Skip to content

Duress & Scorched Earth

In high-threat environments, an operative may be forced to unlock their device under physical coercion (the "$5 Wrench Attack"). Standard encryption is useless if the user is forced to provide the password.

Room 39 solves this via the Duress PIN Protocol.

The Mechanism

The user configures two separate PINs during setup: 1. Access PIN: Decrypts the vault and grants access to the secure messenger. 2. Duress PIN: A separate code (e.g., 9999) that appears to work but triggers a catastrophic cleanup.

Sequence of Events

When the Duress PIN is entered into the calculator interface:

1. Scorched Earth (Data Wipe)

The application instantly executes a background deletion process: * Remote Keys: API calls are fired to the server to delete the user's Public Keys and identity markers. * Local Keys: The localStorage and sessionStorage containing the Private Key material are overwritten and purged. * Database: Local cached messages and posts are deleted.

2. The Mirage Protocol (Decoy Mode)

Instead of showing an "Error" or "Empty App" (which would alert the attacker that a duress code was used), Room 39 loads a Decoy Ecosystem.

  • Fake Data: The app populates with procedurally generated "safe" conversations, fake posts, and bot interactions.
  • Illusion of Access: The interface looks identical to the real app.
  • Plausibility: Timestamps are generated relative to the current time, making it appear as if the user has been using this "clean" account for days.

Recovery

There is no recovery from a Duress Trigger. Once the protocol is executed, the cryptographic keys are destroyed. Neither the user nor Room 39 administrators can recover the deleted data. This is a design feature, not a bug.