UK Police Circumventing Cellphone Encryption By 'Mugging' Suspects While Their Phones Are Unlocked
from the snatch-and-grab dept
UK police are experimenting with a new brute force technique to defeat cellphone encryption:
Undercover surveillance officers trailed Yew and waited for him to unlock his phone to make a call – thereby disabling the encryption.
One officer then rushed in to seize the phone from Yew’s hand – just as would happen in a criminal mugging. As his colleagues restrained the suspect, the officer continually “swiped” through the phone’s screens to prevent it from locking before they had downloaded its data.
So, it’s come to this: lawful mugging. Still, it’s not a terrible solution to the problem. Sometimes the best methods are lo-tech, as anyone swinging a $5 Password Acquisition Tool can tell you.
This method will work in the UK. It may not in the US. UK law enforcement would likely find compelling a suspect to unlock a device a long and possibly fruitless endeavor, but there’s no Riley decision standing in the way of seizing/searching phones on the hoof (as it were).
Courts here in the US have interpreted the Supreme Court’s Riley decision in diverse ways, but a motion to suppress evidence might succeed if US law enforcement began engaging in this novel form of encryption circumvention. In one case, a judge found that simply opening a flip phone constituted a search under Riley. Keeping a phone “alive” until evidence can be retrieved from it might run afoul of the Fourth Amendment, even if the seizure itself is completely lawful.
It’s still a better idea than making encryption backdoors mandatory or requiring device manufacturers to make a second set of keys for the government. The solution isn’t elegant but it works. And it will only work in certain circumstances, so there’s not much potential for abuse. It might encourage rougher arrests than usual, if only to separate the cellphone from the suspect, but the small number of arrests where this process would work shouldn’t result in a sharp uptick in excessive force deployment.
This is a technique US law enforcement should definitely look into. While I’m sure most agencies would prefer a precedential court decision compelling decryption or a legislative mandate, this alternative would allow police officers to end up with fewer inaccessible phones.
There are other benefits as well — some that could positively affect community relations. The arrest of a suspect in conjunction with the seizure of potential evidence could make related searches far less destructive. With the suspect out of the way, searches of homes/places of business wouldn’t necessitate a barrage of flashbang grenades and the tearing of new entryholes by predawn raiding parties in SWAT gear. Sure, this less violent approach to serving search warrants won’t appeal to officers who find the real military too restrictive but still harbor a desire to carry a gun and pretend they’re participants in a war. But that’s actually a good thing.
In addition, arrests of suspects out in the open should lower the chance of violent resistance. People tend to expect the arrival of police officers at their residence — not so much when they’re going about their daily, noncriminal business.
If efforts to keep seized phones alive until a search warrant arrives (or: novel idea — get one first!) adhere to the Riley decision, the “going dark” problem isn’t quite as all-encompassing as it’s frequently been portrayed. (Even without this method, the “threat” of phone encryption has been greatly overstated.) It’s tough to believe “mugging” might be the lesser of law enforcement’s desired anti-encryption evils, but that’s the reality of the situation.
Filed Under: encryption, mugging, police, uk
Comments on “UK Police Circumventing Cellphone Encryption By 'Mugging' Suspects While Their Phones Are Unlocked”
GREAT IDEA!
This is GREAT idea!
I want to be the first person to patent (I know, evil word here) a bluetooth device that locks the phone automatically when the phone is moved more than X feet from the device.
Problem solved. Police come… grab your phone, it locks automatically as you are moved away!
Also, a new feature on the phone – the phone can no longer be unlocked by a fingerprint, but the finger must remain on the phone for it to remain unlocked.
Inconvenient, but enough of those measures start appearing and the legal mugging becomes mute.
Re: GREAT IDEA!
And I will patent an app that locks the phone when a sudden acceleration is detected.
Re: Re: GREAT IDEA!
too late, there is prior art
https://play.google.com/store/apps/details?id=net.syntaxblitz.plucklock
“The application will run in the background, constantly monitoring the accelerometer to determine if the phone has been taken from your hand.”
Re: Re: Re: GREAT IDEA!
Well I now have PluckLock on my phone. Thanks!
Re: Re: GREAT IDEA!
That’s a good idea; it works for locking the phone when you drive away too, so can be touted as a vehicle safety feature.
Re: Re: GREAT IDEA!
Or, a basic “opposite of lift to talk” setting – if the phone departs from vertical by more than 45 degrees sideways or backward, it locks.
Re: Re: Re: GREAT IDEA!
Or locks after 10 seconds during phone calls after connected, so when you finish the call and want to use an app, you must unlock it.
Re: GREAT IDEA!
No need for that. Just make a button/pressure switch on the side of the phone, in a place where the user’s fingers would normally be while holding the phone. This button needs to be depressed to unlock the phone, and needs to remain pressed to use it. Take your finger off the button and the phone instantly locks itself.
Re: GREAT IDEA!
There are actually already apps to handle this situation. Solution I like was one that watched the sensors on the phone to detect a sudden acceleration, like when phone is snatched from you, and it locks the phone.
Pretty sure the idea was to stop those annoying friends that snatch your phone to read your latest text, but it would work just as well in this case.
Re: Re: GREAT IDEA!
We’ve come to that point in that old adage where you live long enough to see yourself become the villain. The line has been crossed.
Re: Re:
It was a Dark Knight when that happened.
So this conversation is now reallity:
– Heeey friend from another country. Did you hear? A police man just took someones phone while his friends held the guy back.
– Oh…. what has the world come to? That is pretty terrib…
– Terrific? Yes! Now they don’t have to destroy everyones digital security and our whole online infrastructure.
This is indeed a sad day when we find positive things in socalled “lawful mugging”. That silver lining is starting to look very thin.
Re: So this conversation is now reallity:
Why is this activity lawful?
None of this will stop until the police are treated as what they are – a criminal conspiracy.
Re: So this conversation is now reallity:
This.
Good point. Still disturbing, but a good point.
Re: Re: So this conversation is now reallity:
What I imagine is that cops will feel yet another need to unload a firearm at you if they think you are depressing the power button.
Lets look at what software alterations could do:
The phone automatically locks itself at the end of any phone call. Police snatch my phone while I’m on a call. The person I’m talking to thinks it’s a mugging and hangs up to call the police. Since the call ended, the phone is now locked.
Maybe a voice command to lock the phone. Call it an anti-mugging feature and have the voice command also dial 911 (or whatever your countries emergency services number is)
Or the phone has multiple levels of how locked it is. For example, there is very little data on the phone that I need to start a call. Once the call is connected, that data isn’t useful so can be locked away.
I don't see a problem with this, with a warrant
I don’t see any problem with this, when the police have an arrest warrant and a search warrant.
It could even be a regular part of an arrest warrant, if the investigators have probable cause that specific evidence related to the activity for which the warrant is issued is on the phone.
But this sounds as if the police are arresting someone in order to do a fishing expedition on everything the phone can access. They want not just the phone and text history, but unfettered access to all online accounts.
Re: I don't see a problem with this, with a warrant
The guy was already under investigation, likely they would have got a warrant. That seems wholly reasonable to me.
Re: Re: I don't see a problem with this, with a warrant
But is it necessary? This is the UK. If you unlock your phone in a public space, don’t they already have your password on several cameras?
Re: Re: Re: I don't see a problem with this, with a warrant
You’re assuming that security cameras have enough resolution to be able to record someone tipping a password on a tiny screen.
Re: I don't see a problem with this, with a warrant
I think its a bad idea. Dont the cops have to ID themselves? Screaming “we’re the cops” as they attach you will lead to a cop being killed. I would consider that as self defense for the perp.
Re: Re: I don't see a problem with this, with a warrant
Dont the cops have to ID themselves? Screaming "we’re the cops" as they attach you will lead to a cop being killed. I would consider that as self defense for the perp.
Probably not a problem in the (unarmed – even the police) UK where this happened.
Perhaps a big issue in the (armed to the teeth) US.
Re: I don't see a problem with this, with a warrant
This has already happened before; it’s how they got Ross Ulbrict, aka Dread Pirate Roberts. He was in a library with his laptop, a couple of federal agents made a huge racket that distracted him, and while he wasn’t looking another agent grabbed his laptop out of his hands.
Mabye...
“So, it’s come to this: lawful mugging. Still, it’s not a terrible solution to the problem.”
I don’t know about UK law, but what is up with the rhetoric?
Without exception, any seizure of property by government authority IS ALWAYS lawful mugging. But since it is lawful, we usually like to call it something else.
Here in America this is constitutional, so long as said officer has a warrant to do so. Any attempt to seize property outside of a warrant will remain unconstitutional regardless of how creative they try to get with fuzzy logic.
Re: Mabye...
It is lawful by definition only. It is still mugging, when you take into account, how many of those warrants are being obtained: Be a cop, go to the judge of your liking and the judge will just sign it without even reading. That’s probably not what the lawmaker intended.
So, instead of telling the police to do their legwork and to do their job properly, we are celebrating that now they are “legally mugging” people instead of wanting to break our encryption?
Shame on you.
Sorry, but I find nothing to celebrate in this. The “but they are going to break our encryption if they don’t do that”, doesn’t work on me.
In the end, it’s the same excuse as “if we don’t break your encryption, terrorists are going to break our country”, just that applied in a different way.
Btw, I guess that people will come up with solutions to that fast enough.
And it just would be an anti-theft measure, btw. I guess that criminals do that already (stealing your phone while you’re using it, then keeping it live so that it can’t get locked).
And if they don’t do it, they will learn from this to do the same, particularly now that phones are being used to pay shit and that.
Btw, this puts you at risk of being accused of resistance to authority. If I get caught by surprise by someone I think it’s mugging me, first thing I will do is resist with any means I have at hand, because I don’t fucking know who was the one who attacked me.
Until they identify themselves, at least.
And I guess that they are going to use this technique by default, whether they have a warrant or not.
And yet, you’re celebrating this…
Re: Re:
Conceptually, it’s not that different from how UK police would conduct a drugs bust; gather evidence that gives reasonable suspicion, get a warrant on said evidence, rock up at 5am when everyone’s in bed, loudly declare yourself to be police as you break the door down, then detain everyone before they have a chance to flush the gear down the toilet.
Re: Re:
Until they identify themselves, at least.
No
"Until they identify themselves to your satisfaction"
which is a much higher hurdle to get over.
Nothing wrong with this
As long as they get a warrant this is no different than other forms of raids and defeats encryption without backdoors.
Win win.
This is better than most tactics but I can easily see this being abused against the regular citizen. Mug first under ‘reasonable suspicion’, ask afterwards. I’m installing those motion apps for sure.
Well, it has the benefit of the suspect knowing that their device has been searched, anyway. And it can’t be used to decrypt phones en masse – the police have to carefully plan the operation and it takes actual manpower. And it’s probably safer for the cops to not try to arrest someone in his own home – when he’s distracted by his own phone would seem like a good time.
Riley wouldn’t be a problem if the police got a warrant for the phone beforehand, right? They should be doing that anyway, if they have actual reason to believe the phone is evidence. (As opposed to just taking the phone because it *might* have evidence.)
On the other hand, it’s probably a little more dangerous for the general public if the guy resists. And I’m not sure we should train the public that a bunch of plainclothes people mobbing a guy and taking his phone is typical police behavior, unless you want a sudden rash of violent phone-theft.
Aren’t Law Enforcement (at the very least) borderline organized crime as it is? Why should we expect petty theft to be exempt?
Better yet...
Someone make an app that wipes the phone when a certain finger’s fingerprint is used to “unlock” it instead of the normal one – say the left ring finger or pinky. If you want to try to avoid charges of destruction of evidence, make it only wipe certain records/contacts/logs instead of all of them.
Or you could make an app that geo-locates the phone itself and auto wipes when it is taken into certain locations like police stations.
Or make one that unlocks into a shell UI loaded with fake information – call logs to elected officials with their contact information, contacts for local VIPs and prostitutes, location tracking information for Topeka Kansas instead of locally, fun stuff like that.
Maybe one that executes on verbal command – “Siri – wipe!” 😀
Personally, I’ll just try to avoid breaking the law, but since that’s pretty impossible in the current surveillance/selective prosecution culture we have, it would be nice to have some level of privacy protection.
Use siri without unlocking to make the call.
Re: Re:
If you’re describing how to maintain your privacy, the instruction “Use Siri” should play no part in it.
Re: Re: Siri
Eh. I don’t use Siri. Or Cortana. Or the cloud. Or Facebook or Twitter. Location services off.
Doesn’t mean jack as long as I keep carrying around my own personal tracking device, but I try to minimize my exposure while realizing that it’s ultimately pointless.
Re: Re: Re:
If you want absolute privacy you should have no phone at all, but the idea is not to let whoever is taking you to have easy access to your data, to access siri’s data surely a warrant or a subpoena will be needed. Also you’ll be using it to make a single call whose number can easily be obtained even if you used a nokia.
How about 'NO'?
It’s tough to believe "mugging" might be the lesser of law enforcement’s desired anti-encryption evils, but that’s the reality of the situation.
Which is kinda like saying "Sure they could have shot you dead, but instead they only broke your leg, so progress!"
If they can’t force someone to unlock a device through legal means, then the correct response is not ‘Well have you tried mugging them?’, it’s ‘Too bad, guess you don’t get everything you want, now back to actually doing your job rather than expecting everyone else to do it for you.’
Their actions here are wrong, that it’s slightly better to have the cops mugging people rather than breaking encryption wholesale doesn’t make it any better.
At least in the United States, I think people arguing that physically taking a temporarily unprotected device = mugging misunderstand what rights they have and don’t have. You have a right to be free of unreasonable searches not supported by probable cause. In many, if not most circumstances, that will also require a search warrant. Once a search warrant is obtained, you lose the right to withhold physical access. The point of encryption is that it often implicates another right: the right against self-incrimination. Yes, you know the passcode and, arguably, compelling you to give it up is a requirement that you incriminate yourself. Whether that is true or not is an argument well worth having, but that is not the issue here. The issue here is whether steps you have taken to assure that you will have the ability to invoke that right have to be scrupulously honored, even when you have voluntarily, albeit unwittingly, surrendered them. Unfortunately, I do not think this is a battle that the “mugging” advocates are going to win. You’re really arguing about whether search warrants should be allowed and, if so, should even relatively minor levels of force be allowed in their execution. That’s not a strong position to start from and it’s worse when you consider the level of force routinely authorized for the execution of search warrants.
Re: Re:
Correct
Again with putting an emphasis on when police/government does it calling it lawful or routine in these types of articles.
Even if it is meant as satire just feels wrong to call it that.
Why not just call it a criminal act instead of putting the word “lawful” in front of it.
Been bothering me to see this lately. Almost legitamizes the act by not calling it for what it is. A crime.
This method will work in the UK. It may not in the US.
Why not?
If it does happen in the US, do you realistically expect the cops involved to be punished for it?
UK police committing crimes. Water is wet.
This is already legal in the US
They already did this when they arrested Ross Ulbricht (Dread Pirate Roberts)
http://arstechnica.com/tech-policy/2015/05/sunk-how-ross-ulbricht-ended-up-in-prison-for-life/
Already solved..
Plucklock:
https://f-droid.org/repository/browse/?fdfilter=plucklock&fdid=net.syntaxblitz.plucklock
has been around for years.. So this problem is solveed already.. People just need to protect themselves.