Physical security

I feel like there isn’t much emphasis on physical security. Here are a couple of things I can think of:

  1. Protection against phone snatching: if a phone is snatched while texting, for example, all encryption and hardening of security features are rendered useless
  2. Shoulder-surf: buy a private screen protector, turn on pin shuffle
  3. Disable biometric unlock when going outside
  4. Use dummy guest account to create deniability

What are your suggestions for enhancing physical security? Especially for phone snatching.

Related: Physical security - GrapheneOS Discussion Forum

  1. Use app PIN/biometric authentication to limit risk
  2. In addition to disabling biometric, you can also enable auto reboot.

Also be aware of an upstream bug that occasionally causes the fingerprint sensor to appear even while it is disabled for screen unlock. It happens in secondary profiles only, not the main one. I've seen this pop up and so have other users.


Kingston lock should also be recommended. It can be a life saver in situations like this:


Cool product, not sure if this is in-scope or not.

In the topic of physical security, tracking detection should also be added:

And for people with higher threat models, maybe basic information on how to detect Bugging devices and trackers.

In the GOS discussion thread I attached, Privacy Lock was mentioned.

Any similar programs to it but for desktop?

I’ll second “Private Lock” for phones. It’s an unobtrusive application, and can be configured to lock down the phone in case of a physical shock. I.e., with the phone in my pocket, it’s configured to unlock with the less secure fingerprint unlock. However, in case of a physical shock / struggle / dropping the phone, it reverts to the more secure PIN screen, like when the phone has just rebooted. It’s a great balance of usability and security. No need to have the phone auto reboot every few hours, as I’ve seen some discussions about here.

In terms of a desktop equivalent, I recommend USB Kill (GitHub - hephaest0s/usbkill: « usbkill » is an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer.). It’s a small Linux application that monitors USB ports for any changes, and flushes encryption keys and shuts down the computer when a change is detected.

Your own threat model will determine how you implement it, but for me, I have it configured to run when my screensaver kicks in. Any USB devices inserted or removed when the screen is locked will result in the system flushing keys and shutting down in seconds.

You can add the script to rc.local to have it running constantly, but that’s a bit too aggressive for my needs. With Debian, I’m able to invoke it only when the screen is locked and that suits my threat model fine. You can whitelist certain devices and configure it to your needs, hopefully find the right balance for your own model.

Not sure if there’s a Windows equivalent, but sure there must be something similar.

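The core of the USB kill-switch approach described in the post above (snapshot the USB bus, poll it, and trigger a kill action on any unexpected insert or removal, with a whitelist of tolerated device IDs) in a small Python script. This is an added example written for this thread; it is not the usbkill project's code. It assumes device enumeration by parsing `lsusb` output, a kill action of `sync` followed by `shutdown -h now`, and a whitelist keyed by `vendor:product` ID; the `lsusb` lines embedded below are constructed sample data, not a capture from a real machine.

```python
"""usbkill-style USB change monitor (added example; not the usbkill project's code).

Assumptions: devices are enumerated by parsing `lsusb`; the kill action is
`sync` then `shutdown -h now`; whitelisting is by vendor:product ID.
"""
import re
import subprocess
import sys
import time

# One lsusb line looks like:
#   Bus 001 Device 002: ID 046d:c52b Logitech, Inc. Unifying Receiver
LSUSB_RE = re.compile(r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-f]{4}:[0-9a-f]{4})", re.I)

# Constructed sample output (not captured from a real host).
BASELINE_LSUSB = """\
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 002: ID 046d:c52b Logitech, Inc. Unifying Receiver
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
"""
AFTER_INSERT_LSUSB = BASELINE_LSUSB + "Bus 001 Device 005: ID 0781:5583 SanDisk Corp. Ultra Fit\n"

KILL_COMMANDS = [["sync"], ["shutdown", "-h", "now"]]


def parse_lsusb(output):
    """Return the set of (bus, device, vid:pid) tuples present in lsusb output."""
    devices = set()
    for line in output.splitlines():
        m = LSUSB_RE.match(line.strip())
        if m:
            devices.add((m.group(1), m.group(2), m.group(3).lower()))
    return devices


def detect_change(baseline, current, whitelist=frozenset()):
    """List (event, device) pairs for devices removed from or added to the bus.

    Devices whose vid:pid is whitelisted are ignored. A device that is unplugged
    and re-plugged gets a new device number, so it shows up as removed + added,
    which is the behaviour a kill-switch wants.
    """
    events = []
    for dev in sorted(baseline - current):
        if dev[2] not in whitelist:
            events.append(("removed", dev))
    for dev in sorted(current - baseline):
        if dev[2] not in whitelist:
            events.append(("added", dev))
    return events


def current_devices():
    """Snapshot the USB bus by running lsusb (requires usbutils)."""
    out = subprocess.run(["lsusb"], capture_output=True, text=True, check=True).stdout
    return parse_lsusb(out)


def kill(dry_run=True):
    """Run the kill action. Returns the commands so a dry run can be inspected.

    A real deployment would add a key-flush step here before shutdown
    (for example suspending the LUKS volume); that is left out so the
    script has no dependency on a specific disk layout.
    """
    if not dry_run:
        for cmd in KILL_COMMANDS:
            subprocess.run(cmd, check=False)
    return KILL_COMMANDS


def monitor(whitelist=frozenset(), interval=0.25, dry_run=True, poll=current_devices):
    """Poll until the bus differs from the startup snapshot, then kill.

    Returns the triggering events so the caller (or a test) can see why it fired.
    """
    baseline = poll()
    while True:
        time.sleep(interval)
        events = detect_change(baseline, poll(), whitelist)
        if events:
            kill(dry_run)
            return events


if __name__ == "__main__":
    # Arm for real only when explicitly asked; default is a dry run that prints.
    armed = "--armed" in sys.argv
    fired = monitor(dry_run=not armed)
    for event, dev in fired:
        print(f"{event}: bus {dev[0]} device {dev[1]} id {dev[2]}")
```

Run it as `python3 usbmon.py` to watch it fire in dry-run mode, and `sudo python3 usbmon.py --armed` for the real thing. To get the "only while the screen is locked" behaviour from the post, start it from whatever hook your screen locker offers and kill the process on unlock, rather than from rc.local. Whitelist by `vendor:product` only for devices you are prepared to have swapped for a look-alike; the whitelist check is on the ID string, so a hostile device presenting the same IDs would pass.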

It looks like Private Lock hasn’t been updated since 2019, most likely won’t be adding anything that’s not currently supported. Had someone test it and it doesn’t work properly on Android 13.

Fair enough, I’m just sharing my experience with Private Lock on Graphene OS and a Pixel 7, which works fine. I’m surprised it’s not been updated or forked, as it’s a very good concept and works well on GOS / Pixel 7 - although as you say, it’s currently not being updated and doesn’t work on Android 13 (and likely other OS / hardware combos).