Data Hiding at the Airport
According to the EFF blog, customs has taken to randomly searching electronic devices for suspicious data. It is somewhat mysterious what they are searching them for — given only a few minutes and a technically unskilled border guard doing the searching, it’s hard to imagine them actually finding anything better hidden than a file on the desktop labeled “terroristic threats.doc” and a hyperlink to the Al-Qaeda Homepage.
Thus, from a security perspective, this just isn’t a good idea. There’s a large tradeoff in inconvenience, delay, and civil liberties violation for a minuscule increase in security. However, it does get me thinking about an interesting problem — how does one hide data from people inclined to search your electronic devices for it?
A legal search is a totally different kind of threat from a hacker attack. With a hacker attack, you simply have to keep them out of the data — with a legal attack, you have to hide the existence of the data, as the legal system has at its disposal an additional channel for getting the data — they can subpoena it and demand you disable any protective measures and hand over the data. Thus, encryption — the primary defense against data disclosure to hackers — is of limited use against a legal attack. (And note that a “legal attack” doesn’t just mean law enforcement or other rightful authorities — it also means attack via lawsuit. Abuse of the legal system is not limited to the political administration — competitors and other adversaries can and do use the legal system to get at things they shouldn’t have. In other words, this information isn’t of value only to criminals — there are a lot of perfectly legitimate reasons to hide data.)
The EFF points out a few possible ways of avoiding scrutiny from customs:
- Create multiple accounts on the machine, and just log in with an account with nothing sensitive in it when asked to log in. This is basically taking advantage of the lack of technical expertise on the part of the searcher.
- Take only the data you need on the trip — just minimize what there is to find. This is a good idea anyway, but probably unsatisfactory if you are carrying, say, diplomatic communications.
- Bring no data at all, and when you arrive at your destination, retrieve the information via VPN. Before flying back, VPN the data back and delete it.
- For sensitive business communications, have the data encrypted by someone else who provides the key only when you arrive at your destination. This would work to protect the data, but it also means that, being unable to comply with an order to reveal the data, you may just have to miss your flight.
I have two more that they didn’t mention:
- Encrypt the data onto something that is not an “electronic device” subject to search, like a CD-ROM, USB key, or whatever. It no longer falls under the search provision. Obviously it could be searched if you were actually arrested or sued, but it gets around this particular issue.
- Use TrueCrypt Hidden Volumes. Merely hiding an encrypted file on a disk will not hide it from a skilled attacker, because cryptographic data is distinctive. Statistically, it has a uniform distribution, which makes it look unlike any other kind of data except white noise (random numbers). Essentially, it looks so bland and generic that it stands out — because no real data is so completely devoid of structure. Since nobody keeps a hard disk full of random noise files, if one exists, it must be encrypted data — which means you can be subpoenaed for the key. TrueCrypt’s hidden volume feature gets around this in a novel way, which I’ll discuss below.
Hidden volumes take advantage of the similarity between random noise & encrypted files. A section of disk is reserved for an encrypted virtual disk. When this is created, it is filled with random noise, which is replaced by encrypted data as needed. The trick is that you can create another encrypted virtual disk inside the first one. So long as some data is in the “outer” volume (as no one would have a huge encrypted file on their hard drive with nothing in it — it’s not plausible), there is no evidence that the “inner” volume even exists unless you have the key. The inner volume’s encrypted data blends into the outer volume’s white noise. Thus, you put slightly-secret data in the outer volume, and really-secret data in the inner volume. When asked to reveal the key, you reveal the key to the outer volume only, and have plausible deniability of the inner volume’s existence.
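An added example (not from the original post or from TrueCrypt) that models the two claims above: ordinary files and ciphertext are statistically distinguishable, but an inner volume written into the random fill of an outer volume is not. It substitutes a toy SHA-256 counter-mode keystream for TrueCrypt's real cipher and assumes the inner volume sits in the free space at the end of the outer container; the sample text and key are constructed.

```python
import hashlib
import math
import os
from collections import Counter

# Constructed sample inputs (not from the post): ordinary text and a toy key.
SAMPLE_PLAINTEXT = b"Meeting notes: the shipment leaves on Tuesday at nine. " * 1200
TOY_KEY = b"illustration-only-key"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally likely."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chi_square_uniform(data: bytes) -> float:
    """Chi-square of the byte histogram against a uniform distribution (255 dof)."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def looks_like_ciphertext(data: bytes) -> bool:
    """Examiner's heuristic: near-maximal entropy and a histogram consistent with
    uniform bytes (255 dof has mean 255, std ~22.6; 400 is far outside that)."""
    return shannon_entropy(data) > 7.9 and chi_square_uniform(data) < 400

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (assumption, not TrueCrypt's): SHA-256 keystream in
    counter mode XORed with the data. Symmetric, so it also decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def build_outer_volume(size: int, inner_ciphertext: bytes) -> bytes:
    """Model of a hidden volume: the outer container starts as random fill and
    the inner volume's ciphertext occupies the free space at its end."""
    return os.urandom(size - len(inner_ciphertext)) + inner_ciphertext

def suspicious_chunks(volume: bytes, chunk: int = 65536) -> list:
    """Offsets of chunks that do not look like random fill. With a hidden volume
    this is empty: the statistics reveal nothing about where the inner volume is."""
    return [i for i in range(0, len(volume), chunk)
            if not looks_like_ciphertext(volume[i:i + chunk])]
```

Appending a chunk of plain text to the container shows the contrast: that region is flagged immediately, while the region holding the inner volume never is.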
As with any countermeasure, though, there are limits. If you’re hiding from the NSA or some foreign government’s equivalent, just putting a couple TrueCrypt volumes on your laptop’s hard disk will not do the job. The problem is that the operating system and the applications you use may leave traces that reveal the existence of the inner volume (e.g. Word’s file history notes that you opened a file on Drive F:, when your laptop doesn’t have an F:…). For extremely sensitive data, it would be necessary to not only put it in a hidden inner volume, but also to only ever access that inner volume from an ephemeral operating system (e.g. a LiveCD, or an OS you boot off a USB key and load into a RAMdisk). If the OS you use never makes any changes to the disk outside the encrypted volume, evidence of the volume remains hidden. You would of course want a normal OS and outer volume to be present and used, for plausible deniability to be present (as, once again, it’s not reasonable to have a laptop with only random noise on the hard drive). You would also want to access the outer volume with the laptop’s native OS after any session in which you accessed the inner volume (as otherwise the access date on the encrypted file could be newer than the last boot date on the OS, once again leaving a breadcrumb trail).
And all this makes me wonder once again what the government plans to get out of casually searching the data on laptop hard disks. The only people whose data will be discovered are those with nothing to hide.

Very interesting article. I am using TrueCrypt for encrypting; I think it's the best freeware program (and open source) that does a very hard job.
After reading this post I thought about the reasoning behind randomly scanning for information. It's obvious that the chance of ever finding suspicious data is significantly low; however, it provides a great front for a good way to search a device that, given its mobility, most likely has connectivity or internet capability. Most people know about the ominous “big brother” rumors, yet this random scanning can provide a great way for the system to show how it “actually” gets its information. Arrest a suspect here, throw a few threads in the news there, all with reference to how a middle-class working American found plans to destroy the American dream on a Palm Pilot at LAX, when the REAL data comes from network intrusions, snooping software, and Virtual Private Networks that the government can scan at will from miles away.