Most active commenters

    ←back to thread

    Reverse Engineering iOS 18 Inactivity Reboot

    (naehrdine.blogspot.com)
    511 points moonsword | 22 comments | 17 Nov 24 21:50 UTC | HN request time: 0.91s | source | bottom
    Show context
    Shank ◴[18 Nov 24 09:31 UTC] No.42170993[source]
    To me the biggest takeaway is that Apple is sufficiently paranoid to add this feature. Some people (like John Gruber) advocate for activating bio lockout at the border by squeezing the volume and power buttons. I would say if you’re the type of person who would do this, you should go one step further and power off.

    Similarly, if you’re in a situation where you cannot guarantee your phone’s security because it’s leaving your possession, and you’re sufficiently worried, again, power off fully.

    replies(6): >>42171295 #>>42171375 #>>42171383 #>>42171541 #>>42172129 #>>42173509 #
    1. phinnaeus ◴[18 Nov 24 10:48 UTC] No.42171295[source]
    What do you do if you’re at the border and they demand both the physical device and the password?

    Let’s assume “get back on the plane and leave” is not a viable option.

    replies(7): >>42171300 #>>42171336 #>>42171441 #>>42171689 #>>42172174 #>>42172240 #>>42172539 #
    2. mzhaase ◴[18 Nov 24 10:49 UTC] No.42171300[source]
    Burner phone
    3. cherryteastain ◴[18 Nov 24 10:57 UTC] No.42171336[source]
    GrapheneOS duress password [1] and user profiles [2] are quite solid solutions for this scenario

    [1] https://grapheneos.org/features#duress

    [2] https://grapheneos.org/features#improved-user-profiles

    replies(1): >>42171723 #
    4. wepple ◴[18 Nov 24 11:19 UTC] No.42171441[source]
    That’s a significantly higher bar. It’s not foolproof though.

    I believe in most countries, customs can inspect your luggage. They can’t force you to reveal information that they’re not even certain you have.

    Under your situation, the best idea is to simply have a wiped device. A Chromebook, for example, allows you to login with whatever credentials you choose, including a near empty profile

    replies(2): >>42171506 #>>42188878 #
    5. bananapub ◴[18 Nov 24 11:31 UTC] No.42171506[source]
    > I believe in most countries, customs can inspect your luggage. They can’t force you to reveal information that they’re not even certain you have.

    this isn't a very useful way to think about it.

    they can definitely search your luggage, obviously, but the border guards/immigration officials/random law enforcement people hanging around/etc can also just deny non-citizens entry to a country, usually for any or no reason.

    there's documented cases of Australia[0] demanding to search phones of even citizens entering the country, and the US CBP explicitly states they may deny entry for non citizens if you don't give them the password and while they can't deny entry to citizens, they state they may seize the device then do whatever they want to it[1].

    0: https://www.theguardian.com/world/2022/jan/18/returning-trav...

    1: https://www.cbp.gov/travel/cbp-search-authority/border-searc...

    6. ThePowerOfFuet ◴[18 Nov 24 12:06 UTC] No.42171689[source]
    You say no.

    Or, with GrapheneOS, you give them the duress password, on the understanding that you will have to set the device up from scratch IF you ever see it again.

    7. andyjohnson0 ◴[18 Nov 24 12:14 UTC] No.42171723[source]
    From the link:

    > GrapheneOS provides users with the ability to set a duress PIN/Password that will irreversibly wipe the device (along with any installed eSIMs) once entered anywhere where the device credentials are requested (on the lockscreen, along with any such prompt in the OS).

    In a border interrogation scenario, isn't that just likely to get you arrested for destroying evidence?

    replies(1): >>42172146 #
    8. verandaguy ◴[18 Nov 24 13:33 UTC] No.42172146{3}[source]
    Depends on the border. In most democracies, and at most borders, and in most LE cases, there is a line between “destruction of my own property/data” and “destruction of evidence,” where the latter usually needs a court document notifying the subject of the potential charge of their requirement to preserve evidence (for example, a subpoena, or in some cases, a direct request to avoid spoliation).
    replies(1): >>42173663 #
    9. wutwutwat ◴[18 Nov 24 13:37 UTC] No.42172174[source]
    you can be forced to place your thumb on a sensor, or have the device held to your face.

    you can't be forced to remember a password you "forgot"...

    biometric authentication is not always your friend

    replies(1): >>42175220 #
    10. ReptileMan ◴[18 Nov 24 13:46 UTC] No.42172240[source]
    Don't carry a phone with you. You can always buy one after the airport.
    11. thesuitonym ◴[18 Nov 24 14:27 UTC] No.42172539[source]
    If that's in your threat profile, you should not be traveling with a phone. If this is a real threat for you, no amount of hardware/software security will beat a wrench: https://xkcd.com/538/
    12. myflash13 ◴[18 Nov 24 16:02 UTC] No.42173663{4}[source]
    Theory. This is not how things work in practice, even in "democracies". Speaking as a person who has been harassed at the US border from Canada many times, I've learned it depends more on how the border agent "feels" about you. These people are often uneducated bullies who don't know or don't care about the law anyway. And if you start objecting on some legal basis, they can legally make things a LOT harder for you, including simply denying entry for no reason (yes, they have such a right). Better to cooperate rather than give the appearance of "destroying evidence" (even if completely legal) or you're in for a world of hurt if you got the wrong guy.
    replies(2): >>42174899 #>>42175199 #
    13. darkwater ◴[18 Nov 24 17:51 UTC] No.42174899{5}[source]
    Wella, if you are a "normal person" with actually nothing to hide, yes, cooperating as much as you can is probably the best thing to do. But if you are some "special person" (activist, journalist, diplomat etc) wiping out everything might be your best option.
    replies(1): >>42178549 #
    14. seanw444 ◴[18 Nov 24 18:16 UTC] No.42175199{5}[source]
    I have a solution to that problem that works 100% of the time:

    I don't leave the US.

    replies(1): >>42176073 #
    15. kevincox ◴[18 Nov 24 18:17 UTC] No.42175220[source]
    > you can't be forced to remember a password you "forgot"...

    No, but the border agents also aren't required to let you into the country. (Generally unless you are a citizen.)

    So border agents are very different than general laws of the country because while there may be legal protections about what they may be able to force you to do there are much less protections about when you have the right to pass the border (other than entering countries where you are a citizen).

    replies(2): >>42175342 #>>42175949 #
    16. wutwutwat ◴[18 Nov 24 18:26 UTC] No.42175342{3}[source]
    I never said anything about crossing a border. I said nobody can force you to remember something, for any reason, border crossing or otherwise
    17. projektfu ◴[18 Nov 24 19:26 UTC] No.42175949{3}[source]
    I don't think there is a technological solution for this unless you have some sort of sleight-of-hand. Typically, border agents of countries with lots of transit do not stop people for very long. Some other countries (North Korea, perhaps) might put everyone through the wringer because they do not have a lot of crossings. If a border agent of a relatively free country is stopping you, they probably have some suspicion, in which case it is best to not be holding evidence in your hand.

    There are steganographic methods to hide your stuff. You can also use burners on either side of the border crossing and keep your main line clean. But bringing a device full of encrypted data (even if it's just your regular photo collection) that you refuse to unlock will probably be suspicious.

    I know that there are times when there are no reasons for suspicion and people get stopped anyway. The border agent didn't like your look, or racism, or an order came down from on high to stop everyone from a particular country and annoy them. If that's the case, it's probably still best to not have a lot of incriminating evidence on your person, encrypted or not.

    18. iAMkenough ◴[18 Nov 24 19:38 UTC] No.42176073{6}[source]
    2 out of 3 people in the US live within U.S. Customs and Border Protection jurisdiction, where border agents can search without warrant if they determine they have "reasonable suspicion."

    Additionally, SCOTUS ruled in 2022 (Egbert v Boule) that someone who has had their Fourth Amendment rights violated by CBP agents are not entitled to any damages unless Congress clearly defines a punishment for the violation by a federal agent.

    replies(1): >>42177259 #
    19. seanw444 ◴[18 Nov 24 21:28 UTC] No.42177259{7}[source]
    True, that's ridiculous. But luckily I am one of the 1 out of 3.
    20. F7F7F7 ◴[18 Nov 24 23:47 UTC] No.42178549{6}[source]
    With all due respect. I used to think that only Boomers and anonymous Youtube edge lords repeated the "if you have nothing to worry about, comply!" nonsense.

    You surprised me today.

    replies(1): >>42188485 #
    21. darkwater ◴[19 Nov 24 21:51 UTC] No.42188485{7}[source]
    I didn't say that at all. What I mean is that if you are, let say, on a leisure trip or to meet your family, the last thing you want is to be sent back were you came from or put 2 days into custody because you valued more the privacy of your phone content.

    Now, if you do it, hat off, and even more if you can hire a lawyer and get justice done, but in that case you definitely are not "a normal person".

    22. golergka ◴[19 Nov 24 22:44 UTC] No.42188878[source]
    > I believe in most countries, customs can inspect your luggage. They can’t force you to reveal information that they’re not even certain you have.

    They can. And if you refuse, they can do a lot of very unpleasant things to you. It might against the local law, but it wouldn't really matter in a lot of countries.