Graphene OS in particular comes with a default feature enabled called Auto Reboot to protect against this. I think it’s set to 18 hours by default because that’s what mine is, but you can go as low as 4 hours.
Comment on Feds in Catalonia, Spain think everyone using a Google Pixel must be a drug dealer
boonhet@sopuli.xyz 3 days agoYes. They (cellebrite) don’t mention GrapheneOS support very loudly because it’s poor. They can’t decrypt one that’s BFU (Before First Unlock), not even by brute force if it’s a 6 digit passcode apparently. Don’t know if they can get data from an AFU GOS pixel. A year ago when their internal docs leaked, they also had no support for latest iOS at the time, but had brute force support for older versions as long as phone itself wasn’t too new and had AFU access without brute force for even older versions.
Moral of the story: if there’s a chance police might take your phone to investigate for a crime you hopefully didn’t even commit, shut down your phone completely - the 5x power button trick on iOS disables biometric unlock, but the device itself stays decrypted and thus more vulnerable. Also keep your OS up to date.
If you’ve got a phone that’s neither iOS nor GrapheneOS, it’s probably pretty much Swiss cheese anyway. IOS isn’t as good as GrapheneOS either, but it offers some protection against Cellebrite if up to date and BFU. But if they keep your phone for long enough (months, years), they’ll get it unlocked because you can’t install updates that would patch any newly discovered vulnerabilities and one day they’ll find a BFU unlock for it, probably.
Zetta@mander.xyz 3 days ago
sugar_in_your_tea@sh.itjust.works 2 days ago
Yeah, I have mine at 4 hours and it’s pretty good. It triggers while I’m at work sometimes, but other than that, it’s mostly just when I sleep.
boonhet@sopuli.xyz 3 days ago
iOS started doing this a year or 2 ago, but unfortunately it’s 3 days and not configurable
realitista@lemmy.world 3 days ago
Does a full shutdown encrypt all contents on iOS? This is something that everyone entering the USA as I have to do annually needs to think about.
Natanael@infosec.pub 3 days ago
It’s all encrypted in storage. The decryption key is in the secure element / TPM chip, additionally protected by your PIN / password. Shutting it down unloads all encryption keys from memory.
Beware that US customs / immigration / border control can seize your phone and refuse entry.
realitista@lemmy.world 3 days ago
What happens if I turn it back on but don’t unlock it? Are the encryption keys in memory?
boonhet@sopuli.xyz 3 days ago
They’re not in memory until the first unlock, that’s why there’s the AFU vs BFU distinction for cellebrite unlocking devices incl iPhones.
But as the other person said, they can seize your phone and refuse entry. If you need to travel to the USA annually and you don’t want them to see your shit, you may want to have a decoy phone that’s not logged into your real accounts or have many photos on it. Just enough to make it believable it’s your real phone, but not enough to help them forge anything on you.
defaultusername@lemmy.dbzer0.com 3 days ago
Yes, but customs can still compel you to unlock your phone as we have recently seen with the Norweigan tourist who was denied entry due to having a JD Vance meme on his phone.
I would recommend having a separate phone with non-important data on it to take with you to the US, or have a self hosted cloud service that you can backup your data to before wiping your device.
realitista@lemmy.world 3 days ago
How can they compel me?
Tja@programming.dev 3 days ago
You either unlock it or we send you back.
defaultusername@lemmy.dbzer0.com 3 days ago
Threatening to detain you indefinitely (your rights aren’t the same at the border/customs as they are after entering the country), or just outright deny you entry.
Zorsith@lemmy.blahaj.zone 3 days ago
Grapheneos also has options to just disable data over the USB port when its locked. Or disable it outright.
AmbiguousProps@lemmy.today 3 days ago
Yep, disabling it entirely allows for charging when the device is off, but otherwise, it is functionally useless and is disabled at the hardware level.
boonhet@sopuli.xyz 3 days ago
Ooh nice.
defaultusername@lemmy.dbzer0.com 3 days ago
LineageOS also has this feature.