FBI boss worried iOS 8 and Android security hinders crime investigators, researcher proves otherwise

FBI boss worried iOS 8 and Android security hinders crime investigators, researcher proves otherwise
As the words "smartphones", "security", and "encryption" are being tossed in one sentence more often than ever, the FBI worries that all these anti-poking-around-your-phone measures are going to hinder its efforts to protect the world. James Comey, head of the agency, told reporters that the FBI has been discussing the matter with Apple and Google. 

The former implemented a file encryption scheme in iOS 8 which sees nor the company, nor the FBI being able to access user information - at least in a reasonably quick matter of time. Google will introduce similarly tight encryption in the upcoming Android L Version. Both security systems are enabled by default, and they render both companies unable to comply with official requests by the police to provide user data for crime investigation purposes - and getting away with this legally. In the eyes of Comey, these measures "allow people to place themselves beyond the law".

Reflecting on iOS 8 encryption in his blog, forensics researcher Jonathan Zdziarski argues that its existence "does not mean that your data is beyond law enforcement's reach". Instead of being encrypted with hardware-embedded keys as per the norm, the keys are derived from the user's PIN number or their passcode. According to Zdziarski, brute-forcing a PIN code is possible, but "not technically feasible". He says that the system removes Apple's legal obligation to provide file system data to the FBI, although both Apple and Google must give out cloud storage data upon request. Additionally, Apple has cut off services and loopholes in iOS 8 that let law enforcement agent access file system data with software forensics tools while completely bypassing encrypted passwords.

Zdziarski says that "this was a great start to better securing iOS 8, but not everything has been completely protected." He claims that services used by iTunes and XCode to exchange information between Apple mobile devices and computers or other handhelds while the Apple device is locked down, are still operational and allow detectives to "dump" users' photos, videos, recordings, iTunes media, and all third-party application data using existing commercial forensics tools. The researcher did this for himself using "private forensics tools" from his locked iPhone running iOS 8. The technique requires a pairing record from your personal computer that you pair with your smartphone.
If, say, police officers arrest you and confiscate both your iPhone and computer, they will be able to access all aforementioned data stored on the handset. 

Zdziarski explains that the computer pairing records contain a backup copy of the keys which can be used to decrypt the iPhone without a PIN number or passcode. iTunes, for example, relies on this service to communicate with the iPhone while it's locked. However, the "pairing vulnerability" works only if the iPhone was used after the last time it was rebooted. If one shuts their iPhone while going through security, customs and the like, officers won't be able to exploit this loophole. One can also encrypt the computers and keep them shut down so their RAM memory stays empty, as readily available forensics tools are capable of dumping the computer's memory and encryption keys contained within.

Zdziarski suggests that Apple break the loophole by giving users the option to explicitly authorize iTunes to access the iPhone when the device is locked by entering a password, or prevent the phone from being available to iTunes at all while it's locked down. The researcher also makes a point that manufacturers "shouldn't be required to weaken the strength of their products security just to make law enforcement forensics possible", as that could be "amounted to engineering back doors" for both detectives and hackers alike. What's your take on the matter?

FEATURED VIDEO

31 Comments

1. gazmatic

Posts: 807; Member since: Sep 06, 2012

Ie.... We are not able to obtain personal information from your phone so we are throwing a temper tantrum. Good for Apple.

2. Shatter

Posts: 2036; Member since: May 29, 2013

Android has had this as an optional for years...

7. DarkStar286

Posts: 229; Member since: Mar 18, 2014

Optional yes, but until it becomes the default option in Android L I doubt many users have it activated. Or even know that it's there....

9. Scott93274

Posts: 6031; Member since: Aug 06, 2013

In all honesty, I didn't even know it was there until about a week or two ago. I have it encrypted now though. lol

22. Hlorri

Posts: 40; Member since: May 07, 2008

As has BlackBerry OS, Symbian, and if memory serves me right, even the old Sony Ericsson feature phone platform.

3. Liveitup

Posts: 1798; Member since: Jan 07, 2014

This is a bit worrying, sinister groups who wanna hurt us will love this.

4. VZWuser76

Posts: 4974; Member since: Mar 04, 2010

So we should be an open book to the government? They should be able to know any and everything about us if they want to? OK, fine. Then let's see them do the same. I'd bet good money that there same people in the government who want all this access to our stuff, are going to be the ones crying foul if the same thing happened to them.

11. Liveitup

Posts: 1798; Member since: Jan 07, 2014

No not at all i never implied that. What's needed is a compromise. 9/11 has taught us that we are not as safe as we would like to think. I think that the proper way to go about this is to encrypt the information but only release it to law enforcement with a warrant. Their has to be a valid reason to invading someone privacy.

15. gazmatic

Posts: 807; Member since: Sep 06, 2012

Hahaha... You actually believe that load of bull. You are no safer today than you were fifteen years ago. There is NEVER a valid reason to invade privacy. I hope you're not of voting age because it sounds like you would vote against your best interest and vote away your own rights. Talk about gullible. You probably believe that kerosene can melt concrete and steel

17. atlvideoguy

Posts: 73; Member since: Feb 24, 2012

you know the govt can still see what webpages your looking at with a warrant, they can still triangelate the location of your mobile devices, as well as read your emails and texts messages with a warrant, your cellular provider as well as ISP provider have to store this info about you for 2 years for law enforcement reasons. I really don't have much faith in privacy but I find it entertaining the FBI is making a public plea against this.

18. VZWuser76

Posts: 4974; Member since: Mar 04, 2010

That's the way it's supposed to be, but since the Patriot Act, all they're supposed to need is a reasonable threat to national security to gain access. And most times that can be a little sketchy as well. You were worried because sinister groups who want to hurt us will love this. I'd guarantee the worst of those groups aren't relying on Google or Apple's data encryption, they most likely have something far better then anything that'll come preloaded, or they won't even use wireless or internet to communicate at all. Those are the ones to really be worried about, the ones who don't use technology at all to coordinate, they can be virtually untraceable.

26. jphillips63

Posts: 253; Member since: Jan 04, 2012

According to our higher powers who this they know what's gest for us Americans we all are terrorists in there eyes. If they think Isis is bad come snooping around my place and I'll make Isis look like angels.

5. DarkStar286

Posts: 229; Member since: Mar 18, 2014

There's no groups more sinister than the likes of the FBI, NSA, CIA or their equivalents in other countries. we need protecting from our own governments far more than we do from any terrorist or criminal organisations.

10. Augustine

Posts: 1043; Member since: Sep 28, 2013

Exactly. Just count how many people were killed by governments just in the last century and compare that with the number of victims of murderers throughout history, then figure out who's more dangerous to man.

27. Stuntman

Posts: 843; Member since: Aug 01, 2011

Some people don't trust government or law enforcement to only snoop around a person's phone only when they have a warrant or are justified.

6. johnbftl

Posts: 283; Member since: Jun 09, 2012

This is absolutely ridiculous. The FBI cannot force this issue. Data Encryption laws passed in the 90s for computers protect any computing device. People are legally allowed to encrypt their files, thus preventing anyone else, even law enforcement access.

8. DarkStar286

Posts: 229; Member since: Mar 18, 2014

Indeed, this really isn't any different than me using BitLocker on my PC. What they're really bothered about is it becoming the default setting, imagine how they'd react if it became the default on Windows as well!

12. jroc74

Posts: 6023; Member since: Dec 30, 2010

This is silly. If law enforcement cant get to the required data, they need better tools then. They just want to be able to do it as quick as possible. But that shouldnt matter if whatever electronic device they need to do this for will be safe in law enforcement custody. One thing I can think of where time is of the essence is kidnapping, abduction cases. "The former implemented a file encryption scheme in iOS 8 which sees nor the company, nor the FBI being able to access user information - at least in a reasonably quick matter of time" I am sure if its a serious enough case, Google, Apple, MS, etc would be more than willing to help.

14. Droid_X_Doug

Posts: 5993; Member since: Dec 22, 2010

They have helped. Comey is just throwing a tantrum because a court order is now required.

20. jroc74

Posts: 6023; Member since: Dec 30, 2010

Oh...this is a non issue then.

21. Droid_X_Doug

Posts: 5993; Member since: Dec 22, 2010

Well, it is an issue for Comey. Prior to iOS 8, the FBI could by-and-large bypass the log-in screen of an iOS device. It was an open book (Snowden published a slide that referred to iOS devices as Zombies, for example). Now, that vulnerability has been plugged. Comey is just wanting manufacturers to continue providing the open book scenario. Only problem is that open book is costing Apple and other manufacturers sales. One reason that China has banned iToys in its government agencies is because of the security holes. These are net lost sales to Apple. With iOS 8, the federales have to play by the rules and get a warrant. No federale wants to have to go through the paperwork to request a warrant. Open books are much more preferred to having to get a warrant.

13. jsdechavez

Posts: 791; Member since: Jul 20, 2012

If this means having to to sleep safe every night knowing there is a world to wake up to tomorrow, I wouldn't mind. Besides, I have nothing to hide from the government. What really bothers me are identity thieves. They could steal bank account info and personal info for whatever purposes.

16. gazmatic

Posts: 807; Member since: Sep 06, 2012

If you believe that the world would become an apocalyptic nightmare if the government can't spy on it's citizens and access private files then you deserve the government you get. It's scary that your version of government would be forced upon me.

19. infinitymurano2012

Posts: 26; Member since: Sep 13, 2014

Ok stop this non-sense please Libs, of course there has to be some sort of control over communications, where do you think you are living? Dream land? where everybody loves you? just look at how muslims these days are using the electronic communication for, if it weren't for the controls we would probably have several more 9/11 by now just like if it weren't for Hoover's disciplines back in 50' and 60' this country would probably be handed over to communists. And don't worry, nobody in the authorities care about your nude photos nor will have a wank over your wife's or gf's ones, just stop being a lib please, this country has suffered enough from liberals.

23. Droid_X_Doug

Posts: 5993; Member since: Dec 22, 2010

Actually, this country has suffered enough from Dickie-boy and his sidekick Rummie. The cost of Iraq continues with $588 million having been spent on the latest round of airstrikes to prop up their failed neocon adventure in Iraq. There is a reason why Poppie Bush didn't go to into Iraq in Gulf War 1. It is a shame the reason was lost on W. There would be 4,000+ places at the dinner table that wouldn't be empty if he had not listened to Dickie and company.

24. VZWuser76

Posts: 4974; Member since: Mar 04, 2010

And you're not living in dreamland when you appear to believe that our government is altruistic and has no secret agendas? They want access to every part of our lives, yet they are as tight lipped about their activities as they could be. People today seem to forget that the government is there to serve us, NOT the other way around. Our founding fathers setup our government to try and keep that very thing from happening. But in the time since they've been chipping away at those protections to the point we're at now. Freedom means we may be open to attack, but should we give up freedom for a sense of security? Would you prefer the security a police state or dictatorship offers? IIRC, Benjamin Franklin said "People willing to trade their freedom for temporary security deserve neither and will lose both." Sorry, but I trust a founding member of our country who lived under tyranny to have my best interests at heart rather than the head of the FBI.

25. VZWuser76

Posts: 4974; Member since: Mar 04, 2010

And actually, this country has suffered enough of liberals AND conservatives. Each side KNOWS they're right. And the problem is neither side is completely right about everything. I don't buy into either side because there are some things people should be liberal on, and some they should be conservative on. To take one side and make it your mantra for all things is ridiculous and short sighted.

28. VZWuser76

Posts: 4974; Member since: Mar 04, 2010

I was reading an article on yahoo where the Chicago PD was saying the iPhone is now going to be the preferred phone for pedophiles because of the encryption. But the worst part was the comments section. Anyone who questioned the government or police agencies was labelled a pedophile. I always think I can't be surprised by how stupid people can be, then I go on the internet. Everyone here saying that the government would need a warrant to search your data, do you remember what came out in the Snowden leak? Secret courts rubber stamping warrants and the government getting millions of people's metadata who weren't even involved in their investigation. Trusting a government who's agencies have put a 10 year old on a terrorist no fly list is akin to trusting a bull to watch your China shop.

30. strudelz100

Posts: 646; Member since: Aug 20, 2014

There is no government dude. We live in a surveillance state where the Rich and corporations observe, note, react and direct public knowledge and trends with great accuracy using tools like Google (And Google Apps) and Facebook as a one-stop-shop for your daily interests, movements and conversations. The mob has no power if you can direct public opinion.

29. strudelz100

Posts: 646; Member since: Aug 20, 2014

Why would he be nervous about Android encryption when they still have SELinux "security enhancements" as a backdoor baked into Android years ago?

Latest Stories

This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at https://www.parsintl.com/phonearena or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit https://www.parsintl.com/ for samples and additional information.