Slashdot Mirror


FBI Tries To Force Google To Unlock User's Android Phone

Trailrunner7 writes "Those multi-gesture passcode locks on Android phones that give users (and their spouses) fits apparently present quite a challenge for the FBI as well. Frustrated by a swipe passcode on the seized phone of an alleged gang leader, FBI officials have requested a search warrant that would force Google to 'provide law enforcement with any and all means of gaining access, including login and password information, password reset, and/or manufacturer default code ("PUK"), in order to obtain the complete contents of the memory of cellular telephone.' The request is part of a case involving an alleged gang leader and human trafficker named Dante Dears in California. Dears served several years in prison for his role in founding a gang in California called PhD, and upon his release he went back to his activities with the gang, according to the FBI's affidavit."

6 of 385 comments

  1. Ars Technica Link by DarkHelmet · · Score: 5, Informative

    http://arstechnica.com/tech-policy/news/2012/03/fbi-stumped-by-pimps-androids-pattern-lock-serves-warrant-on-google.ars

    The one thing I found amusing about the whole thing is that PhD supposedly stood for "Pimpin' Hoes Daily". Then I read this:

    Her $500 a night went straight to Dears, though, who "took care of her" in his own special way. As San Diego's Union Tribune reported, Dears found out the woman had spoken to a man who wanted to help her get off the streets. So Dears "beat her up in the back seat of his Cadillac and then forced her to get into the car's trunk, she testified. While in the trunk, she was driven from East Main Street in El Cajon to Hotel Circle in Mission Valley, she testified."

    Major league asshole. I hope he gets the book thrown at him.

    --
    /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
    1. Re:Ars Technica Link by oakgrove · · Score: 5, Informative

      When you try and fail to unlock an Android device enough times, it just asks for your Gmail password. I doubt Google will do anything more than give them that, which would be pretty worthless against any other Android phone.

      --
      The soylentnews experiment has been a dismal failure.
    2. Re:Ars Technica Link by EdIII · · Score: 5, Informative

      It should not be that much of a problem for Google then.

      Their lawyers could just have fun with it. A nice lunch with some IT guys and an hour or so later you have a well-written response with supporting documentation on why the FBI are complete technology retards.

      They could have a few pages on how PUK and SIM actually work, and even being helpful, list contact information for the manufacturers.

      Judge would just love reading that the FBI was wasting the court's time because they could not even figure out who to serve a warrant to. :)

    3. Re:Ars Technica Link by Anonymous Coward · · Score: 5, Informative

      The PUK is also unnecessary since it's only used to unlock the phone's SIM card (and hence its contacts). If you fail too many times it self-destructs.

      The wireless provider knows the PUK as it's based on the serial number of the SIM card, so Google certainly wouldn't have it.

      Text messages are a bit of a "maybe yes"; while they are transmitted through the carrier, for billing purposes, the carrier has no way of reading them unless they've been stored. Having worked for AT&T, their customer service software, and all the support software doesn't let you read text messages, but it does let you send text messages anonymously to phones. If you're a technical staffer who can manually provision phones, you may have access to the SMS in-transit, but I don't think they're stored unless the FBI has been requiring it.

      The actual storage of SMS messages is on the phone/SIM if not deleted. It largely depends on what the phone's software is set up to do. On early Motorola and Nokia phones, all the contacts were stored on the SIM card, but on later models (post 2005) they are stored in the phone memory by default.

      So there's no need to get the SIM card PUK; it's just the easiest way to bypass the PIN password. If you remove the SIM card and replace it with another one without a PIN, it will give you access to the phone and all its data anyway. Depending on the device, you may have better luck simply syncing the device to a computer.

      As for what you can do with a stolen/lost phone, not a hell of a lot. If you're looking to wipe it so you can keep it, it's much easier to do that, than to use it for identity theft. As a golden rule, I never "save my password" on any device. I'd rather a lost device be wiped than someone using the data for nefarious purposes.

    4. Re:Ars Technica Link by swillden · · Score: 5, Informative

      To use google (ldap) directory sync with google apps, you need to use unsalted SHA1, or cleartext passwords in the directory you wish to sync.

      That doesn't mean Google stores unsalted hashes or cleartext, it just means that whatever Google stores is computable from those.

      (Disclaimer: I work for Google, on security stuff, but I don't know anything about how user passwords are stored. I will say that storing unsalted hashes or cleartext would be very out of character for Google. Google tends towards great caution when it comes to security, and employs a lot of serious security experts and cryptographers.)

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
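
Added example, not part of swillden's comment and not Google's code: one hypothetical scheme in which a service that accepts unsalted SHA-1 digests from a directory sync still stores only a salted, stretched verifier computed from them. The function names, the PBKDF2 parameters and the sample password are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example


def unsalted_sha1(password: str) -> bytes:
    """What the directory sync would send: a bare SHA-1 digest."""
    return hashlib.sha1(password.encode("utf-8")).digest()


def make_record(synced_digest: bytes, salt: Optional[bytes] = None) -> dict:
    """Wrap the synced digest in a salted, stretched verifier for storage."""
    salt = os.urandom(16) if salt is None else salt
    verifier = hashlib.pbkdf2_hmac("sha256", synced_digest, salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "verifier": verifier}


def verify_login(password: str, record: dict) -> bool:
    """At login the service sees cleartext, so it can recompute the same chain."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", unsalted_sha1(password), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["verifier"])


def demo() -> dict:
    # Constructed sample: two users who happen to share a password.
    pw = "correct horse battery staple"
    alice = make_record(unsalted_sha1(pw))
    bob = make_record(unsalted_sha1(pw))
    return {
        "synced_digests_equal": unsalted_sha1(pw) == unsalted_sha1(pw),
        "stored_verifiers_equal": alice["verifier"] == bob["verifier"],
        "alice_login_ok": verify_login(pw, alice),
        "wrong_password_ok": verify_login("wrong", alice),
        "raw_digest_in_record": unsalted_sha1(pw) in alice.values(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The unsalted digest in the source directory and in transit remains as crackable as any unsalted SHA-1, so a scheme like this only changes what sits at rest on the receiving side.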
  2. A warrant *is* enough, conditionally by dacarr · · Score: 5, Informative

    Picking through the details, it's pretty simple. The FBI served Google a warrant for a user.

    What they will get out of it is any information on the perpetrator that Google has in their control - so Gmail, Picasa, anything on their servers. This is what a warrant does, and any content provider such as Google will have this in their TOS.

    What they *might* get is a replacement account password to access the phone. That's unclear to me. It's in that respect that I don't know how Google will proceed.

    What they will NOT get, however, are unlocks, text messages (unless he backs those up into his Gmail account), device passwords, device unlock patterns, or anything that would be used to unlock the device. That's all up to the mobile carrier or (possibly) the device manufacturer - not Google.

    And for those who think Google made the device, no, they didn't. Somebody else did. May have been Motorola, LG, HTC, or Samsung, just to name the big four phone makers who put out Android off the top of my head. Google's support ends at the operating system development level, and whatever they have on their network. Demanding of Google whatever's on the mobile network or the device unto itself is like demanding an Amtrak schedule of Pepsico.

    --
    This sig no verb.