Police Utilizing Private Companies, Exploits To Access Data From Suspects' Smartphones
from the brute-force-attacks-that-don't-involve-SWAT-members,-battering-rams dept
Law enforcement agencies really want to see your phone’s contents. I mean, they really want to. Martin Kaste at NPR has a story on law enforcement and smartphones which contains the following quote from a Rolf Norton, a Seattle homicide detective.
“I’m thinking there’s probably a wealth of information that just got tucked into your pocket,” Norton says. “Something that we’d like to get our hands on.”
Easy for law enforcement officers to say, but today’s phones have more in common with a personal computer than they do with, say, the contents of someone’s pants pockets, as the state of Texas memorably argued.
The courts have offered mixed opinions as to whether a warrant is needed to view the contents of someone’s phone. This lack of a “bright line” is increasingly problematic as smartphones have become a convenient, pocket-sized data center that can reveal plenty of information that wouldn’t normally be accessible without a warrant.
The NPR story deals only with access granted by warrants, but it does lead off with another Detective Norton quote which points out how officers will attempt to separate the ignorant from their (possibly incriminating) evidence.
Once he’s seized a phone, Norton says, he often has to return to the owner to ask for help.
“Maybe you’ve established a rapport and you’re getting along with this person,” Norton says. “We’ll reach out to that person and say, ‘Hey, your phone’s locked. We’d like to inspect it. We’ll probably be getting a warrant. Would you give us your password?’ “
Refusing to hand over a password shouldn’t seem to be a problem, but like the issue listed above, the courts have been unclear as to whether the Fifth Amendment’s protections against self-incrimination extends to passwords. This could lead to obstruction charges or contempt of court for the phone’s owner.
Just getting a warrant doesn’t necessarily make everything OK, either. There’s a ton of non-relevant data on any given smartphone, all of which can easily be accessed once the phone is unlocked. Narrowly-written warrants that set limits on what officers can and can’t look at are a partial solution, but one that few law enforcement agencies are likely to follow.
Blindly diving into the contents of someone’s smartphone exposes a whole lot of information, and if officers aren’t exactly sure where this incriminating data is located, they’ll probe around until they can find it. Armed with just enough “belief and information” to be dangerous, they’ll easily be able to make the case that all contents are “relevant” until proven otherwise. This obviously raises privacy concerns, but again, there’s no specific protection in place for these contents, which some courts have argued contain no “expectation of privacy” thanks to constant “checkins” with third party providers and services.
Not that the lack of a warrant or permission will necessarily prevent the phone from being searched. (That “problem” can always be dealt with later in the courtroom…)
Companies such as Guidance Software and Cellebrite sell products to law enforcement that “image” smartphones. The products can pull data off in bulk for use as evidence. BrickHouse Security in New York sells products like this for iPhone and Android. CEO Todd Morris says the handset manufacturers don’t support this, so it’s a constant effort to keep the forensic software up to date.
As Morris notes, cellphone companies aren’t cooperating in providing back doors for law enforcement to access phones without warrants. So, like our very own NSA, these companies use exploits to crack phones for curious cops.
These phone-copying systems rely heavily on what hackers call “exploits,” or vulnerabilities in the phones’ operating systems that can be used to get around the password or encryption.
All in all, Apple’s phones are more secure than Android handsets. But either way, having to go through the warrant process can mean weeks to months of waiting (if the handset needs to be returned to the manufacturer) for the release of “rescued” data. (Courts have been more reluctant to force defendants to turn over passwords, seeing this as more of a clear Fifth Amendment violation.) Not surprisingly, this turnaround time is considered unacceptable, hence the arms race of private company vs. private company to gain (and maintain) control of a smartphone’s contents.
Even considering the oft-abused Third Party Doctrine, it would seem that a warrantless search of a smartphone would be a Fourth Amendment violation. There’s just too much information stored on the average smartphone to be compared to anything found on a person during a normal search. And, as a New York law student recently asked Supreme Court Justice Antonin Scalia, isn’t searching someone’s computer roughly equivalent to their “effects,” Fourth Amendment-wise? For all intents and purposes, a smartphone is a portable computer, loaded with a person’s “effects” and creating a time/date/location “event” every time it pings a cell tower.
Considering how much info can be gathered from a single smartphone, It’s little wonder law enforcement wants to peek at arrestees’ smartphones, but the courts need to do a bit of catching up to today’s cellphone realities. And there needs to be more attention paid to the fact that law enforcement agencies are partnering with private companies to crack phones, apparently without asking for a warrant first.
Filed Under: fifth amendment, fourth amendment, law enforcement, mobile phones, passwords, police
Comments on “Police Utilizing Private Companies, Exploits To Access Data From Suspects' Smartphones”
Using exploits to bypass access controls on someone else’s device? Doesn’t that open them up to liability under both the DMCA and the CFAA? 😉
Re: Re:
Two sets of rules and no accountability, what could possibly go wrong?
Re: Re:
i’ll just leave this ‘historical’ snippet right here:
Amendment IV
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
i simply CAN NOT fathom how ANYONE -judge, jury, kop, citizen- can interpret this in any other way but that phones (read: small computers) fall under the 4th as ‘papers and effects’…
IF they try to aver that silicon is not ‘paper’, then fuck them, that is bullshit…
i understand how they WANNA make all the exceptions in the world to snatch OUR shit; but they want NO sort of similar accountability for THEIR shit…
this ‘diode justice’ (only works one way) is going to be their downfall… stupid shits
Giving up a password may enable a much wider search than the phone, as logging in could enable dropbox, Google drive and like accounts. It may also enable SSH into an employees system. This is why the police want access to the phone, it can give the access to a wide swathe of a persons life held in other systems.
Re: Re:
“logging in could enable dropbox, Google drive and like accounts. It may also enable SSH into an employees system.”
This is only possible because people are idiots. If your phone automatically logs you into any third party services, automatically fills in any passwords for you, or if you’re using the same password for multiple services, then you’re counting on a locked screen door to keep the bad guys out of your house, whether those bad guys are cops, identity thieves, or crackers.
Don’t do that.
Re: Re: Re:
What’s the alternative, keeping the passwords written down on a piece of paper in your wallet, which would have the same end result.
Re: Re: Re: Re:
A piece of paper in your wallet does not have the same result. It’s MUCH better than using the same password for everything, especially if your password list is encoded so it’s not obvious that it’s a list of passwords (could look like a shopping list) and you don’t write down what each password goes to.
Also, a good technique is to use passwords that you can compute. For example, passwords for web site logins could be of the form <site initials><random characters>
What I do is use a password keeper app to store my password list in an encrypted file. That is unlocked by a passphrase that is not used for anything else. I use my brain to remember passwords I use frequently, so those don’t have to be recorded anywhere at all.
Re: Re: Re:2 Re:
Bad edit… the <random characters> part is the same for all websites, and is the only part you need to memorize.
Re: Re: Re: Re:
“… keeping the passwords written down on a piece of paper in your wallet, which would have the same end result.”
Not necessarily. As Mr. Fenderson said, passwords written on paper can be encoded or obfuscated, such that what’s written is not, by necessity, what gets inputed to a computer. Please note that I am being intentionally vague and not offering examples on purpose. Use your imagination. 😉
Re: Re:
Isn’t divulging your password a violation of the terms of service?
And IIRC, that can lead to jail time.
Rock .. meet hard place
Re: Re: Re:
Divulging the password to your phone is certainly not a TOS violation. It might be a violation for certain websites, but that’s not an incredibly common prohibition.
I still have a dumb phone for everyday out of the house. What is so important that you HAVE TO HAVE a smartphone for being out and about. Phone numbers? Write them on a piece of paper. And I’ve been in tech for a long time, so I’m not a Luddite. Since when did we trust police? Not in my lifetime.
Re: Re:
Just off the top of my head, Google Maps. That little app in and of itself was worth the purchase price of the phone and more a while back when I found myself lost in an unfamiliar city I was visiting and the cheapo GPS the rental car company gave me broke down, while I was on the freeway! It enabled me to get to my destination and then back to my hotel safely and on time.
Re: Re: Re:
A paper map is a good substitute, and does not suffer from flat batteries. It is also better for getting a good overview of the area that panning a map on a small screen.
Re: Re: Re: Re:
It may not suffer from flat batteries, but it does suffer from several other major design limitations:
* It doesn’t have a built-in database of addresses (you have to already know where you’re going to find out how to get there)
* It doesn’t have a routing algorithm (even if you know where you are and where you’re going, it’s up to you to figure out how to get from point A to point B)
* It tends to show roads and political boundaries, but not things you’d actually be interested in such as final destinations. (If I’m trying to get to a hotel, it’s a lot easier to remember the name of the hotel than its address.)
* Once it’s printed, it’s set in stone (as it were). It can’t receive updates, either regarding new roads and final destinations or current traffic conditions.
* It can’t read itself to you. This is particularly significant when you don’t have a passenger along.
In light of all this, there’s really no good reason not to use a GPS these days.
Re: Re: Re:2 Re:
Print out the relevant bits, and at relevant scale from Google maps or OpenStreetMaps, and have an up to date paper backup, lacking only traffic conditions. If all else fails, it is usually possible to ask directions.
And pray there are not two or three of the same name in different parts of the same town.
Re: Re: Re:3 Re:
“Print out the relevant bits, and at relevant scale from Google maps or OpenStreetMaps”
If you’re getting your maps electronically, why not also carry them electronically? Printing them out seems like wasted time, effort, and trees.
“pray there are not two or three of the same name in different parts of the same town.”
This is not a problem, actually. I’ve used three different mapping services, and they all have done the same thing about this: if I search for something that exists in multiple places, I am presented with a list of all the possible matches and their addresses. I just select the one that I want.
Re: Re: Re:4 Re:
Paper still beats computer screens for resolution, and can be easily taped together to give a reasonably detailed view of the area surrounding at least a days travel. Further a sheet of A4, or Letter, can show much more information than a phone screen. It is also a more reliable back-up than a phone, as unless a map is preloaded, lack of signal, or a very slow connection could render it useless. A phone size screen become difficult to use when you need to look at all roads in a thirty plus mile radius to spot the detour to a place less than 5 miles away when the direct route is blocked, or the ferry canceled. (The west coast of Scotland is famed for such detours.)
Re: Re: Re: Re:
“A paper map is a good substitute”
No, it’s not. A paper map is a substitute for sure, and better than nothing, but it is highly inferior to the electronic versions.
Re: Re:
Nobody HAS TO carry a smartphone. On the other hand, citizens should be ABLE to carry a smartphone, even without any security at all, without having to fear unreasonable searches of them by the cops.
If security is your concern, you don’t have to carry a dumb phone to have it (and a dumb phone doesn’t protect you against some of the worst surveillance activities). It is possible to carry and use a smartphone without leaving yourself wide open to these types of intrusions. It’s all a matter of where on the convenience/security scale you are the most comfortable.
Re: Re: Re:
I thought I was the only one around with common sense! Great comment
“…there’s no specific protection in place for these contents, which some courts have argued contain no “expectation of privacy” thanks to constant “checkins” with third party providers and services.”
The is no expectation of privacy for things I do inside my home with the doors locked, lights off and shades drawn because I do other things in public.
Anything I tell my bank is also public knowledge, including my PIN. Because they’re a third-party provider or service.
Re: Re:
Not to mention that not all smartphones do constant checkins with any third parties at all (outside of the cell phone system itself). Mine doesn’t.
Re: Re:
Wanted to respond to this particular comment also.
Just because the applications on my phone might “checkin” with third party providers/services, doesn’t mean that the data on the phone shouldn’t be protected.
The mentality of the courts on that particular thing is just… wrong.
Re: Re:
yeah. based on this, if I tell my husband where I’m going, apparently that means that I have given up my rights to NOT tell everyone?
uhm. no.
smh
And this is exactly why everyone should have remote encrypted backups and remote wipe enabled.
Modify the phone?
Couldn’t you just modify the phone, and connect the data and power pins to thwart any connection to one of these devices?
Then just get two batteries for power and alternate between them, using a separate charger.
How many imaging machines will the police lose to short circuiting before they stop trying?
Just a thought. Not legal advice.
Re: Modify the phone?
You would also have to permanently disable Wi-Fi and cell tower access, at which point it ceases to be a phone.
This isn't just happening in the US
And that’s why if you’re a journalist, or an activist, or anyone that the police or border guards in ANY country might take an entry, there is no way in hell you should have a smart phone.
Of course many people will stubbornly and foolishly insist that because they run XYZ on their smartphone they’re immune to this. Bullshit. These sniffing/dissection/decryption devices are already massively capable and they’re not going to get worse.
I thought was mentioned
I thought that at BORDER locations and 200 miles inland they had the ability to COPY your phone data, directly..
BUT, you may need to understand something about this..
GOT any MP3 data?? GOT a few movies for the kids to watch??
Internet connections that CONNECT to such data??
I HOPE you have you can SHOW you PAID for that..
Got a 8gig Card in your phone/pad/??? FULL of music and video?? Going into CANADA..? they can erase it..its part of our IMPORT clause..even tho they are in SAME AREA 1..
Can someone tell me how to get around this CONVOLUTED bunch of Garbage laws??
With the laws and regs the way they are…you COULD be staying in jail longer then Carrying DRUGS..
Re: I thought was mentioned
“BORDER locations and 200 miles inland”
That used to be called the constitution free zone, but they have since just said the constitution no longer applies to them and the entire universe is subject to their whims.
When are they going to begin construction on the death star?
Re: I thought was mentioned
Pull the card prior to hitting the border.
“All in all, Apple’s phones are more secure than Android handsets”
Please do not believe this is so. While I’ll grant because carriers refuse to update Android OS on phones that they do become vulnerable, I also truly feel that this is actually criminal negligence on the carrier’s part. A properly updated Android phone may in fact be more secure than an iPhone, in that releases do occur more frequently to the repo than developer releases on Apple.
All in all, if you really have something to hide, buy a Nexus and use the developer repo to constantly update for flaws is probably your best bet.
Re: Re:
sigh Secure in the context of the article is not in the way you think it means.
Instead it means that Android devices are easier to access using third party forensic tools than Apple devices.
Though this is true in some instances I can guarantee you that I have more ability and ease of access with iOS devices than with the multitude of Android ones out there, mainly since iOS (in all its versions) is actually the same so the same process can basically be used for all its iterations.
Android devices (and this includes Windows phones.. though Win Phones have there own peculiarities) is sometimes dependent on the situations a LOT harder to access, image and analyse. In fact if someone has rooted there phone (which is becoming more and more common actually with criminal cases) they are more likely to add some non standard Rom like CyanogenMod which then using some of the new framework structures and ‘root’ apps allows complete and absolute control over all low level parts of the phone (bluetooth, access of apps to networks and caching etc) plus the ability to instantly wipe cache’s (including Dalvik cache) plus encrypt the whole or parts of any SD card plus its own internal storage.
Basically if someone doesn’t want you to access your phone without a LOT of effort and full warrants to search for SPECIFIC things they can now make life a LOT harder for most forensic investigations.
Or do what some are now doing.. Don’t use smart phones, use dumb Chinese digital phones that just… you know… Ring!
Seems like someone would have created an app to reset the phone to factory specs. Something that you could run when a situation is near, and would then wait for a screen tap to act.
Re: Re:
or someone could create a service that allows someone to find their phone (to nearest 30metres), change passwords, and even remotely completely Wipe all the data on phone & on some phones allow taking of picture using front camera.
oh wait… they did on android.. Google themselves call it “Android Device manager” .It’s actually quite good.. though there are other services that allow full low level wipes on rooted phones that basically destroy ALL data (internal, ROM, and external) doing complete zero fill or even DoD 5220.22-M Standard sanitation.
Luckily for my professional sanity Apple devices don’t have this ability (yet???) using there “Find My iPhone” service.
Re: Re: Re:
The problem with your scenario is that it assumes I have access to a computer, the internet, and my super-secret-squirrel password.
I have nothing to hide (ha!) but should I ever be arrested, or even detained, I doubt I’ll be able to ask for a connection to my confiscated phone so I can spoliate whatever evidence might be there.
Were I paranoid, I’d likely root my phone and install a mod that executes different routines, based on my screen unlock code:
1234 gives me access as me
5678 gives me access to a subset suitable for a child or friend
2468 performs a “factory reset” such that the phone isn’t damaged, but I can reinstall my apps and backed-up data
9753 performs a 5220-level wipe, then triggers some hardware exploit that leads to a melted phone.
In fact, if such a mod were available, I’d pay for it. Just because it would be nice to have. In case, you know, I need to carry some Scentsy across town, or stand with my buttocks clenched the wrong way.
Re: Re: Re: Re:
hells yeah. and if you FIND such a program, please let us all know. I’d GLADLY pay for it.
I’m not doing anything wrong, but the constitution allows me to not have to PROVE i’m doing nothing wrong… And it seems we’ve forgotten it. and too many are concerned that a bad guy might go loose, that they are happily giving up the rights of the rest of us…
And frankly, even the so-called bad guy has constitutional rights.
smh
Whatever happened to innocent until proven guilty?
My hubbs was telling me tonight about some encryption program that would at least slow them down…
because, you know, civil rights.
And he has already been told that I’m not giving up my phone OR my password and should I ever be requested to, he should make sure to have bail money… because I WILL take it as far as I can….
Re: Re:
My phone has this out of the box. I’ll bet yours does too. Check your system settings options.
keep a nifty little folder marked private filled with nasty little virus’s
Re: Re:
Why not just name every folder “Correspondence with Lawyer” and then sue them for invading attorney-client privilege when they open it?
CHEAP
CHEAP-
PHONE, PAD and cell…USe SD cards and PULL them near any location that could do anything..
JUST dont load the cards unless you KNOW you are in private..
Panic password. The cop types it and the phone kicks in an empty shell or wipes all data on-the-fly.
cellphone please
I imagine there some nuts out there that would like laws requiring cellphones at all times, sort of like papers.
Rather than “papers please”, it will be “cellphone please”.
Good article until...
You said apple are more secure than android!
All your credibility gonenin one swoop! Don’t get me wrong, neither are secure but that statement is beyond belief!
Police and Your Cell Phone
Early in the AM last year a tow truck “hooked-up” my F-350 (paid for and worth $45K) and towed it out of my driveway which is right outside my daughter’s window. She alerted me, called 911 and [luckily] the perp with my truck were stopped about 1 mile from my house. The tow truck was clearly marked with a large and prominent tow company name and the driver was an employee obviously on a moonlight sortie for himself. The arresting officers took his cell phone, called with last number on the phone and then able to break-up a serious auto/truck theft operation. The perps went to jail and the State was able to prevail WITHOUT a great deal of time and taxpayer’s money PLUS many other potential victims were saved the pain and financial discomfort associated with these kinds of loses. In this case, the cell phone was no different than a weapon when used in connection with a crime. In my state, use of a firearm during the commission of a felony = mandatory jail time. True, cells phones are not weapons per se BUT can effectively act as one, for instance in remotely setting off IEDs . . . granted, a stretch; however, as long as other non-pertinent (to the particular crime) information is not seized and then used against the perp, I see seizing the cell phone as vital in crime scene investigation and the chain of evidence. The operating phrase here is “pertinent to the crime”.
Re: Police and Your Cell Phone
Accessing a phone that most likely had no password to unlock it and then accessing REDIAL is in no way unusual and would constitute probable cause in certain situations.. Also the phone you are referring to was most likely an older non-smart phone with actual buttons where the “redial” is prominent and is easy to access.
Accessing a phone that instead is password protected and accessing, imaging (exact copying), then analysing at leisure ALL the information whether it is relevant to an investigation, or worse still ‘evidence fishing’, is an entirely different ultra vires matter than what you have described above.
Its interestingt hat you refer to the chain of evidence since that chain has to use procedurally compliant rule sets that a court ultimately oversees, whereas again in the example of the article. That is non existent and would absolutely break any evidence chain or if not give one a reliability and probity problem whenever the evidence was used in a court.
Re: Police and Your Cell Phone
uhm. no. we do NOT give up the rights of ALL THE PEOPLE HERE NOW AND FOREVER TO COME on the one in a million chance they’ll break up a chop shop.
That’s LUDICROUS.
Otherwise, how about we also search you bodily when you walk out of walmart because you might be a shoplifter. Let’s run you thru an xray machine as you walk into the bank in case your carrying a weapon, unless you live in Texas, where you’d only be letting the yahoos with guns know who to take as hostage…
If they can’t ask the person CARRYING A SEMI-AUTOMATIC WEAPON INTO CHURCH if they have a LICENSE for that weapon then they sure as sam HELL are not getting hold of my phone…
end. of. story.
The only thing to say to a police officer
I have nothing to say until I speak to my attorney, and then I will have nothing to say!
At first blush, I’m tempted to say that the contents of a smartphone’s file system should be valid for search unless it’s locked, in which case it should be treated as a small locked container full up of papers.
However, after more consideration, it occurs to me that it is impossible to give someone safe, reliable access to another individual’s phone’s file system in an adversarial setting (such as a cop taking and examining a phone at an arrest) without also giving them access to that person’s networked information–Which I have a hard time coming up with a 1700’s analogue for. The documents stored at home in a safe? Maybe, but you can’t access those while walking. Your thoughts?
Good thing I’m not a supreme court justice.
Big brother is watching. Cameras on every street corner,spying on your emails,facebook cellphone,tracking your GPS.Get use to it or move out to the middle of nowhere.