from Hacker News

Cell Phone OPSEC for Border Crossings

by sipofwater on 4/2/25, 11:29 AM with 36 comments

  • by yamrzou on 4/5/25, 9:38 AM

    GrapheneOS offers good OPSEC against Cellebrite: https://discuss.grapheneos.org/d/14344-cellebrite-premium-ju...

    This comment, at the end of the thread, is particularly interesting:

    > My Pixel 6 was confiscated by the German police after a political rally. I was recently able to pick it up again. From an inquiry with my lawyer, the following emerged: The authorities tried to read the device with both UFED4PC and Cellebrite Premium Touch. In addition, software from other forensic providers was used without success. The software did not succeed in breaking the system. The device was in BFU mode and had a 30-digit PIN. USB port was deactivated. As of March 2025, I can therefore say that it is not possible for Cellebrite to break a secured GrapheneOS.

  • by dhsysusbsjsi on 4/5/25, 8:53 AM

    If you have a modern iPhone and don’t want the crazy hacks, a very very simple but effective tip is to power off your iPhone when exiting the aircraft. When the device powers up it is in “before first unlock” mode and is severely restricted in what it can do. The attack surface area is significantly reduced. They’re not going to burn one of their $100,000 per install exploits on your BFU phone the same way they do with a full physical access unlocked paid exploit.

    Also lockdown mode to reduce attack surface area.

  • by mvdwoord on 4/5/25, 9:05 AM

    This kind of article makes me sad, as why should we live in a world where we (or at least some people) need to even think about this... Maybe I woke up this morning in a foul mood, but honestly, the idea of even having to think about burner phones and "opsec" for traveling (or even just living) depresses me to the point where I will probably not do it at all, and if things go sour, I just accept my fate. Similar to the prepping advice currently given by the scaremongering news in the EU... (Have water, and an emergency radio!!).

    Anyone else feel like this? I simply do not have any desire to live in a world where this kind of behavior is required.

  • by actionfromafar on 4/2/25, 11:36 AM

    Another take is to nurture a "tamagotchi" or "pet" phone (iPhone) at home, with some innocuous memes, following sports accounts and such. Bring that when crossing any border. Leave the "real" or "business" phone at home at all times. Of course, it's not a realistic solution for many people.

    Bringing anything non-standard can be misinterpreted as, or worse, construed as something malicious.

    The problem with an empty "burner phone" is that it can also look suspicious. Even if you have a receipt with you, they may wonder why you bought a new phone just for the trip. Lockdown mode seems even more suspicious.

    Just don't stick out is unfortunately probably the best answer.

  • by j16sdiz on 4/5/25, 7:53 AM

    > Does resetting a phone to factory defaults erase data, or is it still recoverable?

    This is an easy one.

    Both iOS and Android do the same thing -- the filesystem is always encrypted, factory reset discards the decryption key.

    On macOS and Windows, that's encryption by default. (Yes, BitLocker is the default now.)

    This is pretty standard nowadays.

    Linux, otoh, doesn't usually do the encryption.

  • by decimalenough on 4/5/25, 9:09 AM

    I think the question and the answer conflate two very different threat models.

    Back in the day, everything of interest was on the device, and to be search-resistant, it was necessary to encrypt and hide it well. And most answers still seem to assume this is the case.

    Nowadays, though, almost everything of interest is stored in the cloud and what the cops/CBP/three-letter agencies want is the credentials to access those. Sure, you can make their life a bit harder by logging out of everything, so access is not completely trivial, but they can still stick you in detention (or worse) until you cough up your passwords, regardless of what is or is not on your device. And the only way around this is to never show up on their radar in the first place.

  • by 1oooqooq on 4/5/25, 11:19 AM

    The normalization of "in Soviet Russia" jokes. What a sorry state we live in.

  • by vanschelven on 4/2/25, 11:42 AM

    The (sad) answer would seem to be: if you don't understand it, don't attempt it.

    Given the authority of the author of the post, this approach would seem to be necessary for almost everybody.