[moduspol]

All of these are based on the assumption that the attacker has physical access to the unlocked phone, right?

I'm trying to understand the risk profile here.

I guess I see the value for, e.g., a border crossing, where they can inconvenience you and ask you to unlock your phone, but instead of flicking through your messages briefly, they authorize a pairing and quickly backup your entire disk content. You expected a quick perusal by a human, but unknowingly gave them a lot more. If you've blocked pairing, they can't get nearly as much data as quickly.

But if you're being investigated for committing a crime, everything we think we know about device unlocking is still true, right? They'd need me to unlock it before it'd trust a new device to pair to, and they'd need a court order to get me to unlock it for them. Five quick taps of the power button and biometric unlocks are off--now they need my passcode.

Perhaps there's still value, even in that case, in that if I were compelled via court order to give my passcode, they still can't quickly / easily dump the disk contents from a device pairing. Although I imagine if you have the passcode there's probably many other ways of accomplishing the same result.

[carstenhag]

> unlocked phone

Well, mostly yes, that's considering Cellebrite doesn't have 0-days or other exploits which can send a SMS to the device or similar things. Using Cellebrite's software you can also send silent SMS, so it's not far off either.

A german Cellebrite ambassador showed me and colleagues the mentioned tools of the blog post and told us he participates at Law Enforcement raids. At 6 in the morning they raid the houses of the suspects, detain them and immediately ask for PINs and passwords. He said that surprisingly often it works and no further decryption tries have to be performed.

[d110af5ccf]

> if I were compelled via court order to give my passcode

In the US that won't work if unlocking the device requires a password or pin. In practice, you can't be compelled to provide that unless you openly admit that you know it. (Even then, the 5th amendment might afford you some protection.) YMMV, IANAL, etc.

[moduspol]

IANAL but AFAIK you can be held in contempt of court if you don't provide it when asked if they're already convinced it's yours and has incriminating evidence on it. Article below, although it looks like fairly recent (not super established) jurisprudence.

[1] https://goldsteinmehta.com/blog/can-the-police-force-you-to-...

[d110af5ccf]

At issue there is the "foregone conclusion" exception to the 5th amendment. As far as I understand things you've lost the case by that point anyway.

Even then, I believe there would still be the additional issue of demonstrating that the defendant actually knows the password. Which is why I previously mentioned that if you openly admit to knowing the password then you likely have a problem. (This came up in a case where the defendant admitted to the FBI that he was capable of decrypting an external hard drive but refused to do so because "we both know what's on there".)

[moduspol]

> At issue there is the "foregone conclusion" exception to the 5th amendment.

The unclear part seems to be how strong the evidence needs to be that the device is yours and that the evidence is on there. In this case, his sister testified to both. But would it be strong enough with forensic evidence alone? Unclear.

> As far as I understand things you've lost the case by that point anyway.

Perhaps, but there may still be significance to what's on that drive. There may be incriminating evidence there for other crimes for which you're not yet being prosecuted.

> Even then, I believe there would still be the additional issue of demonstrating that the defendant actually knows the password.

They're saying the sister's testimony was sufficient to prove that he knew the passwords previously.

Proving present-day capability to decrypt doesn't seem to be necessary, at least in the article I linked.

> The federal court denied the Motion to Quash and directed Doe to unlock the devices for the investigators. Doe did not appeal, but he refused to unlock some of the devices, claiming that he had forgotten the passwords. He was eventually held in contempt by the District Court, and the Court ordered that he remain in federal custody until he was willing to unlock the devices.

The accused claimed he could not decrypt the hard drive because he had forgotten the passwords, but he was still being held in contempt.

[dodobirdlord]

> The unclear part seems to be how strong the evidence needs to be that the device is yours and that the evidence is on there.

The 5th amendment protects you from having to testify against yourself, but it doesn't protect you from having to turn over incriminating evidence against yourself. The 4th amendment protects your stuff, but only up to the point of requiring probable cause for a warrant.

At issue in these sorts of encrypted storage scenarios is whether you would be incriminating yourself by demonstrating that you know the password. Knowing the password for an encrypted device basically proves that it's your device, so forcing you to decrypt a device would amount to forcing you to testify against yourself in the event that there is doubt about whether the device is yours.

So to force you to decrypt a device there needs to be a warrant for the contents, and it needs to be no doubt about the fact that it is indeed your device. So it needs to be a foregone conclusion that the device is yours, but only requires probable cause to believe that something specific and illegal is stored on the device.

[moduspol]

Thanks. That helps a lot to clarify.