Imagine the following day-to-day situation…
You are on a train on your way to work. When the train arrives at your station, you get off. As the train pulls away, you realize that you left your bag at your seat.
These or similar situations happen every day and may have happened to some of us.
With the loss of your bag comes a loss of both material and non-material value.
However, due to the ever-increasing integration of digital devices into everyday life, it is very likely that there is another cause of damage:
The damage due to loss of data!
Your bag may contain your personal or business laptop, tablet, smartphone, USB stick or any other item holding digital information. Each of these may contain sensitive data: vacation photos, chat histories, browser data, emails, documents and much more.
With the loss of your bag, this data can potentially be seen, or even misused, by anyone. It is important to note that this is not necessarily a targeted attack against you as the owner of the bag. A random finder of your bag might simply take a look at the stored data out of sheer interest. The impact of such data access can range from minor disruption to the leak of confidential business data.
In recent years, there have been increasing reports of data loss in companies due to stolen or lost devices. Unfortunately, only limited statistics are available, so no rigorous scientific evaluation can be carried out. Nevertheless, the trend matches expectations, since the number of digital devices is rapidly increasing.
Since device loss cannot be prevented with complete certainty, companies as well as individuals must address how to protect data in the event that a device is lost. Specifically, it must be ensured that data can only be accessed by the authorized individual, even if a potential attacker gains physical access to the device.
What can we do?
User passwords on computers or user PINs on smartphones are already widely used solutions for protecting data from access by unauthorized persons. This type of security measure ensures that when the device is switched on, a login must take place before access is granted to the stored data and the device’s functions. In this way, a user can protect himself from prying eyes if the device is unattended for a short time.
However, if an attacker has undisturbed physical access to a device, it is still possible to view or modify the data stored on that device. Technically, a user password or user PIN is a protective measure in which the installed operating system restricts access to the stored data. This measure can be circumvented by starting a different operating system or by removing the hard drive and reading it on another computer.
It should be noted at this point that a user password or user PIN is by no means a superfluous security measure, but merely protects against a different attack scenario.
At first glance, booting another operating system may sound technically complex. In practice, it can be done by lay users within a very short time without any special tools. Appropriate instructions can be found easily after a short search on the Internet.
For the situation described in this article, this means that it is very likely that a random finder, even one without a technical background, will try to extract the information on the device.
Given the small amount of effort involved, it is quite realistic that this finder has no criminal intentions at all but simply wants to look at the stored data out of curiosity or in order to find out who owns the device. But information found by chance could arouse other desires.
In the following articles, we will look at how you and companies can protect the data on mobile devices in the event of a device loss. We will look at the technical challenges and present methods and tools that can be used to protect your devices and data.
In the first part, we introduced the risks that can arise for the data on mobile devices if the devices are lost or stolen. We found that reading out the data is generally not a problem for anyone, even someone with little IT knowledge. Mistakenly, it is often assumed that user passwords protect against this.
To understand why they do not, we need to look at how the authorization system of an operating system works. Imagine an archive of documents. Since some documents are sensitive, each document has a label indicating who is allowed to read it. When a visitor wants to read a document, he contacts the archivist and presents his ID card to prove his identity. Once the archivist has checked the identity, he checks the label on the document to find out whether the visitor is authorized to read it and, if so, hands over the document.
The situation with computers is comparable: in addition to the actual data, each file and folder carries an attribute that specifies which users are allowed to open it. To identify a physical person as a specific digital user, a user password is used, which only the owner knows. Once a user is logged in, he can attempt to open a file or folder; based on the attribute specifying the permitted users, the operation is carried out or denied.
If we look back at our analogy with the archive, we see that security is entirely dependent on the archivist. This person must be trustworthy and must adhere to the specifications of the label. The documents themselves are not physically protected, for example by being locked away.
And this is exactly the problem with user passwords. They are just there to allow the operating system to associate a physical person with a digital user. The security of the files now depends on whether the operating system allows access or not. The password itself does not protect a file but only the identity of a digital user!
But what happens if we bypass the archivist in our example by walking past him in an unnoticed moment? Well, we simply take the documents out of the rack and ignore the labels. And this is exactly what can be done in the technical field as well: we do not have to request the data from the installed operating system if we bypass that operating system. Just like the labels in the archive, the attributes can simply be ignored, and the data can be viewed.
To achieve this, it is sufficient either to plug the hard disk into any other computer or to boot another operating system on the computer, stored on a USB drive for example. Back to our original scenario: if you lose a mobile device or it is stolen, a third person only has to use one of these two possibilities to gain access to the stored data within a few minutes, if only a user password is in place.
So how do you protect yourself from this? In our analogy, the answer is simple: the archivist must lock the documents away, and no one else may have a key. Even if we managed to bypass the archivist, we would stand in front of a locked door protecting the secret documents. This way, the archivist can make sure that we only receive the documents we are allowed to see.
And that’s exactly the solution in the digital domain: we have to lock the files away when the operating system is not started. This way, the access control can no longer be bypassed if third parties want to gain access to the stored data.
In the technical realm, “locking away” is implemented through encryption. Data is not simply stored on the hard disk but is transformed beforehand by mathematical methods in such a way that a key is required to restore the original state. Since this key is only passed to the installed operating system when it starts, it is not possible to read the actual data via another computer or operating system. This protects us from third parties being able to read the stored data.
So, a user password only helps to connect a physical person with a digital user, but it does not protect the data itself. To protect ourselves from data access by third parties, it is necessary that we encrypt our data and only pass the key for decryption to the operating system at startup. This ensures that the operating system’s own authorization management can take effect.
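The two mechanisms described above (the operating system's label check that a second operating system can skip, and encryption at rest that survives such a bypass) can be modelled in a few lines. The following script is an added example and not code from the original article. It simulates a disk as a store of labelled objects, reads it once through the "archivist" and once directly, and compares the result with and without encryption. The cipher is a constructed illustration (an HMAC-SHA256 keystream XORed with the data) chosen only so that the script runs with the standard library; the store class, user names and sample data are assumptions for the demo, and a real system would rely on a vetted cipher such as AES-GCM or on platform full-disk encryption.

```python
import hmac
import hashlib
import secrets

# Constructed sample data standing in for a confidential business document.
SECRET = b"quarterly figures: revenue 1.2M, margin 18%"


class AccessControlledStore:
    """Models the operating system's authorization layer (the archivist).

    Each stored object carries a label (the owning user) next to its bytes.
    read() checks the label; raw_bytes() models what a second operating
    system or another computer sees when it reads the disk directly: the
    same bytes, with the labels ignored.
    """

    def __init__(self):
        self._objects = {}  # name -> (owner_label, stored_bytes)

    def write(self, owner, name, data):
        self._objects[name] = (owner, bytes(data))

    def read(self, user, name):
        owner, data = self._objects[name]
        if user != owner:
            raise PermissionError(f"{user!r} may not read {name!r}")
        return data

    def raw_bytes(self, name):
        return self._objects[name][1]


def _keystream(key, nonce, length):
    """Derive `length` pseudo-random bytes from key and nonce (toy construction)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    """Return nonce || ciphertext with a fresh random nonce per call."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key, blob):
    nonce, ciphertext = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def _run(store, authorized_read):
    """Returns (authorized_read_ok, other_user_denied, leaked_via_direct_read)."""
    try:
        store.read("finder", "report.txt")  # the archivist refuses...
        denied = False
    except PermissionError:
        denied = True
    # ...but a direct read of the disk skips the archivist entirely.
    leaked = SECRET in store.raw_bytes("report.txt")
    return authorized_read == SECRET, denied, leaked


def scenario_password_only():
    """Only the OS label guards the file: the bytes on disk are the plaintext."""
    store = AccessControlledStore()
    store.write("alice", "report.txt", SECRET)
    return _run(store, store.read("alice", "report.txt"))


def scenario_encrypted():
    """The file is encrypted before it reaches the disk; only the running OS
    holds the key (in practice unlocked at boot from the user's secret)."""
    key = secrets.token_bytes(32)
    store = AccessControlledStore()
    store.write("alice", "report.txt", encrypt(key, SECRET))
    return _run(store, decrypt(key, store.read("alice", "report.txt")))


if __name__ == "__main__":
    print("password only (authorized ok, denied, leaked):", scenario_password_only())
    print("encrypted     (authorized ok, denied, leaked):", scenario_encrypted())
```

In both scenarios the legitimate user reads the document and the other user is refused by the label check; the difference shows up only in the third value, where the direct read of the stored bytes yields the plaintext in the password-only case and nothing usable once the data was encrypted before being written.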
In the next articles in this series, we’ll put this theory into practice. We will take a look at which programs can realize this encryption. We will also look at the advantages and disadvantages of the programs and what effects the use of encryption technology has on the user experience.
The next part will be released on September 22, 2022!