[Cryptography] stegophone (was: escalating threats to privacy)

Michael Marking marking at tatanka.com
Wed Mar 29 19:27:55 EDT 2017



On Wed, Mar 29, 2017 at 12:39:45PM -0700, John Denker via cryptography wrote:
> Date: Wed, 29 Mar 2017 12:39:45 -0700
> From: John Denker via cryptography <cryptography at metzdowd.com>
> To: cryptography at metzdowd.com
> Subject: [Cryptography] stegophone (was: escalating threats to privacy)
> 
>[...]
> What I would like to see is something very simple, which I call a
> stegophone, although the idea applies to all devices, including
> laptops, not just phones.  The specifications are as follows:
>  *) There are two passcodes:  one for normal use, and one for duress.
>  *) Unlocking the phone using the normal passcode results in a completely
>   normal phone.
[...]

Sadly, the hardware is a big problem. No one as far as I know makes
phones with a separate, isolated, unlocked computer side. The closest
thing would be to start with Replicant on a Galaxy S2 or S3, which
would have the advantage of looking pretty innocuous and ordinary.
Add an encrypted file system which looks like an uninitialized
partition or memory chip, and so on.

Ultimately, however, I can't see how to make this undetectable without
somehow booting off an external device, and the boot on those devices
is a closed program. Sooner or later, whoever makes the gadgets for the
TSA or cops or whoever comes around to demand your phone would add some
kind of detector for these stegophones. Someone would have to develop
boot firmware to give this a remote chance of being "safe", so the user
wouldn't be discoverable or would at least have plausible deniability.
This isn't really different from my laptops, which are encrypted but
without an external boot device (USB drive or whatever) I can't hide
the fact that they are encrypted. Yes, with something like VeraCrypt
I can hide an encrypted drive inside a drive, but I can't prove that
there is no drive hidden within. Turtles all the way down, I believe.

Going across the border is one thing (you usually have advance notice)
but getting stopped by cops or border police inside or outside the
country is unpredictable. This makes even an external boot device a
little problematic.

This is a problem I haven't seen addressed, even by people like
Blackphone.

But it's a great idea, I'd love to see it implemented, and I'd sign up
for some part of it myself.

>  *) The device is protected against disassembly and against cold-boot
>   attacks.

Ideas come to mind, but none practical. Perhaps what we need is some
kind of FIPS-140 phone innards.

This is a hard problem that sounds like it might be only a little less
hard with lots of money for hardware. It almost sounds as if it would
be easier if we could convince someone to make the necessary h/w
features common and cheap, like a UEFI boot or something, but usable
for some "normal" purpose, so that if you had such a phone no one would
know if you bought it to run a decoy system & app alongside the real
one. If EVERYONE had one, then they wouldn't stand out.

Maybe the Russians would make one for us, in cooperation with the
Chinese. (Yes, the Russians are now selling cell phones in Europe,
but I don't know where they're made.)

The two-key app suggested by John Denker, though, is a nearly flawless
idea if you make the decoy key trigger suicide: if you enter the wrong
passphrase, then the memory is scrambled, and you have to restore from
backup. If we were to have a running backup by sending (encrypted)
updates to some server, the damage from most attacks would consist
mainly of having to restore the phone once and if it were returned to
you. I just can't see how to protect it from a clever attack with probes
and clock generators and refrigerants and such, and I can't see how to
make it undetectable.

Does someone know how to make an Android virus or trojan which will
do this? Then we wouldn't even need to explain how we came to have the
suicide app on our phones. "I just downloaded this app and the phone
has been funny ever since..."

>[...] 
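
The two-passcode "suicide" unlock discussed in the message above, as an added
example that is not part of the original thread and not code from any of the
projects named in it. One passcode unwraps the data key; the other crypto-erases
the wrapped key so the stored data is unrecoverable until the key is restored from
an off-device backup. It uses only the Python standard library; the PBKDF2 mask
plus HMAC tag stands in for a real AEAD, and the iteration count, class and
function names are assumptions for illustration.

```python
"""Two-passcode unlock where the duress passcode crypto-erases the device key.

Added example, not from the original thread. Both verifier checks are always
computed and compared in constant time so that the response does not reveal
which passcode (if either) was entered.
"""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERS = 200_000  # assumption: demo value; tune to the device's CPU budget


def _kdf(passcode: str, salt: bytes, length: int = 64) -> bytes:
    """Derive 64 bytes: the first 32 mask the data key, the last 32 key an HMAC tag."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ITERS, dklen=length)


class KeyStore:
    """Holds the wrapped data key plus the normal and duress verifiers."""

    def __init__(self, normal_pin: str, duress_pin: str, data_key: bytes):
        if len(data_key) != 32:
            raise ValueError("data key must be 32 bytes")
        if normal_pin == duress_pin:
            raise ValueError("duress passcode must differ from the normal one")
        self.salt = os.urandom(16)
        normal = _kdf(normal_pin, self.salt)
        duress = _kdf(duress_pin, self.salt)
        # Wrap the data key under the normal passcode and tag the wrapped blob.
        self.wrapped = bytes(a ^ b for a, b in zip(data_key, normal[:32]))
        self.normal_tag = hmac.new(normal[32:], self.wrapped, "sha256").digest()
        # The duress verifier never involves the data key; it only needs to be recognisable.
        self.duress_tag = hmac.new(duress[32:], b"duress", "sha256").digest()
        self.wiped = False

    def wipe(self) -> None:
        """Crypto-erase: overwrite the wrapped key and both tags with random bytes."""
        self.wrapped = os.urandom(32)
        self.normal_tag = os.urandom(32)
        self.duress_tag = os.urandom(32)
        self.wiped = True

    def unlock(self, passcode: str) -> Optional[bytes]:
        """Return the data key for the normal passcode, wipe on the duress passcode,
        and return None (without wiping) for any other input."""
        candidate = _kdf(passcode, self.salt)
        # Evaluate both checks unconditionally; no early exit on the first match.
        is_duress = hmac.compare_digest(
            hmac.new(candidate[32:], b"duress", "sha256").digest(), self.duress_tag)
        is_normal = hmac.compare_digest(
            hmac.new(candidate[32:], self.wrapped, "sha256").digest(), self.normal_tag)
        if is_duress:
            self.wipe()  # key material is destroyed before anything is returned
            return None
        if is_normal:
            return bytes(a ^ b for a, b in zip(self.wrapped, candidate[:32]))
        return None  # ordinary wrong passcode: the caller decides on lockout policy


def demo() -> dict:
    """Walk through wrong, normal, duress and post-wipe unlocks on a constructed key."""
    data_key = bytes(range(32))  # constructed sample key, not a real secret
    store = KeyStore("1234", "9999", data_key)
    wrong = store.unlock("0000")
    normal = store.unlock("1234")
    duress = store.unlock("9999")
    after_wipe = store.unlock("1234")
    return {
        "wrong_rejected": wrong is None and not store.wiped is False,
        "normal_ok": normal == data_key,
        "duress_wiped": duress is None and store.wiped,
        "normal_after_wipe": after_wipe,
    }
```

After a duress unlock the only way back is to rebuild the KeyStore from a copy of
the data key kept off the device (the "restore from backup" step in the message);
the device itself retains nothing that could be recovered by probing memory for
the old wrapped blob. Note that `demo()["wrong_rejected"]` is computed before the
duress attempt, so it reflects that a merely wrong passcode does not trigger the wipe.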

