Friday, February 10, 2017

Protecting Your Data at a Border Crossing

Jonathan Zdziarski:

Obviously, you want all of your devices encrypted and powered off at the border. There are plenty of ways to access content on devices (even locked ones) if the encryption is already unlocked in memory.

[…]

To lock down 2FA at a border crossing, you’ll need to disable your own capabilities to access the resources you’ll be compelled to surrender. For example, if your 2FA sends you an SMS message when you log in, either discard or mail yourself the SIM for that number, and bring a prepaid SIM with you through the border crossing; one with a different number. If you are forced to provide your password, you can do so, however you can’t produce the 2FA token required in order to log in.

[…]

I’ve written about Pair Locking extensively in the past. It’s an MDM feature that Apple provides allowing you to provision a device in such a way that it cannot be synced with iTunes. It’s intended for large business enterprises, but because forensics software uses the same interfaces that iTunes does, this also effectively breaks every mainstream forensics acquisition tool on the market as well. While a border agent may gain access to your handset’s GUI, this will prevent them from dumping all of the data – including deleted content – from it. It’s easy to justify it too as a corporate policy you have to have installed.

3 Comments RSS · Twitter


The compartmentalization strategy aspect of the (interesting) linked post is partially why I saw FileVault 2 as a subtle downgrade from FileVault 1 in certain respects.

Back with FileVault 1, the individually encrypted user accounts allowed you to set up a dummy main account you could log into upon request while your actual user account was hidden from the GUI, and thus easily practice total compartmentalization by obscurity at customs.

(Of course, forensics tools could conceivably discover and note the hidden user account to the customs agent in real time, but that seems somewhat unlikely to me in practice for a few reasons.)


Any account can be hidden from the Login Window - we do this routinely with our admin accounts on the Macs we manage. I'm not on my work laptop at the moment so don't recall the exact defaults command offhand, but I can get it if anyone wants.


"Any account can be hidden from the Login Window"

Sure. But with FileVault 2, merely hiding an account from the Login Window no longer leaves it encrypted if you are compelled to enter your password for a dummy main account.

Back in the FileVault 1 days, hiding an account from the Login Window had actual practical usefulness in such situations.

Leave a Comment