Going NuclearProgrammatic Protections Against Extreme Vetting, Social Pressures, and Coercion

Cara Marie & Andy Grant Enigma 2018

DISCLAIMER #1All thoughts and opinions expressed are our own and are not endorsed by,

nor do they represent the thoughts and opinions of our employers.

Why Are We Here?

Device Searches Increased by Approximately 60%– technically 58.5129%

Out of ~400 million visitors

U.S. Customs And Border ProtectionCBP Directive No. 3340-049A

Subject: Border Search of Electronic Devices

What’s in an Encrypted Backup?

● Keychain Database○ Application Passwords○ Session Tokens

● Application Data○ Social Media Account Data○ Banking Data○ Images/Videos

● Location Data● Phone Data

○ Contacts○ Voicemails○ Text (& Sext!) Messages

Cellebrite Extraction Report Excerpt

UNMITIGATED PERPETUAL

ACCESS TO YOUR DIGITAL LIFE

BUT WAIT

It’s not 1984, yet...

Network Access Is Disabled

Network Access Is Disabled

1. Prevents MDM and other recovery solutions from remote wipe

2. Doesn’t prevent future cloud access (cause backups)

Misleading...

Applications Cache Data

Previously downloaded data is still accessible even when

network access has been disabled

WHAT ABOUT THE 4TH?!?

5.1.3 Basic Search. Any border search of an electronic device that is not an advanced search, as described below, may be referred to as a basic search. In the course of a basic search, with or without suspicion, an Officer may examine an electronic device and may review and analyze information encountered at the border, subject to the requirements and limitations provided herein and applicable law.

CBP Directive No. 3340-049A

5.1.4 Advanced Search. An advanced search is any search in which an Officer connects external equipment...to review, copy, and/or analyze its contents. In instances in which there is reasonable suspicion...or in which there is a national security concern...an Officer may perform an advanced search of an electronic device.

DUE PROCESSWe aren’t trying to prevent law enforcement from doing their job.

Move the Conversation Forward...

...since it’s currently stalled...

Digital Privacy Protections While Traveling

MULTIPLE USERS

CONFIGURATOR 2

BURNERS

Upload images to

the cloud

Download images and

reimage devices

(optional)

Revert device to factory

settings and install only

what’s needed for travel

1

2

3

Clean Device 101

We should have more options

WE CAN DO BETTER

DISCLAIMER #2We are not legal experts, but did consult lawyers during the creation of each PoC.

While these solutions and PoCs can be applied elsewhere, we caution the audience to do their own research (and consult your own legal experts) prior to using these solutions and PoCs to

cross a border or oppose law enforcement.

We structure them as individual solutions since that’s the best way we found to demonstrate them, but these should ideally be implemented by OEMs and service providers.

Dead Man’s Switch

● Programmatic wipe of device○ NOT an MDM solution○ Does not rely on a network solution

(entirely local to the device)● Automatically wipes device if connected while

unlocked (when enabled)● Password protected functionality

CAUTION! EXTREME MEASURE

B-PR (Beyond Password Reset)

Text one-time

password

Change passwords to randomly

generated passwords

Passwords are then

stored, encrypted,

on cloud storage

Enduser has no access

to decrypt at that time

DEMO

http://www.youtube.com/watch?v=eHH4mEFvoXQ

WE MUST DO BETTER

In offering user-friendly traveling privacy protections

Resourceshttps://github.com/nccgroup/escalating-measures

cara@datadoghq.com@bones_codes

andy.grant@nccgroup.trust@andywgrant

Resources

● Digital Privacy at the U.S. Border: Protecting the Data On Your Devices and In the Cloud

● Protecting Data at the Border Act● 34C3: Protecting Your Privacy at the

Border

Tools

● 1Password● Apple Configurator 2● Dead Man’s Switch● usbkill ● B-PR

Android

● How to enable multiple user accounts on an Android smartphone

● How to Hide Apps from Android’s App Drawer with Nova Launcher

iOS

● Personal International Infosec● Counter-Forensics: Pair-Lock Your Device

with Apple’s Configurator● Reduced Annoyances and Increased

Security on iOS 9: A Win Win!