Securing a travel iPhone (filippo.io)
216 points by jsudhams on July 8, 2016 | 108 comments



Hey, author here. Happy to answer questions. There's also a big Twitter thread here https://twitter.com/FiloSottile/status/750273921568485377

To frame the post and the conversation, I am targeting a loose but not universal threat model. If threat of deadly force is higher up in your risk scale than shoulder-surfing, or Apple cooperation is a given, then you might want to make very different choices, but more importantly, you probably need better advice than a blog post.

The only things I want to add are pair-locking, maybe a forced VPN profile, and a correction on how to check the Whatsapp fingerprint. You can find all these things in the Twitter thread.


I'd avoid using TouchID to unlock your phone for legal reasons.

Once the phone is unlocked, you can use TouchID as the phone is already open and you would not gain/lose anything from using TouchID in that scenario. But until the courts rule that you cannot be compelled to TouchID unlock your phone like a PIN, I think that is the safer route to take for now.


If you expect you can reliably turn off your phone (7 seconds) before you get into a search situation, then use a full password instead of a numeric PIN; Touch ID is then a great balance of convenience and security. Touch ID also prevents shoulder surfing of your code.

It's all about the threat model.


Correct me if I'm wrong, but isn't it also possible to just use one of your fingers that you didn't register with touch ID for 5 or so consecutive unlock attempts and it will have the same effect as rebooting your phone?


There is a slight difference.

Keychain and NSFileManager have possible modes of "kSecAttrAccessibleAfterFirstUnlock" [0] and "NSFileProtectionCompleteUntilFirstUserAuthentication" [1] respectively that are (fittingly) in an open state within your app after you've unlocked the device.

[0]: https://developer.apple.com/reference/security/ksecattracces...

[1]: https://developer.apple.com/reference/foundation/nsfilemanag...


That will stop you using Touch ID thereafter, but it's quite slow to do in practice.

As an aside, I've found that, at least with my iPhone 5S, if my finger is wet (e.g. if I've licked it), it also is rejected.


Just a heads up: security questions can be reset with a call to AppleCare.

That's why this https://support.apple.com/en-us/KM205083?cid=acs::applesearc... article states to contact them.


As someone in a country with a serious mugging problem and having lost an iPhone already, one of the biggest security flaws I see is being able to power it off without providing any authentication.

What is even the point of Find My iPhone and all that if anyone can just instantly switch off all the tracking? You can't even ring your own number after that, and even law enforcement cannot look up the cell tower logs to see where it's been.

There should be an option to require a passcode for power-off, and another option to periodically send Find my Phone tracking even when "powered off," via any available network, until the battery dies.

EDIT: I agree they can just take out the SIM and we need to be able to force-power-off anyway... but what can be done to increase the recoverability of these expensive items?


Even if Apple added that, it's trivially easy to pop the SIM. A phone without a network connection won't ping, so that won't help.

You have to think about it from the attacker's point of view. Anyone they sell it to is going to power it on to test it. Once it's powered on, it'll ping back.

Any black-market buyer knows to pop the SIM anyway before powering it on, and turn on the phone without any publicly-accessible Wifi access points available. But then they still have to restore it in order to see if it's iCloud locked, and the restore pings, too (it requires an Internet connection to Apple's servers to download a signed OS.)

What it comes down to is that stolen iPhones just aren't worth that much, since there's no easy way to remove an iCloud lock and the parts themselves aren't worth a lot. The good news is that far fewer iPhones are stolen these days (source: http://www.cbsnews.com/news/iphone-thefts-down-thanks-to-app... ), and thieves are pretty quickly learning that.


Going by eBay, a lot of people are still managing to sell stolen iPhones for $100-$300: http://www.ebay.com/sch/i.html?_nkw=icl0ud%20locked&LH_Compl...


What do you do with an iCloud-locked phone? It seems like a completely worthless device if it is locked.


Even if the answer is "nothing" it still makes sense they're selling on ebay—people don't know that they're buying a brick, and I'd bet that's extremely difficult to contest via ebay/paypal.


According to the link above, people know they are buying bricks.


I'm sure there are some folks trying to pass off locked iPhones as legit, but there are also people selling them "for parts" on Craigslist and I'm sure a load of other sites. I was just shopping for some test iPhones for work and there was one dude on Craigslist with a dozen or so new iPhones, all locked for like $80 "for parts".


Perfect for parts. New screens aren't cheap. Battery, camera modules, etc.


Yeah, you could part the whole thing out, but there's so little demand for used parts currently that it's tough to make a business case for it.

New screens are pretty cheap these days; under $40 for a new iPhone 6 screen wholesale currently. Used batteries are worth nothing since new batteries are so cheap (a new 6 battery is less than $10 -- why would you want a used one?) Camera, home button, charge port, prox sensor...even if you put all those together you'd barely have $100 worth of parts, and that's talking about new part prices (wholesale).


New screens are a lot cheaper than $200, which appears to be the price of iCloud locked phone.


"genuine Apple screen" vs. cheap aftermarket knockoff? I have no idea if there's much of a difference.


parts phone for repair of others, perhaps?


Since it's possible to call 911/112 with a GSM phone without a SIM, the phone can still be tracked throughout the network with its unique IMEI number.


They don't need to restore or power on to check activation lock.

You go to https://www.icloud.com/activationlock/


> but what can be done to increase the recoverability of these expensive items?

Don't buy or walk with expensive items around? Sounds like I am being snarky, but I am serious. In some cities or areas, it is not possible to have nice stuff around. Couldn't have a nice car in my old neighborhood. The old beater I had was scratched, hit and broken into multiple times. I didn't care too much, as it was already scratched and beat up anyway. If it was a nice new car, I would have been upset, but I would have never gotten a nicer car living in that part of town.

As for phones, I broke my old flip phone some years ago by sitting on it. And I was upset about it, obviously; it was a nice model then. I was a student and bought it by saving for a while. Didn't have insurance and so on. And since then I realized that it didn't make any sense for me to buy these expensive toys if they can easily be lost, stolen, or broken _if_ it causes me so much anguish when it happens. So since then I've bought used or lower-end smartphones (the last one is a Moto G for $170 from 3-4 years ago) so that if it gets broken, stolen, or lost I wouldn't be too upset about it, just inconvenienced some, and would just go and buy another one. Kind of like buying another pair of pants or socks.

One day, if I win the lottery, maybe I'll be able to buy $500-$600 iPhones like that too. But today, if I had one and cracked or lost it, I would be quite upset.

I am saying this because I've seen people sign contracts to buy these phones (which is basically getting a loan), buying insurance for them and so on, and all I can think is "it sounds like you can't afford it". Can't obviously tell them that in person, but that's the idea.


> And since then I realized that it didn't make any sense for me to buy these expensive toys if they can easily be lost, stolen, or broken _if_ it causes me so much anguish when it happens. So since then I've bought used or lower-end smartphones (the last one is a Moto G for $170 from 3-4 years ago) so that if it gets broken, stolen, or lost I wouldn't be too upset about it, just inconvenienced some, and would just go and buy another one. Kind of like buying another pair of pants or socks.

Interesting. Different ways of managing expected frustration. Personally, I stick to highest-end phones I can afford, for the simple reason - I was once stuck for 3 years with a phone that was so crappy that it could barely lift its own OS - fire up any app, homescreen gets killed to save memory. Somebody calls you? 25% chance that you won't be able to pick it up, because the phone will hang. Try and turn on Internet on it? If you didn't turn off sync, you'll have to powercycle the phone by removing its battery to get it working again.

I don't break or lose phones often (in the last 3 years, I managed to crack the screen of my S4 two times; got the glass replaced both times for relatively little cost). But I use them quite a lot, every day. Minor frustrations like apps crashing, hanging, or taking 30 seconds to load tend to add up into quite a bit of frustration daily. So I prefer to save up and buy a phone that I know will work flawlessly for the next 3 years or so (and, like with S4, then I happily give it away to someone when I buy a new one; they can probably squeeze 3 more years off it too).


I just use an old quality phone. I got a Nexus 5 in 2015 very cheap, and it works great to this day. Nexus 5X's price is on the way down, and there are plenty of other quality cheap phones to have, like the Chinese models. Some will need a new ROM, though, so one should check out CM devices page before buying.

In my experience, buying these phones offers a better experience than many of the flagship Samsungs which suffer from bloated, slow and unintuitive software.


>and even law enforcement cannot look up the cell tower logs to see where it's been.

I'm not so sure about that...

I worked at a TV news station in a major city where police told us they could track cell phones that were turned off. IIRC, it came up during an interview after they apprehended a suspect in a big rape/murder case. The suspect's phone was off, but they were able to track him. They told us they didn't really want the public to know they could do this, but it seems it's too late for that [1].

I'm not sure what the limitations are: whether it'll work if the battery is removed (maybe there's another battery?) or whether it only works with certain phones.

[1] https://www.quora.com/Can-law-enforcement-track-someone-by-t...


When the phone is off it is off. Same goes with flight mode.

The NSA* or any other similar actor can load malware to your phone that would prevent it from being completely turned off, the police most likely cannot.

The police do have a vested interest in making the public think that turning the phone off is pointless.

*On older phones, like late '90s/very early 2000s ones, there was enough power leaking from the antenna into the modem part that you could ping turned-off phones remotely even if the battery was removed; I've seen this in action. This doesn't, or shouldn't, work on new phones, which require considerably more power and have very complicated hardware.


> On older phones, like late '90s/very early 2000s ones, there was enough power leaking from the antenna into the modem part that you could ping turned-off phones remotely even if the battery was removed; I've seen this in action.

I don't see how that could work - even if power through the antenna did cause the phone to transmit something, more than the radio would have to be powered up to get the phone to return any kind of identifier. But I'm skeptical that any transmitter could be powered through the antenna like that.

I could believe that if you transmit enough power that some sort of oscillation would occur in the phone to return a signal that can be detected, but I don't see how you could determine what phone returned that signal.


It wasn't transmitting a proper cell signal, it was transmitting something that they could detect.

I would assume that you would profile phones (of a certain make and model) and identify them based on the return signal. This was used in the early days, in places where there wasn't high cellphone density to begin with.


I wonder how that passed the FCC.


I don't think this actually violates any FCC regulations; given the right circumstances, a can of Coke can probably be induced to create enough backscatter to be trackable via RF.


> The police do have a vested interest in making the public think that turning the phone off is pointless.

An interesting point, but...

If I were a criminal (I am not), and I were going to commit a crime (I am not), and I knew turning off my phone was pointless because the police can still track it, then I would just leave my phone at home, or give it to a friend.


Where was the power coming from if the battery was removed?

Only device that I'm aware that's able to do this is designed for this application.


It's very old phones with external antennas. The power came from the same place as the power that lit the LED in the aftermarket Nokia antennas that would light up when you were getting a call or a text: wireless power. The phone had enough leakage to modulate the return signal sufficiently to be detected; it would not be the same thing as tracking a phone via its normal cellular signal, it would just indicate the presence of one.


I don't believe this.

Those aftermarket lighty-uppy things work by sensing your phone's response burst, which is a much stronger signal, being driven by the phone's battery, and radiated from the very nearby antenna.

I do believe that you can induce a signal in a powered-off phone that can be detected nearby (several feet), by virtue of the tuned antenna if nothing else. I'm skeptical of the claim that a normal arbitrarily-distant cell transmission could do so. Regardless, I do not believe the induced signal could be detected back at the cell tower.

This would be wireless power. Not possible, at the levels and ranges asserted.


Believe what you want, but at least read it through first. This isn't about powering a cell phone via wireless power and making it connect to a cell tower; this is about inducing enough power into the cell phone's RF parts to make it modulate the signal sufficiently to be picked up. Essentially this isn't that much different from passive WiFi or any other backscatter-communication-based system.

I've seen this demonstrated around 5 years ago at an intelligence technology seminar open to the public at the intelligence community heritage museum. It was done across the room during a demonstration which showed active and passive phone tracking techniques (they put the phones in and out of Faraday cages during the demonstration). The phone that was used in the demonstration for the "powerless" tracking was a very old Ericsson (before it became Sony Ericsson) phone from the mid to late '90s; during that demonstration we were also told that this method of tracking became obsolete around the early 2000s. They did not elaborate exactly what ranges this works on, but what they said is that the emitter and receiver were usually separated in order to accommodate operational requirements.


As I read it, that's a fine way to detect the presence of a cell phone. It might be able to discriminate between several models of cell phones. But it will not be able to identify a specific cell phone.

Am I misreading your statements?


Yes, I said it was used to track cell phones in low-density areas back when they were simple enough for this trick to work. What I assume is that if someone back then had a cell phone/radio phone/sat phone or anything similar with a susceptible transmitter in the middle of nowhere-stan, you could probably identify them via other means, or at least be able to classify them sufficiently.


That makes sense. I think I veered off into confusion from the comment about the inductively-powered LEDs.


> When the phone is off it is off. Same goes with flight mode.

You're forgetting about the baseband. Modern phones have a secondary processor loaded with proprietary software that has a secondary battery soldered on. You can't turn that device off, and it has the ability to phone home. Even removing the battery won't help you.


No, I didn't forget about the baseband, hence the NSA-grade malware. That said, I haven't seen a single phone that, when in airplane mode or off, showed any signs of transmitting anything. I've also done testing with RF fuzzing phones and nothing happened. Other people did more analysis, including power consumption monitoring etc., and there is no "on by default" phone-home feature on basebands. Can a baseband be backdoored? Sure. Can the police do that? Most likely not; if anything, the "quality" of commercial cellphone malware is fairly low, and most of it requires physical access to the phone or social engineering to install. US law enforcement relies mostly on cell-provider and IMSI-catcher-based tracking; some departments might have access to commercial RAT products à la FinFisher, but I have seen no evidence that anyone has access to baseband-based exploits. If anything, it seems that even state actors do not have turnkey solutions for remotely accessing the basebands of commercial mobile phones and often have to resort to compromising the supply chain to launch targeted attacks. So yes, the baseband is a CPU, it's probably considerably less secure than you would want, but saying that every baseband, or even the top 10 most popular ones, is or can be compromised at will doesn't pass the current smell test.


When you worked at that TV news station, were Blackberry phones prevalent? Blackberrys had two types of "off" -- one type periodically checks the network for texts and the other is an actual off.

As far as I know phones today don't do this.


This sounds like Android Doze, except Doze isn't (a) manual or (b) explained to the user as being off.


I don't buy it. The top Quora response you link to makes claims that tracking happens when off, but its sources make no such claims. Specifically, I highly doubt that GPS is useful towards tracking an off phone.


Wouldn't that be trivially defeated with a small packet of tin foil?


And removing the SIM card.


The problem is that there has to be a way to forcefully power off the phone in case it freezes. If the OS depends on software to power off and the software is not responsive, there's no way to shut it down without exhausting/removing the battery.


I think that's what sleep/wake+home button is for. Holding sleep/wake still requires 'slide to power off' (which I assume wouldn't respond when iOS locks up.)

Sleep/wake+home button restarts iOS but ultimately reconnects the device to the web.


The ability to quickly turn off the phone is useful when you need to activate a long password so that you cannot be forced to use your fingerprint to unlock it.


If you are in a place where you can be forced to unlock it with your finger, they'll force you to give out the password too; it would probably even be more painful.

The only place where you would not want to use biometrics are western* countries which would allow the police to compel you to give out your fingerprints to unlock the phone.

With the exception of the UK, in which not giving out a password or decryption key in the course of an investigation, even if you are not the suspect of a crime, can land you 7 years in prison these days.


> but what can be done to increase the recoverability of these expensive items?

Move to a place with thieves who know not to steal a really hard to move phone.


If the phone is locked, they can't do anything but part it out anyway. They might as well remove the battery.


France?


What I miss in this article is using MDM to harden an iOS device in the first place. E.g. you can prevent the ability to make backups [0], diminishing that as a route to exfiltrate information. Secondly, an always-on VPN [1] to a fixed IP address prevents network information leakage from the moment the device is turned on for the first time. A quick search resulted in these two links, but I didn't hit a comprehensive guide, other than Apple's MDM docs, combining this travel guide with iOS MDM hardening.

[0] https://community.rapid7.com/community/infosec/blog/2015/11/...

[1] http://www.howtogeek.com/218851/how-to-enable-always-on-vpn-...


A key step missing is to set up the iOS device as Supervised in Apple Configurator and prevent pairing with non-Configurator hosts. Additionally, you can install your own non-removable profile via Configurator on the device disabling a bunch of privacy-damaging features there.
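The two comments above (disabling backups and forcing an always-on VPN through MDM, and supervising the device in Apple Configurator so it only pairs with the Configurator host) describe the approach without showing a profile. The following configuration profile is an added example that is not from the article, from the commenters, or from Apple's documentation: it is a hand-written `.mobileconfig` that combines those restrictions with an alphanumeric-passcode policy, in the plist format Apple Configurator installs. The payload key names are as I remember them from Apple's Configuration Profile Reference and should be verified against the current reference before use; `vpn.example.invalid`, the identifiers and the UUIDs are placeholders, and the certificate payload that `PayloadCertificateUUID` must point at is not included. `allowHostPairing` and Always-On VPN only take effect on a supervised device.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>example.travel-hardening</string>      <!-- placeholder -->
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string> <!-- placeholder -->
  <key>PayloadDisplayName</key><string>Travel iPhone hardening (example)</string>
  <!-- Installed through Configurator on a supervised device, the profile cannot be removed on the phone. -->
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key>
  <array>

    <!-- 1. Restrictions: close the backup and host-pairing routes off the device. -->
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>example.travel-hardening.restrictions</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000002</string>
      <key>allowCloudBackup</key><false/>          <!-- no iCloud backup of messages etc. -->
      <key>forceEncryptedBackup</key><true/>       <!-- any local backup must be encrypted -->
      <key>allowHostPairing</key><false/>          <!-- supervised only: pair with the Configurator host alone -->
      <key>allowDiagnosticSubmission</key><false/>
      <key>allowUntrustedTLSPrompt</key><false/>   <!-- untrusted TLS certs fail instead of asking the user -->
    </dict>

    <!-- 2. Passcode policy: a full alphanumeric passcode, wipe after repeated failures. -->
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>example.travel-hardening.passcode</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000003</string>
      <key>forcePIN</key><true/>
      <key>allowSimple</key><false/>               <!-- no repeating/ascending sequences -->
      <key>requireAlphanumeric</key><true/>        <!-- letters and digits, not a numeric PIN -->
      <key>minLength</key><integer>12</integer>
      <key>maxFailedAttempts</key><integer>10</integer> <!-- device wipes after the tenth failure -->
      <key>maxGracePeriod</key><integer>0</integer>     <!-- passcode required immediately on lock -->
      <key>maxInactivity</key><integer>1</integer>      <!-- auto-lock after one minute -->
    </dict>

    <!-- 3. Always-On VPN (IKEv2, supervised only): traffic stays in the tunnel from first boot. -->
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>example.travel-hardening.vpn</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000004</string>
      <key>UserDefinedName</key><string>Travel VPN</string>
      <key>VPNType</key><string>AlwaysOn</string>
      <key>AlwaysOn</key>
      <dict>
        <key>UIToggleEnabled</key><false/>         <!-- the user cannot switch the tunnel off -->
        <key>AllowCaptiveWebSheet</key><false/>    <!-- no captive-portal traffic outside the tunnel -->
        <key>TunnelConfigurations</key>
        <array>
          <dict>
            <key>ProtocolType</key><string>IKEv2</string>
            <key>Interfaces</key><array><string>Cellular</string><string>WiFi</string></array>
            <key>RemoteAddress</key><string>vpn.example.invalid</string>      <!-- placeholder -->
            <key>RemoteIdentifier</key><string>vpn.example.invalid</string>   <!-- placeholder -->
            <key>LocalIdentifier</key><string>travel-iphone</string>
            <key>AuthenticationMethod</key><string>Certificate</string>
            <!-- UUID of a com.apple.security.pkcs12 payload (not shown) carrying the client cert -->
            <key>PayloadCertificateUUID</key><string>00000000-0000-4000-8000-000000000005</string>
          </dict>
        </array>
        <key>ServiceExceptions</key>
        <array>
          <!-- Carrier voicemail would otherwise bypass the tunnel; drop it rather than allow it. -->
          <dict><key>ServiceName</key><string>VoiceMail</string><key>Action</key><string>Drop</string></dict>
        </array>
      </dict>
    </dict>

  </array>
</dict>
</plist>
```

Install it with Apple Configurator after supervising the device, then confirm on the phone that Settings shows the profile as non-removable, that iCloud Backup is greyed out, and that the VPN indicator is present immediately after a reboot before the passcode is entered. The `maxFailedAttempts` wipe and the `allowHostPairing` restriction are the two settings worth double-checking against your own recovery plan: the first destroys the data on a mistyped passcode streak, and the second means a lost Configurator host also means no more local access to the device.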


I think two security related changes could be made to iOS that would benefit many people.

1) PIN/TouchID locking of contacts, like you can do with notes. Don't allow messages and emails to and from the contact to be decrypted from the encrypted store without authenticating, like you can now do with notes. Would help with securing communications with legal counsel or other privileged parties from being captured.

2) A "duress" PIN/TouchID registration; if I unlock my phone with a duress code or imprint my duress-coded fingerprint, reboot the phone (to look like it was a glitch-induced reboot) and present the PIN prompt again. Auto-wipe the phone if the duress code is given again this second time.


> if I unlock my phone with a duress code or imprint my duress-coded fingerprint, reboot the phone (to look like it was a glitch-induced reboot) and present the PIN prompt again. Auto-wipe the phone if the duress code is given again this second time.

If such a feature was commonplace, criminals would know about it and wouldn't be happy when they saw you activate it with your middle finger (I mean, who wouldn't use their middle finger to activate such a function!?) after they just threatened you enough to make you attempt to unlock your phone.


So you'd use the PIN. Then they get the metaphorical middle finger without seeing you use the real one.

Besides, no criminal cares about your phone being unlocked. They just want the phone. Well, I guess there are circumstances where a criminal wants information, but if they're the ones compelling you, you have other pressing issues that go beyond protecting information from unauthorized parties.

I'm talking about being compelled to unlock your phone by someone seeking information on it, either depriving you of due process or your civil liberties.


A criminal who is motivated to steal your phone under threat of violence is motivated to have you unlock the phone and disable 'Find My iPhone' or whatever the Android equivalent is. It considerably increases the resale value, since the phone can then be wiped and used with a new Apple ID.


Seems pretty niche for a luxury phone.


Ask anyone leaving or entering the US (or, indeed, any of several countries who may choose to screen phones upon entry/exit) if it's niche. I'd also submit that the iPhone is hardly a luxury item. I know that's a relative term - feature phones are luxury items in some regions of the world - but it's no yacht or Maserati or other such "luxury" item. Many, in fact, got their iPhone for free.


I thought I once read that, since Touch ID relies on fingerprints, a US court order can compel you to provide those, thus forcing you to unlock an iPhone in question.

This, as opposed to a passcode-only configuration, which a court order cannot compel you to give (I believe since this would fall in the category of 'forcing you to testify against yourself').

If that is indeed the case, I imagine it would make better sense to leave Touch ID disabled, unlike what this article suggests.


I leave it enabled, then power the phone off before interacting with The Man, like when going through customs. Touch ID is disabled on a fresh boot until you enter your passcode, so that basically turns it off temporarily. This is briefly mentioned in the article.

Another thing you could do is set it up with an unusual finger, like the middle-finger of your non-dominant hand. After five failed tries, Touch ID is disabled until you enter your passcode, so you can use the wrong finger five times when they ask you, and disable it that way. Say you're sweating too much or something (a common cause for real Touch ID failures for me).

It all depends on just how paranoid you are and what you want to defend against.


Having got sick of damp fingers blocking Touch ID I added my nose as one of the options. No more lockout during dish washing.


Are noses sufficiently different from one another that someone else's nose won't be able to unlock your device?


Can a US court order compel you to provide your nose print?


Someone needs to be the first to make the news for refusing to do so!


This works? Genius!


I did this so I can unlock my phone with my snowboarding gloves on. I can unlock with the nose and then press the texting app button with my nose to read texts.


Do we know if nose-prints are particularly unique? Or even unique in the context of how fingerprints are typically analysed?


I did this and then tested it against several friends and family. I could only unlock the phone about 75% of the time, but I never got a false positive after about 20 different tries over the next week or two (cleaning the sensor regularly, of course)


I'd guess probably not, but as a 'password' it might be suitably random if you only get 5 attempts.



Keep in mind this is strictly relevant to US jurisdiction. In Canada, I recall that you can be compelled by a court to give up a password, or be held in contempt. That being said, something like TouchID is irrelevant if the password is going to be forced out of you anyways.


This makes sense if you tell them that you know the password and refuse to give it, but what if you claim not to remember the password? Or claim never to have known it? What burden of proof is required then in order to be held in contempt?


They won't believe you and will lock you up until you remember?

Contempt of court can basically be a "get into jail indefinitely" card.

From the wiki: "The civil sanction for contempt (which is typically incarceration in the custody of the sheriff or similar court officer) is limited in its imposition for so long as the disobedience to the court's order continues: once the party complies with the court's order, the sanction is lifted."

It seems a judge can "choose" not to believe you. Whether they truly don't or not is another problem, but officially they can claim so. I am not sure if it takes another superior judge to get someone out of jail in that case or ... or just wait for the original judge to retire...


I would like two passwords. One that unlocks the phone, and one that wipes the entire device immediately.


This would be useful if you had information that would put you in jail for the rest of your life, and certainly should be something offered for users who need it. However, being held in contempt of court is no joke, and I can't imagine this would go over well if you tried it when compelled to unlock the phone.

Hidden containers similar to what TrueCrypt could do might take you farther in this regard. Self-destructing a hidden container should ideally not expose what you wish to protect and at least provide plausible deniability.


> If that is indeed the case, I imagine it would make better sense to leave Touch ID disabled, unlike what this article suggests.

It entirely depends on your threat model. If you are at hacker or tech conferences, TouchID is far better as it can't be shoulder surfed. If your threat model is nation-states, then you would take a different approach. As TFA says:

> Turn the phone off before entering any situation that might lead to you being coerced to use your fingerprint to unlock the phone.


If you never want Touch ID to work, you can just replace the home button in the phone. It's a security feature from Apple--a new home button will never work with Touch ID again.

It's not too difficult to swap a home button yourself with the right tools, or most stores will do it for ~$49 to $59 (depending on your iPhone model.)

If you have a store do it, definitely ask for your original home button back in case you change your mind later or sell your phone.


Just don't set up Touch ID?


Obviously, but if you're as security-minded as this article author is, I'd trust a hardware solution over a software solution. It's the difference between turning off your camera and actually unplugging your camera (for instance.)


Except, it's really not. If you've never set up Touch ID on the device, then there's no fingerprint for it to even compare to; it'd be impossible for it to authenticate.


Yeah, fuck Touch ID. In my opinion, a computer security feature that works when you are unconscious is not a computer security feature.


Talk about throwing out the baby with the bathwater. Being unconscious is a very rare use case for an iPhone. In other cases, having the protection provided by Touch ID beats a passcode, which is too inconvenient, so many would skip it and be left without ANY protection. Touch ID is basically transparent and provides adequate protection for common scenarios.


I would rather have no passcode than use Touch ID.


Instead of being vulnerable in some specific scenarios, you want to be vulnerable in a lot of common scenarios as well as the original ones?


Correct. I feel that Touch ID is security snake oil.


Related, are there any guides for securing a laptop for travel?


Nice guide. Just some other OPSEC stuff we have done for occasional problems in the field training human rights defenders and journalists (who needed specific solutions)...

You can always use a call relay. So you can give people one phone number that relays to your own real number (for voice calls), although a voice call is obviously more vulnerable than a Signal call etc.

Ditto, AFAIK there is the ability to set up a relay for SMS through an Android. I can't remember the app, but basically people could SMS that number and it relays to your real number.

Before people jump on me, yes, I am aware of the weaknesses of both of the above, but sometimes a specific type of threat model requires these two tricks. I recommend it unless you are aware of the trade-offs.


The OP has responded to questions on Twitter, including TouchID criticism, https://twitter.com/FiloSottile/status/750273921568485377


I was once mugged for a crappy Nokia feature phone. I had had a prepaid SIM for a long time. Very hard to replace (in Hungary) without losing the phone number. I managed to convince my muggers to let me take the SIM.

Ironically they got caught and I got the phone back.


https://xkcd.com/538/

Well, at least it prevents the thieves from doing more damage if it's stolen.


About turning off iCloud backup: You say that messages are being stored unencrypted. That may be true as we do not know what happens on Apple servers. But this is about securing the phone for traveling i.e. you would have to worry about the transport. And I would strongly guess that backup traffic would happen with http, probably with pinned certificates.


If I may ask, in what circumstances would one want to go this far in securing their travel phone? Is this meant to be for a "general trip somewhere", or something more specific?


I also like to power off/on my phone at airports. So that it will be on (which you have to show sometimes) but requires the passcode to unlock.


I would put extra emphasis on don't use wifi. Preferably ever.


I think it's acceptable to trust the cryptography used in a well-used VPN, such as OpenVPN.


I wonder how many people don't bother preloading CA/certs onto the .ovpn config and just allow whatever though..
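The worry above (a profile that carries no CA and never checks who the server is) can be checked mechanically before the profile goes on a travel phone. The following is an added example written for this thread, not code from the commenter or from the OpenVPN project. The directive names (`ca`, `remote-cert-tls`, `verify-x509-name`, `tls-auth`, `tls-crypt`) are real OpenVPN client options; the two sample profiles are constructed, with placeholder certificate text standing in for real PEM blocks.

```python
"""Audit an OpenVPN client profile (.ovpn) for missing server-authentication settings.

Added example for the HN thread; not the commenter's code and not OpenVPN project code.
The two profiles below are constructed samples with placeholder certificate material.
"""
import re

# Inline blocks such as <ca>...</ca> embed the material directly in the profile
# instead of referring to a separate file via "ca ca.crt".
_INLINE_BLOCK = re.compile(r"<(ca|cert|key|tls-auth|tls-crypt)>.*?</\1>", re.S)


def parse_ovpn(text):
    """Return (directives, inline_blocks).

    directives: dict mapping option name -> list of argument lists (one per occurrence)
    inline_blocks: set of option names that were supplied as <name>...</name> blocks
    """
    inline = {m.group(1) for m in _INLINE_BLOCK.finditer(text)}
    body = _INLINE_BLOCK.sub("", text)
    directives = {}
    for raw in body.splitlines():
        line = raw.strip()
        # OpenVPN treats lines starting with '#' or ';' as comments.
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives, inline


def audit_ovpn(text):
    """Return a list of findings; an empty list means the profile pins a CA,
    verifies the server role and name, and protects the control channel."""
    d, inline = parse_ovpn(text)
    present = set(d) | inline
    findings = []
    if "ca" not in present:
        findings.append("no CA configured: any certificate the far end presents is accepted")
    if not any(args[:1] == ["server"] for args in d.get("remote-cert-tls", [])):
        findings.append("missing 'remote-cert-tls server': another client cert from the same CA "
                        "could pose as the server")
    if "verify-x509-name" not in d:
        findings.append("no 'verify-x509-name': server identity is not bound to an expected name")
    if not ({"tls-auth", "tls-crypt"} & present):
        findings.append("no tls-auth/tls-crypt: control channel accepts unauthenticated packets")
    return findings


# Constructed sample: the "just allow whatever" profile the comment describes.
WEAK_PROFILE = """client
dev tun
proto udp
remote vpn.example.invalid 1194
# no ca, no remote-cert-tls: trusts whatever the far end presents
auth-user-pass
"""

# Constructed sample: the same profile with the CA and server checks preloaded.
HARDENED_PROFILE = """client
dev tun
proto udp
remote vpn.example.invalid 1194
remote-cert-tls server
verify-x509-name vpn.example.invalid name
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
<tls-crypt>
(constructed placeholder key)
</tls-crypt>
auth-user-pass
"""


def main():
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        findings = audit_ovpn(profile)
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)


if __name__ == "__main__":
    main()
```

Run it against a real exported profile by reading the file into `audit_ovpn`; a clean result only says the profile asks for these checks, it does not validate the CA certificate itself.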


Does any of this avoid the pitfall of a stingray device[1]? Is there any way to prevent 2G?

[1] https://epic.org/foia/fbi/stingray/


You can mitigate a downgrade to 2G by using a VPN and a VOIP app like Whatsapp or Viber. Call quality would be abysmal on EDGE. I haven't seen any stock configuration of iOS that permits you to disable 2G.

Using 3G or LTE wouldn't help someone trying to evade a state or higher law enforcement organization, since all they need to do is use the cellular provider's Lawful Intercept capability somewhere in the packet core, such as the GGSN (for metadata) or at a tower's next IP router (for call content).

I think the purpose of this guide was primarily for border crossings. Filippo almost certainly gets hassled at borders, as many security professionals do. His comment about the Great Firewall was more likely about accessing an unrestricted internet, and less as a phone call anti-surveillance measure.


No VPN? I'm using Freedome and I like it.


It's also an ultimate checklist of potential vector attacks.


I would have thought a rooted Android or Ubuntu phone would be more secure (done right).


Given that rooting an Android phone frequently involves turning off security features (for example, rooting a Nexus device entails unlocking the bootloader to accept an unsigned boot image), you're probably better off running a stock, unrooted firmware to make it easier to tell if things have been modified.

That's in addition to the added attack surface that the root itself provides once the phone's up and running. Yes, the SU app on the phone (whatever that is nowadays) is supposed to prompt for permission before granting an app root access, but are you sure that code's bug free? Or free of intentional backdoors?


You are correct, but you can still get around some of the warts involved if you want.

You can always lock the bootloader again after installing your ROM. Unlocking it will wipe the device again which is inconvenient for ROM updates etc, but if you're a trooper, you can do it. This inconvenience was pretty easily fixed with the open source bootunlocker[0] apk which allowed you to unlock and relock the bootloader once in rooted userspace, but sadly it doesn't work on anything newer than the original Nexus 5 due to security features in newer Android hardware. Manual unlocking, re-installation and boot re-locking is still possible.

The decryption password can be beefed up with adb from the terminal as well. There isn't a pretty gui for it, but that way you can get a strong safe encryption password and a short screen unlock pin. Unfortunately the two are tied iirc normally. Some would argue that having an organically strong password is safer than allowing the hardware to help beef up weak pins.

I'm sure there are other problems, sadly Google seems to look at privacy and security on Android as issues for later. And running anything besides a Nexus device is entirely less safe due to the toxic OEM/Google update environment.

[0] https://code.google.com/p/boot-unlocker-gnex/


Not that I disagree with what you've outlined, but to play devil's advocate:

Some security settings that pertain particularly to Android devices only (such as ADB, internal SSH server) can only be disabled if you use apps that require root [0]. Maybe if you assume you have a targeted attacker, and they have physical access, root seems like a very bad target. If you install malware that gains root access, doubly so. But if the user is intelligent enough to not install random, non-vetted apps, and to turn auto-updates off, then rooting may actually provide a security benefit here, because you can at least avoid blind network attacks.

I'll also say that if you choose to unroot after using SecDroid [0], then you may find it difficult if not impossible to root the phone again, as you won't be able to use ADB anymore. In any case, there's a lot of vulnerabilities in mobile phones, and you really have to pick and choose to see which ones you think will most likely affect you.

[0] https://github.com/x942/secdroid


You'd use your root access to make the changes you want, e.g. uninstall factory apps. Then, day-to-day, run as a non-privileged user.
