GrapheneOS: Duress Pin/Password
43 points by davikr 5 days ago | 21 comments
  • garciansmith 4 days ago |
    Should be https://grapheneos.org/features#duress to get to the proper section.
    • mitchbob 4 days ago |
      The Duress PIN/Password section is

      https://grapheneos.org/features#duress

      HN automatically uses canonical links for submitted pages when it can find them, and when it does the # and what follows in submission URLs aren't included. So to provide the full URL, you need to include it in a comment.

  • yndoendo 4 days ago |
    For people that don't know.

    Duress PIN is a feature started by security systems. Entering the dress code would seam as if the security system was disabled while in the background it would contact the security company to send in the police.

    • rendaw 4 days ago |
      Maybe generally, but in this case it seems like it just wipes the device.
    • dtm987654123 4 days ago |
      I wonder if being able to block access to/hide specific apps, e.g. banking apps or whatever could be a good idea here?
  • rendaw 4 days ago |
    I've heard that duress pins/passwords and false roots and the like aren't actually helpful. IIRC the argument was that if they're familiar with your OS they're familiar with the duress pin capabilities.

    But even if that's the case, there's no way to tell if a duress pin was used, right? And if you're in a place with weak legal processes and they decide possibility=guilty, then the duress pin doesn't make things worse, right? I.e. if they wanted to do something to you, then "lack of evidence due to duress pin" is no different than just "lack of evidence" i.e. the pin at least doesn't make things worse...

    • stevefan1999 4 days ago |
      Simple, "if you try to enter the duress pin, you and your family and your friends, will be beaten to death, and I will make you watch them die one by one, unless you tell me the real pin, and then kill you next"

      Increasing the extreme and cruelty of violence. It always works. That also means the "investment" of each action will have higher stake, though.

      It is not an intimidating thought experiment, it is being used in the 2026 Iranian Protest by the IRGC

      • MemesAndBooze 4 days ago |
        Source?
      • rendaw 4 days ago |
        Okay I'm IRGC, and I think this guy has some information. So I threaten him. He gives me his PIN. I get into his device, and can't find the information.

        Did he wipe his device? Or did I get the wrong guy? I'm convinced he had the information, so whether he used the duress PIN or not I'm going to go through with the torture...

        Also, even if you're right, then that would mean that the duress PIN is useful in places that aren't Iran right? Like the US? Canada?

        • avra 4 days ago |
          Is the wiping functionality implemented so inconspicuously that you can't tell the device has been wiped?
          • rendaw 4 days ago |
            Well, it doesn't sound like it haha... AFAICT it just wipes it, so I assume you'd get a blank OS when you logged in? Or maybe it wipes it and just doesn't log in.

            Actually I just watched this video and it sounds like it actually says "Wrong PIN" before deleting the OS entirely. There's a comment https://www.youtube.com/watch?v=41xbhw8N7NE&lc=UgzwdYjkLuGIb...

            > could have simply unlocked the device without giving access to anything, and in the meantime, deleted everything. Instead, freezes up in a super obvious way and says it’s loading a different operating system; basically making it obvious that you’re trying to erase all the evidence

            A reply said

            > I've checked their forums, and I'm not really into their arguments against it.

            Now I'm curious... the GrapheneOS guy has strong opinions strongly held so I'm surprised he'd agree to half-implement something.

      • piaste 4 days ago |
        Even in that scenario, having the duress pin option does not make things worse. It's functionally equivalent to smashing the phone, just easier to do with one hand.

        i.e. whatever they do to you if you wiped the phone via duress PIN, they would already do to you if you managed to smash the phone.

      • dangus 4 days ago |
        It’s just an optional feature that could be used in a much less extreme situation.

        It could be used in a situation where that infinite escalation of violence isn’t likely to happen.

        E.g., a petty thief who says “gimme your pin”

        Once they have the phone unlocked they don’t care that it’s wiped.

      • rexpop 4 days ago |
        These kinds of threats should, really, only strengthen our resolve. After all, they clearly demonstrate the opposition's danger should they succeed.
  • wps 4 days ago |
    The main critique I’ve seen of the duress pin is that it causes undue trouble. The obvious counter argument is that if you genuinely have the need for a duress pin, it’s worth its weight in gold. If the severity of the charge or physical punishment (in countries without due process) would in any way be less by NOT having xyz data on your phone, then it’s helped. Say, the difference between 10 years for destruction of evidence and 80 years for espionage.
    • dangus 4 days ago |
      It also doesn’t have to be used against a government.
      • wps 4 days ago |
        For sure, but these LARP situations are mostly based on defending against a highly motivated and powerful entity like the government.

        But other situations like against thievery, domestic abuse, or brute force deterrent (ie: setting a simple duress code that is likely to be triggered, say 1111), it has the potential to work well.

        Graphene brings out some of the best of android. Profiles are first class citizens, private spaces within the owner profile (I think all profiles can have them now?), and app pinning are great.

      • microtonal 3 days ago |
        Even when used against a government, there are a lot of different gradations. E.g., my government is not very hostile, but people who get arrested at a demonstration might still want to erase their phone. There are some countries where someone is not required to give their PIN, but the police is allowed to investigate a phone if they can unlock it by other means (Cellebrite, face unlock, etc.).

        By the way, another way GrapheneOS protects against this is by allowing automatic reboot after a period without unlocking, which can be set to a very short period. This puts the phone in BFU (before first unlock), where fingerprint and face unlock do not work, and the phone is much harder to hack with tools like Cellebrite.

  • throawayonthe 4 days ago |
    uncropped link to the duress pin blurb: https://grapheneos.org/features#duress
  • Royce-CMR 3 days ago |
    If you need this, it’s a useful function.

    For me, a expanded duress feature would be unlocking into a fake home screen/instance where my banking apps or messenger apps are not available, but otherwise the phone works. Or even unlocking into a mostly empty phone.. but wiping the main instance in parallel.

    As someone who had their passport forcibly taken away while on foreign soil, when you are at the mercy of deranged people every option has its value. The key is to have those options… better than none at all.

  • metalman 3 days ago |
    Graphene sounds like a LOT of work. There is no pin or password on my phone, and no apps that access personal or financial info. Sign in every time.Ditched online banking, and subscribe only to web hosting. I am probably carrying a bunch of cash at any given time, and if ,as some have, there is a wrench(or hammer) waving in my face then that's just fine. Whats wrong with people?, stand up to the shit birds!, most people in desperate situations realy just want to be SEEN, and the cunning calculating types, wont risk a real fight. Perhaps I am spoiled, living in an area with the vestages of plain civilisation, but in any case I refuse to give into the FUD machine and more than other types of extortion.