Duress Codes for Fingerprint Access Control

Mike Specter has an interesting idea on how to make biometric access-control systems more secure: add a duress code. For example, you might configure your iPhone so that either thumb or forefinger unlocks the device, but your left middle finger disables the fingerprint mechanism (useful in the US where being compelled to divulge your password is a 5th Amendment violation but being forced to place your finger on the fingerprint reader is not) and the right middle finger permanently wipes the phone (useful in other countries where coercion techniques are much more severe).

Tags: , , , ,

Posted on January 26, 2017 at 2:03 PM65 Comments

Comments

Wael January 26, 2017 2:18 PM

Wait until @Thoth reads this. I’m sure he’ll say a thing or two (after he changes his pants.) lol !

Matt G-L January 26, 2017 2:24 PM

Would utilizing such a feature make you liable for obstruction of justice?

That might or might not be preferable to anything you might be charged with (or other personal embarrassment or other costs) based on what’s on the phone…

The wipe variant seems really dangerous to usability given how easy it is to accidentally tap a finger on the sensor while pulling your phone out of your pocket…

Wael January 26, 2017 2:31 PM

Mike Specter has an interesting idea on how to make biometric access-control systems more secure

The idea isn’t new. Not at all!

Alan January 26, 2017 2:32 PM

Wiping a phone would probably get you charged with obstruction of justice, and be used as evidence of guilt in whatever underlying crime is being investigated. You have to either not put sensitive info on the phone in the first place, or hide it so there’s no way to tell it has been wiped.

Tinfoil 2.0 January 26, 2017 2:39 PM

This idea has been around for at least a couple of years. It would be great to have highly configurable duress fingers with various outcomes possible (require passcode, wipe, show alternate partition), but Apple would probably never do all of that due to UX complexity.

Wael January 26, 2017 2:40 PM

Aaaaand there are additional supporting ideas and mechanisms that we haven’t discussed either. You know, would be nice if they stick some of our names on these research papers. I mean what’s the purpose of Schneier’s Obelisk” that’s been saving recorded ideas for time immemorial! [1]

Duress codes are a small thread in a piece of fabric.

[1] I won’t say anything about the fellow who’s been engraving parables on the obelisk for 734 years 🙂

Dirk Praet January 26, 2017 2:52 PM

@ Matt G-L

The wipe variant seems really dangerous to usability given how easy it is to accidentally tap a finger on the sensor while pulling your phone out of your pocket…

Which can easily be remedied by a requirement for keeping the button pressed for several seconds. It’s hardly an innovative idea. @Thoth here has been developing his own OpenPGP smart card self-destruct code.

The real question is rather why it hasn’t been impemented yet.

@ Alan

Wiping a phone would probably get you charged with obstruction of justice, and be used as evidence of guilt in whatever underlying crime is being investigated.

Not necessarily. The wipe could be set up to be done in a selective way erasing only data previously marked to be erased – including reconfiguration of the wipe finger – , leaving you plausible deniability in a court of law.

vas pup January 26, 2017 3:17 PM

@Alan • January 26, 2017 2:32 PM
Alan, can you explain the concept of obstruction of justice in criminal case versus civil case in plain English?
Since 5th applied to criminal cases only, could defendant be compel by the court in civil case to disclose password on electronic device where information related to civil case stored? E.g. when rape case in criminal court, then 5th, but in US victim even when defendant was founded not guilty in a criminal case, could file for civil case on the same event. Then, if defendant delete all information just after criminal trial altogether could it be considered obstruction of justice for civil trial? My point is that when you have in law concept which is not clear for general Joe/Jane, but applies to them on regular bases you create slippery slope of selective justice (aka discrimination – on what basis not important).

Scott January 26, 2017 3:19 PM

@Dirk
Yes, you want it selective, so the people investigating a human rights journalist are left with a device that has “stuff” on it, but nothing related to anything they’re interested in.
One concern would be things that are numbered, like the filenames of pictures from an iPhone. If all the photographs of human rights violations are wiped there would be suspicious gaps, and those missing pictures wouldn’t be recoverable even using the best forensic tools. The wiping would have to renumber everything that’s numbered to avoid the gaps.

Greg January 26, 2017 3:21 PM

Trivial to “defeat”…

present the suspect with a phone dressed up to look indistinguishable from theirs. Ask to unlock.

Note which finger they use.

Now force them to attempt to unlock their actual phone, but trying all other 9 fingers first.

So now you have to make it so that 9 of your fingers wipe the phone, and only one unlocks.

You have a one in nine chance they’ll manage to unlock the phone without wiping.

My Info January 26, 2017 3:27 PM

The trouble is that by the time we need “duress codes” for fingerprint access control, our enemy already has a pair of pruning shears ready to cut off said fingers.

Wael January 26, 2017 3:52 PM

Savvy LEOs will clone the phone first. Duress codes are less effective then without additional “things”. The state of evidence must be preserved. That is what I would do if I were a spook. It’s not like they aren’t aware of duress codes!

There was also a recent thread (can’t find it now) in which an LEO would slither behind a subject and snatch the phone from them once it’s unlocked.

Wael January 26, 2017 4:11 PM

@Douglas Fairbank Jr,

I like the symbolism of the middle finger

Sweet! Do the following next time you’re under “duress”…

LEO: Scan a phinger
Victim: what’s this?
LEO: I don’t know!
Victim: It’s this, encrypted!
LEO: pretty good, melikesit!

Later on, in the police station…

LEO: what happens if you add ‘n’ to your “Duress” code and rearrange the letters?
Victim: I don’t know!
LEO: Undress! Strip, little sh*t! Who’s laughing now?

Joe Random January 26, 2017 4:21 PM

How about the duress code doesn’t signal that anything’s wrong? E.g., for a phone, just unlock to a different user, or keep the important apps and data hidden?

Fred P January 26, 2017 4:47 PM

@vas pup- your last point is why the common response to legal problems is that “you need a lawyer” – who will presumably either already know this stuff, or be able to figure it out quickly and reasonably accurately.

“…a defendant intended to intefere with an official proceeding, by doing things such as destroying evidence, or intefering with the duties of jurors or court officers.” Source: https://www.law.cornell.edu/wex/obstruction_of_justice (misspellings in original)

Text of the relevant (federal) statute: https://www.law.cornell.edu/uscode/text/18/part-I/chapter-73

The subsection: https://www.law.cornell.edu/uscode/text/18/1519

The relevant text: “Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.”

I am not a lawyer. I have no expertise in this area of law. Any legal claims I make may not apply to your jurisdiction, and may have case law I am entirely unaware of that substantially modifies the application of the statute I’m talking about.

Clive Robinson January 26, 2017 5:00 PM

@ Wael,

The idea isn’t new. Not at all!

You myself and others of the usuall suspects have talked at length about it.

And if you want to go back to the mists of time I argued the point with one of the researchers[1] over at the UKs Cambridge Labs on their light blue touch paper blog when he appeared in capable of grasping the point.

[1] Hi Richard, I hope you are well.

contributor January 26, 2017 5:12 PM

Wanted to point out that you can implement such a system out of box with an Apple iPhone today… The way you can do this is by using one thumb as your credential for TouchID and reserving another thumb or finger for duress as stated.

By default, if you use the thumb of finger reserved for duress 5 times, Touch ID will automatically disable forcing the user to enter a passcode. I tried this myself and it works OK.

It’s not ideal for deniability purposes, but chances are that under duress you’ll be able to disable Touch ID faster than the attacker will notice and by the time they notice the only way to unlock the phone will be by what’s in your head.

Good luck.

Dirk Praet January 26, 2017 5:26 PM

@ Scott

The wiping would have to renumber everything that’s numbered to avoid the gaps.

It’s clear some serious functional analysis and design would need to be done. Perhaps even opening up the API, but that would fast become an attack surface for ransomware writers.

@ Wael

Savvy LEOs will clone the phone first.

First rule of any DFIR operation. As usual, one’s actions will depend on the adversary/threat model, and in which use of a duress code should be only one of several options available.

@ Greg

present the suspect with a phone dressed up to look indistinguishable from theirs. Ask to unlock. Note which finger they use.

Good thinking. See my previous remark to @Wael.

@ Contributor

By default, if you use the thumb of finger reserved for duress 5 times, Touch ID will automatically disable forcing the user to enter a passcode.

You need to assume that your adversary will find a way to make you give up the password, either legally (e.g. UK, US) or by using the proverbial $5 wrench.

Clive Robinson January 26, 2017 5:28 PM

@ Bruce,

The idea of a duress code/key/finger and similar “Dead Mans switch” have been talked about and they are a bad idea due to legal sanctions.

It’s something @Nick P and myself discussed some years ago on this blog when looking at crossing boarders.

More recently (past few days) I’ve been discussing it in a different way with @Wael with regards extending the “something you know” authentication factor past the limits of “technical measures” that are available to LEO’s and similar.

Currently the “something you know” is thought of as a passphrase/word which is generally hard for the human mind. Thus I’ve been considering adding other sub factors of geolocation and temporal –a place and a time– which is much easier for the human mind to remember, and add a very significant work factor to any technical measures.

The idea being that a user simply has to say nothing as is their right and the device locks by forgetting the decryption key used in the White Box crypto.

The second part is a key recovery mechanism which is outside the current jurisdiction and uses the likes of shared secrets held in a number of other sovereign states that are unlikely to cooperate with the jurisdiction you are in.

A third part is to change the way people think about how they use a device. That is if your fingerprint is used to unlock a decryption key, how short a time does it need to have the key unlocked?. The answer is just long enough for a single file to be unlocked, which is milliseconds.

Further how many keys need to be kept unlocked? The answer is only the key for the open file. Thus using a different key for every object generated only when needed means that even if the phone was grabbed what is available to the LEO is only the objects that have been opened.

There’s a bit more behind it but the above two points are the seeds a furtile mind requires.

Dirk Praet January 26, 2017 5:51 PM

@ Clive

The idea being that a user simply has to say nothing as is their right and the device locks by forgetting the decryption key used in the White Box crypto.

I’m not entirely sure what you mean by this. Aren’t we assuming that you can be made to say/give your passphrase?

Thoth January 26, 2017 6:02 PM

@all

Wow. I woke up and the first thing I saw is this. Someone must have been reading the posts here and copying our ideas. Do a search and there will be a few times I talked about duress fingerprints in the past besides duress PINs and pribably others like @Clive Robinson have mentioned as well in the past.

@Clive Robinson

Is it just coincidence or maybe I strongly suspect someone is lifting our ideas without saying a thank you ? Either way, they are free to use our work since we havd dedicated our ideas for public free use by putting them in the public domain. Also, using alternative fingerprints as duress codes (i.e. little or middle finger prints) would be too obvious. Back to using PINs, duress PINs and multi factors as usual.

Thoth January 26, 2017 6:22 PM

@all

Obstruction of justice must be provable. If you implement the duress feature in a way someone can dump the data from the device and present a convincing measurement that the wipe has occured, than that kind of duress function is very easy to bypass and pretty useless.

My variant of duress wiping feature takes into the account of a Secure Enclave in the form of tamper resisting smart cards holding crypto keys for encrypted data and by losing it, it cannot be detected because the secure key storage uses a tamper resisting smart card. If the LEOs wants to attempt to decap the smart card with a unique secret key, they are bound to fail hard since assuming the key is unique and the destructive nature of a physical decap, the are unlikely to get the unique keys which makes it suitable for duress functionalities.

For higher level of protection, a duress PIN or feature would not suffice and this is where multi factor auth with secret sharing comes in.

If you are looking to implement a PGP smart card and simply have moderately high security, it should suffice to use a smart card protected with self destruct codes and some other confusing features to confuse attackers. If you want to protect something exceedingly important, use the secret share and trusted courier method as we habe discussed before.

To conclude, it is nice having duress functionalities but the functionalities should be applied in a manmer that it should look unchanged on the surface thus the necessity of executing the security critical stuff in a Secure Enclave in the form of a smart card or at least inside a TrustZone capable partition which is very common modern smart phones despite me disliking the TrustZone stuff these days.

Wael January 26, 2017 6:38 PM

@Clive Robinson,

decryption key used in the White Box crypto.

WBC is better than nothing, but it’s not known to be a proven mechanism of protection (formal proof.) Consider it a last resort control to be used under special circumstances. Given enough time (less than the number of atoms in the universe, of course), a competent person or team can break it. I haven’t seen a work factor estimation of breaking various forms of WBC.

By the way, in the case of WBC, forgetting the key isn’t an easy option! The key is frequently some code (as in programming instructions) in the code segment. So self modifying code maybe the likely choice to “forget a key”.

@Dirk Praet,

one of several options available.

Right on, Bro! Some of these methods need to be unadvertised, too. Like for example 🙂 … um having the data reside elsewhere in an obfuscated / encrypted with key-split methods, and scattered across various servers.

You myself and others of the usuall suspects have talked at length about it.

I have an idea! Next time MIT grabs an idea from here, we force them to take another idea! This isn’t a cafeteria blog where you pick only what you like! You gotta take the good and the bad, dawg! So they must take this idea:

They need to build a big statue of salt on their campus that resembles Lot’s wife. Every time someone from there copies and idea from here, (and I’m not claiming they did — we’re being cutsie) then @Bruce will make sure they eat a piece of her for breakfast. A saltlick, if you will. What’s wrong with taking that idea? And that’s for the first ophense! A second ophense… something a little more substantial will need to be done: @Clive Robinson will need to mix a nice drink for them to go along with the saltlick. Knowing @Clive Robinson, he’ll probably concoct a drink with “naked protons”! Fluoroantimonic “juice” comes to mind.

neill January 26, 2017 7:00 PM

as with all biometrics, this could be disabled easily … the accused could just create papercuts on his finger, or ‘chew’ the skin off a bit …

(you would be able to re-create his fingerprint via photoshop or databases)

Wael January 26, 2017 7:02 PM

@Anura,

it’s taking an existing idea and just making it fingerprints instead of passwords:

It can be viewed that way. Depends how good your patent attorney is, and how well the password patent was written!

contributor January 26, 2017 7:02 PM

@ Dirk Praet

To Bruce’s original point, there is varying usefulness in implementing a duress response on your device.

I believe the general premise here is that the 5th Amendment protects U.S. citizens from being compelled to provide their password and a duress code that triggers either disablement of biometrics or forcibly erases data is useful depending on the circumstance.

That isn’t to say that 5th Amendment rights aren’t bent or broken now and then on various levels or that consequences (negative or positive) don’t arise out of saying nothing.

Nonetheless, it remains both a constitutional right and really an inherent human right to say nothing if one wills it or believes that they are being compelled to incriminate themselves during an investigation.

I suppose it’s up to the individual to weigh the costs and benefits of such self-defense given a particular circumstance. Both innocents and criminals likely have the same goals to maintain their life, liberty and property when they are threatened by an authority. Since innocents and criminals actually begin on the same level during an investigation, this is really why such protections are critical to self-preservation. In thinking about this, I realize the ratio of suspects to criminals must be huge in society in general, therefore protecting ones innocence is paramount to any sound justice system and seems to be a much needed tradeoff to criminals exploiting the rights to meet their goals.

Security tradeoffs vary-all day. Whether you’re facing handcuffs or a baton, it’s good to have options. 😉

El Aura January 26, 2017 7:32 PM

If an action that switches the phone to requiring the passcode can be considered obstruction of justice, wouldn’t then simply powering down your phone already be illegal?

Tõnis January 26, 2017 9:40 PM

Americans need to grow some balls and brush up on their civics while they’re at it. Imagine going through life in your “land of the free” worrying about “obstruction of justice” nonsense because you wiped your phone or refused to divulge your password when ordered to by an attorney in a black dress. I’m an American, and I stand ready to serve as a juror, to nullify all bad law by voting “not guilty,” to send an accused home when it’s clear that he’s being served up a trial-by-government (which is probably most of the time). I used to say that I would reserve this option for defendants charged with non-violent offenses where no one actually got hurt, but I’m losing my patience with judicial sophistry and the legal industry’ antics. At this point, I don’t even care if he stands accused of murder. I’ll hang the jury and send the accused home if I witness a judge using a constitution as toilet paper.

Notes:

  1. Judges don’t “interpret” the law, they apply it. The law is written in English, not some foreign language that requires interpretation. If a law needs to be interpreted, we cannot logically be required to follow it.

  2. http://fija.org/ (I’m not a member.)

Clive Robinson January 27, 2017 12:15 AM

@ Dirk Praet,

I’m not entirely sure what you mean by this. Aren’t we assuming that you can be made to say/give your passphrase?

Yes and no, in the US you have the right to legal representation, and untill you have that you have the right not to say anything or do anything that might prejudice your right to a defence[1]. Because the authorities are alowed to lie to you as an individual, there is a grey area on who counts as your legal representation, they can not just wheel some body in and say “I’m your asigned public defender” you still have the right to challenge that they are both real and competent, and not just some cop dressed up in a slightly less grubby suite. There is also a grey area as to when you are actually “in custody”, is it at the point when they say your are being arrested, or when you have been processed into custody.

The point is time it’s self does not stop and that gives you a small advantage… Because all the while a crypto counter counts down towards zero. When it gets there it deletes the storage object subkey(s) of all active objects, but keeps the in memory object subkey(s). So you can go one using objects that are encrypted in RAM. It’s only when you need to access the less mutable memory of storage will you get presented with a challenge, that will if answered correctly re-build the active object storage key. If you don’t compleate the challenge in a required time period or number of tries then the in memory object keys get flushed along with the higher level sub keys from which the various object keys are derived. As time goes on at a user set time period the highest level key gets flushed as well and will have to be rebuilt from the out of jurisdiction key shares.

If the time periods are kept short then it is unlikely they will get any object keys, thus the stored objects remain out of reach in that jurisdiction.

@ Wael,

WBC is better than nothing, but it’s not known to be a proven mechanism of protection (formal proof.)

True, and I don’t reley on it. We have had previous conversations about “data shadows” and how keys or parts of keys can be kept in RAM encrypted by a secret kept in a CPU register. You can do that as well, and use it as a necessary prerequisite to WBC.

The point is to put things beyond “technical measures” that can be brought to bare on the device within a given time period.

I don’t know how far back your knowledge goes, but some 8-bit CPUs like the Z80 had a minimum clock speed, because the internal registers were in effect equivalent to “dynamic memory” (DRAM) and thus had to be refreshed. If used correctly this adds to the tamper resistance of a device. Thus puting the CPU into a halt state or trying to tamper with the count down timer will flush the CPU registers and any keys/secrets they hold.

As we know, nothing is realy tamper proof from physical attack, some one will work their way in somehow the trick is by using a combination of techniques to put them against a clock they can not stop.

[1] Basically your fifth amedment rights since Miranda-v-Arizona back in 66 have to be read out to you “when you are in custody” and “you have to be able to understand them”. (though how much longer this will be the case the Devil alone knows). The four things are,

1, You have the right to remain silent.
2, Anything you say can and will be used against you in a court of law.
3, You have the right to an attorney.
4, If you cannot afford an attorney, one will be appointed for you.

And they have to be read out in that order, and you have to give a clear and not misrepresentable sign that you understand them. Which is why they are not alowed to question you whilst you are ill, intoxicated or otherwise not fit.

Jen Gold Stockholm January 27, 2017 12:35 AM

“[1] Basically your fifth amedment rights since Miranda-v-Arizona back in 66 have to be read out to you “when you are in custody” and “you have to be able to understand them”. (though how much longer this will be the case the Devil alone knows). The four things are,

1, You have the right to remain silent.
2, Anything you say can and will be used against you in a court of law.
3, You have the right to an attorney.
4, If you cannot afford an attorney, one will be appointed for you.”

I know those because the movies taught me

seeing as we are on this subject.
In commonwealth countries to my understanding, any interviewing or anything one says BEFORE ones rights are read to them (an approximation of the miranda spiel) can be dismissed out of hand in court. It’s amazing criminal lawyers don’t know or action this on behalf of their client, most of the time. only anything one says AFTER ones rights are read, can be tendered as evidence.

For anyone that missed it, this is a must watch
“don’t’t talk to the police”
a detective explains all the ways you can tricked into incriminating oneself, and how something like 60% of convictions are self confessions. It is just talking heads mostly so you can listen to the audio. @ Nick P has shared before

https://www.youtube.com/watch?v=CkZf6_jK3Zs

Clive Robinson January 27, 2017 12:39 AM

@ Thoth,

Is it just coincidence or maybe I strongly suspect someone is lifting our ideas without saying a thank you ?

It’s happened so many times I think it’s safe to say it’s well beyond coincidence.

I’ve even challenged an academic on their doing this, and their response was “I had not published a paper” therefore in effect I had no rights…

If you look at the page Bruce links to, Mike Specter (nice Bond Name 😉 does not claim it as an original idea, just something he’s blogging about.

I have in the past wished that Bruce would actually mention posters to this blogs original ideas. As far as I can remember he has not done that in the past except when the poster has it also up on their own blog etc.

Clive Robinson January 27, 2017 1:00 AM

@ Wael,

… he’ll probably concoct a drink with “naked protons”! Fluoroantimonic “juice” comes to mind.

Oddly I have just the perfect mug, it’s made of PTFE fits on top of a British armed forces water bottle and can be put on top of a hexemethane burner so you can “brew up”.

Fluoroantimonic acid is realy nasty stuff, and will eat your teeth faster than you can spit it out. If you were daft enough to add milk the exothermic reaction would redecorate a warehouse and who ever happened to be in it. So it would fit the other armed forces use of the term “brew up”…

Wael January 27, 2017 1:18 AM

@LWR,

“Hey Siri, disable TouchID.”

I’m sorry @LWR, I’m afraid I can’t do that!

@Clive Robinson,

Oddly I have just the perfect mug…

It would only be odd if you didn’t have it! And I’ve done some projects on Z80 ion the past.

would redecorate a warehouse…

Or redecorate a dead body. Teeth and all 🙂

Wael January 27, 2017 1:42 AM

@Clive Robinson,

I have in the past wished that Bruce would actually mention posters to this blogs original ideas.

But he did that just recently! He mentioned someone virtually unknown (like me) and bang… @Rolf Weber became an instant celebrity!

Reminds me of a Dave Chappelle piece about Bill and Monica. Go out there, and be somebody…

Clive Robinson January 27, 2017 2:34 AM

@ Wael,

But he did that… @Rolf Weber…

Not quite he linked to a post Rolf made off this blog, not to anything on this blog.

Bruce has done similar with Nicholas Weaver and his published papers etc.

But as I said I don’t remember him linking to comments to original ideas posted within this blog. There could be several reasons for this not the least being “broken links” and “Blog managment”, giving rise to much more administrative load.

neill January 27, 2017 2:52 AM

@clive robinson

RE Z80CPU

you could, in fact, ‘freeze’ the CPU in its state by just not clocking it anymore

i used this trick developing Z80DMA hardware, where, when needed, the DMA chip would be programmed by the CPU, and when given the start command, it would effectively freeze the CPU and give it an “output disable” on the bus (= open connections on almost all pins), till the DMA finished its transfer (alike EDB0 or LDIR) (or search command)

the clock limitation told by the datasheets was because the R register was incremented in an M1 cycle (exceptions apply) and that was directly put on the A bus during decode operations for the DRAM refresh … too slow could really mess up DRAM … but IF you didnt have any then all bets were off

i actually had a toggle switch in my Z80 system to switch memory banks 32kB at a time … of course that took a few seconds to do … till i used a PIO pin to implement in software (alike the famous A20 gate) … MUCH more convenient

anyways, don’t believe the data aheets … and yes, it was an original ZILOG chip

Clive Robinson January 27, 2017 2:53 AM

@ Wael,

someone virtually unknown (like me)

Hardly, need I remind you about a patent…

They are after all plans with your name on, that get filed away. Douglas Adams made comment about filed plans that might feel familiar, 😉

Offencive planning officer to Arthur Dent, “But the plans were on display…”

Arthur incredulously replies “On display? I eventually had to go down to the cellar to find them.”

“That’s the display department.”

“With a flashlight.”

“Ah, well, the lights had probably gone.”

“So had the stairs.”

“But look, you found the notice, didn’t you?”

“Yes,” said Arthur, “yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard.”

Clive Robinson January 27, 2017 4:40 AM

@ Neill,

you could, in fact, ‘freeze’ the CPU in its state by just not clocking it anymore

Whilst that was true for the later CMOS part, it was not true for the original NMOS parts, as I found out to my cost many years ago.

It’s one of the reasons the 6502 was much more popular with people because you could easily “hardware single step” the processor.

Winter January 27, 2017 5:03 AM

This phone duress code seems a kludge to me. You really want something like the hidden partition in TrueCrypt. One password gives you the public phone, another gives you your secret phone.

As this seems to be not really possible with current smartphones, the next best thing would be to have a special TrueCrypt like encrypted area “on disk” with its own hidden partition. When pressed, you open the public part with “plausible” content.

The Duress Code could then be used to wipe evidence for that encrypted area. To make it even more deniable, make two of such volumes. One contains “public” and “hidden” parts with stuff the adversary can be safely shown, which is kept. The other one with the really bad stuff is deleted with the duress code. If the containers can be made looking like noise, the deleting can be nothing more than writing a dummy file over the key area.

When pressed, you can open up the hidden container in the honeypot volume, showing you have cooperated in full.

It won’t work for all the hardware reasons given above and in earlier threads.

jon January 27, 2017 7:58 AM

I’m waiting for a feature that will disable my fingerprint scanner when I’ve left a specific area, or if my location is a police station. Or Maybe even a bit of wizardry based on the accelerometer to determine if I pulled the phone out of my pocket or if some one else did and disable the fingerprint scanner if that’s the case…

Fingerprint to unlock is easy. That’s why it’s used… disabling that feature and reverting to the pin the moment something seems a miss should be the norm.

Same with face to unlock, voice to unlock, and any other unlock features that aren’t a pin/password.

Heck a real treat would be switching to two factor authentication both a pin and a fingerprint the moment something unusual is detect.
Maybe even just powering the phone down the moment it’s in a police station… that’ll eliminate a few physical attack vectors for the encryption, and on my pixel at least requires a pin to boot back up.

William January 27, 2017 9:01 AM

As “contributor” pointed out above, the iPhone requires you to enter your passcode after several failed attempts to unlock using Touch ID. So as long as you haven’t registered all your fingers, you can intentionally use the wrong finger several times.

Bob,QubesOS January 27, 2017 9:28 AM

Instead of deleting the phone, what about opening an alternate storage volume, that looks less incriminating.

You technically unlocked your phone, and data is not revealed. Mabey when you open this volume, the 1st set of data is wiped. This 2nd decoy volume would have to be convincing enough though.

I just remember hearing, law can subvert technology, and technology can subvert law.

MikeA January 27, 2017 11:21 AM

Two unrelated things:

1) IIRC the vast majority of early 4 and 8 bit microprocessors were dynamic (minimum clock rate). Signetics made a big deal about the 2650 being fully static. Later CMOS processor had substantial static sections. The 6502 “single step” was implemented by the RDY line, which did not stop the clock, but stopped the advancement of the memory state-machine (only for READ, btw). So the clock could keep the internal registers refreshed.

2) Miranda may not be the friend you think: http://lawcomic.net/guide/?p=2533 explains how, once the magic words are said, anything you say, even if at the end of 48 hours without sleep and with numerous lies from LEO, is deemed “not coerced”, hence admissible without regard to your rights.

Spellucci January 27, 2017 12:00 PM

I want one of the phones you folks have. My phone’s fingerprint unlock won’t work when my fingers are too cold, too hot, too sweaty, too dry, too dirty, burned (while cooking), and I don’t know how many other cases. I’m lucky I can get into it, let alone the LEOs.

My Info January 27, 2017 1:44 PM

@Spellucci

I accidentally cut my finger on the back of a cheap kitchen knife while I was cutting some frozen meat years ago. It was not the originally intended cutting edge of the knife. Anyways, it left a slight scar, which for the most part would not even be visible, except that the scar contracted unevenly and then the ridges and grooves of my fingerprint never lined up there when it healed.

albert January 27, 2017 3:27 PM

@Clive,
“…Fluoroantimonic acid is realy nasty stuff…”

Really nasty doesn’t begin to cover it. It would quite literally blow up in your mouth. Radioactive elements and compounds are bad enough, but those fluorine compounds are the work of the Devil Himself.

@Anyone,
If the perfect solution exists, it ceases to be perfect once it’s revealed.

The LE/IC wants total transparency for us, and total secrecy for them. Neither is possible.

The best advice a lawyer can give you is: Shut up!

. .. . .. — ….

neill January 28, 2017 1:56 AM

@MikeA
@Clive

zilog PDF manual UM0080

page 2 “… registers are implemented using static RAM.”

page 15 “when the clock … is stopped …the z80 cpu stops its operation and maintains all registers and control signals”

maybe i was just lucky with mine, it was a 5Volt Zilog part, but unfortunately does not exist anymore … i did BUSREQ / BUSACK, then clock stop … could also be undocumented alike the DD/FD trick with HL registers

was fun! did hardware & machine code dev for 6 years, wiring with solid copper wire strands from phone wiring 😉

Clive Robinson January 28, 2017 5:02 AM

@ neill,

maybe i was just lucky with mine, it was a 5Volt Zilog part, but unfortunately does not exist anymore

Ahhh and therby is the answer, Zilog did not make the first Z80 parts as they did not have their own fab with the required ion system to work correctly at 5volts (though it did not take them long).

The internal issue with the clock got fixed as did a number of other things (though other probs got in) in the main because the embedded market was changing. Originaly the Z80 was aimed at the new “peripheral” embeded market where power was not an issue, not the initially non computerized “industrial” controler market (still lader logic in 76). The arival of the 8bit micros kicked of a new embed market place in not just industrial control, but also in remote control where power was an issue. Thus halting the Z80 into a low power standy mode quickly became a critical feature to build share against the 1802 and other CMOS CPUs with lowpower modes. Within a couple of years the Z80 had moved into “office” and 6502 into “home”. And as the 80’s dawned the Z80 was driving hard into the home market as well. These days the Z80 in the guise of SoC systems is selling almost better in terms of numbers than it did last century, and it has improved in various ways. The 6502 however appeared to slide into the new communications market and until relatively recently could be found hiding in high end modem chips. As for Motorola, they made lots of MCUs as well as CPUs but never appeared to make it big though they will be found in many home and personal products (and yes I’m expecting the “waily waily crivens” comments from East Kilbride 😉

Now many home projects are built around MicroChip products with higher end maker and ham radio using ARM, and the “Maker” market is becoming seen as a new market for micro format SBC products which the likes of the Raspberry Pi has made a name for it’s self. Many of these SBCs have way more power than Pentium based PCs of a few years ago without quite a few of the “troublesome” hidden things like Intels managment engine etc that are,causing considerable concern in certain quarters.

As, for a “changing of the times MicroChip make a part you can buy in one of prices for about $1 that jas more power than a microvax, and people have ported an earlier version of Berkley BSD onto it… And it runs on the realy low cost development boards without problems.

Tatütata January 28, 2017 9:37 AM

Mike Specter is at least three years late. In any case, he might be well advised to brush up his knowledge on the topic of contributory patent infringement and also take a look at patent US9218474B1 issued to Amazon titled “Enhanced biometric security measures”

Abstract:

Functionality is disclosed for enhancing the security of a computing device equipped with a fingerprint input device. A pre-unlock operation is performed when a duress fingerprint is used to access a locked device. The pre-unlock operation may include one or more computer-implemented mechanisms to secure, hide, remove, move, encrypt, disassociate, communicate or modify data stored on the device and/or remote locations. In some embodiments, the pre-unlock operation may direct a device to capture information and communicate such information to remote computers contemporaneously with the receipt of a duress fingerprint.

It has only one independent claim which reads as follows:

1. A computing device configured to perform a pre-unlock operation comprising:
a processor;
a memory;
an input device; and
at least one storage device storing or receiving a first dataset identifying at least one fingerprint and a second dataset identifying at least one fingerprint, the first dataset associated with an unlock operation, the second dataset associated with the pre-unlock operation, the at least one storage device also storing computer-executable instructions which, when loaded into the memory and executed by the processor, cause the computing device to
receive an input from the input device while the computing device is in a locked state, the input comprising an input dataset identifying at least one input fingerprint,
compare the input dataset with the first dataset associated with the unlock operation and the second dataset associated with the pre-unlock operation,
determine that the input dataset is associated with the second dataset, and
in response to determining that the input dataset is associated with the second dataset, perform the pre-unlock operation before transitioning the computing device from the locked state to the unlocked state, wherein the pre-unlock operation is selected based at least partly on one or more of data associated with a location of the computing device or data associated with a time of receiving the input.

My gut feeling is that this patent is invalid, but I won’t waste my Saturday in investigating it or reasoning alternative facts. Fortunately there are no foreign family members, and the US won’t exist for much longer anyway.

Clive Robinson January 28, 2017 12:06 PM

@ Tatütata,

also take a look at patent US9218474B1 issued to Amazon titled “Enhanced biometric security measures”

I’d forgotton about that patent, I’ve never read it[1] but I’m aware of it through legal “clean room techniques” where I had to work out ways to circumvent it (which I did).

As for if it will hold up in court or not is another matter, US IP judgments have a history of going against foreign companies even when a patent should never have been granted and being remarkably expensive to fight let alone loose.

You only have to look at the sums of money Apple have thrown around on things that there is very clear prior art including copyrights, patents etc issued in other countries. They are more than the GDP of something like the bottom sixty or seventy countries…

[1] As Bruce has noted in the past you should never read US patents due to the intentional infringment clause that tripples the payout. Thus the “clean room” trick of being given specifications drawn up by one legal team who have read the patent, then comming up with alternatives / circumventions based on the specification and submitting it to a second legal team as though you are submitting your own patent (which you often do through a holding company in a tax haven you then licence back from).

vas pup January 28, 2017 2:21 PM

@Alan. Thank you. I did Google search, and it is still kind of unclear.
At what time after crime committed spoliation by itself become additional crime?
Let say, you kill somebody with a hammer, then cleaned the hammer with solution – no blood left: obstruction or not?
You dumped dead body in the acid and dissolve it altogether. Is that is additional obstruction of justice? My point is that somebody else, not killer tempering with evidence of the crime is actually committing obstruction of justice, but how in the hell criminal by him/herself is required to protect incrimination evidence for the future prosecution/trial? I was thinking that collecting all incriminating evidence is duty of LEAs/prosecutors due to burden of proof, but how as democratic state could require suspect to cooperate for his own prosecution? Are we switching burden on proof to defendant?

neill January 29, 2017 4:57 AM

@clive robinson

as always, i appreciate your expertise and thoughtfulness 😉

as for the 1970’s and 80’s chips i might add the powerpc, which was a nice design and very successful (automotive) … loved altivec and its possibilities … unfortunatelty IBM decided not to cater to the consumer market (mobile, low power etc)

my fav of that 1980’s was the NS32032 or its smaller part the NS320016 (or NS32008), for which i wrote machinecode for a trade show demo 😉 “bit field operations” just blew my mind – coming from Z80 and 68k (and TMS990!)

ohhhh and those ‘magnetic bubbles’ from TI …. (smiles)

vas pup January 30, 2017 12:45 PM

@Tõnis • January 26, 2017 9:40 PM.
Most of the criminal cases are going trial without jury and have plea bargain in the core – so your options for jury nullification are substantially restricted.
Substantial amount of civil case are going through settlement outside the court or arbitration. For the former you as a jury excluded altogether. For latter – Big Business ‘twisted’ your hands in such way that you have currently almost zero chance to win. Big business (their law departments) do this by including in most legally binding service and similar contracts (utility,Internet providers, banks, insurance companies, etc.) arbitration provision (you can’t go to court to resolve the issue), jurisdiction applied where their headquarter located(e.g. California even you live and use their service e.g. in Montana), no class action law suit allowed, other legal tricks you name it. And last but not least, most of them located in the same area are controlling most of the market (no competition) and/or have similar provisions meaning you have no chance to select provider with better legal options for your protection. That is reality.

Randy Stegbauer January 31, 2017 7:23 AM

Obvious…I’m sure…

If you do have a duress finger that wipes a phone, I would make it the index finger since that is the finger everyone expects you to use to normally unlock a phone.

newbieitis February 14, 2017 11:04 PM

here’s how this could work:

the user can choose to run certain apps in “secure mode”. these apps write to an encrypted virtual disk instead of the normal filesystem. entering the duress code / fingerprint destroys the encryption key (rendering the data inaccessible), and also immediately deletes the “secure mode” apps.

so the bad guy asks you to unlock, you use the “duress finger” to unlock, hold it down several seconds, and boom, it instantly opens, but there’s no twitter/facebook/gmail. just a bunch of games or whatever.

oh, and you should use your thumb as the duress finger, seems more natural right?

Ken May 9, 2017 1:42 PM

Probably better would be a combination fingerprint+duress PIN. As others have mentioned, even with safeguards, swiping the wrong finger on something you carry in your pocket is just too risky.

Android already sometimes requires a PIN to unlock, so when a middle fingerprint is used, have the device require a PIN thereafter. If the PIN is a duress PIN, then wipe the encryption keys.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.