57

I was surprised to read in the responses to this popular question that it's considered nigh impossible to secure a computer system if intruders have physical access.

Does this apply to smartphones as well? Let's suppose I have done the most I can to secure my phone on a software level (e.g. encrypted storage, restricted app permissions ... whatever you consider "maximally secure"). Is physical access still game over?

This seems like an important issue, as there are many situations in most people's daily lives where they leave their cell phone on their desk as they take a break or what have you.

Technical answers are welcome, but I would personally appreciate responses that are legible to someone without a background in information security.

This question is related, but it deals more with surveillance technologies that might be built into a smartphone, not the options available to a malicious individual with physical access.

schroeder
Max
  • 6
    It does. Even the most advanced anti-theft protection from Samsung can be bypassed and the latest phone models were recoverable and reusable. – Overmind May 04 '20 at 06:25
  • 11
    It depends on your definition of 'game over'. Do you mean that attackers can get into the device and bypass security measures to decrypt data? Or 'they can reset the phone and sell it'? In the first case: really depends on the security measures used. Assuming 'perfect crypto', your data is safe. Second case: There are many ways to factory reset or wipe a (stolen) phone. In this case physical access = game over. – roy.stultiens May 04 '20 at 06:42
  • 14
    @roy.stultiens: Another threat model would be tampering which is sufficiently hidden that a user proceeds to unlock the phone, but which then leaks encrypted data from the phone after it's unlocked. – supercat May 04 '20 at 16:15
  • 8
    Do people casually leave their smartphones behind? I only physically separate myself from my phone at home and at other places I may sleep. – Emilio M Bumachar May 04 '20 at 18:39
  • 1
    @supercat Ah yes, the evil maid! – Michael May 04 '20 at 23:19
  • 6
    @EmilioMBumachar : even people who never leave their phones behind, can be pickpocketed. Or mugged. – vsz May 05 '20 at 06:31
  • 1
    @vsz - There's a slight subtlety there. If pickpocketed or mugged, you know you've had a physical compromise. If you follow the procedure in software like Veracrypt, you would then never enter your passcode into that device. The thing with the "evil maid" attack is that you don't know your device was physically compromised. – paj28 May 05 '20 at 09:01
  • 1
    @EmilioMBumachar people make mistakes - leave it on the bus if you get distracted perhaps, there’s lots of ways! The question “do people lose their phones” is an odd one – Tim May 05 '20 at 15:04
  • From the hacker's point of view all computers, all half-way smart phones and anything like them fall into the same category: devices with operating systems. From that point of view yes, all can be hacked. – Robbie Goodwin May 05 '20 at 22:16
  • A quote from a famous hacker: "The only computer that is truly safe from hacking is disconnected from the network, powered down, unplugged, encased in concrete and put in an underground bunker with armed guards posted outside. Even then, I'd check on it every once in a while." – Cort Ammon May 07 '20 at 01:46

10 Answers

47

"Physical access = game over" is an over-simplification. It absolutely boils down to the outcome of a threat assessment, or what the vendor needs to protect and to what level. The direct answer to your question is a great big 'it depends'.

Smartphones are no different than other devices to the extent that they are computers running an operating system of some description handling data of some kind that interact with other computers or people in some way via peripherals.

The class and range of attacks a device is susceptible to when physical access is possible is very different to the type of attacks it would be susceptible over a network. Conversely, the impact on the ecosystem is also quite different and it could be as impacting or worse on the network side.

Modern/recent operating systems and smartphone hardware have multiple methodologies that aim to secure user data from attackers, whether by means of physical attacks or otherwise. Even "physical attacks" can vary between occasional access (a few minutes, casual access) to unlimited time and expertise in micro-electronics in a lab (such as forensics investigations). But there are aspects that can defeat some (or all) of these features such as local configuration of the device, having weak passwords, guessable (or no) PIN codes, etc. Online backup services, cloud based accounts (Apple/Google) aid in these vectors since most of the data in a device ends up mirrored on the cloud in some way.

However, not all smartphone hardware is born in the same way and not all operating systems in the field are implemented to the same security strength, so there are attack vectors whereby full access is possible against certain hardware/software combinations provided physical access is possible.

This is a very short summary, there is scope to this matter to write books.

Max
Pedro
  • 15
    *"Smartphones are no different to other devices"* - that's just plain wrong if we consider threat levels. With a PC, even relatively novice attackers can just insert a bootable USB drive or a CD, restart the computer, and they are in. Not so easy to do with a smartphone, especially if the timeslot is short (the target just went to the restroom and will be back in a couple of minutes) – vsz May 05 '20 at 06:35
  • 1
    *"Smartphones are no different to other devices"* - this is just wrong. See my answer below: https://security.stackexchange.com/a/231052/231817 – Alexander Fadeev May 05 '20 at 07:48
  • 8
    @vsz Which is why you have disabled by default, with a BIOS password so a casual attacker can't easily re-enable it. And as for a short timeslot, if you've only got a couple of minutes and you need to include time for two reboots, it isn't happening. Sorry, but that objection is plain wrong. – Graham May 05 '20 at 08:12
  • @Graham : All right, then you don't only have a couple of minutes, you have longer, but you don't own fancy lab equipment. – vsz May 05 '20 at 08:17
  • 9
    Smartphones *are* computers. With a known architecture, RAM and i/o. They run a known OS and interact with peripherals. This is factual. What is open to interpretation is how similar they are to workstations or laptops, and out of that you can consider how easier or more difficult it would be to hack a smartphone given physical access as opposed to a desktop computer. – Pedro May 05 '20 at 13:13
  • 4
    @vsz On computers that have full disk encryption enabled and configured correctly, a bootable USB isn't enough to compromise the system alone. There are still some attacks that may be feasible, but most of these are no longer in the realm of novice attackers. – James_pic May 05 '20 at 17:20
  • 1
    I think this answer could be copied to any other question on this website that mentions smartphones and remain equally useful. – the default. May 06 '20 at 05:25
22

As a general concept in information security, physical access is a rather severe attack vector.

Standard x86 PCs and servers are particularly vulnerable because they have little or even no mitigations against physical threats. Some things like disk encryption can help, but it is just not a significant design feature.

Smartphones treat the threat more seriously; being lost or stolen is a much more present hazard. Unlike commodity PC hardware, end-users do not anticipate being able to install hardware or run arbitrary software, allowing tighter more tamper-resistant casing and proprietary hardware with strict security features. Added snooping hardware would need to be quite small. Breaking into the device requires some real reverse engineering or even using an exploit. They are only countermeasures, and smartphones are vulnerable to several physical attacks, they just tend to require more time, skill, and dedication. It is part of a defense in depth strategy, where the first defense is physical security.

trognanders
  • 3
    "Added snooping hardware would need to be quite small." – Mhm, I can imagine a very simple transparent touchpad masquerading as a screen protector. It doesn't need to be as accurate as the real thing, and doesn't need to support multitouch. All you need to read the PIN is some basic touch detection with ~5mm accuracy. – Jörg W Mittag May 04 '20 at 21:38
  • 4
    @JörgWMittag The level of lateral thinking involved in security research is impressive. An interesting observation that a screen protector (or even case) might not seem out of place. Much more accessible than the inside of the phone as well. – trognanders May 04 '20 at 23:25
  • 2
    @JörgWMittag I would say that something small enough to masquerade as a screen protector is still very small. It's certainly very thin, at least compared to what you could credibly hide inside a desktop, laptop, or server. You might not notice something new in your m.2 port, even a new PCI Express device. – James_pic May 05 '20 at 17:25
18

TL;DR: the answer is yes, given enough (unrestricted) physical access, skills, motivation, and resources.

Long answer

Those laws are often very general laws that express general concepts in information security. In this case, the law says that the attacker generally needs unrestricted physical access. And when they say it's not your computer anymore, it means that it's very, very hard to defend against such attacks, or even impossible, depending on how unrestricted the access is. So the key here is the word unrestricted. Also, of course, as usual, it depends on the skills and resources of the attacker.

So, if the attacker is free to physically access your smartphone and has enough skills, motivation, and resources, is it "game over", meaning that "it's not your smartphone anymore", meaning that it is going to be extremely hard, even impossible, to prevent the attack? The answer is yes. All you would need is an advanced evil maid attack.

The attacker can check out your phone, what it looks like, what you need to unlock it. The attacker, given enough physical access to your environment, might even be able to collect some information about you (like how you use the phone, what apps you have, what settings are enabled, etc.), either directly (the attacker lives with you), or indirectly (the attacker has installed hidden cameras). Then they can steal your phone, and replace it with an identical copy, with special software installed, such that as soon as you unlock the copy the authentication info is sent to them. Your fingerprint? A representation of it can be sent as well. You have "find my phone and erase the data" enabled? It won't work, because the attacker is now working in a shielded basement, and your phone has no signal whatsoever.

As a thought experiment, I just thought that in theory you could even devise a method where the copy of the device has a modified OS that syncs with the stolen phone. It might be very slow at the beginning, while it is syncing for the first time and installing all the apps and importing all the settings, and this initial process might be hidden behind a fake OS update. But in the end you will end up having a fully functional copy of your phone, running on a modified OS that is controlled by the attacker. Then Business Process Compromise would become possible. Of course this isn't an attack you can expect from your girlfriend or your grandma. But if your threat model involved government agencies, then who knows what they are capable of. Hell, for all we know, the NSA might already have these handy phone copies. Or should I patent this invention? LoL

reed
  • 6
    Interesting interpretation of "game over". With that interpretation, if someone has enough skills, motivation and resources, isn't it already "game over" as they can use zero day exploits to compromise you without physical access? In any reasonable sense, "game over" means that an attacker with "normal" skill level can target you. – paj28 May 05 '20 at 08:59
  • 2
    @paj28 you are right, I guess to make it a better answer I should have said that on average smartphones are much more difficult to attack than laptops or desktop PCs, with nothing more than physical access. – reed May 05 '20 at 21:08
  • Instead of a shielded basement, wouldn't it be simpler to remove the SIM card? – Toby Bartels May 06 '20 at 19:57
  • @TobyBartels, I wouldn't trust modern mobile devices to stop transmitting and receiving data if you just remove the SIM card. There might be WIFI, GPS, BlueTooth, internal batteries that keep it alive, etc. – reed May 06 '20 at 20:45
11

To simplify and exemplify, it is a major issue of resources and determination by the attacker, and availability of hacking tools.

Historical fact: the FBI hacked the "in"famous San Bernardino phone, as they had physical access and plenty of resources.

Old-school computers and laptops, unlike smart or IoT devices, are bigger and characterized by a number of IO interfaces. They were also designed for easy replacement of components.

With a desktop or laptop computer in your physical availability, you can:

  • Try to extract the hard drive, make a cold copy, and then try to decrypt it somewhere else. It needs a screwdriver, a SATA adapter and another computer. Find them at your local store.
  • Try to use a PCI device to hack into memory, bus, etc. There are documented tools to hack around the system. It takes a screwdriver to put in a PCI device. You get the screwdriver at the local store, maybe the PCI hacking card is found on niche markets...
  • With the many USB ports in such devices, try booting and see where you can continue. Or you can use a malicious USB adapter to sniff key presses and recover passwords. Found on online shops or in niche stores.

Vice versa, with a smartphone, your possibilities are reduced. Often you can't even service the battery!!!

  • Dumping the flash memory is harder. Not impossible, but probably you and me both don't have proper tools at hand
  • PCI is not available. There might be or not a debugging interface. And the tools can't just be found at the local Best Buy
  • Only one USB available and you surely can't boot your own Linux distro to hack around. And input is done via touchscreen. Yet, it's complex to replace a touch screen with a rogue one

Conclusion: if you are really determined to hack into a phone and have proper skills, tools and know-how, you may realistically hack the device. But if you can choose between hacking a desktop PC and a mobile, the former is easier and cheaper.

usr-local-ΕΨΗΕΛΩΝ
  • 3
    Regarding "PCI is a standard, there should be some tool available", here's a cool demo of such a tool (PCILeech) by Ulf Frisk https://www.youtube.com/watch?v=5DbQr3Zo-XY – Peteris May 06 '20 at 00:27
9

> Let's suppose I have done the most I can to secure my phone on a software level (e.g. encrypted storage, restricted app permissions ... whatever you consider "maximally secure"). Is physical access still game over?

The Game Is Not Over

It is very trendy to say "everything can be hacked", but in your case the game is not over. Modern mobile OS enables much more security hardenings than PC:

  1. Secure OS (see ARM TrustZone) which runs concurrently to Android.
  2. Specialized security chips (see Secure Enclave).
  3. SELinux.
  4. No root.
  5. Containerization.
  6. Disk encryption.
  7. ASLR, KASLR.
  8. eSE chip.
  9. dm-verity.
  10. and much more...

And this is a baseline for iOS and Android in 2020. And all of this is not enabled on PC!

Let's consider a basic way how data is protected in a modern mobile OS:

  1. You set a password
  2. Password -> symmetric key
  3. Key -> encrypted storage

While reading this answer, please, consider the following formula which is actual on iOS and Android devices for the recent ~4-5 years at least (maybe more):

  1. Credentials == key
  2. No credentials == no key
  3. No key == no data

Considering you have done the most you can to secure your phone, there are 2 options to access your phone:

  1. brute-force your password (a guessed password means an access to your data)
  2. do a factory reset (you lose data, but data remains confidential)

Offline attack

Let's say, if operating system doesn't store your password on disk as a plain text, and your mobile device has been rebooted (so keys don't stay in memory): your data is safe. It means that offline attack on your data is almost impossible. (I said "almost" but it also means the game is not over yet).

Therefore to be sure about data confidentiality, be sure you do your best:

  1. Choose a difficult password/PIN
  2. Don't forget to lock your device with any kind of credentials

Real world positive cases

ATTENTION to "flashing bootloader, skipping decryption" guys: the following happens when you "flash bootloader" and "skip decryption".

Case #1

There are "magic tools" like dr.fone which claims to unlock any phone without a data loss. Now take a look at their guide with an iPhone 7 case:

> Please note this unlocking process will also wipe the data on your iPhone/iPad. Honestly there is no solution to bypass iPhone/iPad lock screen without data loss for the moment in the market.

Why this happens: because the device cannot "skip" decryption of encrypted data - the device doesn't have a key until you enter valid credentials, which ARE the key. Without valid credentials any data is trash which can just be wiped.

Case #2

Another case is that Android cannot decrypt files before you unlock it after reboot, because Android doesn't have a key physically: https://source.android.com/security/encryption#full-disk

Case #3

Not a "magic" phone with self destruction like in movies but an ordinary Samsung Galaxy S9 can be used for U.S. military: https://www.samsung.com/us/business/solutions/industries/government/tactical-edition/. "Tactical edition" has just slightly modified firmware with "military" features having the same basic firmware and other security hardenings.


Runtime attack with physical access

Here the adversary has some options to win the game. I would say that a runtime attack has much higher chances of succeeding.

  1. If you forgot to lock your phone, having a short physical access adversary can jailbreak (root) your phone, install a back door, and later get everything he needs remotely.
  2. If operating system has not been shut down yet, then having theoretically unlimited resources, attacker can try to find encryption keys in memory (having physical access to a locked phone), and it would be OS vulnerability. A chain of vulnerabilities is needed depending on OS version and a state of security hardening.

To be sure you did everything to mitigate such types of attacks:

  1. Lock your phone.
  2. Update your OS (particularly do security updates).

"It depends on"

And yes, theoretically there is no absolute security: OS may just not encrypt files, or OS may leak encryption keys; even cryptography is based on a relative difficulty to solve a particular mathematical problem, or on difficulty to attack a particular cipher... But the game is not over.


Special update #1

for people saying "zero days, FBI, dark market, everything can be hacked" and for people who upvote them.

You cannot just throw these words here and there. It means nothing out of concrete attack chain. TLS 1.3 is not easy to "hack" (that's why you use https), it's not easy to find a collision for SHA-256, it's not easy to exploit the collision, and "not easy" means an enormous time, from several years to infinity, where CSI will "hack" you physically rather than hacking your phone. It's not easy to exploit a vulnerability on a system where this vulnerability was patched.

Questioner makes a precondition: a concrete case, hardened mobile phone, where he did everything he was able to do. It could be this phone, for example. Having this particular precondition I would propose to try to discuss very specific cases. But "it depends on" would be a pretty comfortable and universal answer, of course.

Special update #2

for "flashing bootloader, skipping decryption, hacking in the lab" guys.

Just see the "Real world positive cases" above. And shortly: you just need to know that the major part of the cases to "unlock the phone" are narrowing down to data wiping (factory reset). No key = no data. Easy.


Conclusion

Set up credentials, lock your phone, update OS, and cybersecurity professionals will try to do the rest.

Alexander Fadeev
  • @paj28 Yeah, man, FUD is a really annoying trend in cybersecurity world nowadays. – Alexander Fadeev May 05 '20 at 09:23
  • 3
    I do not see anything different in your description of your security features on mobile phone than on my computer. Physical access will always mean you can do bad things to hardware regardless how good SW protection is. Comparing the above with unencrypted old windows is really not fair. – Jakuje May 05 '20 at 10:02
  • Yeah, sure, you can destroy the device, for instance, but it doesn't mean that confidentiality is compromised. And if the game is about data confidentiality, then the game is not over. – Alexander Fadeev May 05 '20 at 10:21
  • 3
    Thanks for actually trying to answer the question, instead of talking in generalities like the rest. But I think what you said is still just a start at answering this. – John Pankowicz May 05 '20 at 16:29
  • I think phones are like this because they assume most users are complete idiots. You can technically do everything a phone does on a computer, but most users are really idiots. – Nelson May 06 '20 at 08:52
  • 1
    @AlexanderFadeev Had to downvote as well, because 'physical access' does mean 'game over' from the point of view that you lose control of what happens (given the highest level threat model). To give a simple example, if you leave your phone on your desk an attacker gets their hands on it, replaces the screen with a screen with embedded touch logger and returns it to your desk. It's an extreme case, but that's the case the saying talks about. And yes, good encryption without the key is just random noise, whether on desktop or on a smartphone or anything else. – David Mulder May 06 '20 at 14:21
  • @DavidMulder Let me show you another extreme case then: you buy your phone, and your phone has a keylogger pre-installed at the factory. See, game over before the beginning. And why so difficult: with an ability to replace a screen the attacker could just eavesdrop on the credentials. Still the screen forging can be detected, right, and it means that the game is not over. See, your cybersecurity glass is half empty, my friend. – Alexander Fadeev May 06 '20 at 14:35
  • "Mobile OS enables much more security hardenings than PC:" You haven't listed a single thing that isn't possible with a PC. The only real differences result from the side effects of disassembly. – Ben Voigt May 06 '20 at 20:11
  • @BenVoigt But you don't have it enabled right now, don't you? Do you even know what is TrustZone? Do you have a read-only system partition under dm-verity protection? Or maybe IMA is configured on your personal PC? You don't have `su` and `sudo` and a root user at all? You can't insert USB periphery? SELinux is properly configured (have you ever seen a book about SELinux which is hard to lift)? Have you verified that all secret keys are properly zeroized in your memory after disconnecting from WiFi? Let's talk again after you know all this stuff and enable on your personal PC. – Alexander Fadeev May 06 '20 at 20:52
  • @AlexanderFadeev, last time I visited a hardware reverse engineering lab, it was on the day when they were teaching the interns how to break a big-name vendor's secure boot implementation. Yes, there are more layers, but they're not impregnable. (That said, I will say that mobile chipset Secure Boot implementations -- at both firmware and software layers -- are generally better than the PC UEFI-based status quo). – Charles Duffy May 06 '20 at 23:05
  • You must also remember that it's quite easy to break an Android device. Boot to bootloader with key combo, flash custom recovery (Orange Fox in my example), skip decryption, go to modules, flash the 'Remove password' module, access to data. – David Wheatley May 06 '20 at 23:23
  • Thank you for your comments, guys, I constantly improve my answer. I've just added some clarification for "unlocking bootloader" and "skipping decryption" folks. Shortly, you cannot "skip decryption": flashing bootloader just leads to a data wiping in the end (factory reset). You've got device, but not the data. – Alexander Fadeev May 07 '20 at 02:00
  • Indeed, but if the encryption key is derived from a smartphone PIN, it's going to be amenable to a brute-force attack. Vendors have countermeasures to limit the number of attempts, but historically those countermeasures can be circumvented by a sufficiently sophisticated attacker. Remember, we aren't necessarily talking someone manually entering passwords; a sophisticated attacker can have their own hardware accessing the flash chips directly, and iterating through possible derived keys at a far higher speed. – Charles Duffy Jul 01 '20 at 13:52
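
The chain in Alexander Fadeev's answer above (password -> key -> encrypted storage; no key == no data), together with the brute-force caveat raised in the last comment, can be made concrete with a small model. This is an added example, not code from the post or from any phone vendor: the `Phone` class, the `chip_secret` that models a hardware-bound key, and the SHA-256 keystream (a stand-in for AES so that it runs on the standard library alone) are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000  # constructed work factor, kept low so the demo runs quickly

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Toy SHA-256 counter-mode keystream: a stand-in for AES, not for production use.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

def derive_kek(pin, salt, chip_secret):
    # "Password -> symmetric key": stretch the PIN, then bind the result to a
    # secret that only the device's security chip holds (modelling assumption).
    stretched = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
    return hmac.new(chip_secret, stretched, hashlib.sha256).digest()

class Phone:
    def __init__(self, pin):
        self._chip_secret = os.urandom(32)  # never written to flash
        self.salt = os.urandom(16)
        self._dek = os.urandom(32)          # data key, in RAM only while unlocked
        self.wrapped_dek = seal(derive_kek(pin, self.salt, self._chip_secret), self._dek)
        self.flash = {}                     # name -> ciphertext

    def store(self, name, data):
        if self._dek is None:
            raise PermissionError("locked: no key in memory")
        self.flash[name] = seal(self._dek, data)

    def read(self, name):
        # "No key == no data": a locked phone has nothing to decrypt with.
        return None if self._dek is None else unseal(self._dek, self.flash[name])

    def reboot(self):
        self._dek = None  # keys do not survive a power cycle

    def unlock(self, pin):
        if self.wrapped_dek is None:
            return False
        kek = derive_kek(pin, self.salt, self._chip_secret)
        self._dek = unseal(kek, self.wrapped_dek)
        return self._dek is not None

    def factory_reset(self):
        # Discarding the wrapped key is enough: the ciphertext left in flash is noise.
        self.wrapped_dek = None
        self._dek = None

    def flash_dump(self):
        # What a copy of the storage chip contains: everything except the chip secret.
        return {"salt": self.salt, "wrapped_dek": self.wrapped_dek, "files": dict(self.flash)}

def unwrap_off_device(dump, pin):
    # Key derivation repeated away from the phone, without the chip secret.
    if dump["wrapped_dek"] is None:
        return None
    return unseal(derive_kek(pin, dump["salt"], bytes(32)), dump["wrapped_dek"])

def demo():
    phone = Phone("493817")  # constructed PIN
    phone.store("notes", b"constructed sample note")
    dump = phone.flash_dump()
    phone.reboot()
    result = {
        "locked_read": phone.read("notes"),
        "wrong_pin": phone.unlock("000000"),
        "right_pin": phone.unlock("493817"),
        "off_device_right_pin": unwrap_off_device(dump, "493817"),
    }
    phone.factory_reset()
    result["after_reset"] = phone.unlock("493817")
    return result

if __name__ == "__main__":
    print(demo())
```

In this model the hardware-bound secret is what forces every PIN guess to go through the device and its attempt limits; drop `chip_secret` from `derive_kek` and a copy of the flash is enough to test PINs at full speed, which is the situation the comment above describes.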
7

No - This saying only applies to devices that are not designed to be secure in an untrusted physical environment.

For example, a traditional desktop computer without disk encryption is not secure against an attacker with physical access. They can remove the hard drive and access all the data. Such an attack is so easy, it is "game over".

Some devices are designed to be secure in an untrusted physical environment, at least in restricted circumstances, and a modern smartphone is an example of this. Your average script kiddie cannot steal data from a locked smartphone. In fact, your average cyber security expert cannot either; this is the realm of specialists. However, it is known that specialist companies and agencies like the FBI can extract data from locked smartphones.

"Game over" is not a precise term, but we need to interpret it sensibly. Personally, I would say that blocking everyone except specialists and the FBI is not "game over". Especially as such agents have other ways to attack smartphones, such as browser zero days.

paj28
7

I'll dare it

Although objectionable if you are super pedantic, I am inclined to say "no", or "mostly no". It always depends on what you assume the attacker can do and will do, what's practical and what isn't. But when it comes to situations where one would say "yes", other problems are much more serious than someone unlocking your phone. Someone who can do this can also have you disappear entirely. Or, file a CLOUD warrant, for that matter.

Modern phones have specialized hardware which magically encrypts and decrypts your data, with the key never leaving the magic chip. That magic chip also has special provisions ("fuses") that physically destroy its ability to do so, given the right circumstances. Different manufacturers call their magic differently ("Secure Enclave", "Knox") but it is more or less all the same. Bottom line: Getting to the data is hard, very hard. Plus, you can always use Veracrypt in addition to the device's built-in security, which is more or less middle-finger-up towards anyone successfully unlocking the device and not knowing your decryption key (which isn't stored on the device).

What can someone with physical access to your device do?

Getting your "help"

Use a baseband exploit and gain root access, install spyware while you have the phone unlocked. Done, and thank you for your assistance.
Erm... alright, no physical access is necessary, so... I'm safe to say "no problem!" (in the context of the question).

The same goes for showing a fake error screen on a fraudulent web site, or making a phone call and telling you that our firewalls have detected a serious phone problem on your end which disturbs the internet in such a way that it requires me to reconfigure some servers at Apple to make it work again (this is what actual MS-PC scammers/extortioners claim, more or less verbatim, and people buy it!). So, to configure the Apple servers correctly, I need to know your password, and you need to follow a certain number of steps which I'll tell you. Physical access is not a prerequisite, stupidity is enough.

Steal the device, factory-reset it, and sell it on eBay.

There's not much of a defense against that. There's "find my device" and the like, and remote lock, and whatnot, but bleh. 99.999% certain you're not getting your phone back.
On the other hand, in terms of "Ow, my data!", this is a total non-issue.

Install a different firmware while you are getting your coffee

In theory, that's quite possible. In practice it's deep in the "yeah right, good luck" realm.

A factory reset (and firmware install) can usually be done without knowing the unlock password or having the correct finger attached to one's hand. Plugging in a cable and pressing the magic on/volume button sequence is enough. That's right.
There is however a small "but". First, doing so will erase all data. Second, doing so with a firmware that doesn't have what the phone considers a valid certificate issued by the phone's vendor kicks off the SE/Knox chip. Third, the process takes 15-20 minutes, so you need to have access to the device for quite some time. Do that, covertly, while hanging upside down from the ceiling as the target is getting a coffee? You should apply for the next Mission Impossible movie, you're certain to replace Tom Cruise. That's a more awesome stunt than the IMF break-in. And despite being an awesome stunt, it won't reveal the data!

Unlock the device bypassing biometrics

That may actually work, depending on how unaware or stupid the phone's owner is. If it happens, and if that is your only authentication, and you did not take other measures, then yes... you have lost. Seeing how you actually ask such a question, that's unlikely to be the case because apparently you have been thinking about the topic.

Facial recognition has been demonstrated to be rather not too safe, and the story with Samsung in-display scanners a year or two ago was a quite fun experience. In case you didn't know, there was a huge "security problem" with Samsung's in-display fingerprint scanners. Truth is, the scanners worked 100% correctly and did exactly what they should do, it was the users being too stupid. Users would put on a poorly manufactured, cheap protective gel screen protector from Mr.China on their $1000 phone, which necessarily had some recognizable, constant patterns. Thus, every time the user would lay a finger upon the scanner, the scanner recognized the finger, at different angles, and with different scale, pressure, ridge depth according to pressure, and the like... plus a recognizable pattern which was also always present.
So consequently, the AI learned -- of course, what else -- that this pattern is a valid part of the owner's fingerprint. Do it a few thousand times, and everybody can unlock your phone. No surprise there. That's stupidity though, not a defect.

Unlock the device by entering the PIN/Password

Well, hopefully, that is "Yeah, nice try", again it depends on how aware/unaware/stupid the user is. Your password/PIN isn't 0000 by any chance?
For a reasonable password, and with the "erase data after X failed logins" the practical risk is zero (yes, it is not zero, but for all practical purposes it is). Oh darn it, I'm Sherlocked.

Replace the device

Replace the device with an identically looking one, and perform a relay attack, both with your fingerprint (... which they could get a million times easier, but not in a nearly as cool way) and the PIN and whatever. That, uh, is possible. Mission Impossible possible. Producing an identical phone with the same physical appearance and an identical-looking lock screen may be not that much trouble, but without already having had access to the device, getting the start screen and all to be exactly right is a real challenge. Oh darn it, I'm Sherlocked again, that one I didn't see coming.

Open the device and extract the key from the SE/Knox chip

Following that, decode the flash memory. Yes, this is possible. But it is, again deep in the "fucking heroic, Mission Impossible" realm. These chips are explicitly designed to make this a tough job. You will need to work with extreme care on a very small scale, read out a minimal electric charge, and even then there is a good chance you ruin it.
How do we know it's hard? Well because if it was actually doable by a reasonably educated and experienced lab assistant with decent tools, then the FBI wouldn't have made such a darn humiliating fuss about it (which Apple used very diligently for advertising) on that terror suspect phone a couple of years ago.

Bottom line

Realistically, it's mostly "no problem" for the "phone got stolen" issue, other than obviously you are lacking one phone and need to buy a new one.

Besides, the overwhelming majority of users store their data on cloud services, both for backup and for sharing between devices, run by someone (possibly third parties, and likely affiliated with US-based firms) on servers in unknown locations, probably subject to regulations such as SCA and CLOUD, with unknown people having unknown levels of access. And, with unknown, if present, encryption.

Seeing how CLOUD has a "must" wording irrespective of physical location, the assumption "no encryption" is a very valid assumption. Otherwise there'd be no way for US companies to comply with the law.
Also, the fact that you can trivially, without hassle, share data between several devices kinda suggests that there can't be much of a secure encryption scheme in place, otherwise how would a different device that doesn't know the decryption key be able to use the data! You demonstrably don't need to transfer or know an encryption key or something, you just sign in (with OpenID if you like), and the data magically appears on your other phone (which now diligently encrypts the data in an unrecoverable way!).

I'd consider that much more worrisome, if the data on your phone is important.

Damon
5

It's probably fair to say that smartphone vendors are *attempting* to protect against attackers with physical access; the amount of effort being put in varies by vendor, and the effectiveness can be judged by google searching for terms like "lockscreen bypass".


iPhone

There was a famous case in 2015 / 2016 where the United States' FBI took Apple to court for assistance in breaking into / unlocking the iPhone of a convicted criminal. Eventually the FBI dropped the case; and speculation is that they were able to purchase black-market tools or services and no longer needed Apple's cooperation. I'll let you form your own opinion about what that tells us about the amount of effort required to hack into an iPhone with a properly-configured lockscreen password.


Android

For Android the story is a bit weaker with, for example, tools like dr.fone, which claim to:

  • Remove 4 screen lock types: pattern, PIN, password & fingerprints.
  • Unlock some Samsung/LG phones without data loss.
  • Work for all mainstream Android brands like Samsung, Huawei, LG, Xiaomi, etc.

It looks like they work by rebooting the device into Recovery Mode and/or uploading a custom ROM to disable the lock screen.

While I have no personal experience with these tools, I would imagine your mileage will vary depending on how old / unpatched your Android is, and whether you are on a flagship device with dedicated secure-boot chips on the motherboard.

Mike Ounsworth
  • It is a huge trendy oversimplification: there are magic tools which allow you to hack, and also FBI... Let's take a look at "dr.fone": while unlocking the phone it erases all data. "Please note this unlocking process will also wipe the data on your iPhone/iPad. Honestly there is no solution to bypass iPhone/iPad lock screen without data loss for the moment in the market." – Alexander Fadeev May 05 '20 at 07:38
  • 2
    @AlexanderFadeev in the **open** market – paj28 May 05 '20 at 09:05
  • 1
    @paj28 Not exactly: imagine that you use a random 256-bit symmetric key, the storage is then encrypted with that symmetric key using AES256, then you reboot the device, and drop it away. The only way in this world to "hack" your device is to brute force the key. There is no magic tool in CSI and FBI against that. That's what happens on a modern mobile device.... But if you still remember the key, they will do thermorectal cryptanalysis :) – Alexander Fadeev May 05 '20 at 09:23
  • 1
    @AlexanderFadeev - Look I don't want to have a long conversation about this, but you do not enter a 256-bit key at boot, there's a kind of TPM that holds the key. – paj28 May 05 '20 at 09:31
  • @paj28 Only limited capabilities are accessible in Android right after the boot: https://source.android.com/security/encryption#full-disk (almost everything doesn't work after the boot) – Alexander Fadeev May 05 '20 at 09:40
  • 1
    @AlexanderFadeev a few specialist companies like Cellebrite have such solutions available (https://www.cellebrite.com/en/ufed-premium/) which are known to work on up to date phones but they are not available to the *open market* - they sell the services (and often just the actual unlocking of particular devices by their people in their premises, not the actual software/knowhow/zerodays) to selected customers e.g. law enforcement and military/intelligence services. I mean, one should not be surprised that zerodays for phone OS exist; but they're quite expensive and usage risks "burning" them. – Peteris May 06 '20 at 00:37
  • 1
    @Peteris Maybe I will surprise you, but even they cannot hack everything. And military forces also use mobile phones indeed. Some special secret military phones with self destruction from movies? No, it can be just, say, Samsung Galaxy S9: https://www.samsung.com/us/business/solutions/industries/government/ – Alexander Fadeev May 06 '20 at 08:02
  • @AlexanderFadeev they can't hack everything, they do need to have obtained an unpatched zeroday, but those exist. Military forces using off-shelf phones does not imply that off-shelf phones are uncrackable, it is the whole reason why other military forces may want to buy such services for use in battlefield forensics. E.g. that Samsung Galaxy S9 was vulnerable to https://www.zdnet.com/article/samsung-patches-0-click-vulnerability-impacting-all-smartphones-sold-since-2014/ ; Cellebrite advertised that they can crack these models, so they may have bought that same vulnerability a year or two ago. – Peteris May 08 '20 at 08:55
  • @Peteris There is a difference between offline attack and runtime attack. If the questioner asked about ANY attack, "could I get pwned", it would be another discussion. Your example is a runtime attack against the unlocked phone which can be carried out remotely without physical access. Why would we discuss this case in this thread? With the same success we could consider just any phishing. Obviously apps have vulnerabilities, and even your example affects a single sandboxed application. You cannot just cast "zeroday" and "Celebrities" words here and there. – Alexander Fadeev May 08 '20 at 10:08
1

For Apple iOS devices like iPhones and iPads, generally yes they are protected from physical access attacks

Please correct me if I'm wrong, but to the best of my understanding it works like this: iOS encrypts user data. The encryption key is stored on a separate security chip which also handles pass code verification and the code produced from fingerprint ID. This is a proprietary chip that nobody knows much about. It is certainly possible that there is some kind of backdoor master pass code that can be used by organizations like the FBI. The fact that so many fake "unlock your iPhone using this special code" web pages exist suggests that they might be helping cover up any real master pass code if it ever did get leaked.

As far as resetting the device to reuse it, Apple has something called iCloud lock. Every iOS device has a unique identity, and every time iOS is reinstalled on the device iOS needs to be activated over the Internet. If the phone's unique identity is marked as locked, then the iOS setup program will require that the user log in to their Apple account using the correct email address and password before setup can continue. Currently, the only way for the general public to turn off iCloud lock is through an Apple store. They'll require proof of purchase or some other document. This is why iCloud locked devices are considered parts-only devices that are unusable.

The Apple bootloader will only boot up signed versions of iOS. So you can't just install a custom operating system on it. There are some flaws however. Even on an iCloud locked device, it is still possible to bring up the browser using the captive portal interface, which is commonly used when signing on to public WiFi networks. This allows some functionality and it also opens the device up to potential browser attacks. In 2019 a bootrom exploit was released which affected all but the latest iOS devices. It is a ROM exploit that cannot be patched. This allows bypassing the signed iOS version only boot up requirement. The iOS device must be connected to USB each time it is turned on though if a non signed OS is to be loaded. The exploit on http://checkra.in/ uses this method to jailbreak the device. Even if this exploit were used to access a locked device, the user's data would still be encrypted. But the exploit could be used to install malware on the phone which would steal the user's data after they unlock it during normal use.

Alex Cannon
0

The short(ish) answer for iPhone: There is no access without the passcode. There are protections that may be possible to overcome that should prevent brute force attacks. If these protections fail, then it takes a minimum of 80ms to check one passcode. So to be safe, you need a passcode that cannot be cracked at a rate of 12 tries per second, 750 per minute, 45,000 per hour, 1,080,000 per day.

A random 10 digit passcode will be safe, assuming an attacker can get around every single protection. But if you leave an unlocked iPhone lying around, that is obviously a lot less safe.

(There are also protections against factory reset, which are equally annoying to thieves, heirs of deceased iPhone owners, and companies where employees who leave return locked company phones).

gnasher729
  • If you enter an incorrect pass code several times, it makes you wait up to 60 minutes before you can enter a new one! I assume this is enforced by the dedicated security chip and cannot be bypassed. Do you have a source for where the 80ms delay figure comes from? – Alex Cannon May 10 '20 at 15:12
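The 80 ms figure and the chip-held key discussed in the answers above can be put into a simplified model. The code below is an added example, not code from any answer or from Apple's implementation: it ties the passcode to a device-bound secret so guessing only works on the device, then computes how long a search takes at 80 ms per guess. The PBKDF2 construction, the 32-byte device secret, the sample passcode and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PER_GUESS_S = 0.080  # per-attempt cost quoted in the answer above


def derive_key(passcode: str, device_uid: bytes, iterations: int = 100) -> bytes:
    """Toy model: mix the passcode with a secret that never leaves the chip.
    The low iteration count only keeps the demo fast; it is not a real work factor."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_uid, iterations)


def brute_force(target_key: bytes, device_uid: bytes, digits: int):
    """Try every numeric passcode of the given length; return the match or None."""
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        if hmac.compare_digest(derive_key(guess, device_uid), target_key):
            return guess
    return None


def worst_case_days(alphabet: int, length: int, per_guess: float = PER_GUESS_S) -> float:
    """Days to exhaust the keyspace when every guess must run on the device."""
    return alphabet ** length * per_guess / 86_400


def min_length(alphabet: int, years: float, per_guess: float = PER_GUESS_S) -> int:
    """Shortest passcode whose average-case search (half the keyspace) exceeds `years`."""
    budget = years * 365 * 86_400 / per_guess  # guesses affordable in that time
    length = 1
    while alphabet ** length / 2 <= budget:
        length += 1
    return length


if __name__ == "__main__":
    uid = os.urandom(32)           # constructed stand-in for the chip-bound secret
    key = derive_key("4821", uid)  # constructed sample passcode
    print("search with device secret:   ", brute_force(key, uid, 4))
    print("search without device secret:", brute_force(key, os.urandom(32), 4))
    for digits in (4, 6, 10):
        print(f"{digits} digits: {worst_case_days(10, digits):,.2f} days worst case")
    print("digits needed for 100 years:", min_length(10, 100))
```

The search without the device secret fails even for a 4-digit passcode, which is why the guess rate is bounded by what the hardware allows rather than by the attacker's own compute.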