GrapheneOS implements a destructive PIN code feature

One PIN to unlock the device, the other to wipe it clean – instantly.

The latest update of GrapheneOS, version 2024053100, has introduced an emergency data-wiping feature. Users can now set an additional password and PIN code, which, when entered, will erase all keys stored in hardware, including those used for drive encryption, clear the eSIM, and shut down the device.

This feature ensures that entering the designated PIN will irreversibly block access to all data when the user is under duress or if the device is at risk of falling into unauthorized hands.

Added support for setting a duress password and PIN for quickly wiping all hardware keystore keys including keys used as part of deriving the key encryption keys for disk encryption to make all OS data unrecoverable followed by wiping eSIMs and then shutting down.

GrapheneOS

In their own words, “GrapheneOS provides users with the ability to set a duress PIN/Password that will irreversibly wipe the device (along with any installed eSIMs) once entered anywhere where the device credentials are requested (on the lockscreen, along with any such prompt in the OS). The wipe does not require a reboot and cannot be interrupted.”

For individuals at risk, such as journalists, activists, or those living under oppressive regimes, this feature could be seen as a means for protecting sensitive information and ensuring personal safety.

However, wiping your GrapheneOS phone clean while under criminal investigation is unlikely to help much.

In some jurisdictions, deliberately destroying data relevant to legal investigations is a crime. The use of a duress PIN could lead to charges of obstruction of justice or destruction of evidence, particularly if it is employed during an active investigation. Legal authorities might interpret the use of this feature as an intentional effort to obstruct justice, especially if the erased data is critical to criminal cases or ongoing investigations.

What is GrapheneOS?

GrapheneOS is a security-focused mobile platform built on a modified version of the Android Open Source Project (AOSP). It is designed to enhance security and privacy and officially supports most current Google Pixel devices (Pixel 4/5/6/7/8, Pixel Fold, Pixel Tablet). The project’s code is distributed under the MIT license and includes numerous experimental technologies that improve application isolation and granular access control and mitigate common classes of vulnerabilities and exploits.

For instance, GrapheneOS ships a custom malloc implementation and a modified libc to guard against memory corruption, along with stricter separation of process address spaces. The Android Runtime uses only Ahead-Of-Time (AOT) compilation instead of Just-In-Time (JIT) compilation. The Linux kernel is hardened with additional protection mechanisms, such as canaries in the SLUB allocator to guard against buffer overflows.

Users can selectively grant individual applications access to network operations, sensors, address books, and peripheral devices like USB and cameras. By default, access to hardware identifiers such as IMEI, MAC addresses, and SIM card serial numbers is restricted.

Clipboard reading is limited to the application that currently has input focus. Additional measures isolate the Wi-Fi and Bluetooth processes, preventing data leaks from wireless activity. Many of these security improvements have since been integrated into the main Android codebase.

Many upstream changes in AOSP such as removing app access to low-level process, network, timing and profiling information originated in the GrapheneOS project.

GrapheneOS employs cryptographic verification of the components loaded at boot and file-based encryption on ext4 and f2fs. File contents are encrypted with AES-256-XTS and file names with AES-256-CTS, with HKDF-SHA512 deriving a unique key for each file. Encryption is applied to individual files rather than to the whole block device.

The system partition and each user profile are encrypted with distinct keys, using hardware acceleration where available. The lock screen includes an end-session button that, when pressed, discards the decryption keys and leaves the encrypted storage locked. There is also a setting to prevent the installation of new applications in selected user profiles. To guard against password guessing, the system imposes delays that grow with the number of failed attempts, ranging from 30 seconds to 1 day.
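The duress feature described at the top of the article and the per-file key derivation described just above rest on the same idea: data is never "erased", only the keys that reach it. The following Go program is an added example written for this page, not GrapheneOS or Android code, and it models that key hierarchy in software. A simulated hardware root key plus the credential derive the key-encryption key (KEK) that wraps a profile master key; HKDF-SHA512 derives a separate key for each file from that master key; and entering the duress PIN zeroizes the root key and "shuts down", after which every stored ciphertext is still there but nothing can unwrap it, not even the correct PIN. Assumptions: the keystore, the `profile-kek` and `file:` labels, the PINs and the file content are constructed for the example; AES-256-GCM stands in for the AES-256-XTS/CTS modes the article names because Go's standard library does not provide them; and the real Android/GrapheneOS key hierarchy has more layers than this model.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"crypto/subtle"
	"errors"
	"fmt"
)

// hkdfSHA512 is RFC 5869 HKDF with HMAC-SHA512 for outputs up to one hash length.
func hkdfSHA512(ikm, salt, info []byte, n int) []byte {
	ext := hmac.New(sha512.New, salt)
	ext.Write(ikm)
	exp := hmac.New(sha512.New, ext.Sum(nil))
	exp.Write(info)
	exp.Write([]byte{1})
	return exp.Sum(nil)[:n]
}

// AES-256-GCM with a 12-byte nonce prepended; a stand-in for XTS/CTS (assumption).
func seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return aead.Seal(nonce, nonce, plaintext, nil)
}

func open(key, blob []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	if len(blob) < 12 {
		return nil, errors.New("ciphertext missing or too short")
	}
	return aead.Open(nil, blob[:12], blob[12:], nil) // fails on a wrong key
}

// kek binds the key-encryption key to the hardware root key and the credential;
// without the root key no credential, correct or not, can rebuild it.
func kek(root []byte, pin string) []byte {
	return hkdfSHA512(root, []byte(pin), []byte("profile-kek"), 32)
}

// Device models one profile. root stands in for the hardware keystore key (constructed);
// the master key exists only wrapped under the KEK; each file has its own derived key.
type Device struct {
	root, wrappedMaster []byte
	files               map[string][]byte
	duressPIN           string
	off                 bool
}

func NewDevice(unlockPIN, duressPIN string) *Device {
	d := &Device{root: make([]byte, 32), files: map[string][]byte{}, duressPIN: duressPIN}
	master := make([]byte, 32)
	rand.Read(d.root)
	rand.Read(master)
	d.wrappedMaster = seal(kek(d.root, unlockPIN), master)
	return d
}

func (d *Device) WriteFile(master []byte, name string, content []byte) {
	d.files[name] = seal(hkdfSHA512(master, nil, []byte("file:"+name), 32), content)
}

func (d *Device) ReadFile(master []byte, name string) ([]byte, error) {
	return open(hkdfSHA512(master, nil, []byte("file:"+name), 32), d.files[name])
}

// EnterCredential is the lockscreen path. The duress PIN is matched first: it zeroizes
// the root key and shuts down. Any other PIN must unwrap the master key, which fails on
// a wrong PIN because the GCM tag does not verify.
func (d *Device) EnterCredential(pin string) ([]byte, error) {
	if d.off || d.root == nil {
		return nil, errors.New("device is shut down and its keystore wiped")
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(d.duressPIN)) == 1 {
		for i := range d.root {
			d.root[i] = 0
		}
		d.root, d.off = nil, true
		return nil, errors.New("duress PIN: hardware keys destroyed, shutting down")
	}
	return open(kek(d.root, pin), d.wrappedMaster)
}

func main() {
	d := NewDevice("1234", "9999")
	master, _ := d.EnterCredential("1234")
	d.WriteFile(master, "notes.txt", []byte("constructed sample content"))
	_, err := d.EnterCredential("9999") // duress: wipes the root key, shuts down
	fmt.Println(err)
}
```

The point for a defender is why the wipe is instantaneous and cannot be interrupted: nothing on storage is overwritten, so there is no long erase to abort. Destroying the 32-byte root key is enough, because every KEK, master key and per-file key sits below it in the derivation chain. The model also shows why a wrong PIN yields an error rather than garbage: the wrapped master key is authenticated, so a mis-derived KEK fails the tag check instead of silently producing a bogus key.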

GrapheneOS does not include Google applications and services or alternative implementations like microG. However, users can install Google Play services in a separate, isolated environment without special privileges. The project is also developing its own suite of applications focused on security and privacy. These include the Vanadium browser (based on Chromium), a modified WebView engine, a secure PDF viewer, a firewall, the Auditor app for device verification and intrusion detection, a privacy-focused camera app, and an encrypted backup system named Seedvault.

Note: After publishing, a small correction was made to clarify that the phone won’t be rebooted but shut down. Matchboxbananasynergy on Mastodon, a community manager for GrapheneOS, pointed this out.