Don’t Use Wi-Fi for Security Cameras

I’ve been asked for my opinion on Wi-Fi security cameras many times. My opinion is to avoid them. Wi-Fi is susceptible to many easy-to-perform attacks. For example, Wi-Fi deauthentication attacks are a favorite of script kiddies because they are so easy to perform: deauthentication frames are unauthenticated management frames, so anybody within radio range can spoof them from your access point and knock every camera off the network. I’ve demonstrated how easy it is to many friends. WPA3 helps alleviate this because it requires Protected Management Frames (802.11w), which authenticate those frames, but most access points that I’ve seen are still using WPA2, where protected management frames are optional and frequently disabled. If you buy a Wi-Fi camera that can’t use WPA3 (or at least WPA2 with protected management frames), it is vulnerable to this trivial attack.

Deauthentication attacks aren’t the only way to bring a Wi-Fi network down. Wi-Fi is a wireless protocol, which means it’s susceptible to jamming. When I explain this to friends, they often say that I’m being overly paranoid. But just because you’re paranoid doesn’t mean that they’re not out to get you:
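To make the attack concrete, here is a small detector of the kind a monitor-mode sensor on a WPA2 network could run. It is an added example for this post, not code from the original or from any vendor: it parses the standard 802.11 management-frame header and counts deauthentication and disassociation frames per BSSID in a sliding window. The frames, MAC addresses, timestamps and threshold are constructed for illustration.

```python
"""Detect 802.11 deauthentication/disassociation floods in a capture.

Added example, not code from the original post. Frame layout follows the
standard 802.11 management-frame header; everything else is constructed.
"""
import struct
from collections import defaultdict, deque

MGMT_TYPE = 0
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
BROADCAST = bytes.fromhex("ffffffffffff")
REASON_CLASS3_FROM_NONASSOC = 7   # reason code deauth tools typically send


def build_mgmt_frame(subtype, dst, src, bssid, body=b"", seq=0):
    """Minimal 802.11 management frame without FCS: frame control (version 0,
    type 0, flags 0), duration, addr1/addr2/addr3, sequence control, body."""
    frame_control = (subtype << 4) | (MGMT_TYPE << 2)
    header = struct.pack("<HH", frame_control, 0) + dst + src + bssid + struct.pack("<H", seq << 4)
    return header + body


def parse_frame(raw):
    """Return (type, subtype, addr1, addr2, addr3), or None for a short frame."""
    if len(raw) < 24:
        return None
    frame_control = struct.unpack_from("<H", raw, 0)[0]
    ftype = (frame_control >> 2) & 0x3
    subtype = (frame_control >> 4) & 0xF
    return ftype, subtype, raw[4:10], raw[10:16], raw[16:22]


def detect_deauth_floods(frames, window_ms=1000, threshold=10):
    """frames: iterable of (timestamp_ms, raw_frame) in time order.
    Returns [(bssid_hex, timestamp_ms, count)]: one alert per BSSID per window
    once deauth/disassoc frames seen in the window reach the threshold."""
    recent = defaultdict(deque)   # bssid -> timestamps of recent deauth/disassoc
    last_alert = {}
    alerts = []
    for ts, raw in frames:
        parsed = parse_frame(raw)
        if parsed is None:
            continue
        ftype, subtype, _dst, _src, bssid = parsed
        if ftype != MGMT_TYPE or subtype not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window_ms:
            q.popleft()
        if len(q) >= threshold and ts - last_alert.get(bssid, -window_ms - 1) > window_ms:
            alerts.append((bssid.hex(), ts, len(q)))
            last_alert[bssid] = ts
    return alerts


def constructed_capture():
    """Constructed capture: normal beacons, one legitimate deauth from a station
    that is leaving, then a 40-frame broadcast deauth flood spoofed from the AP."""
    ap = bytes.fromhex("001122334455")
    station = bytes.fromhex("66778899aabb")
    flood_reason = struct.pack("<H", REASON_CLASS3_FROM_NONASSOC)
    frames = [(0, build_mgmt_frame(SUBTYPE_DEAUTH, ap, station, ap, struct.pack("<H", 3)))]
    for i in range(20):                                   # beacons every 100 ms
        frames.append((i * 100, build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, ap, ap, seq=i)))
    for i in range(40):                                   # flood: one deauth every 10 ms
        frames.append((1000 + i * 10, build_mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, ap, ap, flood_reason)))
    frames.sort(key=lambda f: f[0])
    return frames


if __name__ == "__main__":
    for bssid, ts, count in detect_deauth_floods(constructed_capture()):
        print(f"deauth flood against BSSID {bssid}: {count} frames by t={ts} ms")
```

The single legitimate deauthentication at the start never trips the detector; the spoofed flood does as soon as ten frames land inside one second. With protected management frames enabled, clients discard unauthenticated deauthentication frames outright, which is the fix; this detector is what you are left with when the camera or access point can’t do that.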

A serial burglar in Edina, Minnesota is suspected of using a Wi-Fi jammer to knock out connected security cameras before stealing and making off with the victim’s prized possessions. Minnesota doesn’t generally have a reputation as a hotbed for technology, so readers shouldn’t be surprised to hear that reports of Wi-Fi jammers used to assist burglaries in the U.S. go back several years. PSA: even criminals use technology, and more are now catching on — so homeowners should think about mitigations.

This is the exact thing I’ve been warning about since Wi-Fi cameras came on the market.

The purpose of a security camera is in the name: security. You want security cameras to be a deterrent and, failing that, to collect evidence that can be provided to law enforcers, insurance companies, etc. A Wi-Fi camera isn’t going to deter a burglar who has access to jamming hardware and knows how to use it. Wi-Fi cameras that have been disconnected from their recording device aren’t going to collect evidence (a camera with a built-in SD card could, but then you’re trusting an SD card, which is a crapshoot).

If you’re going through the trouble of buying and installing security cameras, get hard-wired cameras. There are a lot of excellent Power over Ethernet (PoE) options on the market. PoE cameras only require a single Ethernet cable to provide both power and data connectivity. A cable can be cut, but a burglar has to reach it first, which is a very different proposition from pressing a button on a jammer from the street. Pair the cameras with a recorder that stores footage locally so that losing your Internet connection (or the vendor’s cloud service) doesn’t take recording down with it.

In Praise of Pen and Paper

Back before the Internet became ubiquitous, one of the most commonly given pieces of computer security advice was to not write passwords down on Post-It notes and stick them to your computer. The threat model was obvious. Anyone sitting down at the computer would have access to the password. This threat model was the most common one back then. While writing passwords down on Post-It notes isn’t a good idea today, it’s actually quite secure against today’s most common threats because a piece of paper can’t be accessed remotely. Ubiquitous Internet connectivity has shifted the most common threat models from local access to remote access.

Data breaches, ransomware, and distributed denial of service are three of the most common forms of attack we read about today. Data breaches in business and government networks have resulted in tremendous amounts of personal information being leaked online. Ransomware attacks can grind businesses to a halt by locking away the data needed to complete day to day tasks. Likewise, distributed denial of service attacks can bring businesses to a halt because so much business data now lives on other people’s computers. If those computers are knocked offline, the data uploaded to them becomes inaccessible. A folder containing information written on paper forms stored in a filing cabinet can’t be stolen remotely. It can’t be maliciously encrypted remotely. Access to it can’t be taken away remotely.

The benefits of paper don’t stop there. Paper has an intuitive interface. You pick it up and you read it. Accessing information on a piece of paper doesn’t require trying to figure out a command line or graphical user interface designed by a mad programmer who seemed to take design cues from Daedalus. The user interface of paper also doesn’t change. You don’t have to worry about a software company releasing an update to a piece of paper that drastically changes the user interface for no reason other than the sake of changing it.

Paper is resilient. Data stored on a computer can be corrupted in so many ways. A file loaded into RAM can be corrupted due to a memory error and that corrupted data can be dutifully written to disk and then included in backups. It’s possible that a file that is accessed infrequently can be corrupted without anyone noticing until all of the backups of the uncorrupted file are cycled out. A file can also be corrupted while it’s stored on a hard drive or SSD. Paper doesn’t suffer such weaknesses.

Writing information down on paper has a lot of security and integrity benefits. None of this is to say there aren’t downsides to using paper. But the next time you read about patient information being leaked online because a hospital suffered a data breach, consider how much safer that information would have been if it had been stored on paper forms instead of a database. When half of the Internet disappears due to another Cloudflare misconfiguration and you are unable to perform a task because the information you need is hosted on somebody else’s computer, consider that you’d still be able to complete the task if the information was on a paper form in your filing cabinet.

Just because a technology is old doesn’t mean it’s completely outdated.

Averages Apply to Criminals Too

George Carlin once said, “Think of how stupid the average person is, and realize half of them are stupider than that.” This applies to criminals as well.

If you believed the claims of politicians and law enforcers, you’d think that the invention of encryption and the tools it enables, like Tor and Bitcoin, is the end of law enforcement. We’re constantly told that without backdoor access to all encryption, the government is unable to thwart the schemes of terrorists, drug dealers, and child pornographers. Their claims assume that everybody using encryption is knowledgeable about it and technology in general. But real world criminals aren’t James Bond supervillains. They’re human beings, which means most of them are of average or below average intelligence.

The recent high profile child pornography site bust is a perfect example of this point:

He was taken aback by what he saw: Many of this child abuse site’s users—and, by all appearances, its administrators—had done almost nothing to obscure their cryptocurrency trails. An entire network of criminal payments, all intended to be secret, was laid bare before him.

[…]

He spotted what he was looking for almost instantly: an IP address. In fact, to Gambaryan’s surprise, every thumbnail image on the site seemed to display, within the site’s HTML, the IP address of the server where it was physically hosted: 121.185.153.64. He copied those 11 digits into his computer’s command line and ran a basic traceroute function, following its path across the internet back to the location of that server.

Incredibly, the results showed that this computer wasn’t obscured by Tor’s anonymizing network at all; Gambaryan was looking at the actual, unprotected address of a Welcome to Video server. Confirming Levin’s initial hunch, the site was hosted on a residential connection of an internet service provider in South Korea, outside of Seoul.

[…]

Janczewski knew that Torbox and Sigaint, both dark-web services themselves, wouldn’t respond to legal requests for their users’ information. But the BTC-e data included IP addresses for 10 past logins on the exchange by the same user. In nine out of 10, the IP address was obscured with a VPN or Tor. But in one single visit to BTC-e, the user had slipped up: They had left their actual home IP address exposed. “That opened the whole door,” says Janczewski.

Despite the use of several commonly cited tools that supposedly thwart law enforcement efforts, law enforcers were able to discover the location of the server hosting the site and the identity of suspected administrators using old fashioned investigative techniques. This was possible because criminals are human beings with all the flaws that entails.

One thing this story illustrates is that it takes only a single slip up to render an otherwise effective security model irrelevant. It also illustrates that just because one is using a tool doesn’t mean they’re using it effectively. Despite what politicians and law enforcers often claim, Bitcoin makes no effort to anonymize transactions. Every transaction, with its input and output addresses and amounts, sits on a public ledger forever, so anybody can follow the money from an address they know to every address it later touched. If, for example, law enforcers know the identity of the owner of some Bitcoin and that individual knows the identity of the person buying some of that Bitcoin, it’s simple for law enforcers to identify the buyer. Popular legal crypto exchanges operating in the United States are required to follow know your customer laws, which means they know the real world identity of their users. If you set up an account with one of those exchanges and buy some Bitcoin, then law enforcers can determine your identity by subpoenaing the exchange. Even if the exchange you’re using doesn’t follow know your customer laws, if you connect to it without obscuring your IP address even once, it’s possible for law enforcers to identify you if they can identify and put pressure on the exchange.
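The tracing described above is mechanical once the ledger is public. The following is an added example for this post, not code from the original or from any investigation, run over a constructed ledger: it follows funds forwards and backwards from an address, and applies the common-input-ownership heuristic (inputs spent together in one transaction are presumed to belong to one wallet) that chain-analysis firms use to group addresses. The address names, amounts and the “KYC” labels are all constructed.

```python
"""Trace funds and cluster owners on a constructed Bitcoin-style ledger.

Added example, not code from the original post. The ledger below is a
constructed toy; real chain analysis works the same way on the public chain.
"""
from collections import defaultdict, deque

# (txid, input addresses, [(output address, amount)]) -- constructed
LEDGER = [
    ("tx1", ["exA_hot"], [("u1", 0.50), ("exA_hot", 9.50)]),         # KYC exchange pays out a withdrawal to u1
    ("tx2", ["u1", "u2"], [("site_deposit", 0.60), ("u3", 0.15)]),  # u1 and u2 spent together to pay the site
    ("tx3", ["site_deposit"], [("admin_cashout", 0.60)]),           # site sweeps its deposit address
    ("tx4", ["admin_cashout"], [("exB_deposit", 0.59)]),            # admin cashes out at another KYC exchange
    ("tx5", ["x1"], [("x2", 1.00)]),                                 # unrelated activity
]

# Addresses whose owner someone will name under subpoena -- constructed labels
LABELS = {"exA_hot": "Exchange A hot wallet (KYC)", "exB_deposit": "Exchange B deposit (KYC)"}


def build_graph(ledger):
    """Forward and backward adjacency between addresses."""
    forward, backward = defaultdict(set), defaultdict(set)
    for _txid, inputs, outputs in ledger:
        for src in inputs:
            for dst, _amount in outputs:
                if dst != src:                      # ignore change paid back to the same address
                    forward[src].add(dst)
                    backward[dst].add(src)
    return forward, backward


def cluster_common_inputs(ledger):
    """Union-find over input addresses: everything spent together is one owner."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a

    for _txid, inputs, _outputs in ledger:
        for other in inputs[1:]:
            parent[find(other)] = find(inputs[0])
    groups = defaultdict(set)
    for addr in list(parent):
        groups[find(addr)].add(addr)
    return {addr: frozenset(groups[find(addr)]) for addr in parent}


def reachable(graph, start, max_hops):
    """Breadth-first search: address -> hop distance from start, up to max_hops."""
    hops = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if hops[cur] >= max_hops:
            continue
        for nxt in graph[cur]:
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops


def kyc_touchpoints(ledger, labels, target, max_hops=6):
    """For a target address, return the labelled addresses that funded it or
    received from it (with hop counts) and the wallet cluster that paid it directly."""
    forward, backward = build_graph(ledger)
    upstream = reachable(backward, target, max_hops)
    downstream = reachable(forward, target, max_hops)
    hits = {}
    for addr, label in labels.items():
        if addr in upstream and addr != target:
            hits[addr] = ("funded target", upstream[addr], label)
        elif addr in downstream and addr != target:
            hits[addr] = ("received from target", downstream[addr], label)
    clusters = cluster_common_inputs(ledger)
    payers = set()
    for addr in backward[target]:
        payers |= clusters.get(addr, frozenset({addr}))
    return hits, payers


if __name__ == "__main__":
    hits, payers = kyc_touchpoints(LEDGER, LABELS, "site_deposit")
    for addr, (relation, hops, label) in hits.items():
        print(f"{addr}: {label} {relation} in {hops} hop(s)")
    print("wallet cluster that paid the site:", sorted(payers))
```

Two hops upstream of the site’s deposit address is a withdrawal from a KYC exchange, and two hops downstream is a deposit at another one; a subpoena to either ends the anonymity. The clustering step is what turns one slip into many: because u1 and u2 were spent together, the customer who withdrew to u1 is presumed to own u2 and everything u2 ever did.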

No fewer than three mistakes were made by the criminals in this case. First, they falsely believed that Bitcoin anonymizes transactions. Second, they failed to obscure the real world location of the server. Third, one of the individuals involved connected to their Bitcoin exchange without a VPN or Tor a single time. These mistakes made their efforts to secure themselves against law enforcers useless.

When politicians and law enforcers tell you that the government requires backdoor access to encryption in order to thwart terrorists, drug dealers, and child pornographers, they’re lying. Their claims might have some validity in a world where every criminal was as brilliant as a James Bond supervillain, but we don’t live in that world. Here criminals are regular humans. They’re usually of average or below average intelligence. Even though they may know that tools to assist their criminal efforts exist, they likely don’t know how to employ them correctly.

Securing Financial Applications Behind Secondary Accounts

Many people run their entire lives from their mobile devices. Unfortunately, this makes mobile devices prime targets for malicious actors. Apple and Google have responded to this by continuously bolstering the security of their respective mobile operating systems (although the openness of Android means device manufacturers can and often do undo a lot of that security work). One major security improvement has been the optional use of biometrics to unlock devices. Before fingerprint and facial recognition on mobile devices, you had to type in a password (or optionally draw a pattern on Android) every time you wanted to unlock your device. This dissuaded people from setting an unlock password on their devices. Now that mobile devices can be quickly unlocked with fingerprint or facial recognition, implementing a proper unlock password on a device isn’t as inconvenient. With this increase in convenience came an increase in the number of people properly locking their devices.

Setting a proper unlock password protects the owner from the consequences of their mobile device being stolen. A thief might get the device, but if it is properly locked (which also implies that all security updates are installed and the device is still supported by the manufacturer), the thief will be blocked from accessing data on the device, including any financial applications.

Now that locked devices are more prevalent, thieves are resorting to new forms of trickery to gain access to the valuable information on devices:

Most scams that utilize payment apps involve a range of tricks to get you to send money. But some criminals are now skipping that step; they simply ask strangers to use their phones and then send the money themselves.

The victim often doesn’t realize what’s happened until hours or even days later. And by that point, there’s very little they can do about it.

If somebody asks to borrow your phone, tell them no. But asking to borrow a phone isn’t the only way thieves acquire access to unlocked devices. Thieves are also targeting people who are actively using their devices (and since those people often aren’t paying attention to their surroundings, they’re easy targets). If a thief steals an unlocked device from somebody, they can gain access to the information on the device until it is locked again.

Most financial applications offer the ability to set an application specific password, which you should do. However, Android offers another level of security. Android supports multiple user accounts. Applications and data in one user account cannot be accessed by other user accounts (an application can be installed in multiple accounts, but each installation is unique to an account). A user can add a separate user and install their financial applications in that account. When they’re using their main account for things like making calls and instant messaging, their financial accounts remain locked behind the secondary account. So long as the user isn’t actively using the secondary account, any thief who swipes the device while it’s unlocked will not even be able to see which, if any, financial applications are installed. Give the secondary user its own lock screen credential, different from the primary’s; each Android user has one, and without it switching users is just a tap.

Financial applications aren’t the only ones that you can hide behind secondary user accounts, but they’re good candidates because unauthorized access to those applications can result in real world consequences. Furthermore, financial applications usually aren’t accessed frequently. They’re accessed when a user needs to check the status of an account or make a transaction.

Malicious Automatic Updates

The early days of the Internet demonstrated both the importance and lack of computer security. Versions of Windows before XP had no security to speak of. But even by the time Windows XP was released, you could still easily compromise your entire system by visiting a malicious site (while this is still a possibility today, it was a near certainty back then). It was during the reign of Windows XP when Microsoft started taking security more seriously. Windows XP Service Pack 2 included a number of security improvements to the operating system. However, this didn’t solve the problem of woeful computer security because even the best security improvements are worthless if nobody actually installs them.

Most users won’t manually check for software updates. Even if the system automatically checks for updates and notifies users when they’re available, those users often still won’t install those updates. This behavior led to the rise of automatic updates.

In regards to security, automatic updates are good. But like all good things, automatic updates are also abused by malicious actors. Nowhere is this more prominent than with smart appliances. Vizio recently released an update for some of their smart televisions. The update included a new “feature” that spies on what you’re watching and displays tailored ads over that content:

The Vizio TV that you bought with hard-earned cash has a new feature; Jump Ads. Vizio will first identify what is on your screen and then place interactive banner ads over live TV programs.

[…]

It is based on Vizio’s in-house technology from subsidiary company Inscape that uses automatic content recognition (ACR) to identify what is on your screen at any given moment. If the system detects a specific show on live TV it can then show ads in real-time.

Vizio isn’t unique in this behavior. Many device manufacturers use automatic updates to push out bullshit “features.” This strategy is especially insidious because the malicious behavior isn’t present when the device is purchased and, oftentimes, the buyer has no method to stop the updates from being installed. Many smart devices demand an active Internet connection before they’ll provide any functionality, even offline functionality. Some smart devices, when not given Internet access, will scan for open Wi-Fi networks and automatically connect to any one they find (which is a notable security problem in its own right). And as the price of machine to machine cellular access continues to drop, more manufacturers are going to cut out the local network requirement and set up their smart devices to automatically connect to any available cellular network.

This pisses me off for a number of reasons. The biggest reason is that the functionality of the device is being significantly altered after purchase. A consumer may buy a specific device for a reason that ceases to exist after an automatic update is pushed out by the manufacturer. The second biggest reason this behavior pisses me off is because it taints the idea of automatic updates in the eyes of consumers. Automatic updates are an important component in consumer computer security, but consumers will shy away from them if they are continually used to provide a negative experience. Hence this behavior is a detriment to consumer computer security.

As an aside, this behavior illustrates another important fact that I’ve ranted about numerous times: you don’t own your smart devices. When you buy a smart device, you’re paying money to grant a manufacturer the privilege to dictate how you will use that device. If the manufacturer decides that you need to view ads on the screen of your smart oven in order to use it, there is nothing you as an end consumer can do (if you’re sufficiently technical you might be able to work around it, but then you’re just paying money to suffer the headache of fighting your own device).

Once again I encourage everybody reading this to give serious consideration to the dwindling number of dumb devices. Even if a smart device offers features that are appealing to your use case, you have to remember that the manufacturer can take those features away at any time without giving you any prior notice. Moreover, they can also add features you don’t want at any time without any notice (such as spyware on your television).

Preparing for Bad Times

It’s obvious that inflation and shortages are long term trends, not short term “transitory” states as claimed by the current rulers and their mouthpieces in the mainstream media. If history is any indicator, we’re moving towards bad times. However, the effects of bad times can be mitigated with a bit of planning and preparation.

I’m guessing a large percentage of people reading this have been preparing for bad times for a while. If you have been, good on you. You were smart. If you haven’t, don’t worry. There’s still time. Although most goods are harder to come by than they were two years ago, necessities can still be readily had in most places (although you may have to go to several stores to get everything on a list).

If you haven’t been, this post is a primer for you. It’s not all encompassing. It’s a bullet point list meant to get you started.

Creating a Plan

During the first wave of lock downs people snapped up toilet paper and frozen pizzas like they were gold. They did this because they realized that they needed to “do something” but didn’t bother to develop a plan.

When preparing for bad times, you want to allocate resources where they will do the most good. Having a stockpile of toilet paper is good, but all the toilet paper in the world is worthless if you don’t have any food. The first step of developing a plan is identifying what you need. The most immediate needs of a person are water, food, and protection from the elements (shelter and clothing). If you want to avoid disease, you will also need a hygienic environment and medical supplies. I suggest starting with these categories.

Water

Water availability will differ from region to region. If you live in a desert, you will need more stored water than somebody who lives near plentiful fresh surface water (in which case filtration can be an alternative to storage). Unless the water coming out of your tap is poisonous (in other words what I’m writing doesn’t apply if you live in Flint, Michigan), I’d suggest storing tap water over buying bottled water from a store. Do keep in mind that filling random containers with water isn’t sufficient. You need to store your water properly if you want it to last.

Food

Judging by availability immediately after the lock downs, a lot of people believe they can eat frozen pizzas forever. Setting aside the dubious nutritional value of frozen pizzas, putting all of your eggs in one freezer isn’t a smart long term plan. Freezers require electricity and can break down. If electricity is unavailable for an extended period of time or your freezer suffers a mechanical failure, everything stored in it will thaw and spoil. You can mitigate the risk of power loss with a generator (so long as fuel is available), but you can’t mitigate the effects of a breakdown unless you have a backup freezer (two is one, one is none). I don’t want to discourage you from making frozen food part of your plan, just don’t make it your entire plan. Having a backup plan for your backup plan is never a dumb idea (again, two is one…).

The good news for your preparedness plan is that there are options in addition to frozen food. Canned goods are the most obvious. Canned goods in good condition can last for a very long time if properly stored. Dry goods are also worth adding to your plan. Dried beans, rice, pasta, etc. store well without the need for refrigeration. Specially prepared foods such as pemmican and hardtack also store well without refrigeration and can serve as alternative ways to store otherwise perishable foods like meat if a freezer isn’t available.

Before you run to the store and buy every can of Spam on the shelf, consider your current diet. If you don’t like Spam, buying pallets of it is foolish. Survival is the primary purpose of preparing for bad times, but there’s no reason you have to suffer to survive. Focus on buying foods you actually like to eat. This will make your life more pleasant in bad times and allow you to cycle through your stockpile during good times (more on that in a bit). Moreover, buy a variety of foods you like to eat. That will allow you to mitigate appetite fatigue (the point where you become so sick of eating the same thing that you can no longer choke it down even in a survival situation).

Protection from the Elements

I’m not going to spend much time on this. You need appropriate living arrangements to both protect yourself from the elements and to store your necessities. Proper clothing for where you live is also necessary (for example, if you live in an area with harsh winters, make sure you have clothing that will protect you from those conditions).

A bug out destination can be included in this category. Depending on the type of bad time you’re experiencing, your home may not be safe.

A Hygienic Environment

Medical care may be limited or unavailable during bad times. That makes getting sick more dangerous. The best way to avoid sickness is to maintain a hygienic environment. You want to have sufficient cleaning supplies to keep your home clean. That means supplies to sanitize where you prepare your food, supplies to prevent mold from growing in your bathroom, and supplies to keep your clothing and body clean.

This seems to be the most often overlooked part of a preparedness plan. Most people remember food and water, but often forget soap, laundry detergent, bleach, etc. Don’t be one of those individuals or all the water and food you painstakingly stocked will be wasted.

Medical Supplies

Speaking of illness, make sure you have stocks of basic medical supplies. Bandages, gauze, medical tape, tourniquets, disinfectant, etc. are all good things to have and usually store for a long time. Again, medical care may be limited so you may have to fend for yourself if you are injured. Moreover, try to stockpile any medications you need (this can be hard because the state artificially restricts access to prescription medications).

Pets

Do you have pets? Do you want them to survive bad times? If so, make sure you stock supplies for your pets as well. How easy this is will depend on the kind of pets you have.

Cycling Stock

Instead of building a stockpile and forgetting about it until bad times hit, you should use and replace items from your stockpile during good times. For example, if you have a recipe calling for green beans, pull a can of green beans from your stockpile and replace that can with a new one. This serves two purposes. First, it guards against spoilage by limiting the amount of time any good is stored. Second, it increases your chances of discovering spoiled stock when it can be readily replaced. A can of rancid meat is less of a problem when you can go to the store and buy a replacement than it is when canned meat is unavailable.

Allocating Resources

So you put together a plan, crunched the numbers, and realized that this is going to cost a lot of money. Don’t be discouraged. You don’t have to buy everything immediately.

Your plan should be prioritized. This can be done by asking some simple questions. What items do you need immediately? What items can be acquired cheaply? What items will require saving money to acquire? What items are more readily available?

Obviously items you need immediately should be prioritized. If, for example, you were one of those individuals who stockpiled toilet paper during the beginning of the lock downs and still have several months worth in stock, toilet paper should have a low priority. You may want to prioritize items that you need and are already in short supply. For example, many of the recipes my wife cooks require coconut milk. We live in the Midwest where coconut milk is usually relegated to the “Asian section” of the grocery store, which usually has limited stock in the best of times. So coconut milk is prioritized higher on my list.

Items that can be acquired cheaply are good add-ons to your normal grocery list. For example, many canned vegetables can still be found for under a dollar a can (this is being written in November of 2021; if you’re reading it months after I wrote it, inflation may have made this claim look absurd). Adding a few cans of vegetables to your grocery list probably won’t break the bank. Over time a few cans here and there will result in a very comfortable stockpile. Keep an eye out for sales. If your grocery store is having a sale on an item on your preparedness plan, use the opportunity to stock up for less.

What about expensive items like generators, or hiring an electrician to wire your house so you can connect your generator to your home? Budget for them. Save some money each month for the purpose of acquiring more expensive items.

Don’t Panic

Preparing for bad times is, in my opinion, a continuous process. If you do a little bit every week or month, you will be in a solid position surprisingly quickly. It’s easy to convince yourself that everything could fall to pieces tomorrow and panic. Remember that things seldom fall to pieces overnight. When you wake up tomorrow, there will likely still be food on store shelves and the money in your wallet will likely still be able to buy it.

One VPN Provider to Rule Them All

When somebody first develops an interest in privacy, the first piece of advice they usually come across is to use a virtual private network (VPN). Because their interest in privacy is newly developed, they usually have little knowledge beyond that they “need a VPN.” So they do a Google (again, their interest in privacy is new) search for VPN and find a number of review sites and providers. Being a smart consumer they read the review sites and choose a provider that consistently receives good reviews. What the poor bastard doesn’t know is that many of those review sites and providers are owned by the same company (a company, I will add, that is shady as fuck):

Kape Technologies, a former malware distributor that operates in Israel, has now acquired four different VPN services and a collection of VPN “review” websites that rank Kape’s VPN holdings at the top of their recommendations. This report examines the controversial history of Kape Technologies and its rapid expansion into the VPN industry.

If you’re not familiar with Kape Technologies, the report quoted above provides a good overview. If you want a TL;DR, Kape Technologies has a history of distributing malware and now owns ExpressVPN, CyberGhost, Private Internet Access, and Zenmate. Because of Kape Technologies’ history, I would advise against using one of its VPN providers. It’s not impossible for a company to turn over a new leaf, but with other options available (at least until Kape buys them all), why take chances?

If you’re a person with a newfound interest in privacy and looking for recommendations, I unfortunately don’t have any good recommendations for review sites. The handful of review sites that I used to trust have either disappeared or been bought by VPN providers (which by itself doesn’t necessarily make a review site untrustworthy, but I’m always wary of such conflicts of interest).

As far as VPN providers go, I use Mullvad and I like it. It supports WireGuard (my preferred VPN protocol), doesn’t ask for any personally identifiable information when signing up for an account, accepts anonymous forms of payment (including straight cash mailed in an envelope), and seems determined to remain independent (at least for now).

It’s a Tracking Device, Not a Smartphone

I like to refer to smartphones as voluntary tracking devices. Cellular technology provides your location to the network provider as a side effect of operating at all. Smartphones can also leak your location through other means. But location isn’t the only type of information collected by smartphones. Android has a sordid reputation when it comes to data collection. Part of this is because Google’s primary business is collecting information to sell to advertisers. Another part is that handset manufacturers can bake additional data collection into their Android devices. Another part is that Android lacked granular application permissions until more recent versions, which allowed application developers to collect more information.

Apple on the other hand has enjoyed a much better reputation. Part of this is because Apple’s primary business model was selling hardware (now its primary business model is selling services). But Apple also invested a lot in securing its platform. iOS provided users more granular control over what applications could access earlier than Android. It also included a lot of privacy enhancements. However, Apple’s reputation isn’t as deserved as one might think. Research shows that iOS collects a lot of information:

“Both iOS and Google Android share data with Apple/Google on average every 4.5 [minutes],” a research paper published last week by Trinity College in Dublin says. “The ‘essential’ data collection is extensive, and likely at odds with reasonable user expectations.”

Much of this data collection takes place after the phone is first turned on, before the user logs into an Apple or Google account, and even when all optional data-sharing settings are disabled.

“Both iOS and Google Android transmit telemetry, despite the user explicitly opting out of this,” the paper adds. “However, Google collects a notably larger volume of handset data than Apple.”

I can’t say that this surprises me. Apple is a publicly traded company, which means its executives are beholden to shareholders interested almost exclusively in increasing the price of their shares. That means Apple’s executives need to constantly increase the company’s revenue. User information is incredibly valuable. Mark Zuckerberg made a multi-billion dollar company out of collecting user information. So it was unrealistic to expect Apple to leave that kind of potential revenue on the table. Even if Apple isn’t currently selling the information, it can start at any time. Moreover, if it has the information, it can be obtained by state agents via a warrant.

This brings up an obvious question. What smartphone should individuals concerned about privacy get? Unfortunately, Android and iOS are the two biggest players in the smartphone market. They are also the only two players readily available to consumers who aren’t tech savvy. GrapheneOS is an example of an Android version that offers better privacy than the stock versions found on most devices. But using it requires buying a supported Pixel and flashing GrapheneOS to it yourself. There are also phones that run mainline Linux such as the PinePhone and Librem 5. The problem with those devices is the state of the available software. Mainline Linux distributions designed for those phones are still in development and likely won’t meet the needs of most consumers.

Right now the market looks grim if you want a smartphone, are concerned about privacy, and aren’t tech savvy enough to flash third-party firmware to your phone.

Before and After First Unlock

If you’ve used a desktop operating system, you may have encountered full-disk encryption. The name is self explanatory. When full-disk encryption is used on a desktop or laptop, the entire contents of the hard drive (minus whatever is needed to properly boot the system far enough to enter the decryption key) are encrypted. The contents are only accessible after the decryption key has been provided during boot up.

iOS and modern versions of Android use a different model called file-based encryption. Rather than encrypting the entire contents of the device, files are encrypted individually according to a policy. This is why you can make a call on an iOS or Android phone after it has been booted but before it has been unlocked. But as with full-disk encryption, the encrypted files are only accessible after the device is first unlocked following a boot up.

The states where encrypted data is inaccessible and accessible are referred to as before and after first unlock respectively. Before the first unlock data is considered at rest. The device is unable to decrypt the encrypted data because the necessary decryption key hasn’t been provided by the owner. After the first unlock the device stores the decryption key so it can decrypt and access the encrypted data. How the keys are stored varies. Many devices store the decryption keys in memory, but the more secure method is to store decryption keys in a secure chip such as the Secure Enclave hardware on iPhones or the Titan M chip on Pixel devices (technically the decryption key is usually derived by the secure chip using the provided decryption key and other inputs, but I’ll skip over those details in this post). Using a secure chip adds a barrier between the decryption key and malicious software or hardware able to gain unfettered access to system memory.

When you read stories about law enforcers extracting encrypted data from a device without the owner’s cooperation, they are almost always extracting the data after the first unlock:

The main difference between Complete Protection and AFU relates to how quick and easy it is for applications to access the keys to decrypt data. When data is in the Complete Protection state, the keys to decrypt it are stored deep within the operating system and encrypted themselves. But once you unlock your device the first time after reboot, lots of encryption keys start getting stored in quick access memory, even while the phone is locked. At this point an attacker could find and exploit certain types of security vulnerabilities in iOS to grab encryption keys that are accessible in memory and decrypt big chunks of data from the phone.

Based on available reports about smartphone access tools, like those from the Israeli law enforcement contractor Cellebrite and US-based forensic access firm Grayshift, the researchers realized that this is how almost all smartphone access tools likely work right now. It’s true that you need a specific type of operating system vulnerability to grab the keys—and both Apple and Google patch as many of those flaws as possible—but if you can find it, the keys are available, too.

When law enforcers confiscate a device, it’s common practice to both prevent the device from powering off and to isolate it from any network access. This prevents the device from entering before the first unlock state and from being remotely wiped. Mobile phones have their own batteries, which increases the time law enforcers have between confiscation and connecting it to a secondary power source. Placing the phone into a Faraday bag isolates it from network access. Once a device has been prevented from powering off or being remotely wiped, law enforcers can work to decrypt the contents of the phone at their leisure.

Before continuing I will note that law enforcers aren’t the only individuals interested in gaining unauthorized access to the encrypted contents on a device. I’m highlighting them because they receive the most press coverage. Keep in mind that many unauthorized parties such as abusers and stalkers have the same interest albeit for different reasons.

The safest state for encrypted content is at rest. This is why I always recommend people power down their devices before entering airport checkpoints or border crossings. Those are situations where encounters with law enforcers are guaranteed and the chances of devices being confiscated are higher than average. I also recommend people power down their desktops and especially laptops when not in use. That way if the device is stolen, the contents remain inaccessible to the thief. However, powering down devices isn’t always practical, especially when the device in question is a smartphone. If you’re meeting somebody at an airport, you might need to keep your phone powered on in case the party with whom you’re meeting needs to contact you (although I will argue that proper planning can avoid this scenario and, if not, rebooting the device and leaving it in the before first unlock state will allow you to be reachable while keeping your data at rest). If a mugger demands your smartphone, they probably won’t allow you to power it down before handing it over.

This is why I was happy to discover a feature in GrapheneOS. In the settings application under the Security category there is an option called Auto reboot. By default this is disabled, but if you tap on it, you’ll be greeted with a dialog box offering different lengths of time. If you select one of those options, the phone will automatically reboot if it hasn’t been unlocked in the selected period of time. This ensures that the device will return to before the first unlock state after you haven’t unlocked it for the selected period of time. If you unlock your device frequently and don’t mind entering your password when you wake up in the morning, you can select a short time period. If you don’t want to enter the password every morning, you can select eight hours (or slightly more than however many hours you typically sleep). This feature creates a specific window of time between when a device is confiscated or stolen and when it returns to before the first unlock state.
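As an added illustration (not GrapheneOS code and not from the original post), here is a small Python model of the before and after first unlock states with an auto-reboot timer. The salt, the PBKDF2 derivation and the eight hour window are stand-ins for what the secure chip and the settings dialog actually do.

```python
import hashlib
from datetime import datetime, timedelta

# Constructed values; a real device derives keys inside a secure chip
# (Secure Enclave, Titan M) from the passcode plus device-bound secrets.
DEVICE_SALT = b"constructed-device-bound-secret"
AUTO_REBOOT_AFTER = timedelta(hours=8)

class FileBasedEncryptionState:
    """Toy model of the Before/After First Unlock (BFU/AFU) states."""

    def __init__(self, auto_reboot_after=AUTO_REBOOT_AFTER):
        self.auto_reboot_after = auto_reboot_after
        self.reboot()

    def reboot(self):
        # Any (re)boot wipes key material from memory: data is at rest again.
        self.file_key = None
        self.screen_locked = True
        self.last_unlock = None

    @property
    def state(self):
        return "AFU" if self.file_key is not None else "BFU"

    def unlock(self, passcode, now):
        # The first unlock derives the file key and keeps it resident (AFU).
        self.file_key = hashlib.pbkdf2_hmac("sha256", passcode.encode(), DEVICE_SALT, 100_000)
        self.screen_locked = False
        self.last_unlock = now

    def lock(self):
        # Locking the screen does NOT drop the key; the device stays AFU.
        self.screen_locked = True

    def tick(self, now):
        # GrapheneOS-style auto reboot: no unlock within the window -> back to BFU.
        if self.state == "AFU" and now - self.last_unlock >= self.auto_reboot_after:
            self.reboot()
        return self.state

def simulate(hours_idle):  # constructed scenario: unlock at 08:00, lock, sit idle
    dev = FileBasedEncryptionState()
    before = dev.state
    dev.unlock("correct horse battery staple", datetime(2021, 3, 1, 8, 0))
    dev.lock()
    key_in_memory_while_locked = dev.file_key is not None
    after = dev.tick(datetime(2021, 3, 1, 8, 0) + timedelta(hours=hours_idle))
    return before, key_in_memory_while_locked, after
```

The middle value of the tuple is the point of the whole section: a locked phone still holds its key in memory until something reboots it.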

This is a security feature I would like to see adopted by other operating systems. Knowing my laptop had a finite period of time between when I last unlocked it and when it returns to before the first unlock state would give me the convenience of putting it in sleep mode rather than powering it down completely when transporting it (I fully admit powering down isn’t a huge inconvenience for me since I don’t transport my laptop frequently, but a lot of people transport their laptop between home and work twice a day).

Maybe Connecting Everything to the Internet Isn’t a Great Idea

I’ve made my feelings about the so-called Internet of things (IoT) abundantly clear over the years. While I won’t dismiss the advantages that come with making devices Internet accessible, I’m put off by the industry’s general apathy towards security. This is especially true when critical infrastructure is connected to the Internet. Doing so can lead to stories like this:

Someone broke into the computer system of a water treatment plant in Florida and tried to poison drinking water for a Florida municipality’s roughly 15,000 residents, officials said on Monday.

The intrusion occurred on Friday evening, when an unknown person remotely accessed the computer interface used to adjust the chemicals that treat drinking water for Oldsmar, a small city that’s about 16 miles northwest of Tampa. The intruder changed the level of sodium hydroxide to 11,100 parts per million, a significant increase from the normal amount of 100 ppm, Pinellas County Sheriff Bob Gualtieri said in a Monday morning press conference.

The individuals involved with the water treatment plant have been surprisingly dismissive about this. They’ve pointed out that there was never any danger to the people of Oldsmar because treated water doesn’t hit the supply system for 24 to 36 hours and there are procedures in place that would have caught the dangerous levels of sodium hydroxide in the water before it could be released. I believe both claims. I’m certain there are a number of water quality sensors involved in verifying that treated water is safe before it is released into the supply system. However, they’re not mentioning other dangers.

Poisoning isn’t the only danger of this kind of attack. What happens when treated water can’t be released into the supply system? If an attacker poisons some of the treated water, is there an isolated surplus that can be released into the supply system instead? If not, this kind of attack can work as a denial of service against the city’s water supply. What can be done with poisoned water? It can’t be released into the supply system and I doubt environmental regulations will allow it to be dumped into the ground. Even if it could be dumped into the ground, doing so would risk poisoning groundwater supplies. It’s possible that a percentage of the plant’s treatment capacity becomes unavailable for an extended period of time while the poisoned water is purified.

What’s even more concerning is that this attack wasn’t detected by an intrusion detection system. It was detected by dumb luck:

Then, around 1:30 that same day, the operator watched as someone remotely accessed the system again. The operator could see the mouse on his screen being moved to open various functions that controlled the treatment process. The unknown person then opened the function that controls the input of sodium hydroxide and increased it by 111-fold. The intrusion lasted from three to five minutes.

This indicates that the plant’s network security isn’t adequate for the task at hand. Had the operator not been at the console at the time, it’s quite possible that the attacker would have been able to poison the water. There is also a valid question about the user interface. Why does it apparently allow raising the levels of sodium hydroxide to a dangerous amount? If there are valid reasons for doing so (which there absolutely could be), why doesn’t doing so at least require some kind of supervisory approval?
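An added example in Python (not from the post and not the plant's actual HMI) of the two guard rails this paragraph asks for: a hard ceiling and an independent second-person approval on setpoint writes, plus a detector over constructed audit lines that would have flagged the reported change without relying on an operator watching the mouse. The 500 ppm ceiling, the 2x approval threshold and the log format are assumptions.

```python
import re

# Constructed engineering limits for the NaOH dosing setpoint (ppm). The
# 100 ppm normal level and the 11,100 ppm change come from the Oldsmar report.
HARD_MAX_PPM = 500      # assumed process ceiling the HMI must never exceed
APPROVAL_RATIO = 2.0    # changes of 2x or more need an independent approver

def apply_setpoint(current, requested, operator, approver=None):
    """Return (accepted, value_or_reason) after enforcing the guard rails."""
    if requested < 0 or requested > HARD_MAX_PPM:
        return False, f"{requested} ppm is outside 0..{HARD_MAX_PPM}"
    ratio = requested / current if current else float("inf")
    if ratio >= APPROVAL_RATIO or ratio <= 1 / APPROVAL_RATIO:
        if approver is None or approver == operator:
            return False, "large change needs independent supervisory approval"
    return True, requested

LOG_RE = re.compile(r"(?P<ts>\S+ \S+) (?P<src>remote|console) user=\S+ "
                    r"tag=(?P<tag>\S+) old=(?P<old>\d+) new=(?P<new>\d+)$")

def audit(log_lines):
    """Flag setpoint writes that are remote, over the ceiling, or a large ratio."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        old, new = int(m["old"]), int(m["new"])
        reasons = []
        if m["src"] == "remote":
            reasons.append("remote write")
        if new > HARD_MAX_PPM:
            reasons.append("exceeds hard max")
        if old and new / old >= APPROVAL_RATIO:
            reasons.append(f"{new / old:.0f}x increase")
        if reasons:
            alerts.append((m["ts"], m["tag"], reasons))
    return alerts

# Constructed HMI audit lines, not from the plant; the second mirrors the
# reported 100 -> 11,100 ppm change made over a remote session.
SAMPLE_LOG = [
    "2021-02-05 08:02:11 console user=op1 tag=NaOH_setpoint old=100 new=110",
    "2021-02-05 13:30:41 remote user=op1 tag=NaOH_setpoint old=100 new=11100",
]
```

Either control alone would have stopped or surfaced the reported change; the ceiling rejects it outright, and the audit pass alerts on it even if the ceiling were misconfigured.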

It’s not uncommon for people involved in these industries to cite the lack of budget necessary to address the issues I’ve raised. But if there isn’t a sufficient budget to address important security concerns when connecting critical infrastructure to the Internet, I will argue that it shouldn’t be done at all. The risks of introducing remote access to a system aren’t insignificant and the probability of an attack occurring is extremely high.

Whenever somebody discusses connecting a device to the Internet, I immediately ask what benefits doing so will provide. I then ask which of those benefits can be realized with a local automation system. For example, a Nest thermostat offers some convenient features, but many of those features can be realized with a local Home Assistant controller.