Authentication bypass is the process by which an adversary defeats the Full Disk Encryption that protects access to a digital device. An adversary can achieve authentication bypass through human error, weak passwords, or technical exploits.
Specifically, an adversary can achieve authentication bypass by:
- Accessing the device while it is turned on (its data is decrypted and accessible while it is running, so the encryption does not protect it).
- Finding the encryption password written down somewhere.
- Making the device owner provide the encryption password by using interrogation techniques including, in some contexts, extra-legal violence.
- Visual interception: watching the device owner type the encryption password through a hidden camera or an infiltrator.
- Brute force: guessing the password through repeated, automated authentication attempts.
- Compromising the device either through remotely-installed malware or physical access.
- Exploiting a flaw at the implementation level of the encryption process.
Used in tactics: Incrimination
Mitigations
Name | Description |
---|---|
Bug search | Before entering a password in a room where a hidden camera may be present, you can search the room using appropriate techniques and tools to locate and possibly remove such a camera. Since it's not possible to be certain that a camera is not present, you can enter the password while under an opaque sheet or blanket. |
Digital best practices | Using secure operating systems with Full Disk Encryption (FDE) and strong passwords should prevent authentication bypass. For example, on phones GrapheneOS implements encryption[1] to make brute-force password guessing impossible — after 140 failed attempts, each is delayed for a full day. On computers, the forensics department of the German federal police was unable to decrypt Linux FDE (called LUKS), used by many Linux systems such as Debian[2] and Tails[3], after a year of effort. FDE on MacOS, Windows, iPhone or stock Android should not be relied upon. |
Tamper-evident preparation | You can detect when a device has been physically accessed with tamper-evident preparation. Once a device has been physically accessed by an adversary, you should consider it compromised and never authenticate to it again. This is because, in a worst-case scenario, the adversary may have copied the device's data and compromised its firmware so that when you enter your password, they can remotely obtain it and use it to decrypt the data. |
Used in repressive operations
Name | Description |
---|---|
Repression of Lafarge factory sabotage | Investigators recovered several encrypted smartphones in the raids and attempted to access their encrypted data, with varying results depending on the phone[4]: |
Repression against Zündlumpen | In some of the April 2022 raids, cops seized smartphones immediately after entering and plugged them into power banks, presumably to prevent them from shutting down and reverting to an encrypted state[5]. |