guardianproject/haven

How would you bypass Haven?

Open

#171 opened on Dec 31, 2017

View on GitHub
 (8 comments) (2 reactions) (0 assignees)Java (6,509 stars) (747 forks)batch import
help wantedhigh-priorityquestion

Description

As a companion to #62 ("What, if anything, can we do, to combat evil uses of Haven?"), I think there may be some value in considering/brainstorming practical attacks on Haven-equipped devices. Doing so may lead to refinements in the program's operation or design to improve its effectiveness.

So you're an evil maid. It's 3 am. While your target is out all night drinking, their laptop is in back in the hotel room on a desk, closed. A plugged-in phone, older model, is resting there on the shut lid. The phone is attached to the wall via a microUSB cable. You strongly suspect it's running Haven, and that it's running with all sensors and features enabled.

You do not have the phone # of the Haven device or any info about its SIM card (if it has one) or software running (including Android version, though you can assume latest stock) or any accounts that may be logged in. But you DO have access to the hotel wifi network.

You want to image the laptop and modify the hardware before the owner returns in 5 hours. The goal is to NOT warn the owner that anything untoward happened. You do not want them to receive any texts, SMS, or other notifications during the attack. Nor do you want to leave any physical or digital evidence, including pictures, sounds, warnings, logs, notifications, or scorch marks on the Haven device when the target returns. They should have no clue you were ever there.

Hmmm

What do you do?

Let's say you're unable to completely take out the local wifi for the whole hotel (...but maybe you can jam it for just a few seconds-- it might be interesting to think about how Haven might behave then... should it log connectivity dropouts or failed connections for example? Should it expect some kind of unspoofable confirmation that the notification SMS/SIgnal message has been received?)

If you can think of an attack, what might Haven developers or the device owner need to do to counter it? Is there a software solution? Is there a placement of the Haven device that might make it less (or more) vulnerable?

I'll start with some dumb ideas: 1. adb connect to the device IP to see if it was mistakenly left on to shut it off remotely (does Haven log & notify the owner on startup and shutdown?). 2. Maybe try a wifi exploit. 3. Magic EMP gun to reset only the phone while leaving the laptop intact and untouched. 4. Remove the haven device and replace it an identical Haven device.

Your turn. Stupid ideas are encouraged. Bonus points for somehow involving dry ice. File new issues as necessary.

Contributor guide

Tech stack
java
Domain
mobilesecurity
Issue type
research
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
mostly clear
Prerequisites
understanding of security conceptsfamiliarity with Haven
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
20
Research direction
This issue is a brainstorming discussion about potential attacks on Haven enabled devices. The discussion should consider practical attacks such as WiFi exploits, physical access, and device removal. Contributors should propose attack vectors and countermeasures, referencing the Haven app's architecture and sensor usage. The goal is to identify software or physical defenses. No specific code changes are proposed; this is a design exploration.