Reverse Engineering iOS 18 Inactivity Reboot

To me the biggest takeaway is that Apple is sufficiently paranoid to add this feature. Some people (like John Gruber) advocate for activating bio lockout at the border by squeezing the volume and power buttons. I would say if you’re the type of person who would do this, you should go one step further and power off.

Similarly, if you’re in a situation where you cannot guarantee your phone’s security because it’s leaving your possession, and you’re sufficiently worried, again, power off fully.

What do you do if you’re at the border and they demand both the physical device and the password?

Let’s assume “get back on the plane and leave” is not a viable option.

Burner phone

GrapheneOS duress password [1] and user profiles [2] are quite solid solutions for this scenario

[1] https://grapheneos.org/features#duress

[2] https://grapheneos.org/features#improved-user-profiles

Also, lockdown mode and pair locking your device. Pair locking iirc is how you protect against cellubrite type attacks

Doesn't the volume+power gesture transition into BFU, i.e. be equivalent to power-cycling?

That’s a significantly higher bar. It’s not foolproof though.

I believe in most countries, customs can inspect your luggage. They can’t force you to reveal information that they’re not even certain you have.

Under your situation, the best idea is to simply have a wiped device. A Chromebook, for example, allows you to login with whatever credentials you choose, including a near empty profile

> I believe in most countries, customs can inspect your luggage. They can’t force you to reveal information that they’re not even certain you have.

this isn't a very useful way to think about it.

they can definitely search your luggage, obviously, but the border guards/immigration officials/random law enforcement people hanging around/etc can also just deny non-citizens entry to a country, usually for any or no reason.

there's documented cases of Australia[0] demanding to search phones of even citizens entering the country, and the US CBP explicitly states they may deny entry for non citizens if you don't give them the password and while they can't deny entry to citizens, they state they may seize the device then do whatever they want to it[1].

0: https://www.theguardian.com/world/2022/jan/18/returning-trav...

1: https://www.cbp.gov/travel/cbp-search-authority/border-searc...

No. This is a myth, and while it does force you to enter your password instead of using biometrics on the next unlock, it is not the same as returning to BFU.

> I would say if you’re the type of person who would do this, you should go one step further and power off.

I'd travel with a different device, honestly. I can get a new-in-box android device for under £60 from a shop, travel with that, set it up properly on the other side, and then either leave it behind or wipe it again.

You say no.

Or, with GrapheneOS, you give them the duress password, on the understanding that you will have to set the device up from scratch IF you ever see it again.

From the link:

> GrapheneOS provides users with the ability to set a duress PIN/Password that will irreversibly wipe the device (along with any installed eSIMs) once entered anywhere where the device credentials are requested (on the lockscreen, along with any such prompt in the OS).

In a border interrogation scenario, isn't that just likely to get you arrested for destroying evidence?

If I had to guess, there must have been an exploit in the wild that took advantage of this. It sounds like it eliminates the oldest tools in one swoop. Which is pretty sweet

Depends on the border. In most democracies, and at most borders, and in most LE cases, there is a line between “destruction of my own property/data” and “destruction of evidence,” where the latter usually needs a court document notifying the subject of the potential charge of their requirement to preserve evidence (for example, a subpoena, or in some cases, a direct request to avoid spoliation).

The £60 burner sounds like a leader on the device security front. No way it could possibly be running an ancient version of android that is no longer getting security patches, or is hacked up to shit by the device manufacture to reskin it and install their vulnerable suite of bloatware, or built off of a base os and firmware flocked to by folks for its ease of being able to gain root access/root it and run whatever you want at the kernel level.

you can be forced to place your thumb on a sensor, or have the device held to your face.

you can't be forced to remember a password you "forgot"...

biometric authentication is not always your friend

Even without an exploit in the wild, having such a feature is critical for security. Otherwise any device that's seized by police can be kept powered on indefinitely, until firms like Cellebrite can find an exploit.

Don't carry a phone with you. You can always buy one after the airport.

It could be doing all that actually but you are not obliged to install all your apps on the burner, just the basic minimum.

There’s no guarantee your $1000 flagship isn’t doing that either.

I chose it because it’s a mainstream provider (Nokia) readily available running a supported version of android (12).

If you want to install a custom rom, you can get an older flagship (galaxy s9) and flash it for about the same price.

My point is if your threat model is devices seized at border, then a burner phone is far more suitable for you than a reboot.

If that's in your threat profile, you should not be traveling with a phone. If this is a real threat for you, no amount of hardware/software security will beat a wrench: https://xkcd.com/538/

> advocate for activating bio lockout at the border

This is a terrible idea. When you're crossing a border you have to submit to the rules of entry. If one of those rules is that you let them create an image of your phone with all of its contents, that's the rule. If you say no, then, if you're lucky, you get to turn around and return to where you came from. If you're not lucky, then you get to go to jail.

What needs doing is the ability to make a backup then a way to reconcile the backup at a later date with the contents of a device. That is, I should be able to backup my phone to my home computer (or cloud I guess) and then wipe my phone or selectively delete contents. Then I travel abroad, take photos and movies, exchange messages with people, and so on. Then when I get home I should be able to restore the contents of my phone that were deleted without having to wipe all the new stuff from the trip.

Theory. This is not how things work in practice, even in "democracies". Speaking as a person who has been harassed at the US border from Canada many times, I've learned it depends more on how the border agent "feels" about you. These people are often uneducated bullies who don't know or don't care about the law anyway. And if you start objecting on some legal basis, they can legally make things a LOT harder for you, including simply denying entry for no reason (yes, they have such a right). Better to cooperate rather than give the appearance of "destroying evidence" (even if completely legal) or you're in for a world of hurt if you got the wrong guy.

You're still walking around with a microphone and gps tracker connected to a cellular network even if the only thing you do is power it on

levels of trust. I have more trust in the largest most heavily scrutinized device manufacture making an attempt at security than I do with a rando burner device reseller. To be clear, I don't trust either fully, but one has way less trust than the other

Wella, if you are a "normal person" with actually nothing to hide, yes, cooperating as much as you can is probably the best thing to do. But if you are some "special person" (activist, journalist, diplomat etc) wiping out everything might be your best option.

The whole point of a burner is that you don’t trust it. You only store what you absolutely need to store on there, if anything, and basically assume it’s compromised the second it leaves your sight.

The advantage of a burner phone is that it can’t contain anything important, because you’ve never put anything important on it, or connected it to any system that contains important data. So it doesn’t really matter if it’s compromised, because the whole point of a burner, is that it’s so unimportant you can burn it the moment it so much as looks at you funny.

I have a solution to that problem that works 100% of the time:

I don't leave the US.

> you can't be forced to remember a password you "forgot"...

No, but the border agents also aren't required to let you into the country. (Generally unless you are a citizen.)

So border agents are very different than general laws of the country because while there may be legal protections about what they may be able to force you to do there are much less protections about when you have the right to pass the border (other than entering countries where you are a citizen).

I never said anything about crossing a border. I said nobody can force you to remember something, for any reason, border crossing or otherwise

I don't think there is a technological solution for this unless you have some sort of sleight-of-hand. Typically, border agents of countries with lots of transit do not stop people for very long. Some other countries (North Korea, perhaps) might put everyone through the wringer because they do not have a lot of crossings. If a border agent of a relatively free country is stopping you, they probably have some suspicion, in which case it is best to not be holding evidence in your hand.

There are steganographic methods to hide your stuff. You can also use burners on either side of the border crossing and keep your main line clean. But bringing a device full of encrypted data (even if it's just your regular photo collection) that you refuse to unlock will probably be suspicious.

I know that there are times when there are no reasons for suspicion and people get stopped anyway. The border agent didn't like your look, or racism, or an order came down from on high to stop everyone from a particular country and annoy them. If that's the case, it's probably still best to not have a lot of incriminating evidence on your person, encrypted or not.

2 out of 3 people in the US live within U.S. Customs and Border Protection jurisdiction, where border agents can search without warrant if they determine they have "reasonable suspicion."

Additionally, SCOTUS ruled in 2022 (Egbert v Boule) that someone who has had their Fourth Amendment rights violated by CBP agents are not entitled to any damages unless Congress clearly defines a punishment for the violation by a federal agent.

If that's your threat model, don't carry ANY phone. Probably best not to carry any modern electronic device at all.

True, that's ridiculous. But luckily I am one of the 1 out of 3.

Something a lot of people don't really consider is that people who are doing things that could get them unwanted attention, they wouldn't have incriminating evidence on any device, burner or otherwise. So the theoretical ways around not getting busted, like using a burner, are for movie villains and bond type secret agents. Real criminals (smart ones anyway) aren't conducting anything important over any network, be it ip, telephony, morse code, smoke signal, or otherwise, regardless of the burn-ability of the device they would be using to do so

Real criminals who don't want to be caught don't carry phones for this exact reason.

Sometimes the alternative blows up in your face though.

With all due respect. I used to think that only Boomers and anonymous Youtube edge lords repeated the "if you have nothing to worry about, comply!" nonsense.

You surprised me today.

The £60 burner isn’t a rando reseller of a shitty no name phone, it’s one of the largest phone retailers in the Uk selling a low end android device that’s fully supported. So you have that option. If you want a brand new different device you have the option too, but it’ll cost you more.

If your threat model is “I think my provider and a nation state are colluding to target me” you probably wouldn’t be posting on HN about it.

That’s why I chose a low end mass market smartphone as my example.

My wife works for the government in a low level role that involves some amount of travel to local authorities (other major areas in Scotland). She has a phone, and strict instructions to never carry it across the border ofmany countries (as a blanket policy). They’re told they’ll be provided a device for travelling and not to install any work apps on it. It’s basic security - don’t travel with information that you can lose control over.

You’re worried about this with your original phone too, right? That has nothing to do with being a burner.

I didn't say that at all. What I mean is that if you are, let say, on a leisure trip or to meet your family, the last thing you want is to be sent back were you came from or put 2 days into custody because you valued more the privacy of your phone content.

Now, if you do it, hat off, and even more if you can hire a lawyer and get justice done, but in that case you definitely are not "a normal person".

> I believe in most countries, customs can inspect your luggage. They can’t force you to reveal information that they’re not even certain you have.

They can. And if you refuse, they can do a lot of very unpleasant things to you. It might against the local law, but it wouldn't really matter in a lot of countries.

Too soon