Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Device to Grab Data From Cell Phones

Posted by Soulskill on from the yoink dept.

what about writes "Apparently there is a quick, simple, and undetectable way to grab all of your cellphone data. CNet reports on the Cellular Seizure Investigation (CSI) Stick, developed for law enforcement but available to the public, which 'connects to the data/charging port and will seamlessly grab e-mails, instant messages, dialed numbers, phone books and anything else that is stored in memory. It will even retrieve deleted files that have not been overwritten. And there is no trace whatsoever that the information has been compromised, nor any risk of corruption. This may be especially troublesome for corporate employees and those that work for government agencies.' I use mobile knox, a secure storage application, for my important data, but I would be very upset if somebody grabbed my telephone list, SMS, or anything else from my locked phone."

43 of 161 comments (clear)

  1. This only works on SOME phones by davidwr · · Score: 5, Insightful

    Phones without a data port are immune.

    Phones whose firmware will not send a particular piece of data over the data port are immune as long as the firmware isn't updated. Updating the firmware leaves a trace.

    This goes to show that in many cases, physical access is ultimate access.

    I see a market for "secure" phones where the data part of the data/charging port is disabled unless you plug in a key or type in a code. Many companies will gladly pay for such a device.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:This only works on SOME phones by Anonymous Coward · · Score: 5, Informative

      I see a market for "secure" phones where the data part of the data/charging port is disabled unless you plug in a key or type in a code. Many companies will gladly pay for such a device.

      You know what those "secure" phones are called? Blackberries. Go buy one today!

      On a blackberry, you can have all content on the phone strongly encrypted with AES. If your company has a blackberry enterprise server, you can even make this mandatory and prevent the user from disabling content encryption.

      If content encryption is on, then the blackberry won't send data via the data port or bluetooth until the password is entered. Enter the wrong password 10 times and the blackberry securely wipes itself.

      Despite the proliferation of mobile phones & wireless email, no one comes close to the blackberry platform for features & security. Not iphone, not windows mobile, not nokia. Some very smart people at RIM have looked at wireless email from end-to-end. The blackberry platform has also been audited from end-to-end by many governments and tech experts. What RIM really needs is a good marketing campaign to establish themselves as a "cool" brand.

    2. Re:This only works on SOME phones by thetartanavenger · · Score: 2, Interesting

      Whilst this is getting better pretty damn rapidly with newer smartphones, I wouldn't have thought most phones would be able to handle that much encryption. Tis rather processor intensive, killing the battery. Although I guess they could add in extra hardware for the purpose, again killing the battery.

      For a lot of people phones should be basic things that make calls, send texts, and not die on them, enryption doesn't even enter their head. With the phone makers, it not about not allowing you to have strong encryption, it's encryption being too resource intensive. Of course not all phone makers have this issue and the likes of the jesus phone should be providing such critical function.

      I do agree with you though, so bring on the openmoko, or possibly android...

      --
      Who need's speling and grammar?
    3. Re:This only works on SOME phones by dotancohen · · Score: 2, Insightful

      I see a market for "secure" phones where the data part of the data/charging port is disabled unless you plug in a key or type in a code. Many companies will gladly pay for such a device.

      So long as the data port is not playing double duty as the charging port, take a screwdriver to it. That's what people in sensitive government jobs to the cameras in their cellphones. In Israel, it doesn't even void the warranty under most circumstances.

      --
      It is dangerous to be right when the government is wrong.
    4. Re:This only works on SOME phones by phoenix321 · · Score: 2, Insightful

      We're not talking about a stream cipher that encrypts megabytes of data per second but phone number, a string with a maximum of about 15 digits, maybe more.

      And then the contents of SMS, again 160 half-bytes at max. I mean, these phone CPUs can decrypt tiny videos at 15fps and not break a sweat, come on, they CAN encrypt less than a dozen kilobytes without killing the battery.

      Then again, I'd rather recharge the phone every fourth day instead of every fifth when I can be sure that no one can clone its contents when I look away for a second.

  2. How much? Where? by damn_registrars · · Score: 2, Interesting

    Anyone know where I could pick one up? It could be useful for backing up my phone. I occasionally move my SIM card between phones (or multiple cards between my phone, depending on the need) and some phones drop certain things when they detect a SIM card swap.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  3. Wait... "troublesome for corporate employees"? by DrEldarion · · Score: 2, Insightful

    If you're using your employer's phone, you really shouldn't expect the things you do on it to remain private.

    1. Re:Wait... "troublesome for corporate employees"? by andy1307 · · Score: 2, Insightful

      I think they're talking about other companies(in the case of corporate cellphones) and unauthorized people(in the case of govt. cell phones) getting access to the data.

    2. Re:Wait... "troublesome for corporate employees"? by Hyppy · · Score: 2, Insightful

      You want you data secured? Keep it on a secure server somewhere. Access it in a way that doesn't leave copies on your phone.

      So, how does one exactly go about dialing a number without leaving a trace on the phone?

    3. Re:Wait... "troublesome for corporate employees"? by mikiN · · Score: 3, Insightful

      Sign up with a dialing/switchboard service that uses voice recognition, maybe?

      suggestModerate(parent, -1, "D'oh");
      this.append(smiley);

      --
      The Hacker's Guide To The Kernel: Don't panic()!
    4. Re:Wait... "troublesome for corporate employees"? by EdIII · · Score: 4, Insightful

      You completely missed the point. This is not about the employee being able to keep their actions private from the world, or even their own employer. It is about the company being able to keep their actions private from the world, which obviously includes the actions of all of their employees.

      It is a completely reasonable expectation, and indeed quite desirous by corporations, that an employee be able to maintain some level of privacy (and security) from the rest of the world. So when the article mentions that it is "troublesome for corporate employees" it is really talking about the implications for security for the entire company.

    5. Re:Wait... "troublesome for corporate employees"? by dotancohen · · Score: 2, Funny

      So, how does one exactly go about dialing a number without leaving a trace on the phone?

      Maybe put on a glove?

      --
      It is dangerous to be right when the government is wrong.
  4. Security Cameras, Data Sucks, I'm Not Surprised by curmudgeon99 · · Score: 3, Insightful

    How can anyone feign surprise at having your entire electronic life be compromised. If you have a device smart enough to keep up with several email accounts and manage them all, of course you've also opened up a pig portal. If you want to have secrets, fill your world with post it notes under desks.

  5. Re:Non free is always this way. by Anonymous Coward · · Score: 3, Insightful

    I think its great. Theres now a way to copy DRM-laiden MP3s and ringtones from your phone.

  6. All phones? by gevreet · · Score: 2, Informative

    Seems to only support motorola/samsung (and I suspect usb only) http://csistick.com/models.html

  7. If they can make this by Anonymous Coward · · Score: 3, Insightful

    Then why is it so hard for me to sync my phone?!

  8. Plot Device Failure. by GNUChop · · Score: 3, Insightful

    This device will never be used to solve a real crime. Cell phone companies already keep the required records for billing. This will simply allow TSA and other would be snoops to dig into people's private business. I had to laugh when I saw this:

    The good news: the device should find wide acceptance by parents who want to monitor what their kids are doing with their phones, who they are talking to and text messaging, and where they are surfing. It could also be valuable in secure areas where employees need to be randomly monitored to insure that sensitive information is not compromised through the use of a cell phone as a memory device.

    These will be the real users of this kind of device. Free software for cell phones can not arrive fast enough.

    1. Re:Plot Device Failure. by Anachragnome · · Score: 4, Funny

      That is precisely the sort of crap they spooned out when Verichip tried to persuade parents it was a good idea to have their kids RFID chipped ("If your kid is lost or kidnapped, they can be located!").

      And that, my friends, was just the first salvo in the attempt to get people-chipping popularly accepted.

      As I once said, the day they start chipping people is the day I start offering my services to remove them and feed them to the migrating geese that pass through our area, in little balls of bread dough.

    2. Re:Plot Device Failure. by Anonymous Coward · · Score: 3, Interesting

      Posting anonymously because i'm about to bash a company that specializes in digital forensics products.

      I've used this device, physically. Had the csi sticks in the lab and attempted to seize cell phone information via this device...

      Your data is perfectly safe. It couldn't acquire data from any phones more recent than 3 years old and even then, a quick click through your cell phone would yield just as much results. (doesn't retrieve deleted items).

      Put your tinfoil hats away, I've had better methods to acquire cellphone information than this POS device that didn't work on new phones or even unlocked phones in general.

      The tech support is lacking and their programmers are all from the ukrane, which means that if I have to acquire a phone *right now!* and it won't work, it'll take a month and a half to patch the software to get the phone data.

      Moral of this story: Your data is perfectly safe, its a condensation of the tech that i've been using for years, except it doesn't work nearly as well.

      I returned it for a full refund, so at least i got THAT value back...

  9. Probable Cause and Warrants by Doc+Ruby · · Score: 3, Informative

    In the US, we used to have this requirement that the government protect our rights:

    Amendment IV
    The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

    Without probable cause and a legitimate warrant based on it, there is no reasonable search or seizure, no usable evidence. There's only an armed gang assaulting and violating their victim.

    A fancy new way to invade privacy is just an expensive and effective battering ram.

    --

    --
    make install -not war

    1. Re:Probable Cause and Warrants by noco80 · · Score: 3, Informative

      Actually, you should read up on your Supreme Court jurisprudence. The Court, led by Justice Thomas, has begun to read the text literally. If you notice, there is no requirement that a search be made after a warrant is granted. Instead, it protects people from unreasonable searches. WHEN a warrant is issued, that warrant must be based upon probable cause. Generally, it has been presumed that a search of an area where a person has a legitimate expectation of privacy is only reasonable when done pursuant to a warrant. This view, though, is not the only one. The Court has begun to evaluate a search as whether it is unreasonable - not merely if it was done pursuant to a warrant.

    2. Re:Probable Cause and Warrants by Doc+Ruby · · Score: 2, Insightful

      Like I said: we used to have requirements to protect our rights.

      Clarence Thomas, as everyone not blinded by Republican loyalty knows, isn't a "Constitutional" justice. He's a rightwing pawn.

      Which is why he and his Republican Supreme Courts have tended to throw out the requirements that the government protect our rights. Including the long-understood requirement that a warrant be produced from probably cause to be reasonable.

      But hey, if you want a "literal Constitution", let's finally dismiss that standing army and finally get the well-regulated militia instead, that the Constitution requires.

      Without due process, like reasonable cause producing warrants as the only legitimate search/seizure, the government can arbitrarily invade us. I bet King George III and his agents would have claimed all their searches and seizures were "reasonable". But that kind of "court" isn't the kind that we replaced with our Constitutional representative democracy.

      If you want a Court that operates like a cracker gang exploiting any possible vulnerability in the "operating system" to destroy our rights rather than protect them, well, Clarence Thomas is your kind of "justice".

      --

      --
      make install -not war

    3. Re:Probable Cause and Warrants by Doc+Ruby · · Score: 2, Interesting

      The border has always been an exception to enforcement of government protections of our rights, even when unjustified by any actual risk response. This decade has seen those exceptions turn extremely abusive, even on totally legitimate US citizens and visitors.

      We have to fix our border to protect us from both foreign threats and domestic abuses. And we especially must reverse the trend of finding any exception to protecting our rights as an excuse to violate them elsewhere.

      --

      --
      make install -not war

    4. Re:Probable Cause and Warrants by Xonstantine · · Score: 4, Insightful

      Clarence Thomas, as everyone not blinded by Republican loyalty knows, isn't a "Constitutional" justice. He's a rightwing pawn.

      Statements like this is why you're a commie stooge, Doc. Clarence Thomas has been on the side of individual rights far more often than Ginsburg, Souter, Stevens, or Breyer.

      Kelo vs Connecticut...who sided with government power and who sided with individual property rights?

      Heller vs DC...who sided with government police power and who sided with an individual's right to self defense?

      Raich vs US...who sided with personal growth and consumption of marijuana and who sided with the government's prosecution of such under the Commerce Clause?

      As for the expectation of privacy when crossing the border, there has NEVER been an implied or explicit right. The US government has always maintained the power to search your belongings on entry. Your allegation that Thomas is somehow throwing out the Constitution with this decision illustrates your basic ignorance on the Constitution, Constitutional law, and Clarence Thomas...in other words, par for the course for you.

    5. Re:Probable Cause and Warrants by daigu · · Score: 2, Informative

      I notice you failed to address cases that support the parent's argument, perhaps the most obvious was Clarence Thomas agreement with the Bush administration regarding executive authority in Hamdi v. Rumsfield. Please feel free to outline an argument that indicates Clarence Thomas was not acting as - what does the right wing call it - an "activist judge" promoting an ideology over law. Also, for extra credit, add in a comment or two about Clarence Thomas and stare decisis and what that means in a legal system that is normally thought of as common law. Since you paint yourself as so knowledgable on these topics, I eagerly await your response so that I might be better informed.

    6. Re:Probable Cause and Warrants by sgt_doom · · Score: 2, Informative
      Statements like this is why you're a commie stooge, Doc.

      Doc...a commie stooge???? Hilarious???

      Niggling points about Thomas are truly silly, as he is indeed a rightwing stooge, and the Justices, similarly to "our" senators and representatives, practice something known as "throwaway votes" (or decisions in this case), whereby the vote one way after ascertaining the way the majority is voting to appear to be politically rightwing, or leftwing or centrist. If your state has two senators of the same party - do a graph sometime to correlate their votes - and include all their votes - as the only votes they cast which truly count are those votes for leglislation which passes --- or those votes against legislation, which fails to pass.

      Remember, America - as this is what we're discussing in this thread - is a socialist plutocracy which has given plenty of military tech to a "communist" country of China (really just a totalitarian capitalist state). No commie stoogies here.....

  10. Synch vs snarf by ilovesymbian · · Score: 2, Interesting

    Umm, why is it easier for them to steal my data than its for me to synch my phone to my computer? :(

    --
    slashdot rocks
    1. Re:Synch vs snarf by russotto · · Score: 2, Funny

      Umm, why is it easier for them to steal my data than its for me to synch my phone to my computer?

      Because compliance with the government's requirements are enforced by large men with guns and the power to throw people in jail forever (ask Qwest's former CEO), and compliance with your requirements... isn't.

  11. why are you letting strangers have your phone by SuperKendall · · Score: 2, Interesting

    Of all the things you can worry about, this seems to be one of the sillier ones - a phone is one thing pretty much never out of sight or touch in public. How is anyone going to plug in anything without your permission?

    Look to your Bluetooth stack if you are concerned about data leakage.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  12. Re:oye! by plover · · Score: 4, Insightful

    I always knew that cell phones are vulnerable, but to know there is a device which can basically clone your data out, with NO trace, that's downright scary! Even when LOCKED? We should start reading our contracts and our EULAs on our phone, somehow, somewhere, there's got to be something to rely on legally, if this can happen.

    Such a device is called a "computer", and many people already own one. By means of a secondary device, called a "USB cable", one can attach a computer to a cell phone and read the contents from it.

    If you read the "instruction manual" that comes with your cell phone, you can see plainly that a cable can be connected between the phone and the computer and the contents read from it. No phone manual I have ever read says anything about authentication of the USB cable connection. Therefore you have already been informed of as much as you need to know, legally.

    --
    John
  13. Re:How much? Where? by EdIII · · Score: 2, Informative

    My thoughts exactly. It would be nice if it could also *write* to the phone though. Backing up without being able to restore isn't all that useful.

    It is a forensic product. Any product in that field that changes the evidence is worthless, therefore it is entirely appropriate that it does not write anything at all to the phones.

  14. Re:oye! by houbou · · Score: 2, Interesting

    Gee, I must have dumb written all over my forehead for you to write that, because, I know that IF I take MY OWN PHONE and I hook it up to my PC I can clone it. The article is about phones that can be cloned while locked. The lock feature isn't working as advertised, I believe that's the issue here. It can be easily overriden. There is software out there to do so, maybe that's what that original article was all about. My worries is that what's the point of locking your phone and someone can rip the data out of it regardless? Right? RIGHT?

  15. Re:Hmm... by EdIII · · Score: 2, Insightful

    Do you mean the product should be illegal, or the act of using the product as it is intended?

    This is being marketed as a forensic product. The primary user of this device is going to be a forensic technician in the field. That usually implies crime scenes, etc. There are no problems legally in that context as the technician clearly has rights to be there, or is working in a lab on evidence.

    So the product itself is legal as any use in a forensic capacity does not violate the 4th amendment. There are quite a number of products that could be used to violate someone's privacy, including a simple video recorder.

    Now law enforcement, including intelligence agencies, using this against suspects out in the field should absolutely be working with judicial oversight. I agree there.

    Since this is available to the public, most likely people will be using it in a clandestine fashion that would have legal implications. There is your biggest problem with respect to privacy, and it does not come from law enforcement.

  16. Re:unfortunately, I use a blackberry! by aristotle-dude · · Score: 2, Interesting

    Where all the content is strongly encrypted with AES. Maybe you shouldn't have bought that iphone if you were concerned about security!

    They have a model for the Blackberry in the works. Since this device is designed for forensic investigation by either law enforcement or corporate compliance investigators, I would not be surprised if it hooks into low level OS calls put in place for this purpose. The NSA has a back door into virtually all systems out there.

    --
    Jesus was a compassionate social conservative who called individuals to sin no more.
  17. Re:How much? Where? by barzok · · Score: 2, Informative

    Not all phones support all functions by plugging into the PC

    *cough*Anything from Verizon*cough*

  18. Re:Non free is always this way. by davolfman · · Score: 4, Insightful

    It's a failure of security through obscurity. The cell phone companies have concentrated so much on selling the syncing systems for absurd amounts that they never bothered to actually secure the interface.

  19. Re:How much? Where? by GodBlessTexas · · Score: 5, Informative

    Yeah, you can find it at csistick.com. Price is $299 for the hardware + Device Seizure Lite software to access the acquired data.

    I have a couple of these at work, since my job is as a forensics investigator, and they're nifty, but they're very limited in what you can do with them since they only support Motorola and Samsung. There are better tools out there:
    PDA Seizure, Cell Seizure, Pilot-Link (Open Source), BitPIM (Open Source), ForensicSIM, etc.

    --
    Remember the Alamo, and God Bless Texas...
  20. Re:Only Samsung and Motorola, so far by Tony+Hoyle · · Score: 2, Insightful

    Well it's missing the largest cellphone company in the world - Nokia - and within that the most popular phone in the world - the 3310.

    So no, they are not the most common ones. (You'd need Sony Erricson and LG in there as well for the popular ones, even if you limited it to phones in the last year or two).

    Possibly easiest to hack.

  21. A convenient list of phones not to buy by erroneus · · Score: 2, Informative

    http://csistick.com/models.html -- Remember, before buying or recommending a phone, check this list to be sure your phone is not on it.

  22. Re:oye! by houbou · · Score: 3, Insightful

    Uh.. gee, let's put imagination 101 to the test.. say for example, your phone is:

    1. locked, and
    2. lost or stolen..

    In real life, who the hell would locked their phone and maybe lose it uh? right? can't possible happen, that's way to fictional, going on sci-fi here..

    You would THINK your phone numbers and whatever else is stored, at least is somewhat safe, but wait.. not anymore.. if a company sells you a phone and says it's safe when it is locked, only for anyone with the right software to override the locked feature, I think there is something wrong with this picture. That's the problem as I see it, if I'm naive, so be it, but I think there is a point to this, so, call me naive here, but I think you forgot that part of the equation in your comment :)

  23. Re:Troll, mod down by TheRaven64 · · Score: 4, Insightful

    Yes it is. The contents of a mobile device should only ever be stored in persistent storage in an encrypted form, so that it's only accessible externally with the device's cooperation. The software on the device should only cooperate with properly authenticated external software. To avoid bricking the device, you might want to provide a mechanism for externally replacing the entire contents of the device's internal storage, but if you do this without first taking a backup (which you can't do without the device cooperating) then you can't install anything nasty on the device without the owner knowing the first time they try to access their data.

    --
    I am TheRaven on Soylent News
  24. Re:Enough with the overrated tag already by TheRaven64 · · Score: 2

    Your comment is probably marked overrated because pretty much every phone sold in the last five years comes with a cable for backing it up. Mine certainly did four years ago, although I've never used it, since I tend to sync via bluetooth, but it was one of the cheapest ones available back then (free with the cheapest contract on offer).

    --
    I am TheRaven on Soylent News
  25. you have it backwards by SuperBanana · · Score: 3, Insightful

    Despite the proliferation of mobile phones & wireless email, no one comes close to the blackberry platform for features & security. Not iphone, not windows mobile, not nokia. Some very smart people at RIM have looked at wireless email from end-to-end.

    Um- wrong. Blackberry wanted to get government contracts, so they went through all the government security requirements.

    You make it sound like this is some sort of rocket science. It's preposterous to suggest that only RIM has the talent to design a "secure" phone. It's not a matter of talent; it's a matter of whether or not the market demands it. We've seen it with the iPhone; after the initial crazy rush for v1.0, v2 has much more for enterprise users.

    What RIM really needs is a good marketing campaign to establish themselves as a "cool" brand.

    You incorrectly assume that RIM wants to compete in a "cool" market. Many companies purposefully restrict the market they target.

    --
    Please help metamoderate.