Government Report Reveals Its Favorite Way to Hack iPhones, Without Backdoors - VICE

Government Report Reveals Its Favorite Way to Hack iPhones, Without Backdoors - VICE

Government Report Reveals Its Favorite Way to Hack iPhones, Without Backdoors - VICE

Posted: 28 Jan 2020 06:23 AM PST

The US government is once again reviving its campaign against strong encryption, demanding that tech companies build backdoors into smartphones and give law enforcement easy, universal access to the data inside them.

At least two companies that sell phone-cracking tools to agencies like the FBI have proven they can defeat encryption and security measures on some of the most advanced phones on the market. And a series of recent tests conducted by the National Institute of Standards and Technology (NIST) reveal that, while there remain a number of blind spots, the purveyors of these tools have become experts at reverse engineering smartphones in order to extract troves of information off the devices and the apps installed on them.

Asked whether the NIST test results have any bearing on the public debate about backdoors for police, Barbara Guttman, who oversees the Computer Forensic Tool Testing program for NIST told Motherboard, "None at all."

"This is a completely different question. That's a policy question," she said, adding that NIST's only purpose is to ensure that "If you're acquiring the phone [data], you should acquire it correctly."

But the demonstrated ability of phone cracking tools to break into and extract data from the latest phones is further proof that the government is perfectly capable of getting into terrorists' devices, Andres Arrieta, the director of consumer privacy engineering at the Electronic Frontier Foundation, told Motherboard.

"When it comes to the capabilities from law enforcement, I think these documents show they're quite capable," he said. "In the San Bernardino case, they claimed they didn't have the capabilities and they made a big circus out of it, and it turned out they did. They've proven consistently that they have the tools."

The never-ending public debate over smartphone security has focused on backdoors for law enforcement to bypass device encryption—and more recently, Apple features that erase all data after 10 failed password attempts or block data extraction through lightning ports. But accessing a phone is only part of the battle; once inside, digital forensic investigators have to understand the complicated data structures they find and translate them into a format that meets the high accuracy standards for evidence, using acquisition tools from companies like Cellebrite, Grayshift, and MSAB.

1580221279355-Screen-Shot-2020-01-28-at-92025-AM

Results from an NIST test of Cellebrite found that it largely works as expected.

In a series of reports published over the last year, NIST's Computer Forensic Tool Testing program documented how well the latest tools perform that task on dozens of different smartphones and apps. The tests paint a picture of an industry trying to keep pace with the constantly changing smartphones and social media landscape—with mixed results.

"Let's say you can get into the phone, you can defeat the encryption. Now you have a blob of ones and zeros," Bob Osgood, a veteran FBI agent who is now the director of digital forensics at George Mason University, told Motherboard. Smartphones contain millions of lines of code, the structures of which differ between every device and can change with every OS or app update. Cracking a phone's encryption doesn't necessarily mean an investigator can access the code on it, including deleted and hidden files, hence the need for the tools tested by NIST. "In the digital forensics world, the state of complete Nirvana is to get a complete image of the phone," Osgood said. "The amount of technical know-how it takes to actually do this stuff—reverse engineer, beat the encryption, get data itself—is massive. There are a million moving targets."

Take Cellebrite, the Israeli company whose Universal Forensic Extraction Device (UFED) is a favorite of police departments and the FBI. In June, the company announced that its new premium tool could crack the encryption on any iOS device and many top-end Androids—a major win for law enforcement agencies that had been complaining about built-in encryption.

The company's current UFED 4PC software is then capable of accurately extracting the vast majority of important device information—GPS data, messages, call logs, contacts—from an iPhone X and most previous models, according to a NIST test from April. It was able to partially extract data from Twitter, LinkedIn, Instagram, Pinterest, and Snapchat as well. NIST did not test the extraction ability for other apps, like Signal.

UFED 4PC could not extract email data from newer iPhone models, but police can gain access to cloud email services like Gmail with a warrant.

1580221360612-Screen-Shot-2020-01-28-at-92226-AM

Results from Cellebrite on Android phones

Cellebrite was less successful with phones running Android and other operating systems, though. The UFED tool was unable to properly extract any social media, internet browsing, or GPS data from devices like the Google Pixel 2 and Samsung Galaxy S9 or messages and call logs from the Ellipsis 8 and Galaxy Tab S2 tablets. It got absolutely nothing from Huawei's P20 Pro phone.

"Some of the newer operating systems are harder to get data from than others. I think a lot of these [phone] companies are just trying to make it harder for law enforcement to get data from these phones ... under the guise of consumer privacy," Detective Rex Kiser, who conducts digital forensic examinations for the Fort Worth Police Department, told Motherboard. "Right now, we're getting into iPhones. A year ago we couldn't get into iPhones, but we could get into all the Androids. Now we can't get into a lot of the Androids."

Cellebrite, which did not respond to requests for comment, frequently updates its products to address the failures discovered in testing and in the field, experts said, so the weaknesses NIST identified may no longer exist. Previous NIST testing data, though, shows that many blindspots can last for years.

It is important to note that just because a cracking tool can't successfully extract data doesn't mean a forensic investigator can't eventually get to it. The process just becomes much longer, and requires significant expertise.

Kiser said that Cellebrite is currently the industry leader for most devices. The exception is iPhones, where Grayshift, an Atlanta-based company that counts an ex-Apple security engineer among its top staff, has taken the lead.

Like Cellebrite, Grayshift claims that its GrayKey tool—which it sells to police for between $15,000 and $30,000—can also crack the encryption on any iPhone. And once inside, NIST test results show that GrayKey can completely extract every piece of data off an iPhone X, with the exception of Pinterest data, where the tool achieved partial extraction.

Grayshift did not respond to a request for comment.

Other products, like Virginia-based Paraben's E3:DS or Swedish MSAB's XRY displayed weaknesses in acquiring social media, internet browsing, and GPS data for several phones. Some of those tests, though, are older than the recent results for Cellebrite and Grayshift.

In the NIST tests, both Cellebrite and Grayshift devices were able to extract nearly all the data from an iPhone 7—one of the phones used by the Pensacola naval air station shooter. That incident prompted the Department of Justice's latest call for phone manufacturers to create encryption backdoors, despite ample evidence that hacking tools can break into the latest, most privacy conscious phones, like the iPhone 11 Pro Max.

"This whole thing with the new terrorists and [the FBI] can't get into their phones, that's complete BS," Jerry Grant, a private New York digital forensic examiner who uses Cellebrite tools, told Motherboard.

The Android 10 Privacy and Security Upgrades You Should Know About - WIRED

Posted: 22 Aug 2019 12:00 AM PDT

Google has long grappled with data privacy gaffes and internal instability, but through it all the company has consistently improved the security and privacy of Android. Given the operating system's 2.5 billion users, that's no small task. With the release of Android 10 in just a few weeks, the new iteration of data and privacy features is coming into even sharper focus.

The privacy and security tools new to Android 10—Google has finally ditched the dessert-themed names—aren't the most outwardly flashy. The Android team has focused instead on labor-intensive technical changes and upgrades that will have an outsized effect. And the improvements touch numerous parts of the system, from how it deploys encryption to how settings are organized and applications are quarantined from each other.

"I don't think security and privacy are a new theme just in Android 10," says Charmaine D'Silva, an Android product manager who works on privacy. "But when we thought about planning for the release we definitely thought that we should focus more on the space as we get more mature as a product."

Privacy Maze

What you'll notice most: Android 10's attempts to give you more control over your data. As an open source platform, Android can usually be implemented in whatever way manufacturers want, with few requirements about how the user interface looks or functions. But with Android 10, Google will mandate across all manufacturers that the Privacy and Location menus are in the same place in the Android Settings menu no matter what Android smartphone you're on. This way, users of any Android 10 device can always find these options in the same digital location, instead of navigating through confusing, unfamiliar menus.

Lily Hay Newman covers information security, digital privacy, and hacking for WIRED.

Android 10 introduces other requirements as well, like requiring that apps request permissions and re-check your choices more often for things like accessing your location. And Android 10 will similarly also introduce geofencing features where instead of just turning that type of location-tracking on or off, you can select an option where geofencing only works when an app is actively open on your screen.

Seeking to improve its stance on another controversial topic, Android 10 also incorporates new restrictions on an app's ability to access unchangeable device identifiers, like device serial numbers or other industry IDs. Instead, Google will now require developers to use resettable identifiers to keep track of users. That way, if these digital fingerprints are ever compromised, or if you want to wipe your digital slate clean, there's a mechanism to do that.

The topic is especially relevant thanks to increased awareness about user tracking for ad targeting, but the industry has been debating the threat of collecting permanent device identifiers for nearly a decade. Android has a changeable "Advertising ID" and Apple's iOS offers a similar "Identifier for Advertisers." Apple started requiring that advertisers use only the IDFA in 2013, and Google began mandating advertiser use of its AAID in 2014.

Now those measures are increasingly expanding outside of advertising. In Android 10, developers still have relatively persistent ID options—so you can't, say, claim a promotion in an app, delete the app, re-install it, and instantly claim it again—but the goal is to strike more of a balance between a developer's ability to keep track of users and a user's ability to take back some control. "We wanted to allow users to reset them when they don't want to be tracked," Android's D'Silva says.

Many changes in Android 10 highlight the tension between creating a platform to be as flexible and open as possible, while still upholding some security and privacy requirements. D'Silva emphasizes that the transition to resettable IDs involved extensive collaboration with manufacturers and developers. Similarly, Android 10 places new restrictions on apps' ability to move from running in the background to asserting themselves in the foreground for users. In the case of, say, an alarm clock app, developers will still have the option to alert you that an alarm is going off, but will no longer be able to take over the whole screen if you're doing something else. The goal is to reduce interruptions and, particularly, unexpected surprises. But for developers, such changes can feel like an erosion of Android's open source roots.
-

Comments

Post a Comment

Popular Posts

Harry Dunn's parents to meet Anne Sacoolas as immunity row continues - The Guardian

Image
Harry Dunn's parents to meet Anne Sacoolas as immunity row continues - The Guardian Harry Dunn's parents to meet Anne Sacoolas as immunity row continues - The Guardian Posted: 13 Oct 2019 06:58 AM PDT Anne Sacoolas, the wife of a US intelligence official who was involved in the road collision that killed 19-year-old Harry Dunn, has agreed to meet with his grieving parents and cooperate with a British police inquiry. But amid continuing questions over her right to diplomatic immunity, it is not clear if she will return to the UK to fulfil a promise to answer police questions about her role in the car crash. The reversal of position on a meeting appears to have come after lawyers specialising in diplomatic immunity started to advise Dunn's parents last week, leading them to say they would pursue Sacoolas in the US courts for a civil claim. Mark Stephens, one of the legal specialists advising the parents, told the Guar...
Read more

Top 100 cool tech gadgets you can't miss - Queensland Times

Image
Top 100 cool tech gadgets you can't miss - Queensland Times Top 100 cool tech gadgets you can't miss - Queensland Times Posted: 21 Nov 2020 08:22 PM PST From 5G smartphones and next-gen consoles to gadgets designed to listen to your heart, straighten your hair, light up in your hand, capture your memories and keep you connected, technology is playing a bigger role in our lives than ever this year. Analysts say the trend is likely to continue under the Christmas tree with a bumper list of shiny new devices launched mere weeks before the big day, and some so popular they are selling out in record time (good luck, PlayStation 5 buyers). To take the pain out of finding the best devices for your friends, family and yourself, we've rounded up the top 100 tech gifts to add to your cart in 2020, ranging from what you'll need in 2021 to gadgets that will just make life a bit more entertaining. SMARTPHONES SAMSUNG GALAX...
Read more

VPN browser extensions: Why you shouldn't use then - Tech Advisor

VPN browser extensions: Why you shouldn't use then - Tech Advisor VPN browser extensions: Why you shouldn't use then - Tech Advisor Google Fi calls between Android subscribers will soon be end-to-end encrypted - 9to5Google How to encrypt your computer (and why you should) - Mashable How to encrypt and decrypt a folder on Android with SSE Universal Encryption - TechRepublic 4 ways to send encrypted messages on Android - TechRepublic WhatsApp “end-to-end encrypted” messages aren’t that private after all - Ars Technica ciphertext feedback (CFB) - TechTarget What Is the Windows Encrypting File System (EFS) and How Do You Enable or Disable It? - MUO - MakeUseOf Encrypting your online life is important - Telangana Today Keeper Password Manager Review – Forbes Advisor - Forbes [Update: Screenshot] Google Messages preparing end-to-end encryption for RCS messages - 9to5Google T...
Read more