[guardian-dev] Android Emergency Wipe or Shutdown / PanicKit / PanicButton

Peter Prockers peter.prockers at googlemail.com
Tue Aug 14 15:12:19 EDT 2018


Like any full disk encryption for Linux, full disk encryption on Android can only be
really effective if the device is shut down. This is because:

- the disk encryption key is in RAM and can be extracted from there (see
cold boot attack - while I haven't heard about cold boot attacks against
Android, it's better to be careful, since an attacker could just keep the
Android connected to power and shielded from any internet and it would
never shut down)

- the bootup disk encryption password is probably a lot longer and more
complex than any lockscreen password for reasons of practicality

Before an Android is taken away there might be enough time for an emergency
procedure.

- For example a very long press of some physical key such as the off key
could result in the disk encryption master key (LUKS header) being wiped and
the device shut down. That would make any attempts to extract the key from
RAM as well as brute force attacks against the disk encryption futile. Of
course some safeguards against accidental wipe would be nice such as being
able to abort the procedure by having a configurable timeout of a few
seconds to enter a PIN which aborts.

- If one is forced to reveal an unlock PIN, one could reveal a PIN which
actually wipes the encryption master key (LUKS header) and shuts the device
down.

- A voice command for triggering the emergency procedure.
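
The long-press trigger with an abort window and the duress PIN proposed above can be modelled as one small state machine. This is an added example, not part of the original post and not Guardian Project code. `PanicController`, its method names, the separate abort PIN and the in-memory `key_slot` are hypothetical; a real implementation would have to overwrite the on-disk key material and power the device off.

```python
import hashlib, hmac, os

def _digest(pin: str, salt: bytes) -> bytes:
    # Slow salted hash, so stored PIN verifiers are costly to guess offline.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class PanicController:
    """Hypothetical model; key_slot is a constructed stand-in for the master key."""

    def __init__(self, unlock_pin, duress_pin, abort_pin, abort_window=5.0):
        self.salt = os.urandom(16)
        self.unlock = _digest(unlock_pin, self.salt)
        self.duress = _digest(duress_pin, self.salt)
        self.abort = _digest(abort_pin, self.salt)
        self.abort_window = abort_window      # seconds allowed to cancel
        self.key_slot = bytearray(os.urandom(32))
        self.deadline = None                  # set while a wipe is pending
        self.powered_on = True

    def _match(self, pin, ref):
        return hmac.compare_digest(_digest(pin, self.salt), ref)

    def _wipe_and_shutdown(self):
        self.key_slot[:] = bytes(len(self.key_slot))  # overwrite in place
        self.deadline, self.powered_on = None, False
        return "wiped"

    def long_press(self, now):
        # Arm the countdown; repeated presses do not extend it.
        if self.deadline is None:
            self.deadline = now + self.abort_window
        return "armed"

    def tick(self, now):
        # Called by a timer: fire the wipe once the abort window has passed.
        if self.deadline is not None and now >= self.deadline:
            return self._wipe_and_shutdown()
        return "idle" if self.deadline is None else "armed"

    def enter_pin(self, pin, now):
        # The duress PIN wipes in every state; an expired window also wipes.
        if self.tick(now) == "wiped" or self._match(pin, self.duress):
            return self._wipe_and_shutdown()
        if self.deadline is not None:
            if self._match(pin, self.abort):
                self.deadline = None
                return "aborted"
            return "armed"  # the unlock PIN does not cancel a pending wipe
        return "unlocked" if self._match(pin, self.unlock) else "denied"
```

Time is passed in as `now` so the abort window can be exercised deterministically.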