Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Android Iphone

How Law Enforcement Gets Around Your Smartphone's Encryption (arstechnica.com) 62

Long-time Slashdot reader SonicSpike shares a recent Wired.com article that purports to reveal "how law enforcement gets around your smartphone's encryption." Lawmakers and law enforcement agencies around the world, including in the United States, have increasingly called for backdoors in the encryption schemes that protect your data, arguing that national security is at stake. But new research indicates governments already have methods and tools that, for better or worse, let them access locked smartphones thanks to weaknesses in the security schemes of Android and iOS.

Cryptographers at Johns Hopkins University used publicly available documentation from Apple and Google as well as their own analysis to assess the robustness of Android and iOS encryption. They also studied more than a decade's worth of reports about which of these mobile security features law enforcement and criminals have previously bypassed, or can currently, using special hacking tools...

once you unlock your device the first time after reboot, lots of encryption keys start getting stored in quick access memory, even while the phone is locked. At this point an attacker could find and exploit certain types of security vulnerabilities in iOS to grab encryption keys that are accessible in memory and decrypt big chunks of data from the phone. Based on available reports about smartphone access tools, like those from the Israeli law enforcement contractor Cellebrite and US-based forensic access firm Grayshift, the researchers realized that this is how almost all smartphone access tools likely work right now. It's true that you need a specific type of operating system vulnerability to grab the keys — and both Apple and Google patch as many of those flaws as possible — but if you can find it, the keys are available, too...

Forensic tools exploiting the right vulnerability can grab even more decryption keys, and ultimately access even more data, on an Android phone.

The article notes the researchers shared their findings with the Android and iOS teams — who both pointed out the attacks require physical access to the target device (and that they're always patching vulnerabilities).
This discussion has been archived. No new comments can be posted.

How Law Enforcement Gets Around Your Smartphone's Encryption

Comments Filter:
  • How? (Score:5, Funny)

    by nospam007 ( 722110 ) * on Saturday January 23, 2021 @02:35PM (#60982890)

    2-3 hits with a hammer on your kneecap or a blowtorch to your balls, just like in the last millennium.

    • Re: How? (Score:2, Insightful)

      by saloomy ( 2817221 )
      There are lots of situations where this does not work, like the San Bernardino shooter who was killed.
    • Re: How? (Score:4, Interesting)

      by BAReFO0t ( 6240524 ) on Saturday January 23, 2021 @03:56PM (#60983160)

      Yeah, apart from the illegality of that in countries that at least appear to be civilized . . .

      When I use a physical key and a password, if I destroy the physical key, you can have the password and it will do exactly nothing for you.
      Of course that is why they usually surprise-tackle you, before you can destroy it. Which can be circumvented with a dead man switch in some cases. (Sleeping not being such a case.)

      Of course it always comes down to plausibe deniability.
      Who's to say you don't have a second portable disk stashed, a fourth physical key and an eight password, behind what you already gave them and turned out to be destroyed or useless?
      If they lust for it, they can beat you up, even if they *know* you don't own any smartphone or social media accounts at all. Just out of frustration and being enforcers.

      And if they can beat you up without repercussions, why exactly should they not keeo doing it, even after you gave them everything and they gained access?

      _ _ _ _You should also not use Randall Munroe as a security advisor. He is not a security expert, and his knowledge generally is questionable and half thought through at best. (E.g. his "What if..." series seems very thorough, but on the way makes some blatant errors due to lack of knowledge or more often pure ideology, usually in the form of assumptions, that his fans usually can't spot, and if they do, they get banned from the forums quickly for their insolence.)
      I don't say this out of hate or anything. He clearly wants to do something good. He's just a high level case of the Dunning-Kruger effect. Arrogance.

      • Mr. Munroe does not claim to be a security expert.

        On the other hand, I've spent the last 25 years studying and working in the field. I've exploited and/or most any software you can name. That would include bypassing the Android lock screen.

        I haven't read EVERYTHING Munroe has written, but everything I've seen from him about security has been dead-on, though simplified for a general audience.

        I'm aware of one case five years in which Schneier tried to refute something Munroe said in order to promote/defend

      • Yeah, apart from the illegality of that in countries that at least appear to be civilized . . .

        They don't have to literally hit you with a hammer.
        There are lots of other ways of putting pressure on you,
        such as offering a plea deal, threatening to put you
        in a bad jail (where the inmates will beat you every day),
        freezing your assets,"investigating" your family, etc.

    • Re:How? (Score:5, Insightful)

      by newbie_fantod ( 514871 ) on Saturday January 23, 2021 @04:04PM (#60983196)

      In some places, yes, the rubber hose works, but in healthy democracies the evidence of torture negates any evidence of crime... If that ceases to be true your democracy is in danger.

  • by account_deleted ( 4530225 ) on Saturday January 23, 2021 @02:36PM (#60982894)
    Comment removed based on user account deletion
  • Reboot and log into a dummy profile only. Your main remains locked and "hidden"
    • by AmiMoJo ( 196126 )

      If the police get near you, keep your finger on the power button. On most phones if you hold it down for 5 seconds the phone turns off and is properly locked again.

      • But if forced to turn it on and unlock, you have plausible deniability with the secondary profile
    • Reboot and log into a dummy profile only. Your main remains locked and "hidden"

      Rebooting your phone is sufficient. iOS also has a button sequence you can hold that wipes the keys from memory as if you had not logged in. Unsure if that is actually as effective as a reboot, but it takes seconds.

  • Nothing is private (Score:5, Informative)

    by jmccue ( 834797 ) on Saturday January 23, 2021 @02:49PM (#60982928) Homepage
    Nothing on any Cell Phone is private, end of story. So if you care about privacy in communicating with others, find another platform, there are a few out there but requires reading docs (*gasp*) and a bit of work.
    • Nothing on any Cell Phone is private, end of story. So if you care about privacy in communicating with others, find another platform, there are a few out there but requires reading docs (*gasp*) and a bit of work.

      Like or not slashdotters - this is truth. Don't have anything incriminating on your phone if you plan on doing crime.

      Indeed, it apparently doesn't matter today, as people apparently post their crimes on social media and even livestream them.

      The intertoobz should be considered public space. Because it just about is.

      • Indeed, it apparently doesn't matter today, as people apparently post their crimes on social media and even livestream them.

        It especially doesn't matter in California, where many former felonies have been redefined down to misdemeanors, crooks can't be arrested, only cited, if they steal less than a threshold (I think it's $950) while police departments, even when still funded adequately, have their own, often higher, thresholds below which they don't bother to respond.

        Not to mention that the undocumented a

        • Indeed, it apparently doesn't matter today, as people apparently post their crimes on social media and even livestream them.

          It especially doesn't matter in California, where many former felonies have been redefined down to misdemeanors, crooks can't be arrested, only cited, if they steal less than a threshold (I think it's $950)

          That might be - as I'm not in California, but my point is that anyone who thinks a phone is in any way secure is pretty dumb.

    • Try GrapheneOS on a Google Pixel.

  • Law enforcement needs to actually have your phone, and hope there's a zero-day exploit for the underlying OS. In other breaking news, water is wet.
  • thanks for publishing this to the general public, now the bad guys know it too and you know what they are going to use it for
  • by ytene ( 4376651 ) on Saturday January 23, 2021 @03:21PM (#60983032)
    From the article:

    “It just really shocked me, because I came into this project thinking that these phones are really protecting user data well,” says Johns Hopkins cryptographer Matthew Green, who oversaw the research. “Now I’ve come out of the project thinking almost nothing is protected as much as it could be. So why do we need a backdoor for law enforcement when the protections that these phones actually offer are so bad?”

    One possible answer... Because if dumb criminals believe the hype - believe that particularly "soft" devices are somehow secure, they won't be concerned about using that technology whilst committing crime. Which means that it becomes easier for federal and local agencies to crack the devices and get access to supposedly confidential data.

    During the Iraqi Invasion of Kuwait before what became the First Gulf War, well after Iraq had forces at large inside Kuwait, the US government made a public comment that they were concerned that they had "just discovered" that there was a consignment of "high security" communications units in a warehouse somewhere in Kuwait... and the US military were concerned that because this technology was "uncrackable", the Iraqi forces might capture and then use it.

    After the war ended, there was scuttlebut [I never did see an actual confirmation] that this entire story was a ruse - and that the "secure communications equipment" in Kuwait city had actually been planted there by US Special Forces, with the specific intention of allowing it to fall into Iraqi hands, in the hope they would be stupid enough to use it. All the devices were not only easily penetrated by US SigInt, they had built-in GPS location/senders and a bunch of other stuff to make them particularly helpful to the allies. The thinking was that if the Iraqis took the bait, they would distribute the handsets among commanders and senior staff and use them for passing orders or communications - which meant that the US could listen in to all of it.

    This constant bleating by law enforcement just doesn't stand up to scrutiny when we learn that frikkin *schools* are buying phone-cracking technology to spy on students [techdirt.com]. It just doesn't stand reasonable scrutiny to believe that law enforcement can't crack any phone they wan't in a matter of hours.

    It's also worth bearing in mind that competent investigators are unlikely to need access to the contents of a phone at all. They're much more interested in the meta-data: contacts, dates, times and duration of calls; the relationship between receiving and propagating messages, that sort of thing. Fantastic and fairly well-known example of how to apply meta-data techniques can be found here. [kieranhealy.org].
    • Given Google discovered really hard flaws in Intels processors, it has to be intentional that sensitive cache is inadequately protected, or that forensic firms with a few logic analyzers found the factory bypass protocols and codes, besides the leaks in the countries who actually made the devices. If High school kiddies are getting in, then someone is not credible. Now if only this knowledge caused the reputational damage equal to what is known (and not CVE'ed) in a timely manner.
      • by ytene ( 4376651 )
        Just to clarify, my comment about phone security being defeated in schools was not meant to imply this was being achieved by students. As the link shows, school districts are now buying technology to let them defeat phone security.

        The original story didn’t go in to much in the way of detail, but there are implications reported elsewhere that schools are using them either to investigate complaints of student misconduct (the benefit-of-the-doubt answer) or to find evidence of something the school cou
  • Yes, backdoors... a feature, not a bug

  • Comment removed based on user account deletion
    • Comment removed based on user account deletion
    • This it the main problem foreigners of the entire planet have with Germans.

      They *obsess* over rule obedience. Completely regardless of right and wrong, harm and good.
      They are the type of people who as pedestrians stand at a crossing on a perfectly straight road with no car literally as far as the eye can see, at 3AM, and will scold you for crossing it. "Because it is dangerous!" "You're a bad example for our kids!" ... Yeah... Thinking for yourself.. What a horrible example I am! --.--
      And this literally hap

      • by djp2204 ( 713741 )
        I remember a thread was posted here last year about a group of Europeans starting to develop an EU-centric cloud to compete with Azure/AWS/Google/etc. Where did they start? Not with performance, features, architecture, etc but RULES!!! Sometime in 2045 they will have it up and running.
        • I remember a thread was posted here last year about a group of Europeans starting to develop an EU-centric cloud to compete with Azure/AWS/Google/etc. Where did they start? Not with performance, features, architecture, etc but RULES!!! Sometime in 2045 they will have it up and running.

          The EU does not develop - it waits from someone else to develop, then fines them.

      • Comment removed based on user account deletion
    • by gweihir ( 88907 )

      Cops generally have a rigid world-view ("the law must be obeyed") and no understanding how things actually work or what their real role is. There are some exceptions to this rule, but people with some real insight into reality generally do not go into law enforcement. Hence the reach of law enforcement must be carefully limited otherwise society devolves. Limiting what laws regulate is also a good idea, but since the general public does not get it, hard to do.

      • Law enforcement completely destroyed their arguments this year. You can't claim the law is the law and there's no choice but to enforce it while explicitly declaring their refusal to enforce or obey mask laws and gun laws.
  • While I doubt that Apple and Google introduced this intentionally, it is no accident that the weakness is still there.

    Cell phone manufacturer to customers "Your data is private"

    Cell phone manufacturer to LEOs "no, it's not"

    If you don't believe this, re-read the original post.

    "Cryptographers at Johns Hopkins University used publicly available documentation from Apple and Google"
    • This research could at least put some pressure on them to make keys more properly guarded - by hardware protection.

      • Nobody gives up their phone, email service, social media account, web browser, or search engine because they are being monetized and manipulated so why would they care about this? Most people currently are not targeted (obviously) by law enforcement so why should they care in concrete terms?
  • +++ Including keys stored on the same system as the encrypted text, just like with DRM. +++ News at 11! +++

  • In a western country with some idea of civil rights, a LEO will get a court order and ship your device off to a lab. They will image the phone, load it into a virtual machine, and brute force it until it unlocks. If the image self destructs, they will reload it and continue. A more likely scenario is that they will get metadata and investigative information from the phone company and their own observations (surveillance is a thing!) and use that to talk you into a confession of a crime.

    In a dictatorial coun
  • Governments can pretty much cut off & destroy a company with goofy regulations if they don't get their way. I'm sure there are already back doors in MOST of the devices anyway. Anyone thinking they have privacy these days must live off the grid on an island somewhere.
    • by gweihir ( 88907 )

      I have privacy: Phones in a metal box or battery removed, computer off, doors closed.
      Or at least nobody that can still get in under those circumstances admits it.

    • by mi ( 197448 )

      I'm sure there are already back doors in MOST of the devices anyway

      They wouldn't be bothering to shut down Parler [slashdot.org] and Telegram [firstpost.com], if this were true.

      It may be heading in that direction, but we're not there yet...

  • That is basically asking for it. Sure, if smartphones where a mature technology with very high security assurances, things would be different. But they are not.

  • Contacts (They can get your call history from your provider) SMS and Voice ? NSA probably already has it Browsing history ? Google has it somewhere. Emails ? Same I guess they want your SELFIES !
  • Just the other day had noticed in a change history Google is allowing apps to access keychain before the device is even unlocked.

    Selling insanity as a new feature, can't ask for anything better than that.

  • So, do they or don't they or is this all just speculation?

The 11 is for people with the pride of a 10 and the pocketbook of an 8. -- R.B. Greenberg [referring to PDPs?]

Working...