Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Encryption Government Technology

The Police Can Probably Break Into Your Phone (nytimes.com) 96

At least 2,000 law enforcement agencies have tools to get into encrypted smartphones, according to new research, and they are using them far more than previously known. From a report: In a new Apple ad, a man on a city bus announces he has just shopped for divorce lawyers. Then a woman recites her credit card number through a megaphone in a park. "Some things shouldn't be shared," the ad says, "iPhone helps keep it that way." Apple has built complex encryption into iPhones and made the devices' security central to its marketing pitch. That, in turn, has angered law enforcement. Officials from the F.B.I. director to rural sheriffs have argued that encrypted phones stifle their work to catch and convict dangerous criminals. They have tried to force Apple and Google to unlock suspects' phones, but the companies say they can't. In response, the authorities have put their own marketing spin on the problem. Law enforcement, they say, is "going dark." Yet new data reveals a twist to the encryption debate that undercuts both sides: Law enforcement officials across the nation regularly break into encrypted smartphones.

That is because at least 2,000 law enforcement agencies in all 50 states now have tools to get into locked, encrypted phones and extract their data, according to years of public records collected in a report by Upturn, a Washington nonprofit that investigates how the police use technology. At least 49 of the 50 largest U.S. police departments have the tools, according to the records, as do the police and sheriffs in small towns and counties across the country, including Buckeye, Ariz.; Shaker Heights, Ohio; and Walla Walla, Wash. And local law enforcement agencies that don't have such tools can often send a locked phone to a state or federal crime lab that does. With more tools in their arsenal, the authorities have used them in an increasing range of cases, from homicides and rapes to drugs and shoplifting, according to the records, which were reviewed by The New York Times. Upturn researchers said the records suggested that U.S. authorities had searched hundreds of thousands of phones over the past five years. While the existence of such tools has been known for some time, the records show that the authorities break into phones far more than previously understood -- and that smartphones, with their vast troves of personal data, are not as impenetrable as Apple and Google have advertised. While many in law enforcement have argued that smartphones are often a roadblock to investigations, the findings indicate that they are instead one of the most important tools for prosecutions.

This discussion has been archived. No new comments can be posted.

The Police Can Probably Break Into Your Phone

Comments Filter:
  • Ok, then how? (Score:5, Interesting)

    by Anonymous Coward on Wednesday October 21, 2020 @11:07AM (#60631838)
    There's no way this many law enforcement agencies are enabled to do this without it being fairly obvious how they're doing it. Groups this large can't keep secrets. So the question is, how are they getting in, and how do we stop it?
    • by Tablizer ( 95088 )

      Hackers and crooks will eventually find or copy the same tricks. In fact, I suspect the cops learned of them from the shady side.

      Hackers and crooks can tap into the vast sources of cheap 3rd-world IT labor, something US cops will have a harder time getting approval for.

      • Re:Ok, then how? (Score:4, Informative)

        by WankerWeasel ( 875277 ) on Wednesday October 21, 2020 @12:09PM (#60632110)
        It's always a bit funny to hear this. The truth is that such tools have been widely available to law enforcement for over 10 years. For instance, in 2007 we began selling a tool to licensed law enforcement that when plugged into a suspect computer (Windows, Mac, or Linux), will automatically grab browsing history, emails, messages, network info and other system settings including previously connected wifi and other networks, and it will also pull their passwords (including the Apple Keychain). Phone backups are grabbed too. In addition, it can be set to copy any specific files or folders. Haven't seen such hit the hacker market but maybe I missed some thing. A number of tools similar to GreyKey have been available since 2008 but we have yet to see hackers produce such.
        • Comment removed based on user account deletion
          • by raymorris ( 2726007 ) on Wednesday October 21, 2020 @01:18PM (#60632338) Journal

            I'm not familiar with that particular product, though I've evaluated a similar product. (Or maybe it was that one, I don't recall).

            Anyway, what I have made is a USB key that blows right past " I didn't think any mainstream distros (at the time) would automount USB and run binaries on it". USB is the port you use to plug in a keyboard. A keyboard sends commands to the computer, which it executes.

            I popped open the case of a a USB flash storage thumb drive that had my company's logo on it and replaced the internal board with a $20 USB microcontroller board, which announced itself as a keyboard. It then began "pressing keys" to execute commands on the system.

            • by Herve5 ( 879674 )

              Well, this is why you use USG, between the key and your computer :
              https://github.com/robertfisk/... [github.com]
              Of course if you let someone else plug, you'd better suppress usb handling within your system entirely, which my company does in a way that I can cancel upon request...

            • Congratulations. You reinvented the Rubber Ducky. https://shop.hak5.org/products... [hak5.org]
            • It's a well known attack vector, which is why the truly paranoid among us disable USB ports by default. Sometimes physically.

              This of course won't save you from an attacker with a bit more than $20 at their disposal.

            • Comment removed based on user account deletion
              • Preferably the session should be locked. It may not be. If it is, then it's time for ctrl-alt-del reboot. Specifically, rebooting to the USB disk. Which then gives full access to all files on th hard drive, from an OS controlled by person doing the forensics.

                Some configurations of Bitlocker make this more difficult, if Bitlocker is fully up to date on security patches.

                • A malicious PCI-E device would have historically been enough in many cases to bypass TPM-only BitLocker. Thatâ(TM)s why Windows 10 now runs virtualised by default. The solution is to keep your PC off when you arenâ(TM)t using it and be sure to use TPM+PIN with a proper passphrase.

                  For smartphones, you need to take a similar approach. use a different passphrase for encryption to the unlock passphrase and always leave the device off with the battery removed when not in use. (So, you need a cheap
            • This is one thing I like about Qubes: USB devices are kept compartmentalized. A keyboard doesn't get to send keystrokes until authorized. That would be endlessly frustrating for many users, but for security conscious folks it's great.

              • Qubes is cool.

                It surprises me that they advertise their system by saying things like:
                --
                It's a place where you can click on links, open attachments, plug in devices, and install software free from worry. It's a place where you have control over your software, not the other way around.
                --

                That's irresponsible to say that. Particularly, opening attachments and clicking links in email means the page, which is potentially malicious, loads in the browser where you're already logged into your email. It's ripe for X

                • I agree, doing it right is harder than that. Qubes provides other tools which help, like disposable VMs - those are perfect for opening untrusted content. They make it fairly easy to do, but it's still harder than just clicking a link.

        • It's even longer than that. Louis Freeh was chanting the "going dark" mantra just under thirty years ago. They really need to switch the record at some point, that track must have been worn down to nothing by now.
    • I can personally attest to the ability for these groups to maintain secrets.
      • Computer forensic companies don't bother keeping it secret. They parade such capabilities at conferences all the time. It's WELL known within the industry and they even advertise such capabilities on their websites
    • by _xeno_ ( 155264 )

      Groups this large can't keep secrets.

      They can if they don't know the secret.

      It's not a secret that they have access to software that can break into phones. (For example: see this article.) How the software works and the exploits it uses is, however, a closely guarded trade secret by the vendors that make the software. In some cases, the vendor doesn't even allow law enforcement a local copy of the software, they send the device to them and get a data dump back.

      Eventually the exploits tend to either be rediscovered publicly or leak in some othe

    • So the question is, how are they getting in...?

      Mass Extraction: The Widespread Power of U.S. Law Enforcement to Search Mobile Phones [upturn.org]

      EFF:Street Level Surveillance [eff.org]

      The Intercept: Police Surveillance [theintercept.com]

      [A]nd how do we stop it?

      Participate in your democracy. Attend local government meetings to speak your piece. Write to your newspapers and your elected officials to inform them of your views and opinions. Donate your time and money to groups acting towards your societal goals. And absolutely, VOTE your personal preference in every election.

    • Been selling such tools to government agencies around the world since 2008. They're widely available. Yet it seems so many are in denial of the fact that such exists. The computer forensics market is far larger than folks seem to realize. They have access to far more tools than any of you seem to know or seem to be happy to delude themselves that such tech doesn't exist.
    • It's not a secret. It was reported here on Slashdot years ago that the FBI had contracted with an Israeli security firm (I forget the name) who had the capacity to crack half the iPhone models that were in circulation. This was around the time of that high-profile case where they were trying to decrypt the iPhone of that guy who shot up the gay club in Florida for Allah.

      There was a high-ranking Justice Department official who called a press conference along the lines of, "If Apple won't help us decrypt it,

    • So the question is, how are they getting in, and how do we stop it?

      They are hacking into it because Apple writes code with security flaws. They are doing it the same way jailbreakers do.

      The way to stop it is for Apple to start a program internally to encourage (and teach them how) all developers to take security seriously. Because any developer can write a security bug into the code.

    • Its easy, I saw it in NCIS last night after wheel of fortune. They just use the facial recognition unlock by holding your phone up to your face.

    • by tlhIngan ( 30335 )

      Look up GreyKey. It's a common enough device that pretty much every law enforcement department would have one. It's costs around $50,000 outright or $10,000 with a $500 pay-per-use. Add in a monthly subscription fee on that for updates as well.

      Access to it is strictly controlled, because Apple and Google themselves are wanting a unit to patch up flaws and thus extra effort is done to make sure they don't get it.

      Speaking of which, I believe iPhone X and below are permanently vulnerable because of a flaw in t

    • by jon3k ( 691256 )
      My understanding is that the tool provided isn't just software you run on a computer. It's a purpose built machine that you license or rent from companies like Cellebrite. It's a black box, you plug in the phone and then using a menu system you crack the device and export data. The details are completely obscured from the operator.

      Imagine this thing [ebay.com] (Cellebrite Touch 32GB Phone Data Transfer System) but with built in iOS and Android exploits.
    • Don't put any sensitive information on your phone. I sit behind a computer all day I am fine with going 'dark' when I am off work.
  • ...I was listening to podcaster and broadcaster Leo Laporte. He made a comment that the "best tracking device was in our pockets". This was before the Snowden revelations, and it sounded technically feasible but a bit paranoid and preposterous that anybody would do that.

    Fast forward and in 2020, it's not preposterous at all, it's our new way of life. We don't even think about the fact that a lot of what we've been doing is being carefully recorded by location and time, just for law enforcement or who knows

    • it sounded technically feasible but a bit paranoid and preposterous that anybody would do that.

      Police have been using cell phones to track/find people since the 90s. They've also been using things like Carnivore [wikipedia.org].

  • by AleRunner ( 4556245 ) on Wednesday October 21, 2020 @11:12AM (#60631850)

    So, they have the ability to get access when they need access, and yet Barr demands more access [arstechnica.com]. The obvious explanation is that it's not about access to the criminal's phones. What he wants is mass access to normal people's phones.

    • by Arthur, KBE ( 6444066 ) on Wednesday October 21, 2020 @11:24AM (#60631892)
      Yeah, exactly. The idea that 49/50 police agencies can get into most phones but the FBI is having trouble with this, doesn't pass the smell test.
    • by aitikin ( 909209 ) on Wednesday October 21, 2020 @11:26AM (#60631906)

      The obvious explanation is that it's not about access to the criminal's phones. What he wants is mass access to normal people's phones.

      Or to placate the general public into thinking they don't already have that access.

    • by taustin ( 171655 ) on Wednesday October 21, 2020 @11:55AM (#60632040) Homepage Journal

      They want to be able to access stuff without having to bother with a warrant, or even bother to get out of their chair. And to do so without having to spend any money (which can be tracked) or keep any audit trail (unless they need it for chain of custody).

      In short, what he, and other law enforcement want, is mostly to be able to be lazy.

      Also, this is conflating two separate issues, one of which is a subset of the other. Accessing phones is one thing, but Barr wants a back door in all encryption, which includes desktop programs, email systems (whether accessed on a phone or not), bank transactions, etc. No matter how easy it is to get into a phone, they still need a warrant to get into bank records, and they need to pay for that process. They'd rather be able to just log into the bank's computers directly while watching porn at their desk, with no audit trail, and nobody else knowing about it.

      • by sjames ( 1099 )

        In other words, law enforcement resents having to obey the law. They were rather hoping we'd let them go full on rogue.

    • by Rick Schumann ( 4662797 ) on Wednesday October 21, 2020 @11:57AM (#60632050) Journal
      The only way some people can feel like they aren't going to pee their pants due to anxiety is to have iron-fisted control over everything and everyone. This describes way too many 'law enforcement' types. They would never admit it, but they'd prefer that all us non-police live in prison-like conditions of constant surveillance and have immediate unfettered access to anything and everything they want, including our own private thoughts. Yet when I or anyone else says something like this we're still treated like we're conspiracy theorist nutjobs because people are still in denial about it. But it's true. Our so-called 'law enforcement', not only in this country but around the world, would wreck our civilization in their pathological quest to control EVERYTHING. The term 'police state' doesn't even begin to cover what the world would look like if these people had their way, 1984 would be closer but even politicians wouldn't be exempt from their surveillance and iron-fisted control.
    • That's always been the case. I can personally say that a number of three letter government agencies have had access to such since 2008. It's not about getting access to those particular phones. It's about them trying to get the phone makers like Apple to open things up to them in order to make it much easier to access any phone they want. It's a political play, not a technical one.
    • Bingo. I am fine with police having access to a suspect's phone, as long as the guy is a suspect, and normal rules in regard to search warrants and such have been observed. No sneak & peaks, no mass surveillance. Also, the police may try and break in using whatever method they have for that, but that doesn't mean mandatory back doors in phones. Child pornographers and terrorists notwithstanding.
    • by clodney ( 778910 )

      I have to admit that I am not terribly bothered by cops being able to break into a phone that they have physical possession of. That requires some level of effort for every individual phone. Just like cops can follow somebody around, but it takes a significant amount of labor to do so.

      The scary thing is if they can do it without requiring possession, or if the process becomes so trivial that every time you have an encounter with the police (traffic ticket, etc.) they break into your phone as a matter of c

  • by Sebby ( 238625 ) on Wednesday October 21, 2020 @11:24AM (#60631894)

    Officials from the F.B.I. director to rural sheriffs have argued that encrypted phones stifle their work to catch and convict dangerous criminals

    And the FBI people are some of those criminals, as they've proven themselves to be several times in the past already.

    Cute how they want us to trust them with information, when they've repeatedly proven themselves untrustworthy so many times in the past.

  • We've been funding them like a military, it's no surprise they have access to unlimited resources for such things or that having said resources they can use them.
  • ... who just takes it for granted that supposedly securely locking their device makes it actually secure from anyone trying to access it, even experts.

    But that's about it.

  • It's generally held that once an attacker has physical access to a device, the device is going to be cracked. So this is not a real surprise.

    It would be more interesting to see data on the cost/effort/time it takes for police to do so based on phone model, and also to plot how the cost/effort/time changes from year to year. (That is, how fast after a brand new phone is released does the situation go from "There's no tool available to break into this new model", to "We have a 90% chance of getting into the

  • Don’t fool yourself, of course they can, and they’ve spent your tax dollars to do so. The United States is the most watched, recorded, monitored, surveilled, and tracked civilization in the history of the planet – our Surveillance State would have made the N a z is giddy. You can’t use the word liberty living under this level of surveillance, that’s the relationship between a slave and a master.
    • by smooth wombat ( 796938 ) on Wednesday October 21, 2020 @11:35AM (#60631948) Journal
      The United States is the most watched, recorded, monitored, surveilled, and tracked civilization in the history of the planet

      Apparently China and Russia don't exist in your universe.
      • by Uberbah ( 647458 )

        Is it your sense of proportion or reading comprehension that is broken? No one comes close to the United States, or the NSA which wants to collect every communication from every person on the planet.

      • by dstwins ( 167742 )

        China is.. BUT China has never portrayed itself as any other..

        Russia is no where nearly as tracked.. but again, they never claimed otherwise.

        The US gets beaten about because they CLAIM publicly "Freedom" and "we don't spy on our citizens" and then do shit like this, basically LYING about their real position.. Its hypocrisy.. And THAT is the real crime.. not that China is watched/recorded/surveilled and tracked (and to a large degree, its really not the case.. Oh, they have a LOT of tools and use it.. but

      • by dryeo ( 100693 )

        The big difference is that as someone who is not American or living in America, the Americans likely have access to my communications, especially anything long distance (all cables are tapped) and has extradition treaty with my country and most countries in the world as well as a record for kidnapping people that they really want.
        Russia is to broke to even watch their own people and China is mostly concentrated on their own people.

    • No mate, that would be the City of London.

      • Is the UK govt recording every single phone call, gps coordinates, text, email message and online post that's searchable via a single interface where you type in a name and it retrieves all data?
        No, that was built under the authority of the Patriot Act. Every single phone call of US citizens have recorded since 2005.
      • Re:Most surveilled? (Score:5, Interesting)

        by sdinfoserv ( 1793266 ) on Wednesday October 21, 2020 @12:52PM (#60632280)
        Additionally, section 1021 of the 2012 Defense Authorization Act allows the US Govt to label citizens " "who was part of or substantially supported al-Qaeda, the Taliban, or associated forces that are engaged in hostilities against the United States or its coalition partners", and anyone who commits a "belligerent act" against the United States or its coalition allies in aid of such enemy forces, under the law of war, "without trial, until the end of the hostilities authorized by the [AUMF]". The text authorizes trial by military tribunal, or "transfer to the custody or control of the person's country of origin", or transfer to "any other foreign country, or any other foreign entity"
        There is no legal definition of "belligerent act", and the US Govt can call any act belligerent therefore lock up any citizen, any time, completely stripped of all rights. It is in effect right now.
        https://en.wikipedia.org/wiki/... [wikipedia.org]
        If a "right" can be taken away, it's only a Privilege, therefore US Citizens have no rights any longer.
    • by eriks ( 31863 )

      I think Singapore might disagree, as a point of pride. Though the US is right up there in terms of pretending *not* to be a surveillance state, while actually being "all in".

  • by OrangeTide ( 124937 ) on Wednesday October 21, 2020 @11:32AM (#60631932) Homepage Journal

    If you have done nothing wrong, then you have nothing to hide.

    Also when the police kick down your door in the middle of the night and point guns in you and your girlfriends' face. That's just the good guys doing their job, and you need to be respectful of that.

    And finally, you need to peacefully protest from home. If you go into the streets you'll be considered part of the terroristic rioters and the good guys will use any amount of force against you they deem necessary.

    • Apparently if you protest against BLM protesters then it's ok.

      • by ebvwfbw ( 864834 )

        Apparently if you protest against BLM protesters then it's ok.

        Why in the world do you think that? Anytime someone does that they get in trouble. BLM can do whatever they want - Burn, Loot, even Murder and they get away with it. Even shooting black people, nothing happens.

        If it were ok to protest against them then things would be far different. Their graffiti would be eliminated for one. Everyone should be protesting them. In fact everyone should go after anyone supporting or donating to them. They're a marxist organization run by "Trained Marxist" lesbian biggots that

    • Comment removed based on user account deletion
    • If you have done nothing wrong, then you have nothing to hide.

      Also when the police kick down your door in the middle of the night and point guns in you and your girlfriends' face. That's just the good guys doing their job, and you need to be respectful of that.

      And finally, you need to peacefully protest from home. If you go into the streets you'll be considered part of the terroristic rioters and the good guys will use any amount of force against you they deem necessary.

      you must be hiding something if they need to kick down your door, you should be a nice citizen and leave it unlocked to make sure they can enter peacefully /sarcasm

  • Not quite (Score:5, Informative)

    by battingly ( 5065477 ) on Wednesday October 21, 2020 @11:36AM (#60631960)
    It says right in TFA: "His crime lab has spent hundreds of thousands of dollars on phone-hacking tools, he told lawmakers, yet remains locked out of roughly half of the iPhones it has warrants to search". They're probably only breaking into older or weakly protected phones.
    • So successful criminals always pack the latest edition iPhone?

      • Largely, yes.

        The 10 and earlier have a known security exploit that's used for jailbreaking. That vector can't be patched (hardware flaw), and it would be very surprising if the decryption vendors didn't use it.

      • Perhaps, but that only helps you right now. Police only need one exploit to get in, and that exploit doesn't necessarily need to have been discovered at the time they obtained the phone. A phone sitting in an evidence locker may be entirely unreadable today, but tomorrow will become an open book to investigators, thanks to the discovery of a new exploit.

        Really, it's more a matter of running out the clock on the statute of limitations before an exploit is discovered.

        • I get around this problem by (1) not breaking the law much (2) not putting anything incriminating on computing device.

          If I were in the business of breaking the law, I would still abide by number 2.

          • If I were in the business of breaking the law, I would still abide by number 2.

            As would anyone sane.

    • They said the same thing a number of years ago when they were trying to crack the phone of the guy that shot up the gay club in Florida. That they had the capacity to crack about half the iPhone models in circulation at that time.

      So there seems to be a pretty consistent pattern that the phones get cracked after they've been on the market for a year or so.

    • by hey! ( 33014 )

      Or phones with weak PINs. Secure enclave + strong PIN/password is a tough nut to crack.

      You can find YouTube videos of people using a data snooping product called Cellebrite; it works through the USB port of the phone and apparently by brute forcing the user's PIN. Once the PIN is recovered, you not only have full access to the device file system, you have access to the user's keychain as well. His life is an open book.

      According to security researchers, there's a big difference in vulnerability between PI

  • My phone isn't actually encrypted, but I say it's encrypted in such a way that it looks totally unencrypted -- checkmate. :-)

  • And here I thought the "right of the people to be secure in their persons, property, papers and effects against unreasonable search and seizure" was the Supreme Law of the Land.
  • Comment removed based on user account deletion
    • by Uberbah ( 647458 )

      Kinda hard to take privacy advocates seriously on their objections to "nothing to hide, nothing to fear" when there is a tacit admission that due process and other constitutional checks and balances still apply in full force.

      Then you're not listening to privacy advocates. Cops and prosecutors have convicted innocent people (or bullied them into signing plea deals to avoid draconian sentences) based on far less than cell phone metadata. It goes in with never talking to the cops [youtube.com] in general.

  • Yet Another Shit Slashdot Headline

    "The Police Can Probably Break Into Your Phone" has nothing to do with a story about how many police officers have some tools that can break into some phones.

    Do the "Editors" here make these posts by inventing a headline that will attract clicks and then find a story from the last few weeks that is vaguely linked to it?

    Or are they just very bad at their jobs?

  • Maybe the whole idea of security in this space is to give out a false sense of security. Obviously those that makes phones want you to think they are secure. It's a feature of the device. But likewise what if the government also wants you and J. Random Criminal to think the same thing. Put up a stink, complain that security is too strong so that J R Criminal will put their faith and trust that the device actually is secure.

    If the security really isn't that great after all, it's a win for the government the

  • Apple can afford to buy whatever exploits are out there, study them, and fix the holes if they want. They can afford to do this as long and as much as they want. It's just a matter of whether they are serious or not about their security claims.

    The important thing is to keep politicians and police off of their backs. Maybe if police and courts hadn't been so cavalier about the 4th amendment for decades, then there wouldn't be such a strong push from the people for unbreakable encryption. Oh well, no use

  • While I find these tools of great concern, I am more concerned if the law enforcement agencies are getting a warrant every time they do this. Probable cause to search a car during a routine traffic stop is bad enough. But it's not like they can smell you have a hit man's contact info on your phone when you get stopped.

    If they are getting a warrant, is it a specific warrant? Or a fishing expedition? Copying the entire contents of a phone because someone got caught shoplifting is insane. Unless you live in

  • Honestly, if they have a warrant, and are legitimately breaking into it, then that's fine. I would like if whatever vulnerability they're using was patched, but if they can get in then have at it. My issue is when they whine about wanting a backdoor so that they can always get in if they want. That's an issue because anything they can exploit others can too.

  • Its sad that 'law enforcement' folks need to hide vulnerabilities from manufacturers to keep security weak. Shouldn't they be helping to report known vulnerabilities rather than exploiting them? Merely being arrested does not give law enforcement authority to break my locks, physical or otherwise. They don't get to kick in my door and go through my house, why should my phone be different?

  • So what if they can? Who is stupid enough to put sensitive information on a mobile device anyway?
    • by ebvwfbw ( 864834 )

      So what if they can? Who is stupid enough to put sensitive information on a mobile device anyway?

      LOL. Plenty of people. We have one idiot that had child porn on his apple computer and sent it in for repairs. Then didn't pick it up because it had an $80 repair bill. Now it's the center of an international money laundering, child porn FBI investigation that implicates Joe Biden and a bunch of other democrats. What kind of a stupid idiot does that?

      Phones are a lot worse. Today everyone has very sensitive stuff on their phones. E-mail, contacts, etc. Some guys buy and trade stocks via phone. I'm talking tr

  • You spent all the cool points on the PRISM program and the like. Gonna have to earn them back first, and your current administration is not exactly doing you any favors.

  • Sure they can open it up, look at it but a landline is a landline!

news: gotcha

Working...