this post was submitted on 16 Jul 2024
92 points (97.9% liked)

Privacy

31954 readers
616 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] ReversalHatchery@beehaw.org 5 points 4 months ago* (last edited 4 months ago) (1 children)

For a few years now Android has been encrypting storage. Not the SD card, and maybe not even the internal storage (which on android land means your files that you can access with a file manager without root) but I'm not sure about that part. The app's main data is surely encrypted though, when the security menu in the settings says so.

But, there's a loophole. Or two.
The parent commenter said, actual encryption can't be broken without keys.
First, the keys are in the black box TPM of the phone.
Second, how do you verify that the phone uses an effective and unmodified encryption algorithm, and also that keys are never leaked anywhere?
And now consider that popular brands have been bundling malware for years, some of which cannot really be uninstalled either.

[–] Jean_le_Flambeur@discuss.tchncs.de -1 points 4 months ago* (last edited 4 months ago) (1 children)

Yeah TPM chip encryption is mostly not secure (at least not by simply existing, as an encryption with with a strong password that only exists in your head is) I've seen a german youtuber crack the bitlocker TPM encryption of a windows think pad, I have no doubt big companies can do this for the 3-4 most used TPM chips in android phones

And if you got the device and can damage it, even if you couldn't crack the chip, putting the silicia under an electron microscope is always an option (lots of actual manhours of actual experts needed, but you could charge the client heavily to compensate)

[–] ShortN0te@lemmy.ml 3 points 4 months ago (1 children)

No. The TPM was not cracked. The communication was sniffed, which is unencrypted. This requires a Device to be modified and then successfully unlocked to get exploited also this does not affect devices where the tpm is integrated in the SoC.

[–] Jean_le_Flambeur@discuss.tchncs.de 0 points 4 months ago (1 children)

You are right in a sense of: If the TPM holding the keys were itself encrypted with a strong password, this would be still be considered secure. You are wrong in the sense of: lenovo sells a device, tells its users its encrypted, their data is safe. None can steal their data

in reality the data can easily be accessed, which could be considered as "cracking the device/bypassing the encryption" because what lenovo prevent was someone ripping your ssd l, but not just decrypt it because the encryption was not implemented securely.

I don't want to debate the security of a luks Linux volume or veracrypt windows laptop, (even though even those are in theory vulnerable to highly targeted and skilled things like cleverly exploiting e.g the logofail bug)

My point isn't that there are no ways to have a secure system, my point is that the percentage of truly secure systems is low

[–] ShortN0te@lemmy.ml 1 points 4 months ago (1 children)

The device needs to be physically accessed and modified and then unlocked in order to exploit it.

Yes it is a vulnerability but with those steps you could also just solder a keylogger to the keyboard.

Similar outcome.

[–] Jean_le_Flambeur@discuss.tchncs.de 0 points 4 months ago* (last edited 4 months ago)

The device needs to be physically accessed and modified and then unlocked in order to exploit it.

Exactly the service the company offers

Yes it is a vulnerability but with those steps you could also just solder a keylogger to the keyboard.

This is not a hot take at all!

Sure thing, it is equally hard to confiscate/steal a device (if the user notices you just shrug) and open it no user input required And Stealing the device without the user noticing Solder a keylogger, get it back to the user without them noticing and having them put in their password, then steal the device again so you can use said passwort

I totally agree