIN bruteforcing actually work and if so on what timeframe?
Data Visualization of the Most Common PIN Numbers https://kottke.org/24/05/data-visualization-of-the-most-common-pin-numbers
I think my phone will actually wipe after a certain number of failed password attempts. I’d like to say 20, but I’m not certain.
Ah no it relies on either the battery drain method or another exploit that gives you a much higher rate without tripping the device.
I haven’t kept up with the CVEs for this, and I’m sure both Apple and Android have patched several, but for a while police forensics have had access to an AIO cracker tool made by a company that afaik never disclosed these CVEs for the sole purpose of keeping a method of PIN bruteforcing viable.
There’s no 30 second rest on my phone. They have 3 tries.
3 tries then what, data wipeout?
Yup
It also depends wha kind of password. I know some phones allow longer than 4 digits, and some offer alphanumeric.
I don’t think that matters as much as the delay because with brute force you can precisely go through a LOT of possibilities so the practical aspect is the attempt frequency. Even 1 number if it’s 1 attempt per decade is enough to prevent intrusion.
I think Apple has fixed this, but they would remove the battery, hook it up to external power. When unlocking, there was a pause/dimming on the phone to show it was wrong, and the computer hacking it would kill the power before the phone wrote that there was a bogus attempt, so you got infinite attempts.
I don’t think infinite attempts is the issue, I think the timing of those attempts is what practically limit the usefulness of the attack. Here in the Apple example I imagine rebooting the phone takes longer than 30s. Also if one goes to the length of removing the battery of an iPhone to crack it, this is a pretty serious attempt. One better have proper protections in place.
at this point just leave your phone at home or get burner for this exact purpose