Criminals Remote-Wiping Cell Phones

An anonymous reader writes "Crafty criminals are increasingly using the remote wipe feature on the Apple iPhone and other business handsets, such as RIM's BlackBerry, to destroy incriminating evidence, the head of the UK's Serious Fraud Office Keith Foggon has warned. Foggon told silicon.com that the move away from PCs towards using mobile phones was causing a headache for crime fighters who were struggling to keep up with the fast pace of new handsets and platforms churned out by the mobile industry."

Woah

I can wipe my blackberry to make data irretrievable? I can do it remotely too? HOW?

Re:Woah

[RiotingPacifist]

what do they mean by irretrievable:
destroying the filesystem table? (easy to get the data back)
writing all bits to zero? (still retrievable)
writing over all bits with (psuedo-)random data? (aparaently this can be retrieved)
writing over all bits repeatedly?

Re:Woah

on a hard disk you would be correct, try it with anything else and you get bupkis back.

Re:Woah

[blueg3]

You have to use something like squid, but it's because of magnetic hysteresis. (I could explain, but Wikipedia is pretty acccurate.)

It's possible in theory, but in practice, it's technology that law enforcement doesn't have access to.

Re:Woah

[khellendros1984]

Magnetism is an analog property used to store digital information. A bit can be wiped so that a standard detector would read it as a zero, but the bit may be legible by a more sensitive detector.

For instance, say that anything above "0.5" (half of the full possible theoretical strength of the magnetic field there) is a 1, and anything below is a 0. Maybe, the drive would actually write "0.9", which would be correctly interpreted as 1. If that number was blanked, maybe it becomes "0.3"....low enough to be a 0, but maybe another detector could tell the difference and know what the original value was.

Re:Woah

[Pfhor]

Remember, this is flash, not magnetic bits stored on a spinning metal platter were header drift and other things would theoretically allow you to retrieve data that has long been removed.

Recovering from (intentionally overwritten flash) may be considerably harder than a traditional drive. Most flash recovery apps for cameras, etc. are really just reading the stray bits, as the formatting, etc. does not actually wipe each sector (because flash is rated in number of write operations the individual bits can support before going bad, so you want to minimize that).

Overwriting a flash storage partition on an iphone or other device also makes this harder because you can't easily pop those things open and mount the custom flash chip into some universal adapter and read its filesystem like you can do with any old hard drive (they even make forensic, read only, hard drive enclosures).

So I zero out the data on my iphone, and well, there aren't any jailbroken or app store apps that you can run on the damn thing to do a low level recovery anyway, and I don't know of any target disk raw access mode to the device when attached to a computer that is available outside of apple's developer labs.

Re:Woah

[Constantine+XVI]

Go to Options-Security Options-General Settings. Enable password and content protection. Set the security timeout and password attempts to your preference. Now, when the timeout expires (X minutes after you stop hitting buttons) or you hook it to a PC, it asks for a password. If someone types in the wrong password Y times (10 is default, but you can go lower), it forces a reboot, and scrubs down the memory, which takes 20 minutes to an hour.

To force the scrub, go to Options-Security Options-General Settings. Click the menu button, select "Wipe Handheld", type blackberry.

Send me a PIN message at 244EB7DA if you need a hand.

Re:Woah

[Constantine+XVI]

PS: For remote wiping, you need to be on a BlackBerry Enterprise Server (BES), which usually means your BB is company-issued. If you need it nuked, call up your admin and ask him to trigger the remote wipe. Keep in mind that the BES can (and usually does) track anything and everything that happens on a BES-connected BB, so a wipe will do nothing to hide things from your company.

Re:Woah

[Rorschach1]

And there's probably a certain amount of hysteresis too, so maybe that 0.3 gets overwritten with a 1 to become 0.93, and then with another 0 to become 0.393, and you can recover previous values to a degree limited by the amount of hysteresis, sensitivity of the detector, and noise floor. Or at least that's the theory I've always heard on why you're supposed to overwrite hard drives multiple times... I've never actually heard of it being done, but the assumption has always been that 'they' have the ability to do it. Anyone care to provide more substantial information on the feasibility of this sort of recovery?

Re:Woah

[ColdWetDog]

Too late, I've got it....

Re:Woah

[lgw]

Modern hard drives pack bits *very* densely. The bits overlap by a large amount. The technology to determine whether a bit is 1 or 0 by calling everything above 0.5 a "1" is already necessary to read the bit *normally*. Writing random data to the drive is enough to make any active sectors unrecoverable.

However, modern drives have a huge count of spare sectors, and sectors get retired constantly, and there's no way to wipe those with normal reads and writes. So there's a random sampling of everything you've ever written stored in the retired sectors of a hard drive, and no in-band way to wipe those sectors.

The is why the government standard for hard drves that have ever contained classified information is to shred the hard drive so that the pieces fit through a 1mm sieve. Of course, in reality, the government is just as likely to sell the drives unwiped on Ebay, but that's bureaucracy for you.

Re:Woah

[Xanius]

When I took my computer forensics class they showed that you could use a hex editor on a zero wiped floppy disk and recover most of the data that was on it previously.
We had a guest speaker that told us some of what he does, he's a forensic analyst that pulls information from drives in criminal cases. He said that it takes somewhere around 72 hours to read a decent sized drive and costs around $10k to get it done.(It's been a few years so the details are fuzzy but that sounds about right)
But he wasn't too specific on what tools they use etc. Something around 10 full wipes is easy enough to recover the original data but if you write over it and delete actual data it becomes more corrupted and harder to get back than just all 1 then all 0.

Re:Woah

[Jah-Wren+Ryel]

However, modern drives have a huge count of spare sectors, and sectors get retired constantly, and there's no way to wipe those with normal reads and writes. So there's a random sampling of everything you've ever written stored in the retired sectors of a hard drive, and no in-band way to wipe those sectors.

Does anyone know, off-hand, a way to query a sata disk for at least a count of how many sectors have been re-allocated, if not an actual map of them?

Re:Woah

[piojo]

When I took my computer forensics class they showed that you could use a hex editor on a zero wiped floppy disk and recover most of the data that was on it previously.

Do you know how this is done? Because if one just uses a hex editor, wouldn't the hex editor simply see a disk full of nulls?

Re:Woah

[piojo]

Does anyone know, off-hand, a way to query a sata disk for at least a count of how many sectors have been re-allocated, if not an actual map of them?

In linux, you can use smartctl (from smartmontools, I think)--
smartctl --all /dev/sda, and look for "Reallocated_Sector_Ct" in the output.

Re:Woah

[v1]

I'd be willing to wager all it does is offer features like "clear addressbook" which just resets the addressbook database.

In other words, fairly trivial to undo.

Re:Woah

[v1]

the 7 pass random wipe is generally accepted as sufficient

Re:Woah

[v1]

any tool that accesses the drive's smart data can get this. the drive has to be directly connected to the computer, you cannot read smart via usb or firewire bridge. All drives track a small set of smart data including reallocated blocks. Most drives have additional smart parameters whose meaning varies.

Re:Woah

[v1]

you can't easily pop those things open and mount the custom flash chip into some universal adapter

Very very few devices use custom flash chips. The iPhone uses off the shelf standard flash memory chips. And in addition to readers that require the removal of the chip, there are units that have cables with clips that just attach right to the chip in the (powered off) device and can pull the data straight off.

And yes you can pop them open pretty easy. Some ipods are harder to open than an iPhone.

Re:Woah

[Piranhaa]

It is nice that RIM releases a free registration code to use with ONE blackberry. I have an Exchange setup here with BES tied in. It's nice how much you can actually do remotely. Everything from remote application install, to remote lock/change pin, remote wipe, etc.

Not that I ever lose my phone in bars like people do with theirs. like socks, but it's reassuring knowing all this can be done if it does ever get out of my reach.

Re:Woah

[jcuervo]

Two things.

First, ever had a magnet accidentally come into contact with your TV? Ever tried to fix it with another magnet, and deemed it "close enough"? There you go. You are a floating head. Your TV is a disk platter.

Second, hand in your geek card.

Re:Woah

[Dan541]

writing all bits to zero? (still retrievable)

How is that possible, I assume it's a hardware vulnerability?

Re:Woah

[MrZilla]

Indeed. I have not worked with iPhones, but I have been in contact with embedded flash chips from a variety of vendors.

Most use a PATA interface for their disks, and provide a complete layout of all the I/O pins. With this, it is easy enough to throw something together which can let you plug the chip into a regular 80-pin PATA connector, or CF reader if you have one of those laying around.

Re:Woah

[TheLink]

If I see a reallocated sector, I start thinking about replacing the drive, even if I can't get a warranty for it (the manufacturer will probably say it's still fine by their standards etc).

Re:Woah

[lgw]

Modern drives come with a huge number of spare sectors pre-allocated (nearly half for SCSI drives I think, giving them a longer life). Sectors fail in the normal operation of modern drives. Thanks to good error correction, this rarely results in data loss - less data loss than drives of 20 years ago, that you did want to toss on the first bad block.

The hard drive business is *very* competitive. The manufacturers go to extremes to increase density, including raming the density up so high that the failure rate is so high that you need half the space on the disk for spare sectors and redundant bits for ECC, because you still come out ahead on available drive space.

This is one reason I recommend quality tape over disk for long-term storage - the tape guys get to use actual compression, so they can play fewer dangerous games to increase capacity. This is also why SCSI is so much more expensive than SATA for the same capacity (and often the exact same hardware) - you significantly reduce the chance of bitwise data loss due to these games, because the vendors don't push the limits as much with the formatting.

Re:Woah

[Fulcrum+of+Evil]

Thermite is proof against HD forensics. Of course, you need some notice period if you want to avoid burning down your house.

Re:Woah

[TheLink]

I strongly doubt they allocate that much space (as you claim) for spare sectors.

From what I see it's a small percentage - maybe at most thousands of spare sectors for hundreds of million sectors.

Just a google for complaints shows that people are already in serious trouble when their drive starts using hundreds of spare sectors.

Thus I think my current policy is safer.

As for SCSI vs SATA there is evidence that the failure rates are not significantly different (at least for recent drives):

http://labs.google.com/papers/disk_failures.html

http://www.usenix.org/events/fast07/tech/schroeder/schroeder_html/index.html

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=disaster_recovery&articleId=9025380&taxonomyId=151&intsrc=kc_feat

It'll be interesting if you have evidence that says otherwise.

Re:Woah

[commodoresloat]

yeah that sounds like BS to me, I'd like to hear an explanation too. The magnetic explanations people have posted above are far more consistent with what I've heard about data recovery from wiped disks, which all involved hardware -- I've never heard of recovery through software alone, and it doesn't seem plausible. A hex editor would obviously be able to "undelete" data that had been "deleted" in the normal way, but I can't see how it would get to data that had been nulled.

Re:Woah

[commodoresloat]

Send me a PIN message at 244EB7DA if you need a hand.

I would, but I just wiped all my data and deleted the PIN...

Re:Woah

[commodoresloat]

so a wipe will do nothing to hide things from your company.

Plus it might seem just a little suspicious when you call the admin and ask them to wipe your machine.

Re:Woah

Just to confirm, you are only a floating head if your TV contains a CRT. If it's an LCD or Plasma, you just look silly.

Re:Woah

[Beale]

I believe drilling is the more common approach.

Re:Woah

[TheRaven64]

The technology to determine whether a bit is 1 or 0 by calling everything above 0.5 a "1" is already necessary to read the bit *normally*.

It's all about size. The drives pack data as close as something that can fit in the drive and be powered by a computer can do and still get an accurate threshold value while spinning the disk at 7.2KRPM. Now, take the platter out of the drive (in a vacuum, or clean-room environment) and hook it up to a STEM or similar. You'll find that the accuracy of the analogue signal improves a lot.

Often you can do well simply by replacing the controller. The thresholding is done in the ADC, which is on the bottom of most drives. If you spin the disk more slowly and put in a better ADC, then you can get back a range of digital values greater than 0-1 for every bit on the disk. This wouldn't help a normal drive. If you're now getting 0-3, then 0 means 0, 3 means 1, 1 means 0 but the last value was probably 1, and 2 means 1 but the last value was probably 0. Note the probably here - you can't accurately recover the data, but you might be lucky. If the person wiped with zeros instead of random data you get better results because every domain has had the same magnetic value applied (modulo leakage from surrounding domains).

Since this requires significant tampering with the drive, it's not admissible in a court, but it is useful in intelligence circles.

Re:Woah

[ale_ryu]

Then writing all the bits to one should do the trick, wouldn't it?

Re:Woah

[link-error]

    This is probably because most O/S's only erase the FAT entries but actually left the file intact on the disk. Browsing the low level sectors still showed the data. This is just from a simple delete, not a wipe process.

Re:Woah

[AlecC]

In a disk,the tracks have a physical size, and the heads don't always get to exactly the same position when they re-write the track. So if you write a data track, then overwrite it, the overwrite may be slightly to the left or right of the original, and a little bit of the original is not overwritten. If you then deliberately command the read to a small fraction out, you may get enough signal to pick up the deleted data.

To actually overwrite the data, I would guess you have to have one overwrite slightly to the left of the original write, and one slightly to the right. But since you cannot predict what is going to happen, because it is dues to minute and unrepeatable mechanical effects, you need to overwrite it multiple times using different patterns of seeks to get to the track.

Re:Woah

[AlecC]

One drive I studied had a policy of one spare sector per track plus one spare track per cylinder (this was a while back, when disks often had five platters). Which meant that performance fell sharply as the number of faults passed one per track.

Re:Woah

[AlecC]

You need to distinguish between sectors reallocated at manufacturing time, which are relatively benign, and those auto-replaced later. For the latter, I would mostly agree with you. One or two reallocations don't seem to be a problem, but as many as five have usually shown a drive on its last legs.

Re:Woah

[Hatta]

What does a caching proxy have to do with securely deleting files?

Re:Woah

[NeoSkandranon]

IIRC the iPhone's flash chips are fine pitch surface mount and soldered to a board--I don't know of any way you could feasibly attach leads to a chip like that without taking it off the board and putting it in some kind of specialized unit.

Re:Woah

[NeoSkandranon]

Whoops, "surface mount and soldered" -1 redundant

Re:Woah

[dougmc]

He probably got the details wrong. More likely is that the disk was erased via (quick) formatting (i.e. write a new FAT and not much else) and then the data was still found to be there with a hex editor.

Re:Woah

[dougmc]

In real world situations, once random will stop anybody who isn't ready to throw lots of money and time at the problem. Twice random will probably stop most of the rest. Three or four random passes will probably stop the NSA even if they have a million dollar budget to get your data.

Seven pass is just massive overkill, `just in case'. But since it only takes a little longer than twice as long as three overwrites, might as well, just to be _sure_.

Of course, this all assumes that the data is actually being overwritten. If your drive has a sector that was marked bad and remapped, it doesn't matter if your drive is written 1000 times with random data-- if this old sector isn't being rewritten, then it's still there for somebody with the right skills and equipment (who can bypass the remapping) to read.

Re:Woah

[blueg3]

The other squid -- a Superconducting Quantum Interference Device.

Re:Woah

[ChrisA90278]

You don't have the shred the entire drive. I've seen security guys disassemble the drive and place each platter on a belt sander. Simply removing the coating is enough. Welding torches do a good job too. the coating come off with enough heat too.

It all depends what's on the drive in most cases the over write the data 10 times with random data is "good enough" but with other types of data physical destruction is the only option. There are many, may agencies each with their own rules about this.

Re:Woah

[lgw]

If you have a *lot* of drives, it's easier and cheaper (per drive) to just buy an industrial metal shredder and be done with it. Think of the labor cost of disassembling a drive and belt-sanding it - that obviously doesn't scale.

Re:Woah

[lgw]

Yep, 1 wipe with random data will protect you against anything but the resoruces of a major government, and even then it's pretty good.

Re:Woah

[home-electro.com]

It's not that simple. I'm certain current drives already do not use just two levels to store bits at every position. It's more likely they use a lot more complex modulation scheme.

To say that one pass of random write can be easily recovered means that you can ALSO double the capacity of the drive, in which case it would have been done by the drive's manufacturer. And THAT in fact has already been done, so in all likelihood one pass of zeros will be enough to stop anyone from recovering data.

Re:Woah

[steelfood]

The key is that you're wiping them with all 0's and all 1's repeatedly. If you wipe a drive with random data followed by patterned data followed by random data, you're pretty safe. And if you hold a magnet to the exposed platters themselves, you're almost guaranteed to get a decent wipe, though you'll also get an unusable drive afterwards. I know the military mandates a wipe of every classified drive with a high-powered magnet, but that might be with the platters still inside the casing.

Re:Woah

[Michael+Hunt]

> When I took my computer forensics class they showed that you could use a hex editor on a zero wiped floppy disk and recover most of the data that was on it previously. (emphasis mine)

If it was zero wiped, you'd see a meg and a bit of 0s. That said, if it's a floppy disk you're trying to wipe, the best way to go about it is a traditional low-level format, in which the drive mechanics physically remagnetise the surface of the media (this is the process which defines tracks and sectors.)

Not a lot's going to survive that.

Re:Woah

[Michael+Hunt]

No, all that it infers is that doubling the capacity of the drive is physically possible, not that the requisite head assembly would be affordable (or, for that matter, fast) for a desktop disk. The sort of setup you need to do this level of disk forensics would get you several tens of petabytes of cheap SATA disk.

I can't be the only one on /....

[bistromath007]

...who took one look at this and thought "good."

Re:I can't be the only one on /....

No, I'm sure there are other criminals besides yourself on slashdot.

Re:I can't be the only one on /....

[kabocox]

...who took one look at this and thought "good."

I did. I thought hmm, I'd want all the data loaded from a CF card that would be set to wipe if either an incorrect or emergency password were entered. Heck, you could even have a secure CF card that was guaranteed to wipe once its emergency code was sent. Basically, you've got to reformat and copy from another card if you want to reuse it. Or if you really want to go scifi you could have the card and phone turn to dust once the emergency code is entered.

Heck, 8 GB flash cards should be more than enough to store all your average top secret spreadsheet/db files from whomever, unless you've got A/V that you need to protect. Then you've got to wait until 1 TB cards come out.

Re:I can't be the only one on /....

[Sockatume]

Yeah, after the bean burrito special I really wish I could wipe remotely too.

Re:I can't be the only one on /....

[iceborer]

Me and Vinny thinks it's great!

Sent from my iPh

Re:I can't be the only one on /....

[Constantine+XVI]

Actually, if you slot a microSD card in a BlackBerry, you can set it up to encrypt the card along with the rest of the device, and it's scrubbed along with everything else if too many wrong passwords are entered in*

*The password and encryption is done device-side, so it even works in Linux.

Re:I can't be the only one on /....

[nine-times]

Indeed. And this has very little to do with the remote wipe feature. If I have access to a laptop, I can wipe the data there, too. If police get access to my smartphone, they should be able to turn on "airplane mode" and prevent anyone from wiping it.

In fact, it might be a bit suspect for them not to disable the wireless connection as their first act. Imagine if they confiscated your laptop and then immediately connected it to the Internet and left it connected. How could they claim to have secured any data from tampering either way if it's connected to the Internet?

Re:I can't be the only one on /....

[Ilgaz]

Just days ago, I tried so hard to explain why insecure smart phone can be the most evil thing and one can simply own your real life, identity with it. That happens on a technical site. I just couldn't explain to iPhone owners why their data or simply the smart device itself matters.

There are also opposite camp of idiots who thinks running pirated antivirus with root access to their device is a security solution!

I think the "phone" in "smartphone" confuses people. If they understand it is a mini laptop with excellent communications abilities which aren't found on their laptops, things would be easier.

Since when did anyone pay $15.000 bill because their computer got infected by a virus? It is easy and possible on smart phones :) If one is fool/ignorant enough, it is even possible via WAP or J2ME!

Good.

[mactard]

That just means the police need to work a little harder to make a case. It doesn't make it impossible though. The next hope is that they don't outlaw these devices or something. The Brits are a bit jumpy.

News At 11

[CastrTroy]

Criminals destroy evidence that could be used against them. News At 11.

Re:News At 11

[Nymz]

Let's give the 11 o'clock news some credit. I'm sure they would realize this is computer crime, and use the more accurate and appropriate term. "Hackers destroy evidence that could be used against them."

Re:News At 11

[Spy+der+Mann]

And after commercial break: Criminals give new uses to existing technology! :(

Re:News At 11

[n3tcat]

Well, it's on a phone. Perhaps the age of phreaking returns?

photos

[bbdd]

Don't forget to view the photos. I thought the photos were more interesting than the article.

http://software.silicon.com/security/0,39024655,39270417,00.htm

Re:photos

[Samantha+Wright]

Wow! An electronic nose that can smell incriminating information. We could replace the entire detective industry with these.

"Has my wife been cheating on me, detective?"
"Let's find out!"
*waves electronic nose over computer*
"No—but you've been falsifying information on your tax returns! Consider yourself under arrest."

Re:photos

[Statecraftsman]

This is what I thought. Probably GB rather than TB but what's 3 orders of magnitude anyway. This is news!!

OTOH, maybe there's a series of tubes in there.

Well...

[Spazntwich]

If the only evidence the police have on said 'criminal' is a string of bits on his cell phone, they probably didn't have much of a case anyway, and likely shouldn't be arresting this criminal.

I genuinely hope small time 'criminals' continue getting these sorts of victories to the point that our police forces are forced to admit they have failed in the war on consensual acts between adults. The change certainly isn't going to come about while our various wars continue to make a tidy profit for those at the top.

Re:Well...

[Sockatume]

What about eBay scammers? Extortionists? Kidnappers? Somebody who just won't stop sending you a picture of their wang? In some cases communcations evidence can be very significant indeed.

Re:Well...

[Sockatume]

Heck, the article notes that smartphones are used by "enterprise", so that's corporate crime in there as well.

Re:Well...

[Rix]

I imagine police forces would have a lot more cooperation on those things if so many people weren't worried that they'd turn on them for smoking the wrong thing.

Re:Well...

[pitchpipe]

Somebody who just won't stop sending you a picture of their wang?

What's wrong with a good Wang?

Re:Well...

[indros13]

If the only evidence the police have on said 'criminal' is a string of bits on his cell phone, they probably didn't have much of a case anyway,

Unless, of course, that string of bits says something like "April 18: Murder ex-girlfriend, 6pm"

Criminals Destroy Evidence on iPhones?

[Dieppe]

...that could be used against them?

Honestly, if the only case the prosecution has is possible evidence on an iPhone, their case is pretty shaky to begin with. Do REAL WORLD investigation you Nazi-a-holes, not worry about virtual evidence that you might or might not be able to get to!

Re:Criminals Destroy Evidence on iPhones?

[commodoresloat]

Agreed; they make it sound like such a hardship and yet they can't even point to a single instance of a criminal ever actually doing this (plus they name an easy fix in the first few paragraphs of the article). Gee, guys, think how hard it must have been for investigators before iPhones, when they had to actually look for physical evidence and talk to complaining witnesses in order to document crimes.

Re:First POST

I'm glad these articles focus on the negative facts that police have trouble with, and not the USEFUL part of remote data wipe so that millions of customers data can be deleted when a device is lost, instead of having that information in the hands of people that could do some damage. I'll take a wipe of evidence for that security any day.

Laptops and cell phones for the paranoid

[davidwr]

If you are really paranoid, you'll want your laptop or cell phone to:

• encrypt everything but the bootstrap code
• store part of the encryption key off-device, such as on a memory stick
• store part of the encryption key on-device and destroy it after a certain number of failed access attempts or after a specified time period since the last authorized access
• the on-device key could not be copied without tampering with the device
• tamper-resistant, preferably destroying the on-device part of the key if the device is tampered with or the battery removed

With this, only experts will be able to copy your device much less decrypt it, and they will have a limited time window to do the copy.

Such a phone or laptop would be good for crossing national borders or any other place where it is subject to search or seizure. If the border guards take it and try to copy it, they may give you back a brick, but at least they won't have anything useful.

Of course, this means you should have your irreplaceable data someplace else for safe-keeping. Think of your phone or laptop as a "convenience copy."

Encryption

[Boogaroo]

Here's an interesting bit too. Looks like they try simple password protection breaking, but...

The team does not attempt to crack high-grade encryption, relying instead on the threat of a prison sentence for individuals refusing to hand over passwords or decrypted files.

Re:Encryption

[supernova_hq]

Sir, we require that you give us information about your device so as we may incarcerate you!
Nope, sorry, I plead the fifth.

Re:Encryption

[philipgar]

Uh, in the UK you can be forced to (http://yro.slashdot.org/article.pl?sid=07/10/02/1237215)

phil

Re:Encryption

[CodeBuster]

Except that a Vermont judge recently ruled that password(s) contained in one's head are protected under the 5th Amendment to the United States Constitution. just like any other information in your head. It was discussed right here on Slashdot.

As for threatening law enforcement officers: say nothing, know your rights, and keep your cool. The law enforcement officer is NOT your friend and you shouldn't speak to them or answer their questions. You have a right to remain silent and you should use it. BTW every attorney that I have ever heard opine on the subject has said that it is better to say nothing than to answer some of the questions but not others. Don't let them scare you into giving up your rights with their Gestapo crap. Remember, if they are questioning you, especially if they are threatening, then there is NO way that you are NOT going to be held (i.e. arrested) for a while anyway until the matter either goes before a judge or they have to let you go (48 hours max w/out cause before any attorney can force them to let you out), so don't be dumb and tip your hand right at the start. Also, remember that if you ever get your equipment back then you can never use it or those passwords again (who knows what bugs they may have planted before releasing it back to you). You basically have to wipe and start over on new hardware.

Disclaimer: IANAL so if you find yourself in a situation like the one above find yourself one that you can trust and let them do the talking, but remember that the police are NOT your friends.

Re:Encryption

[jimicus]

Here's an interesting bit too. Looks like they try simple password protection breaking, but...

The team does not attempt to crack high-grade encryption, relying instead on the threat of a prison sentence for individuals refusing to hand over passwords or decrypted files.

Yep, the Regulation of Investigatory Powers Act gives them that power. If they believe you know how to get access to something that they can't (eg. you know a password), you are obliged to tell them or you face 3 years in prison.

You'll note that the wording of the above paragraph turns "innocent until proven guilty" on its head. Furthermore, how on Earth can anyone prove that they have forgotten (or indeed never knew) a password?

There was another clause to the effect "tell anyone that you've been coerced under this act and 3 year in prison becomes 5 years in prison" - I'm not sure what the exact wording was or even if that clause got passed though.

Of course, if you're facing 3 years inside but giving the password would reveal evidence of crime which would get you 10 years inside, it's fairly obvious what the sensible course of action is.

Re:Encryption

[stewwy]

Except that a Vermont judge recently ruled that password(s) contained in one's head are protected under the 5th Amendment to the United States Constitution. just like any other information in your head. It was discussed right here on Slashdot.

As for threatening law enforcement officers: say nothing, know your rights, and keep your cool. The law enforcement officer is NOT your friend and you shouldn't speak to them or answer their questions. You have a right to remain silent and you should use it. BTW every attorney that I have ever heard opine on the subject has said that it is better to say nothing than to answer some of the questions but not others. Don't let them scare you into giving up your rights with their Gestapo crap. Remember, if they are questioning you, especially if they are threatening, then there is NO way that you are NOT going to be held (i.e. arrested) for a while anyway until the matter either goes before a judge or they have to let you go (48 hours max w/out cause before any attorney can force them to let you out), so don't be dumb and tip your hand right at the start. Also, remember that if you ever get your equipment back then you can never use it or those passwords again (who knows what bugs they may have planted before releasing it back to you). You basically have to wipe and start over on new hardware.

Disclaimer: IANAL so if you find yourself in a situation like the one above find yourself one that you can trust and let them do the talking, but remember that the police are NOT your friends.

yeah right but its not 48hours in the uk anymore.....you try keeping quiet for 42DAYS

Re:Encryption

[mr100percent]

Doesn't the UK have some sort of right against self-incrimination in testimony? Is it in the unwritten constitution?

Re:Encryption

[jonbryce]

Britain doesn't have a 5th Amendment. Instead it has the Regulation of Investigatory Powers Act, which requires you to tell the police your passwords etc under certain circumstances. And you are not allowed to tell anyone about it, not even your lawyer.

Re:Encryption

[jonbryce]

No.

And anyway, an unwritten constitution isn't worth the paper it's written on.

Communications crime

[Sockatume]

Given that we have crimes which are commited pretty much entirely via communications (eBay scams, 419 scams, harrasment, extortion, stock mischief, etc. etc.) should it be particularly surprising that some forensic scientists are interested in preserving the evidence that the communications took place?

Easily prevented

[Peter+Simpson]

With this...http://www.lessemf.com/fabric.html

Worked on a project to handle just this problem. Shielding fabric allows you to view and manipulate the phone, while preventing it from connecting to the network. A standard anti-static bag works pretty well, too...just make sure you get a good inside-to-inside seal.

Re:Easily prevented

[zygotic+mitosis]

Maybe the cops should store their electronic evidence in a big Faraday cage. They have existed for ~150 years. Your fabric seems more elegant, but still. This problem has a quick and effective fix, and it will damn sure be easier than getting the telcos to change their technology for you. Unless you're the CIA.

Time for the police to step up.

[supernova_hq]

Personally, I'm sick and tired of the government and the police agencies bitching and complaining that they can't keep up with all this technology stuff. The criminals seem to be figuring it out just fine and they usually don't have forensics training.

It's time for the police departments to start hiring some technology professionals to work on tech related crimes and evidence instead of simply trying to outlay any device they can't open up and read like a book.

Bottom Line: You guys are being paid by the people to know how to deal with this kind of stuff, so DEAL!

Re:Time for the police to step up.

[mandelbr0t]

Right. The same technology professionals that cause most of the problems to begin with are going to get a job training the people who would catch them. But one can hope...

Encryption-Constitution.

"Nope, sorry, I plead the fifth."

The UK doesn't have the fifth.

Re:Encryption-Constitution.

No fifth? Well give him a couple pints then, maybe they will loosen his tongue.

Re:First POST

[bigplrbear]

*file "First POST" has been deleted*

*have a nice day*

Re:First POST

[Lumpy]

if the cops had any brains they would shut off the phones (remove battery) the second they get it and then give it to forensics that should have the IQ to operate it in a faraday cage so that it cant be tampered with remotely. Do they take laptops and PC's they capture and hook them to the net and turn them on? Why do they connect phones to the network when they look at them?

Come on, I though they taught the police how to handle evidence. Are you telling me that CSI tv show is a LIE!!!!

Re:First POST

[MightyYar]

Not to mention right near the top of the ARTICLE ITSELF:

"Because we isolate the devices immediately, and never reconnect them to their network, the remote wiping capability does not present us with much of a problem," he noted.

Um, so the problem is? Talk about sensationalism.

Data Recovery Much?

[SoapBox17]

Are these guys terrible at their jobs, or do the iPhone and Blackberry come with a way to remotely execute "shred"? Most of the data that is remotely "wiped" should be perfectly salvageable....

Re:Data Recovery Much?

[BSDevil]

If you manually enable "Content Protection" on your BlackBerry, doing a Security Wipe will take on the order of hours, and will overwrite the data several times with different patterns to the point that it's not recoverable by anyone, even RIM (if you don't have that mode enabled, a Security Wipe will only erase user-specific information, and it would be relatively trivial to recover it).

If you're on a BES (meaning your BlackBerry was issued and is controlled by your workplace), your BlackBerry administrator can enable this setting without your input though an IT Policy, and can remotely initiate a Wipe/Shred from within the BES control panel.

Re:Data Recovery Much?

[AndrewNeo]

This reminds me of movies where a spy or the bad guy realizes they're noticed when their access gets locked out. Could you imagine working on your Blackberry, and all of the sudden, without notice, you're locked out for a security wipe? Hopefully your resume wasn't on it..

No different

[ArchieBunker]

Than leaving incriminating notes or phone numbers written in a book. Instead of flipping through pages they dump your sim card. If you're going to do illegal things then don't leave anything tangible.

Re:No different

[riceboy50]

I don't trust yours and the government's definition of incriminating.

Re:First POST

[Karlt1]

Yeah, that would be useful. How do you do that on an iPhone? I thought that the lack of that feature was one of it's problems for Enterprise.

It was added as part of the 2.0 firmware upgrade.

http://www.apple.com/iphone/enterprise/

eatures include:

        * Push email
        * Push contacts
        * Push calendar
        * Global Address List (GAL) support
        * Certificates and identities
        * WPA2/802.1X
        * Enforced security policies
        * Cisco logo More VPN protocols
        * Device configuration
        * Remote wipe

We remote wipe our data in hands of criminals

[Ilgaz]

Sorry it sounds like a "In Soviet Russia" thing but it is true.

Symbian/WinMobile smart phones have tools to lock the handset remotely or in case of new Kaspersky antivirus/security or other 3rd solutions, you can remotely instruct phone to delete all personal data irrecoverably and lock itself. I am almost sure Blackberry, being an enterprise focused device must have similar option.

Once the Apple decided not to allow background running processes, they lost that possible solution. Not just they don't allow anyone to implement it, they don't implement it themselves too.

It is a completely fool safe thing. User sends a previously set SMS to device, device locks itself. Or in Kaspersky case, it doesn't just lock itself, it wipes its data and optionally transforms itself to a white hat (for you) rootkit/trojan and sends the number of first SIM card plugged to device to previously set number.

Re:We remote wipe our data in hands of criminals

[nxtw]

Symbian/WinMobile smart phones have tools to lock the handset remotely or in case of new Kaspersky antivirus/security or other 3rd solutions, you can remotely instruct phone to delete all personal data irrecoverably and lock itself. I am almost sure Blackberry, being an enterprise focused device must have similar option.

Remote wipe is a feature of BlackBerry/BES and Windows Mobile/Exchange. No third-party software is needed, unless your phone isn't connected to a BES/Exchange server. When the phone receives the wipe signal, all data stored on the device will be wiped.

The iPhone has remote wipe, but I don't think it has encryption of any of the content stored on the device.

BlackBerry has content encryption and the latest Windows Mobile (6.1) has encryption for the entire user-writable storage area. The key is stored on the device, encrypted with a password. BlackBerry overwrites the key in RAM when the device is locked (that is, when the device is inactive for a certain amount of time or when it is placed in its holster); since WM's encryption operates at a lower level, the key does stay in memory while the device is powered on. Either way, cutting power to the RAM will erase the decrypted copy of the key. Both support encryption of storage cards as well.

As long as the device is set to automatically lock itself out and there is no way to bypass the lock screen, there's not a whole lot you can do to a fully encrypted WM6.1 device without resorting to a RAM attack or finding a weakness in the implementation. Since the BlackBerry will erase the unencrypted copy of the key when the device is not active, it's secure against searching for the key in RAM, too.

Re:We remote wipe our data in hands of criminals

[mlts]

I don't know about BES as much, but in Exchange, you can trigger the remote wipe function two ways. The user can do it by logging into Outlook Web Access (usually www.blarf.com/owa), hitting options, finding their device and selecting it to be wiped. The Exchange admin can also do it from the management console. You get a confirmation once the device is wiped, so you can delete the device from the "wipe as soon as it connects" list and repurpose if you recover it.

Exchange's wipe works because the device periodically hits the Exchange server over a SSL connection. Here, the Exchange server can tell the smartphone/PDA/PocketPC to wipe itself. For someone to make a fake remote wipe, it would take spoofing both the domain name and URL of the Exchange server, as well as either compromising the SSL key of the IIS service or one of the top level root CA keys.

Re:We remote wipe our data in hands of criminals

[Ilgaz]

"The US Army use iPhones and develop specific software for it.. you can bet it's encrypted and that remote wipe works."

So to get a secure iphone, you have to apply to marines and become a soldier?

That is my point. All animals must be equal. Every byte of data which isn't part of device ROM is very private data. It doesn't have to be military secret. Your home number is equally private too.

Next Step

[MRB+Constant]

The next step is to demand evidence of business activity -- just to make sure no laws have been broken.

I love my Treo

[Zorque]

I have a program on there that'll reformat the hard drive and zero everything else out, as well as disabling the SIM card, if I text it a certain phrase. Of course, it isn't all that helpful if whoever gets ahold of my phone just turns the radio off or removes the antenna so it can't receive that message, but I guess I have to count on criminals not knowing much about PalmOS since it's apparently a dying platform or something.

Re:I love my Treo

[tekrat]

What program is that? (Link please).
I love the idea of being able to program my phone to self destruct if needed.
This way if my phone is ever stolen, I can immediately brick it.

Re:First POST

[sootman]

No doubt. They should have said "Remote wipe is useful in situations such as..." and then link to all the stories we've seen about lost laptops in the last year.

not even as newsworthy as what you ridicule

[commodoresloat]

I actually RTFAd, and there's no evidence whatsoever in the article of criminals actually, you know, doing this sort of thing. It's a forensics expert saying that this cell phone feature "could be exploited by lawbreakers." Gee. And he even says it's not a big problem if it actually ever does happen as it's easily countered by any forensics shop: "He added the unit took precautions to guard against the feature being exploited. 'Because we isolate the devices immediately, and never reconnect them to their network, the remote wiping capability does not present us with much of a problem,' he noted." The whole story is pretty empty, a little bit of whining about how new technology is making their jobs tougher, but that's about it.... Welcome to the 21st century.

Though fucking noogies

[Pig+Hogger]

It seems that law enforcement sees itself as more and more godlike when it comes to assume power over mere mortals they are investigating. This arrogance has to be stopped dead, because if left to themselves, they will expect total compliance and disclosure upon request to anyone without any safeguard whatsoever against abuse.

We have to resist indomitably, in order to drive the point home that our information is not a plaything to be rummaged through at will; if the administration of justice suffers for it, better let a criminal escape than harass an innocent.

Re:Though fucking noogies

[hyades1]

Have you reached the point yet, as I have, where the next person who says, "If you aren't doing something wrong, what are you afraid of" is liable to get a quick kick in the arse in lieu of an extended lesson in civics, freedom, rights and responsibilities?

Re:Though fucking noogies

[Pig+Hogger]

For more than thirty years I have endured my sheep of parents getting shafted left and right, and whenever I wanted to point out they were shafted and that they happenned to have right, I was laughed-off.

Your phone is a honeypot.

[AHuxley]

A quick history lesson.
Most of the UK's 'cell' tech came from ex Government Communications Headquarters workers.
It was designed on the lessons learned by the UK gov in 1970's in Ireland.
Interception, tracking, impersonation.
The idea that the UK gov ever lost this 'network' is really lol.

The work and deaths of Adamo Bove, head of security at Telecom Italia
and Costas Tsalikides, Vodafone's network planning manager in Greece,
show that all aspects of cell phone use are wide open to all.

I wish I could've said it was erasable...

I worked at a high school that was administering standardized tests--standard procedure is that cameras and phones stay in backpacks to keep students from leaking the exams. Makes sense.

Turns out a few students are so phone addicted they put their phone in their pocket, ask to use the bathroom, and whip the phone out the second they enter the hall. The phones were quickly confiscated by a hall monitor.

Being the school's sysadmin, there was insistence that I check every one of these confiscated phones for evidence of trying to leak exam information--page pictures, text messages, etc. Of course, I found nothing.

I explained that, IF the students were in fact doing this, they could easily delete any evidence they were leaking information--picture archive and sent-messages folder. I was looked at as if I had grown a third nipple--I might as well have been speaking Farsi.

BTW, there's a feature I want in a camera phone. Upon pressing one key, the camera phone commits to taking a picture and immediately e-mailing it to a predetermined e-mail address. That way, should a person/police officer take the phone or swat it out of your hand, it's too late, unless they can physically break the phone or remove the battery within the 3 seconds the picture takes to send...

Re:First POST

[KGIII]

The idea made me curious. I just wrapped my phone (mobile) in a rather large ball of aluminum foil. I then called it. Err... It still rang. I don't have any scientific evidence to say why, how, or all that but it rang. I obviously couldn't answer it.

Oh noes! There goes my tinfoil hat industry!

[Mathinker]

And "Stainless steel mesh shielding fabric hat" just doesn't have the right ring to it; it sounds too woody, not tinny enough!

(More seriously, thanks for the link; I might buy some of this stuff when my passport gets chipped...)

Re:Good.-"/." on empty.

[KGIII]

Err... How about kiddy porn on their phone?

Re:First POST

[dougisfunny]

it used the ball of aluminum foil as an antenna?

Re:First POST

[dashesy]

Try a thicker foil (and make sure there exists no holes in it), at some point it would stop ringing because it should shield against the magnetic field.

Re:Serious Fraud Office

[meringuoid]

" The UK police's Serious Fraud Office" as opposed to the Humourous Fraud Office, which goes around nightclubs catching and prosecuting bad comedians.

The Humourous Fraud Office are mostly known as the people you call if you buy a pet which, when you get it home not half an hour later, turns out not to have been just resting at all, but in fact to be stone dead and nailed to the perch.

Does the iPhone us a HD? No, then your are an idio

[SmallFurryCreature]

Shred is for HD's, not flash. Learn the difference. It seems you are terrible at your job if you do not know the difference.

Re:First POST

[KGIII]

NOT A SCIENTIST... So... I was curious. The dimensions were *about* 8" across with the phone in the center. Since I have had people tell me to drill holes in it. I will try that next.

Re:First POST

[KGIII]

Will ground in the morning.

Re:First POST

[Z00L00K]

Removal of battery is feasible, since most of the information of interest is stored in flash, but it doesn't work for all phones since a few uses ordinary RAM and a backup capacitor, which effectively will wipe the phone completely if the battery is removed for too long.

So you have to know the phone to take the correct measures to allow the forensic team to have something to work with.

Re:First POST

[Lumpy]

The frequency you are using on your phone is very high, any tiny gaps in the foil will allow the signal in.

Carefully wrap the phone in foil, make all seams double folded, creased and taped and then wrap it again that way and try again.

Degaussing

[RogL]

Great example! A vivid (if slightly damaging) real-world example.

It's been a while since I learned about CRT deflection coils, and demonstrated my new-found knowledge to my siblings by making pretty patterns with a magnet held up to my parent's TV. I still remember the horror when I removed the magnet and the wild colors didn't go away...

And that's why you don't fix it with another magnet: you buy/beg/borrow/steal or build a degaussing coil and demagnetize it. Which may take a few tries if you've never done it before.

Re:First POST

[speculatrix]

yes, drilling holes in your phone would definitely stop it from connecting to the cell network.

Re:First POST

[smoker2]

A Faraday cage needs the cage and the object to be electrically separated. Otherwise, you just gave your device a big antenna.

Foil

[Joeyspecial]

The idea made me curious. I just wrapped my phone (mobile) in a rather large ball of aluminum foil. I then called it. Err... It still rang. I don't have any scientific evidence to say why, how, or all that but it rang. I obviously couldn't answer it.

No no no, you have it wrong. You are supposed to wear the tin foil hat on YOUR head.

Good, I'm tired of hearing cops complain

[gelfling]

that the world isn't completely a police state, yet. Let them figure out how to fix their 'problem'.

Re:First POST

[PMuse]

"Because we isolate the devices immediately, and never reconnect them to their network, the remote wiping capability does not present us with much of a problem," he noted.

So, law enforcement is deliberately keeping my company from protecting it's customers' data? Great. My customers will feel much more secure knowing that their data is safe in some random evidence locker in some random town than having it be gone.

Hmm - next feature set???

[GuyverDH]

Automatic wipe when certain *signals* aren't received periodically???

Maybe the crooks already thought of it...

If not - don't read this - my idea has been stored in printed form, in a sealed mason jar, under the front porch.

Re:First POST

[MightyYar]

I suppose if you are an organized crime syndicate, yes, they are interfering with your business plan. Perhaps you should inform all of your employees, er... henchmen, to please refrain from leaving their iPhone at any crime scenes they have created.

Highly specialized knowledge

[Minwee]

Foggon believes that the unit's years of experience in unearthing evidence from everything from 186s to MacBooks will mean it will have a key role to play in any central UK e-crime policing unit.

186s? That will come in very handy if they happen to catch a criminal mastermind happens to be carrying around a BBC Master 512, Tandy 2000 or Wang Office Assistant in his pocket.

Re:Highly specialized knowledge

[Hatta]

I've got a Wang Office Assistant in my pocket. Want to see?

Re:First POST

[lucifuge31337]

Show me how to easily take the battery out of an iPhone. Please.

Re:First POST

[dougmc]

If it's truly a proper Faraday cage for the frequencies involved, it doesn't matter if the object and the cage are electrically separated or not -- it'll still work. This is a function of Gauss's law.

In this case, either the aluminum foil wasn't thick enough, or the gaps in it were too large. A cell phone is generally pretty sensitive, so even if you reduce the signal by a factor of one million, it may still be able to pick it up.

White paper on date deleting & recovery

[BigGar']

Since every time something like this comes out all kinds of FUD pops up about data erasure, etc...
A classic paper on secure data deletion & recovery:
http://www.cs.cornell.edu/people/clarkson/secdg/papers.sp06/secure_deletion.pdf

Enjoy

Re:First POST

[ChrisA90278]

Your ball of foil was NOT a faraday cage. Or rather it was a very poorly constructed one. You need a fully conductive enclosure with very tight seems. In professionally constructed enclosures you will notice things like copper gaskets and closely spaced bolts, doors where a copper knife edge is forced by a cam into a narrow slot. Even after the enclosure is built it must be tested and small air-gaps found and repaired.

In your case, a foil to foil joint is likely not conductive. Oxide coating on the Al foil acts as an insulator and you get a few ohms of resistance, at least.

Try another test using copper or brass pipe. Put the phone inside a length of pipe and screw end caps over each end of the pipe. Tighten until the bare metal on metal threads from a gas tight seal.

Re:First POST

[pandrijeczko]

How about making the aluminium foil into a hat shape before putting the mobile phone in it? It works for me.

How?

[mr100percent]

That makes me curious, is there any way to remote wipe an iPhone without being part of the Enterprise program? (You can wipe it on the iPhone settings menu itself already)

Re:First POST

[An+ominous+Cow+art]

Or maybe THEY programmed you to spread that disinformation.

And according to the article...

[LittleMolar]

"Because we isolate the devices immediately, and never reconnect them to their network, the remote wiping capability does not present us with much of a problem"

Sounds like they have the problem under control. Still must be a slow news week.

Re:First POST

[AndrewNeo]

Don't most phones have an airplane mode, to turn off the radio...?

Re:First POST

[KGIII]

Wrapped carefully and it did not ring. :)

Re:First POST

[KGIII]

I wrapped it, instead of balling it up, and it didn't ring. It didn't ring in a microwave either. :)

Re:First POST

[KGIII]

Nope, didn't ring in the microwave. (Then I put a lightbulb in water into the microwave. That's another story for another day.) I also wrapped it carefully (not balled) and folded all the seams over that I could and it no longer rang. Yes, I have no life and my wife thinks I'm insane.

Re:First POST

[KGIII]

That worked just wonderfully - it didn't ring. Nor in a microwave either. Yeah... I really need a life.

Re:First POST

[jonbryce]

Interesting. I put mine in my Microwave (switched off obviously), and called it.

It rang.

It was on the glass turntable, so it couldn't have used the walls of the microwave as an antenna.