BurnBox Makes Hidden Files Look Like You’ve Deleted Them

Credit to Author: Louise Matsakis| Date: Tue, 31 Jul 2018 11:00:00 +0000

Imagine you're a human rights activist, pulling up to a border crossing. The on-duty customs agent requests that you hand over your phone and unlock it, without a warrant—an increasingly common practice for US Customs and Border Protection.

Your phone holds sensitive photographs documenting abuses abroad, but the agent can't find them. At most, he might notice that you've deleted some files recently. Once you're back on your way, you immediately call a colleague, who provides you with a special passcode. You then open your phone, enter the code into an app, and the photos you "deleted" have returned to the same cloud-storage folder where you last saw them.

That's the scenario enabled by BurnBox, a new prototype designed by researchers from Cornell University, Cornell Tech, and the University of Illinois Urbana-Champaign, which will be presented at the USENIX Security conference next month. Designed to work on top of existing cloud storage services like Dropbox, BurnBox is a form of what the researchers call "self-revocable encryption," which allows users to temporarily revoke access to some content on their device. While BurnBox is not a commercially available product and far from foolproof, it's a glimpse at how journalists, dissidents, and others who carry sensitive data might deal with situations like border crossings in the future.

"The basic idea of BurnBox is dealing with what happens when we are forced to give up access to our personal data," says Ian Miers, one of the coauthors of the paper and a postdoc at Cornell Tech. "You're dealing with a setting where not only does someone have access to your files and the key. In this setting, they have your actual computer and they have everything you've done with it."

BurnBox works essentially by making encrypted files whose keys have been revoked look indistinguishable from deleted ones, at least to a border crossing agent or similar adversary. In a fully working version, users would need to restart or turn off their device right before they cross, in order to wipe any relevant metadata from its memory. The key used to regain access to the files needs to be stored somewhere else entirely, like at home or with a trusted friend. The technology behind BurnBox theoretically can work on both mobiles phones and other devices like laptops.

"BurnBox is just one piece of this puzzle of a whole ecosystem of apps."

Nirvan Tyagi, Cornell University

You could also use BurnBox simply to delete files more securely. As the researchers point out, some cloud storage services have experienced problems in the past that prevented them from fully deleting items, and they also may be subject to government surveillance. Last year, for example, Dropbox acknowledged it suffered from a now-fixed bug that prevented some files and folders from being fully deleted from its services for years.

The technology behind BurnBox has a number of limitations, many of which have to do with how operating systems and the applications they run work. Revoking access to a file or deleting it does not, in many circumstances, also remove the associated metadata, like file size, when it was last accessed, and its name. That kind of information can be telling, especially in a high-stakes situation like crossing a border. An incriminating file name or an indication that something was recently deleted could raise the suspicions of a customs agent.

Miers likens the problem to a craft project. "You can clean up the things you actually made, but the glitter gets everywhere, it gets all over the place, and operating systems are not good at cleaning it up," he says.

For BurnBox to work fully as intended, operating systems and applications would likely need to be reimagined with stronger privacy protections. "BurnBox is just one piece of this puzzle of a whole ecosystem of apps," says Nirvan Tyagi, a PhD candidate at Cornell University and the lead author on the paper. "Here is this problem and we have a solution to one part of it."

Absent that broader buy-in, BurnBox would help most against someone going through your phone by hand, rather than a full forensic analysis. Although the mere presence of BurnBox on a device might raise the suspicions of a border control agent or similar adversary. In the current version, nothing conceals its existence, though a fully developed version could hide inside, say, inside a calculator app.

For now, the researchers have only developed a way for BurnBox to work for a single client. You couldn't use it on a Dropbox folder synced between multiple devices. "We have to have this model where you have two different devices and they keep in-sync about what's deleted and what's not," says Miers, but that poses technical hurdles that the team has not yet overcome.

At least one company has already launched a BurnBox-type product: password manager 1Password. Last year, the company released Travel Mode, a feature which allows users to temporarily remove sensitive passwords from their device and then reinstate them later when they've crossed the border. The feature is technologically different and less sophisticated, but it addresses similar kinds of threats.

"A lot of the ideas behind it are certainly usable," Jeffrey Goldberg, a security architect at 1Password, says of BurnBox. "I’m not going to rule out that we would try to build on it. On the other hand, we’re fairly happy with Travel Mode and its current threat model."

One difference between Travel Mode and BurnBox is where the keys to regain the data are located. A savvy border agent could simply compel you to open a browser, log into your 1Password account and turn Travel Mode off. BurnBox requires that you store the key to regain access to your revoked files somewhere not on your person as an added layer of security.

"A lot of the ideas behind it are certainly usable."

Jeffrey Goldberg, 1Password

A serious issue with BurnBox, Travel Mode, and other tools like them is that deceiving border officials can have serious consequences. If a sophisticated law enforcement official detects that you're lying in some way, it's possible you might get charged with obstructing justice or another crime. In the United Kingdom last year, the director of an activist organization was convicted of willfully obstructing justice after he refused to decrypt his phone and laptop, for example.

The researchers behind BurnBox, however, have considered some of these issues. They designed their system so that users wouldn't have to lie directly; they can honestly say that there's no way to regain access to a revoked file while in custody, since the key is meant to be stored in a safe place. Still, if the application were to be fully developed, it could raise a number of legal issues for those who use it. For now, BurnBox remains a cryptographic feat, but not yet a full security solution.

https://www.wired.com/category/security/feed/