Targeted digital surveillance: Authentication bypass

Authentication bypass is the process by which an adversary gets past the Full Disk Encryption that protects the data on a digital device. An adversary can achieve authentication bypass through human error, weak passwords, or technical exploits.

An adversary can achieve authentication bypass in the following ways:

Used in tactics: Incrimination

Mitigations

Bug search

Before entering a password in a room where covert video surveillance devices may be present, you can conduct a bug search to locate such devices and eventually remove them.

Digital best practices

You can follow digital best practices, and in particular use security-oriented operating systems with Full Disk Encryption (FDE) and strong passwords, to make it harder for an adversary to bypass authentication on your digital devices. For example:

  • On computers, you can use LUKS, the FDE system used by many Linux distributions such as Debian[1] and Tails[2], which the forensics department of the German federal police was unable to decrypt after a year of effort.
  • On phones, you can use GrapheneOS, whose FDE makes it difficult for an adversary to guess the encryption password by brute force: after 140 failed attempts, each further attempt is delayed by a full day[3].

Tamper-evident preparation

You can use tamper-evident preparation to detect when a device has been physically accessed.

Once a device has been physically accessed by an adversary, you should consider it compromised and never authenticate to it again. This is because, in a worst-case scenario, the adversary may have copied the device's data and compromised its firmware so that when you enter your password, they can remotely obtain it and use it to decrypt the data.

Used in repressive operations

Repression of Lafarge factory sabotage

Investigators seized several encrypted smartphones in the raids and attempted to access their encrypted data, with varying results depending on the phone[4]:

  • For the iPhones that were seized while turned on, they exploited security vulnerabilities that are present in the powered-on state to bypass the encryption and access the encrypted data.
  • For all Android phones (whether recovered on or off) and one iPhone seized off, they extracted the phones' encrypted partitions and attempted to brute force them from a computer.
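
As an added illustration (not from the original page) tying the GrapheneOS mitigation above to the Android case here: a small Python model of how per-attempt delays on the device slow a PIN brute force, and why copying the encrypted partition and guessing offline removes that throttle so that only password strength remains. The one-day delay after 140 failures is the page's GrapheneOS figure; the zero delay before attempt 141 and the 10,000 guesses per second offline rate are assumptions.

```python
"""Brute-force time model for device PINs (added example, not page code).

The one-day delay per attempt after 140 failures is the GrapheneOS figure
quoted on this page. What happens before attempt 141 is not stated there,
so it is ASSUMED to be no delay, which makes every on-device estimate a
lower bound. The offline guess rate is a constructed assumption too.
"""
DAY = 86_400.0  # seconds

# Schedule: list of (first_attempt_number, delay_seconds_from_that_attempt_on).
# Attempts are numbered from 1. Assumption: no delay before attempt 141.
GRAPHENEOS_LIKE = [(141, DAY)]

def delay_for_attempt(n: int, schedule) -> float:
    """Delay the device imposes before attempt number n (0.0 if none applies)."""
    best_start, best_delay = 0, 0.0
    for start, delay in schedule:
        if start <= n and start >= best_start:
            best_start, best_delay = start, delay
    return best_delay

def time_on_device(space: int, schedule, per_try: float = 1.0) -> float:
    """Seconds to try all `space` candidates through the phone's own login
    prompt: per_try seconds of typing per attempt plus the scheduled delay.
    Delays are summed per interval so large spaces stay cheap to compute."""
    total = space * per_try
    edges = sorted(schedule) + [(space + 1, 0.0)]
    for (start, delay), (nxt, _) in zip(edges, edges[1:]):
        hi = min(nxt - 1, space)
        if hi >= start:
            total += (hi - start + 1) * delay
    return total

def time_offline(space: int, guesses_per_second: float) -> float:
    """Seconds to exhaust `space` once the encrypted partition has been copied
    to a computer: the device throttle is gone, only the KDF cost per guess."""
    return space / guesses_per_second

def compare(pin_digits: int, offline_rate: float = 10_000.0) -> dict:
    """Days on device vs. seconds offline for an all-digit PIN of this length.
    offline_rate is a constructed assumption, not a measured figure."""
    space = 10 ** pin_digits
    return {
        "candidates": space,
        "on_device_days": time_on_device(space, GRAPHENEOS_LIKE) / DAY,
        "offline_seconds": time_offline(space, offline_rate),
    }

if __name__ == "__main__":
    for digits in (4, 6, 8):
        print(digits, compare(digits))
```

Even a 4-digit PIN takes decades through the device's prompt under this schedule, but about one second once the partition is offline; the throttle protects only against guessing on the device, so password length still matters.
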

Repression against Zündlumpen

In some of the April 2022 raids, cops seized smartphones immediately after entering and plugged them into power banks, presumably to prevent them from shutting down and reverting to an encrypted state[5].

Bure criminal association case

Investigators bypassed the authentication of five encrypted storage devices found in raids[6]:

  • One hard drive by using the very simple password “stopcigeo”, which they presumably guessed.
  • One hard drive by using a password they found on a post-it note under the computer containing the hard drive.
  • One hard drive by using a password given to them in custody by the owner of the computer containing the hard drive.
  • Two hard drives by using passwords they found in a text document on a previously decrypted hard drive.