FBI boss worried iOS 8 and Android security hinders crime investigators, researcher proves otherwise

FBI boss worried iOS 8 and Android security hinders crime investigators, researcher proves otherwise
As the words "smartphones", "security", and "encryption" are being tossed in one sentence more often than ever, the FBI worries that all these anti-poking-around-your-phone measures are going to hinder its efforts to protect the world. James Comey, head of the agency, told reporters that the FBI has been discussing the matter with Apple and Google. 

The former implemented a file encryption scheme in iOS 8 which sees nor the company, nor the FBI being able to access user information - at least in a reasonably quick matter of time. Google will introduce similarly tight encryption in the upcoming Android L Version. Both security systems are enabled by default, and they render both companies unable to comply with official requests by the police to provide user data for crime investigation purposes - and getting away with this legally. In the eyes of Comey, these measures "allow people to place themselves beyond the law".

Reflecting on iOS 8 encryption in his blog, forensics researcher Jonathan Zdziarski argues that its existence "does not mean that your data is beyond law enforcement's reach". Instead of being encrypted with hardware-embedded keys as per the norm, the keys are derived from the user's PIN number or their passcode. According to Zdziarski, brute-forcing a PIN code is possible, but "not technically feasible". He says that the system removes Apple's legal obligation to provide file system data to the FBI, although both Apple and Google must give out cloud storage data upon request. Additionally, Apple has cut off services and loopholes in iOS 8 that let law enforcement agent access file system data with software forensics tools while completely bypassing encrypted passwords.

Zdziarski says that "this was a great start to better securing iOS 8, but not everything has been completely protected." He claims that services used by iTunes and XCode to exchange information between Apple mobile devices and computers or other handhelds while the Apple device is locked down, are still operational and allow detectives to "dump" users' photos, videos, recordings, iTunes media, and all third-party application data using existing commercial forensics tools. The researcher did this for himself using "private forensics tools" from his locked iPhone running iOS 8. The technique requires a pairing record from your personal computer that you pair with your smartphone.
If, say, police officers arrest you and confiscate both your iPhone and computer, they will be able to access all aforementioned data stored on the handset. 

Zdziarski explains that the computer pairing records contain a backup copy of the keys which can be used to decrypt the iPhone without a PIN number or passcode. iTunes, for example, relies on this service to communicate with the iPhone while it's locked. However, the "pairing vulnerability" works only if the iPhone was used after the last time it was rebooted. If one shuts their iPhone while going through security, customs and the like, officers won't be able to exploit this loophole. One can also encrypt the computers and keep them shut down so their RAM memory stays empty, as readily available forensics tools are capable of dumping the computer's memory and encryption keys contained within.

Zdziarski suggests that Apple break the loophole by giving users the option to explicitly authorize iTunes to access the iPhone when the device is locked by entering a password, or prevent the phone from being available to iTunes at all while it's locked down. The researcher also makes a point that manufacturers "shouldn't be required to weaken the strength of their products security just to make law enforcement forensics possible", as that could be "amounted to engineering back doors" for both detectives and hackers alike. What's your take on the matter?

FEATURED VIDEO

Latest Stories

This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at https://www.parsintl.com/phonearena or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit https://www.parsintl.com/ for samples and additional information.
FCC OKs Cingular's purchase of AT&T Wireless