Slashdot Mirror


Ask Slashdot: Would You Use A Cellphone With A Kill Code?

Slashdot reader gordo3000 writes: Given all the recent headlines about border patrol getting up close and personal with phones, I've been wondering why phone manufacturers don't offer a second emergency pin that you can enter that wipes all private information on the phone? In theory, it should be pretty easy to just input a different pin (or unlock pattern) that opens up a factory reset screen on the phone and in the background begins deleting all personal information.

I'd expect that same code could also lock out the USB port until it is finished deleting the data, to help prevent many of the tools they now have to copy out everything on your phone. This nicely prevents you from having to back up and wipe your phone before every trip but leaves you with a safety measure if you get harassed at the border.

It could be built into the operating system, added by the manufacturer, or perhaps sideloaded as a custom mod -- but that begs the question of whether it'd really be a popular feature. So leave your own thoughts in the comments. Would you use a cellphone with a kill code?

39 of 301 comments

  1. Mandatory by Anonymous Coward · · Score: 4, Informative

    Yes.

    1. Re:Mandatory by michelcolman · · Score: 5, Informative

      There's no need to lock any ports, though: wiping an encrypted phone can be done in less than a millisecond. All you need to do is destroy the encryption key. That's what iPhones do when you enter the wrong pin multiple times, and the effect is instant and irreversible. It would be trivial for Apple to add a feature that wipes the phone for a specific pin chosen by the user.

      Law enforcement can sometimes retrieve a password. But that password only serves to decode the actual decryption key, which is a random sequence of bits. If that key is gone, it would take billions of years to decode the device.
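The key hierarchy described in the comment above, as an added example that is not part of the original thread and not any vendor's code: a random data key encrypts the storage, the PIN only unwraps that key, and a user-chosen wipe PIN destroys the wrapped key. `ToyDevice`, the PBKDF2 parameters and the HMAC-based stream cipher (a stand-in for AES) are assumptions made for illustration.

```python
import hashlib, hmac, os

def kdf(pin: str, salt: bytes) -> bytes:
    """PIN -> 32-byte key. PBKDF2 is an assumed stand-in for a phone's hardware-bound KDF."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode), a stand-in for AES. Self-inverse."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

class ToyDevice:
    """Hypothetical model: storage is encrypted under a random data key (DEK);
    the PIN only unwraps the DEK, so destroying the wrapped DEK is the wipe."""

    def __init__(self, pin: str, wipe_pin: str, plaintext: bytes):
        dek = os.urandom(32)                       # random, never derived from the PIN
        self.salt = os.urandom(16)
        kek = kdf(pin, self.salt)                  # key-encryption key from the PIN
        self.wrapped_dek = stream_xor(kek, dek)
        self.tag = hmac.new(kek, self.wrapped_dek, hashlib.sha256).digest()
        self.wipe_salt = os.urandom(16)
        self.wipe_check = kdf(wipe_pin, self.wipe_salt)   # verifier for the wipe PIN
        self.storage = stream_xor(dek, plaintext)  # bulk data, left in place on wipe

    def crypto_erase(self) -> None:
        # The wipe drops ~64 bytes of key material and never touches the storage.
        # (A real device must erase this from hardware-backed key storage.)
        self.wrapped_dek = self.tag = None

    def unlock(self, pin: str):
        """Return the decrypted storage, or None on a wrong PIN or a wiped device."""
        if self.wrapped_dek is None:
            return None                            # already wiped: no PIN helps
        if hmac.compare_digest(kdf(pin, self.wipe_salt), self.wipe_check):
            self.crypto_erase()
            return None
        kek = kdf(pin, self.salt)
        expect = hmac.new(kek, self.wrapped_dek, hashlib.sha256).digest()
        if not hmac.compare_digest(expect, self.tag):
            return None                            # wrong PIN
        return stream_xor(stream_xor(kek, self.wrapped_dek), self.storage)

if __name__ == "__main__":
    dev = ToyDevice("4821", "9035", b"constructed sample: contacts, messages")
    print(dev.unlock("4821"))   # plaintext
    dev.unlock("9035")          # wipe PIN destroys the wrapped key
    print(dev.unlock("4821"))   # None: the correct PIN no longer recovers anything
```

After the wipe the ciphertext is still on the device byte for byte; only the wrapped key is gone, which is why the erase does not depend on how much data is stored.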

    2. Re: Mandatory by v1 · · Score: 5, Interesting

      1. Duress codes are a dumb idea that sounds cool. Why? By definition you almost never use them.

      Let me just throw out a few other "dumb ideas" you almost never use... Airbags. Fire Extinguishers. Life insurance. Parachutes. Seatbelts. Fire Departments. Just because they're an extreme response and you don't use them very often doesn't make them a "dumb idea".

      Home alarm systems don't have them any more for a reason.

      Friend of mine proved you wrong last year. His wife got home after a craaazy day at work and put in the wrong PIN on her home alarm. 15 minutes later there's a knock on the door from a guy in a white coat and the entire backdrop is full of cops. "What is this? I disarmed my alarm?" "yes, ma'am but you used the *duress code* to do it." "oh..." So a bunch of boys in blue came in and swept the entire house while she was outside talking with the cops. Yes there will be false alarms, but the feature serves a function. They had that option enabled because someone they knew a few years back had been forced to disarm their car alarm at knifepoint so they knew the risk was real.

      2. On iPhone if you use TouchID, it's 4 taps to "erase all contents and settings". Any duress code would be longer to enter than that.

      At first I thought you meant "four taps on the home button" but I don't find that feature anywhere. (link?) If you mean going into settings to erase it, I'm pretty sure any competent LEA will grab the phone out of your hands the instant they see you've finished unlocking the phone. You don't just leave volatile evidence in the hands of a suspect to meddle with before confiscating it. If you have touch id, they can actually use the federally-allowed fingerprints they took from you when you were booked to create a silicon finger and use THAT to unlock the phone, you never get near it again to nuke it. (and yes, there's been at least one documented case of that being done) I'd much rather have two fingers that unlock it and eight that nuke it, let them play roulette if they're feeling froggy. And there's no way a 4 digit nuke code takes any longer to enter than a 4 digit unlock code??

      If you have your phone synced with your computer or cloud, if you accidentally erase it you can restore it from there. If they're THAT aggressively pursuing you that they will get search warrants for your house or cloud data, okay, you can have it. I think this discussion is more aimed at discouraging "fishing expeditions" of "We have just barely enough evidence to arrest them and take them to jail for an hour, let's see if we can find anything on their phone that will convince a judge to give us some search warrants..." To me anyway this is more about curbing illegal search and seizure than it is about trying to bypass the lawful search warrant process.

      --
      I work for the Department of Redundancy Department.
    3. Re: Mandatory by drewsup · · Score: 3, Insightful

      Why not use thumb for regular login, middle finger for wipe, seems apropos

    4. Re: Mandatory by PopeRatzo · · Score: 4, Funny

      His wife got home after a craaazy day at work and put in the wrong PIN on her home alarm. 15 minutes later there's a knock on the door from a guy in a white coat and the entire backdrop is full of cops.

      I love these letters to Penthouse Forum.

      --
      You are welcome on my lawn.
    5. Re: Mandatory by Anonymous Coward · · Score: 2, Insightful

      When seconds count, the police are only minutes away.

    6. Re: Mandatory by Trailer+Trash · · Score: 2

      My home security system has the same feature, and it's easy to remember the "panic" code. It's just one number less than your "real" code.

      It's whatever the installer sets it to. The installers around here typically set it to your street address - the added bonus is a dumb robber might try that to disarm your alarm and it'll appear to work until the cops show up.

    7. Re: Mandatory by Known+Nutter · · Score: 2

      It's whatever the installer sets it to. The installers around here typically set it to your street address - the added bonus is a dumb robber might try that to disarm your alarm and it'll appear to work until the cops show up.

      Huh? If you're using an alarm system with codes that aren't end-user defined, then you're doing it WAY fucking wrong.

      --
      Beware of the Leopard.
    8. Re: Mandatory by R3d+M3rcury · · Score: 2

      Now try remembering that code you set up 3 years ago and never used [...]

      1234.

    9. Re: Mandatory by Trailer+Trash · · Score: 2

      It's whatever the installer sets it to. The installers around here typically set it to your street address - the added bonus is a dumb robber might try that to disarm your alarm and it'll appear to work until the cops show up.

      Huh? If you're using an alarm system with codes that aren't end-user defined, then you're doing it WAY fucking wrong.

      During installation, the installer can set the master code. What the guys around here do is call me over, type in the setup and then have me type my code in twice while they walk to the other side of the room and look away. Same thing with the duress code. They suggest the street address. I guess I should have been more specific about the exact steps taken. And, yes, I can change my master code at any time (of course, I have the installer code as well so I can change *anything*).

  2. Why not a fake account? by fredgiblet · · Score: 4, Interesting

    Why not have a second PIN that opens a sanitized, but seemingly fully normal, home page? Missing a few critical apps, or having versions signed into a different account.

    1. Re:Why not a fake account? by Gussington · · Score: 5, Insightful

      Why not have a second PIN that opens a sanitized, but seemingly fully normal, home page? Missing a few critical apps, or having versions signed into a different account.

      Because if the device is confiscated, a simple dump of the memory will reveal everything.

    2. Re:Why not a fake account? by wierd_w · · Score: 2

      What you really want is a "destroy adopted storage decryption key + zerofill SD card" option on the recovery menu.

      At least for Android devices anyway.

    3. Re:Why not a fake account? by Duckman5 · · Score: 2

      Adopted storage is actually automatically encrypted with a 128 bit AES key. Assuming gp is using the correct terminology. Adoptable storage is the name that Android gave to the ability to store entire apps on a specially formatted portion of the microSD card rather than the previous implementation of some developers allowing a small portion of the app to be moved to an encrypted container file on the card. I think it was meant to allow people to supplement those really tiny entry level phones that may only give you like 4 GB of storage for your apps.
      It makes sense, though, that you could put all your sensitive apps/data on adoptable storage so you would end up with a seemingly innocuous phone if you erased/destroyed the SD card. In fact, you could mail the SD card, instead, so that you would have a fully functioning phone while traveling but none of your sensitive data would be available at your border "interview."

    4. Re:Why not a fake account? by torkus · · Score: 2

      If the device is compromised in a technical sense.

      Knox doesn't do anything at all for your password/PIN being compromised.

      --
      You can get rich if you own a politician, but you have to be rich to buy one in the first place.
  3. Why yes by bytesex · · Score: 5, Insightful

    It would be *very* easy to have smartphones with adequate security from all sorts of perspectives. Secure key storage, secure storage, secure communications, secure boot, secure containers, secure remote management, secure (multiple factor) authentication, secure arbitration of what hardware can access what memory etc. The thing is: if your target audience is largely 15 year old girls, then you probably have commercial priorities elsewhere.

    --
    Religion is what happens when nature strikes and groupthink goes wrong.
    1. Re:Why yes by geekmux · · Score: 4, Insightful

      It would be *very* easy to have smartphones with adequate security from all sorts of perspectives. Secure key storage, secure storage, secure communications, secure boot, secure containers, secure remote management, secure (multiple factor) authentication, secure arbitration of what hardware can access what memory etc.

      It would be *very* easy for citizens to give a shit enough about their privacy to not carry around their entire lives in a cellular tracking device too.

      Simple fact is, they don't give a shit, convenience trumps privacy every time, and it's gonna take a hell of a lot more than a dozen border patrol searches gone overboard to change human behavior.

      The thing is: if your target audience is largely 15 year old girls, then you probably have commercial priorities elsewhere.

      Yeah right. Everyone from 7 - 70 years old uses a cellular device these days, and the models are hardly different no matter who is using it. Governments rather enjoy insecure civilian communications and devices. They also know you will gladly surrender your Rights in exchange for giving back the precious confiscated cell phone. Addiction is often an easy exploit in order to enforce Control.

    2. Re:Why yes by GuB-42 · · Score: 2, Interesting

      People don't want super-tight security.
      They don't want to enter passwords every time they need to use their phone, especially not long/string passwords.
      They want to be able to recover their password in case they forget it.
      They want their apps to communicate : share a picture in one click, have their contact book shared between multiple services.
      Some want to be able to customize their device, add features, etc...

      Securing a device while taking into account user needs for a general purpose computer (this is what smartphones are) is not easy at all.

  4. No. by Anonymous Coward · · Score: 5, Insightful

    I'll just avoid travelling to the US.

    1. Re:No. by Anonymous Coward · · Score: 2, Informative

      This. In practically no other "modern western country" is this an issue except in the US (and to some extent in the UK either now or in the immediate future). Everyone knows this. Everyone knows how to avoid it, and that makes it completely useless.

  5. This won't fly. by kaur · · Score: 2

    People will accidentally wipe the phones.
    There would be 10 legitimate uses and 10,000,000 accidental customers with lost data and liability claims.

    I, as a phone / OS provider, would fight this feature.
    I, as a phone user, would fight this feature.

    Imagine a prankster or a drunk friend or a child getting your phone and trying this out.

    1. Re:This won't fly. by rtb61 · · Score: 5, Interesting

      You would actually want three pin codes. One to open the phone, one to clear the phone and one to open the phone and call the police and leave the microphone open but shut down the speaker. Obviously the code for normal open would be the most complex but the other two codes could be simple and easy to remember and distinct, e.g. 1235 and 0070.

      --
      Chaos - everything, everywhere, everywhen
  6. If you wipe your phone - you're a suspect by vsavkin · · Score: 3, Insightful

    Well, you wipe your phone when trying to enter - it means that you have something to hide and should be detained and not allowed in.

  7. Re:Easy to do with an iPhone by geekmux · · Score: 5, Insightful

    ...Now, you'd be facing destruction of evidence of obstruction of justice charges but, that is probably better than what you would have been facing had the phone been unlocked.

    Fucking seriously?

    Unless you're engaged in some seriously illegal activity that you rather enjoy conducting on your smartphone, perhaps you should *really* sit and think about those charges before making such a statement. Gut feeling is a criminal record will impact you a hell of a lot more than your Facebook data being confiscated.

  8. It can be improved by LordHighExecutioner · · Score: 4, Funny

    The most unsuspicious way would be to have the smartphone self-destroy itself by shorting the battery or by executing code that overheats the CPU when the appropriate PIN code is entered. This is the reason why I always buy Samsung smartphones: nobody would blame me if "accidentally" it catches fire.

  9. Re:Easy to do with an iPhone by 0111+1110 · · Score: 4, Interesting

    Index finger fingerprint = open phone. Middle finger fingerprint = delete or randomize encryption key. Maybe require a second fingerprint (middle finger on other hand) just to be sure.

    --
    Quite an experience to live in fear, isn't it? That's what it is to be a slave.
  10. Nice but useless by tele · · Score: 2

    Availability of this feature would result in new regulations which make it illegal to nuke your phone when asked to hand it over to a border agent/law enforcement officer. Add something like 1 year in prison etc and the functionality is practically useless.

  11. Change your PIN by GrokvL · · Score: 2

    But don't memorize it, before crossing the border, and send it to yourself securely on another device not in your possession. That way you can swear that you don't know it and cannot obtain it. It becomes something you neither know nor have. State that this is your standard travel policy for safety reasons.

  12. This is getting ridiculous by argee · · Score: 3, Interesting

    You are in a foreign country.
    Upload your data to a foreign server.
    I recommend a one-time key for encryption.
    Erase it from your phone.
    Enter the U.S.A.
    Retrieve the data. Erase it from server.
    End of problem.
    Avoids border hassles.
    All perfectly legal.

  13. 18 USC 1503 by tlambert · · Score: 3, Informative

    18 USC 1503 : Federal Obstruction of Justice.

    10 years in a Federal pound-you-in-the-ass prison.

    Your new cellmate is named "Bubba".

  14. Re:Easy to do with an iPhone by AmiMoJo · · Score: 3, Insightful

    If you give me a phone unlocked by the hand of the most honest of men, I will find something in it which will hang him.

    - Cardinal Richelieu

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  15. Kill Code will get you busted in USA by RichardAFairchild · · Score: 2

    Remember folks in the USA, you COULD then be charged with tampering with evidence or DESTROYING evidence if you use a kill code. A very slippery slope. Rather, you enter a code that locks the phone down, and the next time someone enters any other code than your rescind code, the phone wipes, that way YOU are not the one that wiped it, L.E. did. However, I am sure they WILL still charge you with something as they will be P!ssed off!

  16. It would be illegal by Aurien · · Score: 2

    In the United States if a border agent asks for your cellphone and you wipe it right there, you've just broken the law. You can now be charged with an obstruction of justice charge. Now if you wipe your phone on the flight or before you're interacting with the border agent, then you've done nothing. But once they ask for it, any actions you do to delete the information on that device is illegal.

    1. Re:It would be illegal by omnichad · · Score: 2

      Either you have Constitutional rights and won't have to hand over your phone, or you're not under US law at the US border and there's no law to charge you with. There's no legitimate way to charge with a crime at the border like that.

  17. Re:Easy to do with an iPhone by lionchild · · Score: 3, Insightful

    I thought you were being detained and your phone searched without due process, because you're in one of those legal "grey zones" not technically in the US. If you can't be protected by the laws there, why would you be subject to charges?

    Customs and border crossing is becoming more and more a little mini US GITMO.

    --
    Awk! Pieces of eight. Pieces of eight. Pieces of seven... ERROR: General Protection Fault. [Paroty Error.]
  18. How about this instead? by jenningsthecat · · Score: 4, Interesting

    Wouldn't it be better to start holding our governments accountable to us, the people who elected the leaders of said governments, and the people who ultimately pay all their salaries? Yeah, I know, corporations own the governments, you can't fight city hall, etc. But really, fuck this nonsense of either taking inconvenient, expensive, extraordinary, and unreliable countermeasures to protect ourselves from our own elected and paid for governments, or taking it up the a** from same! It's time to start organizing and fighting for change, the way civil rights activists did decades ago. Our civil rights are being violated, and it's time to politely but firmly say "No!" to sitting at the back of our own goddamned bus!

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
  19. Why not wipe it in advance? by nine-times · · Score: 2

    If you're worried about the border patrol, it seems pretty easy to know when you're approaching a border. You can just wipe the phone in advance using the built in feature to wipe the phone and return it to the factory settings.

    The whole thing gets more complicated if we're assuming the police just start confiscating phones of random people without a warrant, but I'd imagine that would face a stronger 4th amendment challenge. And really, at that point, I don't think a kill switch would be good enough. I'd want manufacturers to rethink the whole security design, probably limiting the information stored on the phone in the first place.

  20. No by PPH · · Score: 2

    Because I'd lose my Candy Crush high score.

    --
    Have gnu, will travel.
  21. Re:Easy to do with an iPhone by Dread_ed · · Score: 3, Funny

    Conveniently, this particular biosignature becomes inactive for 36-48 hours after an "enhanced" search.

    --
    When the only tool you have is a claw hammer every problem starts to look like the back of someone's skull.