Authorities Don't Need To Break Phone Encryption in Most Cases, Because Modern Phone Encryption Sort of Sucks. (twitter.com) 61
Matthew Green, a cryptographer and professor at Johns Hopkins University, shares in a series of tweets: My students Max and Tushar Jois spent most of the summer going through every piece of public documentation, forensics report, and legal document we could find to figure out how police were "breaking phone encryption." This was prompted by a claim from someone knowledgeable, who claimed that forensics companies no longer had the ability to break the Apple Secure Enclave Processor, which would make it very hard to crack the password of a locked, recent iPhone. We wrote an enormous report -- a draft of which you can read here (PDF) about what we found, which we'll release after the holidays. The TL;DR is kind of depressing: Authorities don't need to break phone encryption in most cases, because modern phone encryption sort of sucks.
I'll focus on Apple here but Android is very similar. The top-level is that, to break encryption on an Apple phone you need to get the encryption keys. Since these are derived from the user's passcode, you either need to guess that -- or you need the user to have entered it. Guessing the password is hard on recent iPhones because there's (at most) a 10-guess limit enforced by the Secure Enclave Processor (SEP). There's good evidence that at one point in 2018 a company called GrayKey had a SEP exploit that did this for the X. See photo. There is really no solid evidence that this exploit still works on recent-model iPhones, after 2018. If anything, the evidence is against it. So if they can't crack the passcode, how is law enforcement still breaking into iPhones (because they definitely are)? The boring answer very likely is that police aren't guessing suspects' passcodes. They're relying on the fact that the owner probably typed it in. Not after the phone is seized, in most cases. Beforehand. The full thread on Twitter here.
Encryption good, people bad (Score:1)
So basically, people give police their passwords. No encryption can beat that.
Re:Encryption good, people bad (Score:5, Informative)
Re:Encryption good, people bad (Score:5, Insightful)
Re: (Score:2)
This seems reasonable and almost like something they could bolt right into the existing privacy settings.
They should also consider dumping all in-memory keys whenever any hardware device is connected.
Re: (Score:2)
It's more like we have to make app developers figure out how to do their background tasks without having to access any/most data, which would stay encrypted and unavailable to the app while the phone is locked.
Re: (Score:2)
That would be contrary to the very point of a lot of apps, which is to collect as much info on you as possible to sell to advertisers.
Re: Encryption good, people bad (Score:3)
That is neither very realistic, nor very much better.
Actually, the flaws are much more fundamental.
You are running chips designed by an NSA partner, manufactured by a partner of Chinese authorities, and assembled by slaves that would assemble different stuff in there for a buck.
You run an OS designed by a hostile advertisement company or a, let's face it, jewelry company. That gets updated from you don't know what server. "Secured" by a set of keys from "certificate authorities" nobody actually verified.
There
Re:Encryption good, people bad (Score:5, Informative)
There is a lot phone makers can do:
1: Have protected keys and PINs for individual apps. That way, a mail app or an app that has two factor auth codes would be protected, even if the general phone is completely unlocked.
2: Have a duress code. Phone pretends to unlock and drops to the Launcher or Springboard, but if an app runs, it crashes, while the phone quietly does a nuke on all user data, then just hard locks up, requiring a re-ROM or DFU update.
3: Have separate compartments, especially with multi-SIM phones, all encrypted, all using different startup keys and PINs. For example, the e-SIM might be one's home number. Another SIM may be one's work stuff. A third SIM may be someone's vacation/private/burner line. That way, if someone is on a trip, they can just have the one relevant compartment available, and if brute force attempts are done on the others, they are quietly erased. Perhaps an ideal would be a hypervisor. This also would let people have a place so they can have full ownership on their phone, where they could run an open Linux distro or whatnot, especially if the phone supported a desktop OS mode (a la the Motorola Atrix)
4: Have a third party cloud backup system that can back up by image and file... and has clientside encryption, so nothing is stored on the cloud provider that can be easily used. Problem with phones is that iOS is all or nothing... And Android has nothing that really works (in my experience), and stuff like Titanium Backup used to be good, but root requires so many hurdles that that is hard to obtain. It also wouldn't hurt to have the ability to back the phone up using USB To Go or similar, so one could dump the phone every so often to a USB flash drive. This isn't new technology... my Palm V had an external device that could back the entire thing up and restore it with a button press.
It would really be nice if iOS and Android could offer an API so that third parties could back up and restore data on the phones, so someone can archive a game they don't play, and then reload it after a few years. Even if the data file is signed before leaving the phone to deter hex-editing of values, or encrypted via some key stored on the phone to allow an app to be reloaded, even if the app is long since pulled from the store. Yes, this API will have to have some security to keep users from allowing malicious apps to dump their phone's data, but backup programs have been around since the dawn of computing, and it can be done.
5: Have the OS drop keys or quit apps that flag themselves as such when a hardware device is attached, just to ward off DMA attacks.
6: Have the ability to geofence a phone, and if it goes outside a certain area, prompt for a second PIN.
Phone makers can do a lot more than they are doing to secure devices. They can do a lot more to protect user data as well.
Re: Encryption good, people bad (Score:1)
Re:Encryption good, people bad (Score:5, Interesting)
If your phone is turned on, law enforcement can use forensic tools to scan the RAM.
When you are going through customs or airport security, power-down your devices.
Re:Encryption good, people bad (Score:4, Insightful)
They are known to "ask" you to power them up
Re: (Score:3)
Which is fine as long as you don't also enter your passcode.
Re: (Score:2)
Sorry, my battery is dead.
Re: (Score:3)
Sorry, my battery is dead.
Do not say that. Lying to a federal agent is a serious crime.
They can see if your battery is dead. They don't need your password to turn on your phone.
Re: (Score:3)
They are known to "ask" you to power them up
If they are really just asking, you can politely say "No."
You can also turn a device on without logging in.
TSA has limited authority to search devices. CBE is a bigger problem. They can confiscate your devices or put you on a plane back home if you refuse to provide passwords.
DHS policy on passwords [papersplease.org].
Re: (Score:1)
They always "just ask". Your compliance will speed things up considerably.. sir..
Re: (Score:2)
Borders are lawless places. The only effective protection is to wipe the phone and restore it at your destination.
Re: (Score:1)
Not necessary. Just get a cheap burner for traveling. In fact, you should never carry a phone with personal info around with you.
Re: (Score:2)
Is the place you live so bad that you shouldn't carry a phone with personal info on it?
I mean yeah, if you are protesting or something, but just everyday ordinary stuff?
Re: (Score:1)
You merely have to fit a profile [twimg.com]
Re: (Score:1)
My smartphone rarely leaves my home but it's not because it contains personal info, it doesn't unless pictures of my mom's cats count as that. A smartphone is expensive so I try to take as good care of it as all other stuff I own and it's also required on some sites for login, you can't do it via a desktop program. Which means I'm required to take good care of it too or I'll be locked out of some sites until I get a new smartphone. Sites that require a smartphone are my bank and my pharmacy account. Very infu
Re: Encryption good, people bad (Score:3)
Protip: RAM is always turned on, unless you actually shut down before power off. And protip 2: RAM doesn't lose its contents nearly as quickly as you think. Often there's still enough in there after hours!
Re: (Score:3)
Re: (Score:2)
This is similar with Android. The first bootup, the first PIN or password unlocks dm-crypt for the /data filesystem. From there, that is stored in RAM. Some Android phones offer to have you have a longer bootup PIN than your screen lock, ensuring that if the device is off, an attacker would have to deal with something that isn't just the usual 4-6 numbers. Newer Android phones used a TPM to add key strengthening and to mitigate brute force attacks.
If the phone is on, different story, as all it takes is
Re:Encryption good, people bad (Score:5, Interesting)
Google it - there was a description of how UK anti-terrorism squad does that. They tail the suspect until he unlocks the phone then rugby tackle him and grab the phone before it locks again.
Re: (Score:3)
See also: The plan to use a helicopter to bust down a 2nd-story wall and then "ninja-kick" an unlocked laptop out of Ross Ulbricht's hands.
(they actually made a distraction in a library and snatched it from him)
Re: (Score:1)
I was thinking about that. A modern phone has accelerometers so it would be fairly simple to write an app that auto-locks the phone if it detects that the phone is dropped or that the user is physically attacked.
My phone always knows when I pick it up or slide it out of the way. So they are sensitive enough.
You could also implement that if you shake the phone it will auto lock or shut down or wipe it.
Re:Encryption good, people bad (Score:5, Informative)
When you lock your iPhone (or press the button on the side, or leave it alone until the screen goes blank), exactly *one* set of keys gets “evicted”, ie erased from memory. Those keys are gone until you enter your passcode or use FaceID. All of the other keys stay in memory. The key that gets evicted on lock is used to decrypt a subset of the files on the filesystem, namely the ones that have a specific protection class (NSComplete). The keys that don’t get evicted can be used to decrypt all the other files. So the upshot of this is that, if police can capture your phone in the After First Unlock state (yours is almost certainly in that state for 99% of its existence) *and* they have a software exploit that allows them to bypass the OS security measures, they can get most of the files.
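The eviction behaviour described in the comment above, as a simplified model (an added example, not part of the thread and not Apple's implementation). The key wrap is a toy construction, and the passcode and file names are constructed.

```python
import hashlib, hmac, os

# Class names are Apple's public constants; everything else is a simplified model.
COMPLETE = "NSFileProtectionComplete"
UNTIL_FIRST_AUTH = "NSFileProtectionCompleteUntilFirstUserAuthentication"

def wrap(key, secret):  # toy key wrap (assumption, not AES key wrap)
    pad = hmac.new(key, b"pad", hashlib.sha256).digest()
    tag = hmac.new(key, secret, hashlib.sha256).digest()[:16]
    return bytes(a ^ b for a, b in zip(secret, pad)) + tag

def unwrap(key, blob):
    pad = hmac.new(key, b"pad", hashlib.sha256).digest()
    secret = bytes(a ^ b for a, b in zip(blob[:32], pad))
    tag = hmac.new(key, secret, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, blob[32:]):
        raise ValueError("wrong key")
    return secret

class Device:
    def __init__(self, passcode, files):
        self.salt = os.urandom(16)
        kek = self._kek(passcode)
        keys = {c: os.urandom(32) for c in (COMPLETE, UNTIL_FIRST_AUTH)}
        self.wrapped_class_keys = {c: wrap(kek, k) for c, k in keys.items()}
        # Each file gets its own key, stored wrapped under its class key.
        self.files = {n: (c, wrap(keys[c], os.urandom(32))) for n, c in files.items()}
        self.resident = {}  # class keys in memory; empty = never unlocked since boot

    def _kek(self, passcode):
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, 10_000)

    def unlock(self, passcode):
        kek = self._kek(passcode)  # a wrong passcode fails the tag check below
        self.resident = {c: unwrap(kek, b) for c, b in self.wrapped_class_keys.items()}

    def lock(self):
        self.resident.pop(COMPLETE, None)  # the one key set evicted on lock

    def readable_without_passcode(self):
        """Files whose key can be unwrapped from memory-resident class keys alone."""
        return sorted(n for n, (c, blob) in self.files.items()
                      if c in self.resident and unwrap(self.resident[c], blob))

def demo():
    d = Device("493817", {"mail.db": COMPLETE, "photos.db": UNTIL_FIRST_AUTH})  # constructed
    before_first_unlock = d.readable_without_passcode()
    d.unlock("493817")
    d.lock()
    return before_first_unlock, d.readable_without_passcode()
```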
Re: (Score:3)
Mod the parent up!
"Warm" vs "cold" attacks have been known for a long while. The police will bring in a special UPS with a reverse plug, for example, so that they can take your desktop PC while it is still running. The really interested parties will deep freeze RAM in cryogenic temperatures so that the information will not discharge. They will hotwire components to hack running systems.
Thanks for pointing to the actual content!
Re: (Score:2)
Re: (Score:2)
And that is one reason you should have a motion sensor inside your desktop PC case that initiates a memory wipe if there's too much motion/vibration and also does so if the case is opened (making sure that getting to the cord or either end of it requires the requisite motion to trip the sensor). Of course, the real reason for this is not to subvert the police but to subvert actions of corporate spies, blackmailers, and burglars with an eye to ID theft :)
A regression compared to Blackberry (Score:2)
Re:Encryption good, people bad (Score:5, Informative)
Importantly on the iPhone if you press the lock button 5 times in succession it goes into emergency mode. It will sound an alarm and call your locale's emergency number. But it also evicts all the decryption keys so TouchID/FaceID will no longer unlock the phone. You need to re-enter your passcode to unlock it.
Even if you cancel the emergency call the keys are evicted and you need to re-enter your passcode. It's been a feature for at least the past three iOS versions, maybe longer.
Re: Encryption good, people bad (Score:1)
Re: (Score:2)
So basically, people give police their passwords. No encryption can beat that.
Well, as with most things in security, encryption requires you to do competent risk management in order to work well. The current set of crises should make it amply clear that most people are incapable of that.
TL;DR: background use means no encryption (Score:2)
The phone isn't locked down because it would be impossible for background things to run if everything was locked down.
Re:TL;DR: background use means no encryption (Score:4, Informative)
Re: TL;DR: background use means no encryption (Score:1)
Obligatory xkcd (Score:3)
No need to say more
Re: Obligatory xkcd (Score:2)
Obligatory mention of Randall being a very smug one-eyed that's cheered on by the blind.
Nobody goes around from person to person with a damn wrench.
Look at the Snowden leaks. They *brag* about having been the first, to spy on ALL the data, to a point, where it takes more effort, to add a rule to *not* spy on a certain person.
Automation enables the former "nerd" scenario to be a zero-action thing that your software toolkit does automatically by default.
Randall should stick to his stick figures and leave the
P.S.: (Score:2)
And I should stop typing comments on a phone's touch screen keyboard in the middle of the night. ;)
I've been on Slashdot too long (Score:2)
...You know you've been here for too long when you don't even need to click the link and know that this is the "beat 'em with the $5 wrench" comic.
Twitter is a joke (Score:5, Insightful)
lol at having to split up a technical discussion into discrete, twitter length limited messages.
twitter really is a medium for idiots
Re: (Score:2)
lol having a technical discussion on Twitter.
Re: Twitter is a joke (Score:2)
lol at wasting your good time posting complaints about Twats* in Twitter-sized comments.
(* that's what they're called, right?)
Re: (Score:3)
twitter really is a medium for idiots
Or Perl golfers.
Comment removed (Score:5, Informative)
Re: (Score:3)
TL;DR if your phone is locked and they happen to have a zero day exploit that hasn't been patched they can access the files on it.
We knew that. They make some interesting suggestions, but nothing that hasn't been thought of before.
Re: Here's the relevant paper (Score:1)
Re: (Score:2)
Re: (Score:2)
If you remove "Phones" it sounds like a pretty good summary of security in general.
OMG (Score:2)
"Since these are derived from the user's passcode, you either need to guess that -- or you need the user to have entered it."
So you're saying that stupid users who use their face or thumb to lock their phone don't need decrypting by the Police?
That's hardly news, Captain Obvious.
Re: (Score:1)
You mean ye olde RAM scrapers? (Score:2)
Since phone RAM is always-on, and the passcode is likely in there if they didn't use all of it and just checked something quickly.
Maybe with RAM stored in permanent memory too, since those OSes are designed to stop apps at *any* time without warning.
But I am disappointed that this "article" is basically guesswork by a few Twats saying "I must be, because we cannot believe otherwise."
That is not news. That is trucker bar talk at 3am on a weekend.
Unrolled Twitter thread (Score:1)
Preferable to outlawing encryption (Score:3)
what about lockdown? (Score:2)