• ShortN0te@lemmy.ml
    link
    fedilink
    arrow-up
    25
    arrow-down
    1
    ·
    4 months ago

    I doubt it. That info is first party and not to be trusted since it is obviously marketing. Any third party article that backs up their claims?

    • SomeLemmyUser@discuss.tchncs.de
      link
      fedilink
      arrow-up
      1
      arrow-down
      1
      ·
      4 months ago

      Isn’t it an open secret that powerful entities (like spying institutions) can get into pretty much every system if they have physical access? Why is this not plausible

      • Todd Bonzalez@lemm.ee
        link
        fedilink
        arrow-up
        8
        ·
        4 months ago

        Because they would have to possess technology that doesn’t exist in order to circumvent actual encryption without a key.

        If I adequately encrypt my own data, and keep the keys a secret, I could hand my hard drive off to Microsoft and they could spend billions running all their AI clusters trying to crack it, and it would be a futile endeavor.

        If the government had the technology to bypass encryption or quickly and inexpensively crack it, they’d use it for a whole lot more than unlocking smartphones. They could basically control the flow of Bitcoin on a whim with such tech.

        • SomeLemmyUser@discuss.tchncs.de
          link
          fedilink
          arrow-up
          1
          arrow-down
          1
          ·
          edit-2
          4 months ago

          How high is the percentage of people using a 12 character key, not stored in the TPM but only in their mind to unlock their phones in your experience? I’m not arguing that Linux luks or aes-256 is not secure, I’m arguing that nearly nowhere it is implemented in a way where ONLY you hold the key ONLY in your mind.

          Encrypting something and putting the key on the storage is like locking the front door and put the key under the mat, if you have a TPM its like having it hidden somewhere on the property. Enough to keep your nosy aunt out, not enough to keep the police/mafia/big data out if they for some reason really want that information

        • SomeLemmyUser@discuss.tchncs.de
          link
          fedilink
          arrow-up
          0
          arrow-down
          1
          ·
          edit-2
          4 months ago

          I am aware that there are secure encryptions, but android isn’t hardware encrypted isn’t it? Haven’t used google android for a while, but no encryption was one of the reasons I moved away from it.

          No idea about apple, but longer startup times for storage encryption doesn’t seem like a very apple thing to do

          Also phones are so seldom turned off, and if the system is running storage encryption becomes less of a concern as the key is somewhere in the ram

          • ReversalHatchery@beehaw.org
            link
            fedilink
            English
            arrow-up
            3
            ·
            edit-2
            4 months ago

            For a few years now Android has been encrypting storage. Not the SD card, and maybe not even the internal storage (which on android land means your files that you can access with a file manager without root) but I’m not sure about that part. The app’s main data is surely encrypted though, when the security menu in the settings says so.

            But, there’s a loophole. Or two.
            The parent commenter said, actual encryption can’t be broken without keys.
            First, the keys are in the black box TPM of the phone.
            Second, how do you verify that the phone uses an effective and unmodified encryption algorithm, and also that keys are never leaked anywhere?
            And now consider that popular brands have been bundling malware for years, some of which cannot really be uninstalled either.

            • SomeLemmyUser@discuss.tchncs.de
              link
              fedilink
              arrow-up
              0
              arrow-down
              1
              ·
              edit-2
              4 months ago

              Yeah TPM chip encryption is mostly not secure (at least not by simply existing, as an encryption with with a strong password that only exists in your head is) I’ve seen a german youtuber crack the bitlocker TPM encryption of a windows think pad, I have no doubt big companies can do this for the 3-4 most used TPM chips in android phones

              And if you got the device and can damage it, even if you couldn’t crack the chip, putting the silicia under an electron microscope is always an option (lots of actual manhours of actual experts needed, but you could charge the client heavily to compensate)

              • ShortN0te@lemmy.ml
                link
                fedilink
                arrow-up
                2
                ·
                4 months ago

                No. The TPM was not cracked. The communication was sniffed, which is unencrypted. This requires a Device to be modified and then successfully unlocked to get exploited also this does not affect devices where the tpm is integrated in the SoC.

                • SomeLemmyUser@discuss.tchncs.de
                  link
                  fedilink
                  arrow-up
                  0
                  ·
                  4 months ago

                  You are right in a sense of: If the TPM holding the keys were itself encrypted with a strong password, this would be still be considered secure. You are wrong in the sense of: lenovo sells a device, tells its users its encrypted, their data is safe. None can steal their data

                  in reality the data can easily be accessed, which could be considered as “cracking the device/bypassing the encryption” because what lenovo prevent was someone ripping your ssd l, but not just decrypt it because the encryption was not implemented securely.

                  I don’t want to debate the security of a luks Linux volume or veracrypt windows laptop, (even though even those are in theory vulnerable to highly targeted and skilled things like cleverly exploiting e.g the logofail bug)

                  My point isn’t that there are no ways to have a secure system, my point is that the percentage of truly secure systems is low

                  • ShortN0te@lemmy.ml
                    link
                    fedilink
                    arrow-up
                    0
                    ·
                    4 months ago

                    The device needs to be physically accessed and modified and then unlocked in order to exploit it.

                    Yes it is a vulnerability but with those steps you could also just solder a keylogger to the keyboard.

                    Similar outcome.

      • ShortN0te@lemmy.ml
        link
        fedilink
        arrow-up
        0
        arrow-down
        1
        ·
        4 months ago

        No. You watch too many Movies. Yes there were attempts from state sponsored actors to weaken encryption algorithms. But is encryption easy to crack? No.

        • SomeLemmyUser@discuss.tchncs.de
          link
          fedilink
          arrow-up
          0
          ·
          edit-2
          4 months ago

          Dude what encryption are you talking about? Hardware storage encryption is just by now getting more widely adapted, the phone I used till a year ago didn’t even support any encryption.

          Sure, aes-256 with secure password only stored in your mind is quasi 100℅ safe, but that is not how most devices handle their “encryption”.

          If the key for the encryption is on the device, and either stored in an unencrypted TPM or unencrypted storage, its not a matter if breaking the encryption (quite impossible) but breaking the software/hardware (quite possible for someone with good enough forensics and skilled programmers)

          Also also: encryption only helps if the device is off, which is seldom the case with phones.

          • ShortN0te@lemmy.ml
            link
            fedilink
            arrow-up
            0
            ·
            4 months ago

            Isn’t it an open secret that powerful entities (like spying institutions) can get into pretty much every system if they have physical access? Why is this not plausible

            You stated in your original comment: “pretty much every system”. So no, any modern phone if android or iOS is by default encrypted.

            If the key for the encryption is on the device, and either stored in an unencrypted TPM or unencrypted storage, its not a matter if breaking the encryption (quite impossible) but breaking the software/hardware (quite possible for someone with good enough forensics and skilled programmers)

            TPMs are by design encrypted.

            Keys are not stored unencrypted at least not when you encrypt your storage with modern solutions and set it up reasonably. You use either your TPM to store the key or store it on the drive and have it encrypted by itself or use a KDF.

            Also also: encryption only helps if the device is off, which is seldom the case with phones.

            No this assumption is wrong. You still would need to circumvent the Login into the device which is mostly secured by a pin or password or biometrics.

            • SomeLemmyUser@discuss.tchncs.de
              link
              fedilink
              arrow-up
              1
              arrow-down
              2
              ·
              4 months ago

              If you think TPMs are always encrypted, a key can be encrypted “with itself” and still be any use to you and android system pin is secure you are right. Might also believe in santa

              • ShortN0te@lemmy.ml
                link
                fedilink
                arrow-up
                1
                ·
                4 months ago

                If you think TPMs are always encrypted, a key can be encrypted “with itself” and still be any use to you and android system pin is secure you are right. Might also believe in santa

                Not sure what you are rambling about the TPM.

                Then prove that the Lockscreen is insecure.