Targeted digital surveillance: Authentication bypass

Authentication bypass is the process by which an adversary circumvents the Full Disk Encryption (FDE) that protects access to a digital device and gains access to its data. An adversary can achieve authentication bypass through human error, weak passwords, or technical exploits.

An adversary can achieve authentication bypass through:

Used in tactics: Incrimination

Mitigations

Bug search

Before entering a password in a room where a hidden camera may be present, you can search the room using appropriate techniques and tools to locate and possibly remove such a camera.

Since it's not possible to be certain that a camera is not present, you can enter the password while under an opaque sheet or blanket.

Digital best practices

Using secure operating systems with Full Disk Encryption (FDE) and strong passwords should prevent authentication bypass. For example, on phones GrapheneOS implements encryption[1] in a way that makes brute-force password guessing impossible: after 140 failed attempts, each further attempt is delayed by a full day. On computers, the forensics department of the German federal police was unable to decrypt the standard Linux FDE, LUKS, used by many Linux systems such as Debian[2] and Tails[3], after a year of effort. FDE on macOS, Windows, iPhone or stock Android should not be relied upon.

Tamper-evident preparation

You can detect when a device has been physically accessed with tamper-evident preparation.

Once a device has been physically accessed by an adversary, you should consider it compromised and never authenticate to it again. This is because, in a worst-case scenario, the adversary may have copied the device's data and compromised its firmware so that when you enter your password, they can remotely obtain it and use it to decrypt the data.

Used in repressive operations

Repression of Lafarge factory sabotage

Investigators recovered several encrypted smartphones in the raids and attempted to access their encrypted data, with varying results depending on the phone[4]:

  • For the iPhones that were recovered powered on, they exploited security vulnerabilities that exist only while the phone is powered on to bypass its encryption and access the encrypted data.
  • For all Android phones (whether recovered on or off) and one iPhone recovered off, they extracted the phones' encrypted partitions and attempted to brute-force them from a computer.
Repression against Zündlumpen

In some of the April 2022 raids, cops seized smartphones immediately after entering and plugged them into power banks, presumably to prevent them from shutting down and reverting to an encrypted state[5].
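To make concrete why the page stresses both on-device throttling (Digital best practices above) and the offline brute force attempted on extracted partitions in the Lafarge case, here is an added example, not from the original page or any project it cites, that compares the expected search time in both scenarios for a few password types. The throttle model (no delay before the 140th failure, one day per attempt after it) and the offline rate of 10,000 guesses per second are assumptions.

```python
# Added example, not from the original page or the projects it cites: it models
# the two brute-force scenarios the page describes, guessing on the device under
# a throttle like GrapheneOS's versus guessing offline against an extracted
# encrypted partition (Lafarge case), where no throttle applies.
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` symbols over the alphabet."""
    return alphabet_size ** length

def on_device_seconds(guesses: int, free_attempts: int = 140,
                      delay: float = SECONDS_PER_DAY, fast: float = 1.0) -> float:
    """Seconds for `guesses` attempts typed at the device's unlock prompt.
    Simplified model (an assumption, not the exact GrapheneOS schedule): the
    first `free_attempts` cost `fast` s each, every later one `delay` s (the
    page: a full day after 140 failures). Treating early attempts as undelayed
    favours the adversary, so this is a lower bound on the real schedule."""
    quick = min(guesses, free_attempts)
    slow = max(guesses - free_attempts, 0)
    return quick * fast + slow * delay

def offline_seconds(guesses: int, guesses_per_second: float) -> float:
    """Seconds for `guesses` attempts against an extracted partition, bounded
    only by the assumed rate at which the key-derivation function runs."""
    return guesses / guesses_per_second

def compare(alphabet_size: int, length: int, offline_rate: float) -> dict:
    """Expected (half-keyspace) search time, in years, for both scenarios."""
    space = keyspace(alphabet_size, length)
    expected = space // 2
    return {"keyspace": space,
            "on_device_years": on_device_seconds(expected) / SECONDS_PER_YEAR,
            "offline_years": offline_seconds(expected, offline_rate) / SECONDS_PER_YEAR}

if __name__ == "__main__":
    RATE = 1e4  # assumed offline guesses/s against a memory-hard KDF (constructed)
    for label, alphabet, length in [("6-digit PIN", 10, 6),
                                    ("8 lowercase letters", 26, 8),
                                    ("6 diceware words", 7776, 6)]:
        r = compare(alphabet, length, RATE)
        print(f"{label:20} on-device {r['on_device_years']:>10.3g} y"
              f"  offline {r['offline_years']:>10.3g} y")
```

A 6-digit PIN survives roughly 1,400 years of on-device guessing under this throttle but falls in under a minute once the partition is extracted, which is why only the passphrase's own entropy protects data on a seized device.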