Targeted digital surveillance: Authentication bypass

Contents

Description
Mitigations
Used in repressive operations
- Repression of Lafarge factory sabotage
- Repression against Zündlumpen

Contents

Description
Mitigations
Used in repressive operations
- Repression of Lafarge factory sabotage
- Repression against Zündlumpen

Authentication bypass is the process by which an adversary bypasses the Full Disk Encryption that protects access to a digital device. An adversary can achieve authentication bypass through human error, weak passwords, or technical exploits.

An adversary can achieve authentication bypass through:

Accessing the device while it is turned on (and therefore its encryption is not effective).
Finding the encryption password written down somewhere.
Making the device owner provide the encryption password by using interrogation techniques including, in some contexts, extra-legal violence.
Visual interception: watching the device owner type the encryption password through a hidden camera or an infiltrator.
Brute force: guessing the password through repeated, automated authentication attempts.
Compromising the device either through remotely-installed malware or physical access.
Exploiting a flaw at the implementation level of the encryption process.

Used in tactics: Incrimination

Mitigations

Name	Description
Bug search	Before entering a password in a room where covert video surveillance devices may be present, you can conduct a bug search to locate such devices and eventually remove them.
Digital best practices	You can follow digital best practices, and in particular use security-oriented operating systems with Full Disk Encryption (FDE) and strong passwords, to make it harder for an adversary to bypass authentication on your digital devices. For example: On computers, you can use the Linux FDE called LUKS, which is used by many Linux systems, such as Debian^[1] and Tails^[2], and which the forensics department of the German federal police was unable to decrypt after a year of effort. On phones, you can use GrapheneOS, whose FDE makes it difficult for an adversary to guess the encryption password by brute force: after 140 failed attempts, each is delayed for a full day^[3].
Tamper-evident preparation	You can use tamper-evident preparation to detect when a device has been physically accessed. Once a device has been physically accessed by an adversary, you should consider it compromised and never authenticate to it again. This is because, in a worst-case scenario, the adversary may have copied the device's data and compromised its firmware so that when you enter your password, they can remotely obtain it and use it to decrypt the data.

Name

Description

Bug search

Before entering a password in a room where covert video surveillance devices may be present, you can conduct a bug search to locate such devices and eventually remove them.

Digital best practices

You can follow digital best practices, and in particular use security-oriented operating systems with Full Disk Encryption (FDE) and strong passwords, to make it harder for an adversary to bypass authentication on your digital devices. For example:

On computers, you can use the Linux FDE called LUKS, which is used by many Linux systems, such as Debian^[1] and Tails^[2], and which the forensics department of the German federal police was unable to decrypt after a year of effort.
On phones, you can use GrapheneOS, whose FDE makes it difficult for an adversary to guess the encryption password by brute force: after 140 failed attempts, each is delayed for a full day^[3].

Tamper-evident preparation

You can use tamper-evident preparation to detect when a device has been physically accessed.

Once a device has been physically accessed by an adversary, you should consider it compromised and never authenticate to it again. This is because, in a worst-case scenario, the adversary may have copied the device's data and compromised its firmware so that when you enter your password, they can remotely obtain it and use it to decrypt the data.

Used in repressive operations

Name	Description
Repression of Lafarge factory sabotage	Investigators recovered several encrypted smartphones in the raids and attempted to access their encrypted data, with varying results depending on the phone^[4]: For the iPhones that were recovered turned on, they exploited the security vulnerabilities that exist when they are turned on to bypass their encryption and access the encrypted data. For all Android phones (whether recovered on or off) and one iPhone recovered off, they extracted the phones' encrypted partitions and attempted to brute force them from a computer.
Repression against Zündlumpen	In some of the April 2022 raids, cops seized smartphones immediately after entering and plugged them into power banks, presumably to prevent them from shutting down and reverting to an encrypted state^[5].

Name

Description

Repression of Lafarge factory sabotage

Investigators recovered several encrypted smartphones in the raids and attempted to access their encrypted data, with varying results depending on the phone^[4]:

For the iPhones that were recovered turned on, they exploited the security vulnerabilities that exist when they are turned on to bypass their encryption and access the encrypted data.
For all Android phones (whether recovered on or off) and one iPhone recovered off, they extracted the phones' encrypted partitions and attempted to brute force them from a computer.

Repression against Zündlumpen

In some of the April 2022 raids, cops seized smartphones immediately after entering and plugged them into power banks, presumably to prevent them from shutting down and reverting to an encrypted state^[5].

References

https://debian.org

https://tails.net

https://grapheneos.org/faq#encryption

https://notrace.how/resources/index.html#affaire-lafarge-les-moyens-denquetes-utilises

https://zuendlappen.noblogs.org/post/2022/05/07/muenchen-ueber-razzien-und-ein-%c2%a7129-verfahren-gegen-anarchistinnen-und-den-raub-einer-druckerei