Recording devices: how an attacker could know your password/passphrase

Dave
2019-07-02
2019-10-18
  • Dave

    Dave - 2019-07-02

    Hi

    I think the VeraCrypt documentation could advise users to switch off their computer's microphone when it's not needed and NEVER verbally reveal their password to others around recording devices e.g. Alexa, smart phones. Amazon has been known to secretly record private conversations from online Alexa devices - and I'm sure other 'smart' devices record your data and send it to a remote server; it has been known for smart televisions to also do this.

    If at any time you verbally reveal the VeraCrypt password in the vicinity of a smart device (and if the smart device secretly sends this data to a remote server), it may be possible for the attacker to gain access to this data in future.

     

    Last edit: Dave 2019-07-02
  • Kurt Fitzner

    Kurt Fitzner - 2019-07-04

    NEVER verbally reveal their password to others around recording devices e.g. Alexa, smart phones

    Fair enough, but if you ask me, anyone who is careful and smart enough to use VeraCrypt and then decides to even own a device like this deserves what they get. A note in the documentation is not going to save people from this.

     
    • Dave

      Dave - 2019-07-04

      Fair enough, but if you ask me, anyone who is careful and smart enough to use VeraCrypt and then decides to even own a device like this deserves what they get. A note in the documentation is not going to save people from this.

      Such devices are very common. Not everyone will know this. Never assume that people know things that appear obvious. Anything (like this) that can undermine VeraCrypt security is worth mentioning in the documentation under Security Requirements and Precautions.

       
  • Dave

    Dave - 2019-10-18

    Is it possible for someone to update the VeraCrypt documentation to include this?

     
  • Dave

    Dave - 2019-10-18

    Here's an idea of what could be added to the VeraCrypt documentation:

    Title: Keep your password secure

    Never reveal your VeraCrypt password (or passphrase) verbally (or reveal it in any other way). Microphones and recording devices, such as voice-controlled smart devices, have been known to record conversations and store them on a remote server. If an attacker gains access to this data and you revealed the password in the captured conversation, VeraCrypt will no longer be able to secure data on your device.

    An adversary could be secretly recording your conversations!

    If you created a hidden volume or hidden operating system, under no circumstances must you reveal anything about it. It is your responsibility to keep your VeraCrypt passwords/passphrases and hidden volume/hidden operating system secret (if used).

     

    Last edit: Dave 2019-10-18
  • Mounir IDRASSI

    Mounir IDRASSI - 2019-10-18

    @daver4: Thank you for contributing this text. Like @kfitzner, my first impression would be to think that this is an obvious risk that isn't worth mentioning, but actually some recent events made me think that this risk is somehow neglected and can lead to a serious security breach.

    The one event that I'm thinking of is not linked to voice recording but rather to video recording through CCTV. In this case, it was possible to guess the password used for VeraCrypt encryption by analyzing the office's internal CCTV recording of the person typing the password on his keyboard.

    Thus, I agree to add a paragraph in the documentation about the risk of leaking the password that would mention the issue of recording devices, be it audio like what you wrote or video like CCTV cameras.

    Is it possible for you to update your text to also mention the video recording in addition to audio recording?

     
    • Dave

      Dave - 2019-10-18

      @idrassi

      I’m happy to mention CCTV. This text is only a rough idea and will probably need a lot of editing or rewording in many places.

      Title: Keep your password secure

      Never reveal your VeraCrypt password (or passphrase) verbally (or reveal it in any other way). Microphones and recording devices, such as voice-controlled smart devices, have been known to record conversations and store them on a remote server. If an attacker gains access to this data and you revealed the password in the captured conversation, VeraCrypt will no longer be able to secure data on your device.

      An adversary could be secretly recording your conversations! Avoid typing your password anywhere that video and/or audio recording systems are in use, such as CCTV in offices, public places, home security devices, smart devices etc.

      If you created a hidden volume or hidden operating system, under no circumstances must you reveal anything about it. It is your responsibility to keep your VeraCrypt passwords/passphrases and hidden volume/hidden operating system secret (if used).

      Warning! If an adversary has access to the premises with the VeraCrypt device (or he/she has accessed the premises in the past), the adversary could have installed a hidden recording device. You should avoid using the computer with VeraCrypt installed. If you must use the computer with VeraCrypt installed, do not access any hidden volume or hidden operating system.

       

      Last edit: Dave 2019-10-18
  • Dave

    Dave - 2019-10-18

    I've edited my previous post a few times to make it easier for the reader to understand. Like I say, it will probably need more editing and rewording before being included in the documentation.

     
