
Securing a travel iPhone - jsudhams
https://blog.filippo.io/securing-a-travel-iphone/
======
FiloSottile
Hey, author here. Happy to answer questions. There's also a big Twitter thread
here
[https://twitter.com/FiloSottile/status/750273921568485377](https://twitter.com/FiloSottile/status/750273921568485377)

To frame the post and the conversation, I am targeting a loose but not
universal threat model. If threat of deadly force is higher up in your risk
scale than shoulder-surfing, or Apple cooperation is a given, then you might
want to make very different choices, but more importantly, you probably need
better advice than a blog post.

The only things I want to add are pair-locking, maybe a forced VPN profile,
and a correction on how to check the Whatsapp fingerprint. You can find all
these things in the Twitter thread.

~~~
newman314
I'd avoid using TouchID to unlock your phone for legal reasons.

Once the phone is unlocked, you can use TouchID as the phone is already open
and you would not gain/lose anything from using TouchID in that scenario. But
until the courts rule that you cannot be compelled to TouchID unlock your
phone like a PIN, I think that is the safer route to take for now.

~~~
mahyarm
If you expect you can reliably turn off your phone (7 seconds) before you get
into a search situation and use a full password instead of a numeric PIN, then
Touch ID is a great balance of convenience and security. Touch ID also prevents
shoulder surfing of your code.

It's all about the threat model.

~~~
watson
Correct me if I'm wrong, but isn't it also possible to just use one of your
fingers that you didn't register with touch ID for 5 or so consecutive unlock
attempts and it will have the same effect as rebooting your phone?

~~~
notjosh
There is a slight difference.

Keychain and NSFileManager have possible modes of
"kSecAttrAccessibleAfterFirstUnlock" [0] and
"NSFileProtectionCompleteUntilFirstUserAuthentication" [1] respectively that
are (fittingly) in an open state within your app after you've unlocked the
device.

[0]:
[https://developer.apple.com/reference/security/ksecattracces...](https://developer.apple.com/reference/security/ksecattraccessibleafterfirstunlock)

[1]:
[https://developer.apple.com/reference/foundation/nsfilemanag...](https://developer.apple.com/reference/foundation/nsfilemanager/1653059-file_protection_values)

------
Razengan
As someone in a country with a serious mugging problem and having lost an
iPhone already, one of the biggest security flaws I see is being able to power
it off without providing any authentication.

What is even the point of Find my Phone and all that if anyone can just
instantly switch off all the tracking?? You can't even ring your own number
after that, and even law enforcement cannot look up the cell tower logs to see
where it's been.

There should be an option to require a passcode for power-off, and another
option to periodically send Find my Phone tracking even when "powered off,"
via any available network, until the battery dies.

EDIT: I agree they can just take out the SIM and we need to be able to
force-power-off anyway, but what can be done to increase the recoverability of
these expensive items?

~~~
ericabiz
Even if Apple added that, it's trivially easy to pop the SIM. A phone without
a network connection won't ping, so that won't help.

You have to think about it from the attacker's point of view. Anyone they sell
it to is going to power it on to test it. Once it's powered on, it'll ping
back.

Any black-market buyer knows to pop the SIM anyway before powering it on, and
turn on the phone without any publicly-accessible Wifi access points
available. But then they still have to restore it in order to see if it's
iCloud locked, and the restore pings, too (it requires an Internet connection
to Apple's servers to download a signed OS.)

What it comes down to is that stolen iPhones just aren't worth that much,
since there's no easy way to remove an iCloud lock and the parts themselves
aren't worth a lot. The good news is that far fewer iPhones are stolen these
days (source: [http://www.cbsnews.com/news/iphone-thefts-down-thanks-to-app...](http://www.cbsnews.com/news/iphone-thefts-down-thanks-to-apple-kill-switch/)), and thieves are pretty quickly learning that.

~~~
ivank
Going by eBay, a lot of people are still managing to sell stolen iPhones for
$100-$300:
[http://www.ebay.com/sch/i.html?_nkw=icl0ud%20locked&LH_Compl...](http://www.ebay.com/sch/i.html?_nkw=icl0ud%20locked&LH_Complete=1&LH_Sold=1)

~~~
MrMullen
What do you do with an iCloud-locked phone? It seems like a completely
worthless device if it is locked.

~~~
post_break
Perfect for parts. New screens aren't cheap. Battery, camera modules, etc.

~~~
MrMullen
New screens are a lot cheaper than $200, which appears to be the price of an
iCloud-locked phone.

~~~
ams6110
"genuine Apple screen" vs. cheap aftermarket knockoff? I have no idea if
there's much of a difference.

------
smartbit
What I miss in this article is using MDM to harden an iOS device in the first
place. E.g. you can prevent the ability to make backups [0], diminishing that as
a route to exfiltrate information. Secondly, an always-on VPN [1] to a fixed IP
address prevents network information leakage from the moment the device is
turned on the first time. A quick search resulted in these two links but I
didn't hit a comprehensive guide, other than Apple's MDM docs, combining this
travel guide with iOS MDM hardening.

[0] [https://community.rapid7.com/community/infosec/blog/2015/11/...](https://community.rapid7.com/community/infosec/blog/2015/11/26/reduced-annoyances-and-increased-security-on-ios-9-a-win-win)

[1] [http://www.howtogeek.com/218851/how-to-enable-always-on-vpn-...](http://www.howtogeek.com/218851/how-to-enable-always-on-vpn-on-an-iphone-or-ipad/)

------
mehrdada
A key step missing is to set up the iOS device as Supervised in Apple
Configurator and _prevent pairing with non-Configurator hosts_. Additionally,
you can install your own non-removable profile via Configurator on the device
disabling a bunch of privacy-damaging features there.
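
Below is an added example (mine, not the blog post's, Apple's or either commenter's) of what the restrictions profile smartbit and mehrdada describe looks like when built and audited with Python's plistlib. The restriction keys are the documented com.apple.applicationaccess keys; the profile identifiers, display names and the particular set of restrictions are assumptions for the example, and allowHostPairing and PayloadRemovalDisallowed are only honored on a supervised device, which is why the profile has to go on through Apple Configurator (or an MDM) rather than by tapping a link.

```python
"""Build and audit an iOS restrictions profile (.mobileconfig) with plistlib.

Added example, not code from the blog post, Apple or the commenters.
Restriction keys are real com.apple.applicationaccess keys; identifiers
and display names are made up for the example. allowHostPairing and
PayloadRemovalDisallowed are only enforced on a supervised device.
"""
import plistlib
import uuid

# Restrictions a travel profile would set (assumed selection for the example).
RESTRICTIONS = {
    "allowCloudBackup": False,           # no iCloud backup of messages etc.
    "forceEncryptedBackup": True,        # any local backup must be encrypted
    "allowHostPairing": False,           # supervised only: no new host pairings
    "allowFingerprintForUnlock": False,  # Touch ID cannot unlock the device
    "allowDiagnosticSubmission": False,  # no diagnostics sent to Apple
    "allowUntrustedTLSPrompt": False,    # fail closed on untrusted certificates
}


def build_profile(restrictions=RESTRICTIONS,
                  identifier="example.travel.hardening"):
    """Return the XML plist bytes of a non-removable restrictions profile."""
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Travel restrictions",
    }
    payload.update(restrictions)
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Travel iPhone hardening",
        "PayloadRemovalDisallowed": True,   # honored under supervision/MDM
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def audit_profile(data, expected=RESTRICTIONS):
    """Return findings for a .mobileconfig; an empty list means it matches.

    A key that is absent is a finding too: the device default (usually
    "allowed") applies, which is easy to miss when eyeballing the XML.
    """
    profile = plistlib.loads(data)
    findings = []
    if not profile.get("PayloadRemovalDisallowed"):
        findings.append("profile can be removed by the user")
    access = [p for p in profile.get("PayloadContent", [])
              if p.get("PayloadType") == "com.apple.applicationaccess"]
    if not access:
        return findings + ["no restrictions payload"]
    for key, want in expected.items():
        got = [p[key] for p in access if key in p]
        if not got:
            findings.append(f"{key} not set (device default applies)")
        elif any(v != want for v in got):
            findings.append(f"{key} is {got}, expected {want}")
    return findings


if __name__ == "__main__":
    blob = build_profile()
    print(blob.decode())
    print("findings:", audit_profile(blob))
```

Write the bytes from build_profile() to a .mobileconfig and install it through Configurator on the supervised device; audit_profile() is the check to run on any profile you are handed before installing it, since a restriction that is simply absent silently falls back to the device default.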

------
spdustin
I think two security related changes could be made to iOS that would benefit
many people.

1) PIN/TouchID locking of contacts, like you can do with notes. Don't allow
messages and emails to and from the contact to be decrypted from the encrypted
store without authenticating, like you can now do with notes. Would help with
securing communications with legal counsel or other privileged parties from
being captured.

2) A "duress" PIN/TouchID registration; if I unlock my phone with a duress
code or imprint my duress-coded fingerprint, reboot the phone (to look like it
was a glitch-induced reboot) and present the PIN prompt again. Auto-wipe the
phone if the duress code is given again this second time.

~~~
Johnny555
_if I unlock my phone with a duress code or imprint my duress-coded
fingerprint, reboot the phone (to look like it was a glitch-induced reboot)
and present the PIN prompt again. Auto-wipe the phone if the duress code is
given again this second time._

If such a feature was commonplace, criminals would know about it and wouldn't
be happy when they saw you activate it with your middle finger (I mean, who
wouldn't use their middle finger to activate such a function!?) after they
just threatened you enough to make you attempt to unlock your phone.

~~~
spdustin
So you'd use the PIN. Then they get the metaphorical middle finger without
seeing you use the real one.

Besides, no criminal cares about your phone being unlocked. They just want the
phone. Well, I guess there are circumstances where a criminal wants
information, but if they're the ones compelling you, you have other pressing
issues that go beyond protecting information from unauthorized parties.

I'm talking about being compelled to unlock your phone by someone seeking
information on it, either depriving you of due process or your civil
liberties.

~~~
krrrh
A criminal who is motivated to steal your phone under threat of violence is
motivated to have you unlock the phone and disable 'Find my Phone' or whatever
the Android equivalent is. It _considerably_ increases the resale value since
the phone can then be wiped and used by a new Apple ID.

------
joshavant
I thought I once read that, since Touch ID relies on fingerprints, a US court
order can compel you to provide those, thus forcing you to unlock an iPhone in
question.

This, as opposed to a passcode-only configuration, which a court order cannot
compel you to give (I believe since this would fall in the category of
'forcing you to testify against yourself').

If that is indeed the case, I imagine it would make better sense to leave
Touch ID disabled, unlike what this article suggests.

~~~
mikeash
I leave it enabled, then power the phone off before interacting with The Man,
like when going through customs. Touch ID is disabled on a fresh boot until
you enter your passcode, so that basically turns it off temporarily. This is
briefly mentioned in the article.

Another thing you could do is set it up with an unusual finger, like the
middle-finger of your non-dominant hand. After five failed tries, Touch ID is
disabled until you enter your passcode, so you can use the wrong finger five
times when they ask you, and disable it that way. Say you're sweating too much
or something (a common cause for real Touch ID failures for me).

It all depends on just how paranoid you are and what you want to defend
against.

~~~
lostlogin
Having got sick of damp fingers blocking Touch ID I added my nose as one of
the options. No more lockout during dish washing.

~~~
robotmlg
Can a US court order compel you to provide your nose print?

~~~
prawn
Someone needs to be the first to make the news for refusing to do so!

------
spraak
Related, are there any guides for securing a laptop for travel?

------
secfirstmd
Nice guide. Just some other OPSEC stuff we have done for occasional problems
in the field training human rights defenders and journalists (who needed
specific solutions)...

You can always use a call relay. So you can give people one phone number that
relays to your own real number (for voice calls) - although a voice call is
obviously more vulnerable than a Signal call etc.

Ditto, AFAIK there is the ability to set up a relay for SMS through an Android.
I can't remember the app but basically people could SMS that number and it
relays to your real number.

Before people jump on me, yes I am aware of the weaknesses of both of the
above but sometimes a specific type of threat model requires these two tricks.
I recommend it unless you are aware of the trade offs.

------
walterbell
The OP has responded to questions on Twitter, including TouchID criticism,
[https://twitter.com/FiloSottile/status/750273921568485377](https://twitter.com/FiloSottile/status/750273921568485377)

------
sly010
I was once mugged for a crappy Nokia feature phone. I had a prepaid SIM for a
long time. Very hard to replace (in Hungary) without losing the phone number.
I managed to convince my muggers to let me take the SIM.

Ironically they got caught and I got the phone back.

------
xnzakg
[https://xkcd.com/538/](https://xkcd.com/538/)

Well, at least it prevents the thieves from doing more damage if it's stolen.

------
b15h0p
About turning off iCloud backup: You say that messages are being stored
unencrypted. That may be true as we do not know what happens on Apple servers.
But this is about securing the phone for traveling i.e. you would have to
worry about the transport. And I would strongly guess that backup traffic
would happen with http, probably with pinned certificates.

------
shurcooL
If I may ask, in what circumstances would one want to go this far in securing
their travel phone? Is this meant to be for a "general trip somewhere", or
something more specific?

------
st3fan
I also like to power off/on my phone at airports. So that it will be on (which
you have to show sometimes) but requires the passcode to unlock.

------
fhood
I would put extra emphasis on don't use wifi. Preferably ever.

~~~
linkregister
I think it's acceptable to trust the cryptography used in a well-used VPN,
such as OpenVPN.

~~~
dylz
I wonder how many people don't bother preloading CA/certs onto the .ovpn
config and just allow whatever though..
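
As an added example (not code from the post or from the OpenVPN project) of the check dylz is alluding to, here is a small Python audit of an .ovpn client config. Both configs, the hostname vpn.example.net and the placeholder PEM blocks are constructed for the example; the directives it checks (ca or an inline <ca> block, remote-cert-tls server, verify-x509-name, tls-auth/tls-crypt) are standard OpenVPN client options, and the point is that the cipher suite is the least of your worries if nothing pins which server you are talking to.

```python
"""Audit an OpenVPN client config for missing server verification.

Added example, not from the blog post or the OpenVPN project. The sample
configs, hostname and PEM blocks below are constructed for the example.
"""
import re

# Inline blocks such as <ca>...</ca> or <tls-crypt>...</tls-crypt>.
BLOCK_RE = re.compile(r"<(\w[\w-]*)>.*?</\1>", re.S)


def parse_ovpn(text):
    """Return {directive: [list of args]}; inline blocks count as present."""
    directives = {}
    for m in BLOCK_RE.finditer(text):
        directives.setdefault(m.group(1), []).append(["<inline>"])
    text = BLOCK_RE.sub("", text)
    for line in text.splitlines():
        # OpenVPN treats both '#' and ';' as comment markers.
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def audit_ovpn(text):
    """Return a list of findings; an empty list means the checks pass."""
    d = parse_ovpn(text)
    findings = []
    if "ca" not in d:
        findings.append("no 'ca' directive or <ca> block: the server is not "
                        "pinned to a CA you control")
    if not any(args[:1] == ["server"] for args in d.get("remote-cert-tls", [])):
        findings.append("missing 'remote-cert-tls server': any client cert "
                        "from the same CA could impersonate the server")
    if "verify-x509-name" not in d:
        findings.append("missing 'verify-x509-name': any cert from the CA "
                        "passes, not just your server's")
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append("no tls-auth/tls-crypt: unauthenticated peers can "
                        "start TLS handshakes with the client/server")
    return findings


# Constructed sample: the kind of config many providers hand out.
WEAK = """
client
dev tun
proto udp
remote vpn.example.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-256-GCM
verb 3
"""

# Same config with the server actually pinned (placeholder PEM bodies).
HARDENED = WEAK + """
remote-cert-tls server
verify-x509-name vpn.example.net name
tls-version-min 1.2
<ca>
-----BEGIN CERTIFICATE-----
(placeholder for the example: the CA certificate PEM goes here)
-----END CERTIFICATE-----
</ca>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
(placeholder for the example: the tls-crypt key goes here)
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_ovpn(cfg) or "ok")
```

Run it over the .ovpn you were given before trusting it on hotel Wi-Fi: the weak sample produces four findings, the hardened one none. The audit only reads the file; it does not prove the CA in the <ca> block is the one you meant, so compare that fingerprint against what the VPN operator published out of band.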

------
r00fus
Does any of this avoid the pitfall of a stingray device[1]? Is there any way
to prevent 2G?

[1] [https://epic.org/foia/fbi/stingray/](https://epic.org/foia/fbi/stingray/)

~~~
linkregister
You can mitigate a downgrade to 2G by using a VPN and a VOIP app like Whatsapp
or Viber. Call quality would be abysmal on EDGE. I haven't seen any stock
configuration of iOS that permits you to disable 2G.

Using 3G or LTE wouldn't help someone trying to evade a state or higher law
enforcement organization, since all they need to do is use the cellular
provider's Lawful Intercept capability somewhere in the packet core, such as
the GGSN (for metadata) or at a tower's next IP router (for call content).

I think the purpose of this guide was primarily for border crossings. Filippo
almost certainly gets hassled at borders, as many security professionals do.
His comment about the Great Firewall was more likely about accessing an
unrestricted internet, and less as a phone call anti-surveillance measure.

------
peteretep
No VPN? I'm using Freedome and I like it.

------
rdslw
It's also an ultimate checklist of potential vector attacks.

------
ape4
I would have thought a rooted Android or Ubuntu phone would more secure (done
right).

~~~
JonathonW
Given that rooting an Android phone frequently involves turning _off_ security
features (for example, rooting a Nexus device entails unlocking the bootloader
to accept an unsigned boot image), you're probably better off running a stock,
unrooted firmware to make it easier to tell if things have been modified.

That's in addition to the added attack surface that the root itself provides
once the phone's up and running. Yes, the SU app on the phone (whatever that
is nowadays) is supposed to prompt for permission before granting an app root
access, but are you sure that code's bug free? Or free of intentional
backdoors?

~~~
jalami
You are correct, but you can still get around some of the warts involved if
you want.

You can always lock the bootloader again after installing your ROM. Unlocking
it will wipe the device again which is inconvenient for ROM updates etc, but
if you're a trooper, you can do it. This inconvenience was pretty easily fixed
with the open source bootunlocker[0] apk which allowed you to unlock and
relock the bootloader once in rooted userspace, but sadly it doesn't work on
anything newer than the original Nexus 5 due to security features in newer
Android hardware. Manual unlocking, re-installation and boot re-locking is
still possible.

The decryption password can be beefed up with adb from the terminal as well.
There isn't a pretty gui for it, but that way you can get a strong safe
encryption password and a short screen unlock pin. Unfortunately the two are
tied iirc normally. Some would argue that having an organically strong
password is safer than allowing the hardware to help beef up weak pins.

I'm sure there are other problems, sadly Google seems to look at privacy and
security on Android as issues for later. And running anything besides a nexus
device is entirely less safe due to the toxic OEM/Google update environment.

[0] [https://code.google.com/p/boot-unlocker-gnex/](https://code.google.com/p/boot-unlocker-gnex/)

