Urgent, but simple-to-implement additions to encryption in SFOS

SFOS now has encrypted LUKS storage and supports pin-code / fingerprints to unlock.
But in some aspects it looks more like security theater than an OS designed with security in mind.
What has to be implemented:

  1. decouple LUKS storage pw (boot pw) from PIN - allow them to be different.
  2. double Power Button click should disable fingerprint scanner till after next PIN code unlock.

Reasons:

  1. decouple LUKS storage password (boot pw) from PIN - allow them to be different.
    Currently the PIN code acts as the password for the LUKS volume, and PIN codes are short numeric codes.
    In a situation when you lose access to your encrypted SFOS phone for some time, an opponent can boot it into recovery, dump the LUKS volume header (or the whole storage), and then bruteforce your numeric PIN on a video card. So he will have your PIN to unlock the phone and storage in some ~30 minutes.
    You don’t even have to know that this happened, i.e. he can boot the phone into recovery, dump the LUKS header and return the phone; it will take 5 minutes tops.
    Then he can bruteforce the PIN offline and unlock the phone secretly the next time he has access to it.
    And you wouldn’t even know it.

Solution: leave the PIN code only for runtime unlocking, and allow setting a different full-keyboard alphanumeric password for boot LUKS unlocking (when turning on).

  2. double Power Button click should disable fingerprint scanner till after next PIN code unlock.
    This is already implemented on iOS at least, because there are situations in some countries when you can be forced to apply your finger to the fingerprint scanner.
    So in such situations the ability to quickly “block” fingerprint unlocking is essential.
9 Likes
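To put numbers on the "short numeric PIN vs. full-keyboard password" argument above, here is a small keyspace calculator. It is an added example, not code from the thread or from SFOS; the guess rate you feed it is an assumption, since the real offline rate depends on the key-derivation settings in the dumped LUKS header and on the attacker's hardware.

```python
import math

# Constructed alphabet sizes for the comparison; not tied to any SFOS setting.
DIGITS = 10          # numeric PIN
ALNUM = 62           # a-z, A-Z, 0-9
PRINTABLE = 95       # printable ASCII including symbols


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of `length` characters over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random secret; an upper bound for human-chosen ones."""
    return length * math.log2(alphabet_size)


def hours_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case hours to try every candidate at the assumed offline guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / 3600.0


def minimum_length(alphabet_size: int, guesses_per_second: float, years: float) -> int:
    """Smallest length whose full search at the assumed rate takes at least `years`."""
    needed = guesses_per_second * years * 365.25 * 86400
    length = 1
    while alphabet_size ** length < needed:
        length += 1
    return length


def compare_policies(guesses_per_second: float, years: float = 10.0) -> dict:
    """Summarise, per alphabet, how long a policy must be to survive `years` of search."""
    return {
        "digits": minimum_length(DIGITS, guesses_per_second, years),
        "alphanumeric": minimum_length(ALNUM, guesses_per_second, years),
        "printable": minimum_length(PRINTABLE, guesses_per_second, years),
    }


if __name__ == "__main__":
    # Assumed rate of 1000 key-derivation attempts per second, purely illustrative.
    rate = 1000.0
    print("6-digit PIN:", round(entropy_bits(DIGITS, 6), 1), "bits,",
          round(hours_to_exhaust(DIGITS, 6, rate), 2), "hours to exhaust")
    print("lengths needed for 10 years at", rate, "guesses/s:", compare_policies(rate))
```

The point the calculator makes is that a 6-digit PIN is only about 20 bits, so even a slow key-derivation function cannot save it once the header is offline, whereas a modest alphanumeric passphrase puts exhaustive search out of reach at the same rate.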

How would you dump in recovery without knowing the PIN code?

1 Like

fastboot boot <kernel> [ <ramdisk> [ <second> ] ] Download and boot kernel.

1 Like

I think this post about easily decrypting your home directory is a good overview (I never tried it, don’t know if it works):

If it’s true, then Jolla strongly needs to consider adding the ability for either a separate boot passphrase, or allowing passphrases in addition to PINs. Either should be a very simple implementation.

1 Like

Can you fastboot boot a random image with a locked bootloader?

Afaik, you cannot boot Sailfish with a locked bootloader, so it’s irrelevant if a locked bootloader prevents you from fastbooting random images… :wink:

Btw, Jolla, if you worry that Average Joe will forget the boot pw, you can generate a recovery key file and put it into another LUKS slot and ask the user to save it in case he forgets the boot pw.
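As an added illustration of the recovery key idea (not code from the thread or from Jolla), the script below generates a 256-bit random key file with owner-read-only permissions, renders it in a transcribable form with a check group so a mistyped copy is caught, and builds the `cryptsetup luksAddKey` command that enrolls the file in a free key slot. The device path is a placeholder, and the command is only constructed, not executed, because it needs root and prompts for the existing boot password.

```python
import hashlib
import os
import secrets
import tempfile

KEY_BYTES = 32  # 256-bit recovery key


def generate_recovery_key(path: str) -> bytes:
    """Write a fresh random key to `path` (fails if it exists) with mode 0400."""
    key = secrets.token_bytes(KEY_BYTES)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "wb") as f:
        f.write(key)
    return key


def printable_form(key: bytes) -> str:
    """Hex in groups of four for writing down, followed by a 4-hex-digit check group."""
    hexkey = key.hex()
    groups = [hexkey[i:i + 4] for i in range(0, len(hexkey), 4)]
    check = hashlib.sha256(key).hexdigest()[:4]
    return " ".join(groups) + " / " + check


def parse_printable(text: str) -> bytes:
    """Reverse of printable_form; raises ValueError on a transcription error."""
    body, check = text.split(" / ")
    key = bytes.fromhex(body.replace(" ", ""))
    if hashlib.sha256(key).hexdigest()[:4] != check:
        raise ValueError("check group mismatch: transcription error")
    return key


def luks_add_key_command(device: str, keyfile: str) -> list:
    """cryptsetup invocation that enrolls `keyfile` in a free LUKS key slot.
    cryptsetup asks for an existing passphrase (the boot password) before adding it."""
    return ["cryptsetup", "luksAddKey", device, keyfile]


def demo() -> dict:
    """Run the whole flow in a temporary directory and return what was produced."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "recovery.key")
        key = generate_recovery_key(path)
        mode = os.stat(path).st_mode & 0o777
        text = printable_form(key)
        # "/dev/PLACEHOLDER" stands in for the real LUKS device node.
        cmd = luks_add_key_command("/dev/PLACEHOLDER", path)
        return {"key": key, "mode": mode, "text": text, "command": cmd}


if __name__ == "__main__":
    result = demo()
    print("write this down:", result["text"])
    print("then run as root:", " ".join(result["command"]))
```

The check group is what makes a paper copy practical: with it, a wrong digit is rejected at parse time instead of silently producing a key that no slot accepts.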

1 Like

https://daltondur.st/secure_pinephone_1/

I don’t know how simple it is to implement, but a recovery QR-code would be a great solution from a usability point of view. Or even the possibility to use a QR-code as passphrase.

1 Like

That would then require access to the camera to be available before the boot password is entered, which sounds pretty dangerous to me. Not to mention a QR code is just text encoded in image form, so anyone who could see the QR code would be able to read your password by simply scanning it with their own device.

2 Likes

Very good ideas.

Additionally, Jolla should include a timer that automatically disables the fingerprint scanner after a certain amount of time. Because the problem with the “double power button click should disable fingerprint” is that you cannot disable the fingerprint scanner if you lose your device, or it is stolen.

Justification:

Suppose the timer is set to 1 hour. After you unlock your phone with the pin code, they can unlock your device with the fingerprint for 1 hour. If your device was stolen and the thief has the know-how to copy a fingerprint from your phone, he needs time to do it.
Let’s say he stole your phone and needs 30 minutes to go home and for example 1 hour to make a copy of a fingerprint from your phone. Doesn’t do him any good then either, because the scanner has long since been deactivated.
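The two proposals in this thread, the double power-button press from the opening post and the expiry timer suggested here, compose into one small unlock policy. The class below is an added example written for this discussion, not SFOS code; it keeps the window length and double-click interval as parameters and takes the clock as an argument so the behaviour can be checked without real time passing.

```python
class FingerprintPolicy:
    """Fingerprint unlock is accepted only within `window_seconds` of the last
    PIN unlock, and a double power-button press revokes it until the next PIN
    unlock. All times are seconds on a monotonic clock supplied by the caller."""

    def __init__(self, window_seconds: float, double_click_seconds: float = 0.5):
        self.window = window_seconds
        self.double_click = double_click_seconds
        self.last_pin_unlock = None   # None: no PIN unlock since boot
        self.panic_disabled = False
        self.last_power_press = None

    def pin_unlock(self, now: float) -> None:
        """A successful PIN entry restarts the window and clears a panic disable."""
        self.last_pin_unlock = now
        self.panic_disabled = False

    def power_button(self, now: float) -> bool:
        """Register one press; returns True when it completes a double click."""
        double = (self.last_power_press is not None
                  and now - self.last_power_press <= self.double_click)
        # A completed double click resets the press tracker; otherwise remember this press.
        self.last_power_press = None if double else now
        if double:
            self.panic_disabled = True
        return double

    def fingerprint_allowed(self, now: float) -> bool:
        """True only when a PIN unlock happened recently and no panic disable is active."""
        if self.panic_disabled or self.last_pin_unlock is None:
            return False
        return now - self.last_pin_unlock < self.window

    def reason(self, now: float) -> str:
        """Human-readable explanation for a lock screen or a log line."""
        if self.last_pin_unlock is None:
            return "no PIN unlock since boot"
        if self.panic_disabled:
            return "disabled by double power-button press"
        if now - self.last_pin_unlock >= self.window:
            return "window expired"
        return "allowed"


if __name__ == "__main__":
    # Constructed timeline with a one-hour window.
    policy = FingerprintPolicy(window_seconds=3600)
    policy.pin_unlock(0)
    print("30 min later:", policy.reason(1800))
    print("90 min later:", policy.reason(5400))
    policy.pin_unlock(5400)
    policy.power_button(5410)
    policy.power_button(5410.3)
    print("after double press:", policy.reason(5411))
```

Note that a single press followed by another more than half a second later is treated as two ordinary presses, so the panic path cannot fire by accident from normal screen toggling.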

because there are situations in some countries when you can be forced to apply your finger to the fingerprint scanner.
So in such situations the ability to quickly “block” fingerprint unlocking is essential.

But in these situations, can the user not also be forced to unlock the device with the PIN code?

I tried this, but it is not working any more, is it?
Because once telnet is connected, one needs to provide the code to launch the shell (#3) or the ssh server (#5).
So, apart from having a weak pass"phrase", SFOS is not so easy to bruteforce, is that correct?

Incorrect. You could just use a different recovery image that doesn’t ask for any PIN code (either an old Jolla one, a random Android one, or one you create yourself).
To a somewhat dedicated attacker, this would be just a minor inconvenience, no real obstacle…

I understand. Thanks for explaining.
So we could say to this guy.
Is there a place where he could find one of these images?