Slashdot Mirror
FBI Tries To Force Google To Unlock User's Android Phone
Trailrunner7 writes "Those multi-gesture passcode locks on Android phones that give users (and their spouses) fits apparently present quite a challenge for the FBI as well. Frustrated by a swipe passcode on the seized phone of an alleged gang leader, FBI officials have requested a search warrant that would force Google to 'provide law enforcement with any and all means of gaining access, including login and password information, password reset, and/or manufacturer default code ("PUK"), in order to obtain the complete contents of the memory of cellular telephone.' The request is part of a case involving an alleged gang leader and human trafficker named Dante Dears in California. Dears served several years in prison for his role in founding a gang in California called PhD, and upon his release he went back to his activities with the gang, according to the FBI's affidavit."
is becoming ever more important. In fact, it will soon replace the constitution as the thing you can always depend upon.
H.
...to avoid dependence on "free" information services.
http://arstechnica.com/tech-policy/news/2012/03/fbi-stumped-by-pimps-androids-pattern-lock-serves-warrant-on-google.ars
The one thing I found amusing about the whole thing is that PhD supposedly stood for "Pimpin' Hoes Daily". Then I read this:
Major league asshole. I hope he gets the book thrown at him.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
If they have enough probable cause to suspect there's even more evidence on the phone and are going through the proper procedures of obtaining a warrant, then I don't have a problem with this. If they were not in the middle of a trial case, however, I'd think this would fall under "unreasonable searches and seizures."
Occasionally living proof of the Ballmer peak.
Can you say whoops.... "The FBI special agent who wrote the affidavit also requested that Dears not be told about the information request, however the search warrant and affidavit were not sealed." Pretty sure the whole planet knows now dood...
Push here, Dummy.
If his credentials are being properly stored as SHA2 hashes, I don't think Google could comply with this anyways. This is the whole point in using hashes over encryption.
Called Celebrite. I thought it was supposed to be able to read all data off of SIMS and such. http://ebongeek.com/2011/04/20/the-cellebrite-ufed-allows-law-enforcement-to-download-all-your-smart-phone-data/ I would think that a search warrant covering the phone would be enough for the FBI to run such a program - am I missing something here? Or is this due to some possibly technology-ignorant FBI possible boomer crying that Google doesn't automatically hand them everything they want through the magical power of the interwebs?
The Invisible Hand of the Free Market is what punches workers in the nuts.
It works only on selected handsets and I believe it still depends on user compliance. I read as much data as I could find on the topic and I'm under the impression it works on a phone which is not currently locked. In other words, if you hand over your phone and comply with their request to unlock it they can then access pretty much everything on a supported model. Including stuff you deleted. If you refuse to unlock it, I don't think that device will do much.
I'm surprised the FBI can't just dump the flash and brute force it. There are only about 100,000 possible patterns.
Assuming you can get all that through the usb port. Having dealt with the FBI they are in general technology challenged. My favorite was the computer forensics expert they could not get a .tgz open.
No sir I dont like it.
it can only read what is stored on the sim, if the data is encrypted on the phone reading even the RAM module will just get you an encrypted block, that reader works on blackberry phones too as long as you don't need to be able to READ the data, just copy the block
Snowden and Manning are heroes.
Which part of " FBI officials have requested a search warrant" do you think isn't about getting a warrant?
It's also called RTFA, or in this case, RTFS...
Are you telling me that you can't unlock one of these phones, without a PhD?
"Flyin' in just a sweet place,
Never been known to fail..."
Passwords are a stupid way of securing a device. The "password" on the device should be a passphrase for a key on the phone's encryption system. Both Apple and Google are making the same security mistake. iTunes could be a million times safer if they used public key authentication instead of their awful password system.
Which part of " FBI officials have requested a search warrant" do you think isn't about getting a warrant?
Which brings up the question... WTF is this newsworthy?
Sheesh, evil *and* a jerk. -- Jade
Why don't they ask Apple - they own swipe to unlock
THAT article basically changes it from "google, unlock this phone!" to "google, please tell us what you about this account". Being specific is good when you are doing improv comedy, but not when you want to provoke discussion.
This issue is a bit more complicated than you think.
It seems to be pretty weak investigative work if the stone of truth depends solely on a cell phone record. Sure the guy is a scum ball, but if its so evident then there has to be a way to prove it that doesn't involve hacking into a computer device. As smartphones become databanks of personal information here also comes the advent of lazy detective work which would rather usurp expected privacy as the norm instead of hitting the streets to get their gumshoes dirty.
Work for Pay and Pay for Freedom
With all the talk of not keeping things on phones. Maybe it is time to debate if these devices could fall under an external human memory that should have the same considerations to the contents of your mind. They can't just request the content's of your brain. 5th amendment. As more technology invades our lives the more these devices are turned into surveilance sources. Should they not be totaly encrypted and carry the same protections as or your brain. Just a thought, maybe wrong about it.
Why would Google have his SSN?
Unlock the phone, and prove to all Android users that Android's "security" is weak and/or has a back door.
Tell Law Enforcement they can't help with their warrant, and piss off Law Enforcement for future requests against google.
I'm glad I'm not Google.
What they will get out of it is any information on the perpetrator that Google has in their control - so Gmail, Picasa, anything on their servers. This is what a warrant does, and any content provider such as Google will have this in their TOS.
What they *might* get is a replacement account password to access the phone. That's unclear to me. It's in that respect that I don't know how Google will proceed.
What they will NOT get, however, are unlocks, text messages (unless he backs those up into his Gmail account), device passwords, device unlock patterns, or anything that would be used to unlock the device. That's all up to the mobile carrier or (possibly) the device manufacturer - not Google.
And for those who think Google made the device, no, they didn't. Somebody else did. May have been Motorola, LG, HTC, or Samsung, just to name the big four phone makers who put out Android off the top of my head. Google's support ends at the operating system development level, and whatever they have on their network. Demanding of Google whatever's on the mobile network or the device unto itself is like demanding an Amtrak schedule of Pepsico.
This sig no verb.
That the warrant is being served potentially on someone with no interest in the case.
It's an end-run around the password issue to serve google. It sidesteps the issues of the password case that was of recent concern, but raises new ones, thus is interesting.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
If they truly want any information on the guy, just have FBI officials disguse themselves as reps from an advertising firm. Google would gladly sell every piece of information available on the suspect.
Setting aside the serious legal implications of this case, I'm amused that the authorities are stymied by a gesture code, because those are ridiculously insecure. They're even easier to pick up than PINs via over-the-shoulder observation (even watching someone do it with the screen away from hem, an observer can narrow it down to a feasible number of alternatives to try), and furthermore the gestures leave telltale smudges that can often be observed after taking the device from the user. I do front-line tech support, and I've had people hand me their phones after unlocking them, and on several occasions I was able to guess their gesture code just from those clues.
http://alternatives.rzero.com/
I did not know hooking it up to your USB port and looking at the file system was considered "hacking." That would sure has come down a bit...
This is not a technical case. It's a legal one.
They want to be able to hack the phone the "legally", so the alleged proof can be use in court.
on your phone, in your house, on your computer, on physical media, on your person, in your car, in your work place....damn it...where should we keep our incriminating stuff?
My God can beat up your God. Just kidding...don't take offense. I know there's no God.
If you make less than $500 a night as an IT Contractor...you should try working days....much easier on the soul.
My God can beat up your God. Just kidding...don't take offense. I know there's no God.
You know the FBI on your tv shows aren't real, right?
The Kruger Dunning explains most post on
Probably why he had mentioned the expert he knew couldn't even execute a simple tar command properly
I got nuthin
If the only way they can bust a "human trafficker" is by getting into his cellular phone, maybe they need to do a little more police work.
The criminal justice system allows a hell of a lot of latitude to law enforcement. Legal wire taps, surveillance, search warrants. Informants, RICO, DNA evidence, even tax evasion investigations.
I've seen The Wire and The Shield, Kojak, Columbo and even Mannix. There are plenty of ways to take down a perp, and if all else fails, you put a couple in his noggin, drop a throw-down piece on him and say he drew down on you. Then you go home and sleep like a baby.
But they tell us the only way they can lock up a gang leader involved in human trafficking is by checking his Angry Birds high score.
Just sayin'...
You are welcome on my lawn.
No, the story says the phone in question is a seized phone. It's evidence in their possession. They just can't read it.
The original article says Google may not have the tools to force the phone to unlock.
That's extremely unlikely. And if it's true, it's inexplicable. What company wouldn't build a foolproof mechanism to unlock its operating system if it gets into a bad state?
Technicians apparently mis-entered the pattern enough times to lock the phone, which could only be unlocked using the phone owner's Google account credentials.
Why they were even bothering with the unlock screen rather than just slurping up all the data on the phone with a UFED is beyond me.
FSB android locks-up user!
This sig is not paradoxical or ironic.
"Dears served several years in prison for his role in founding a gang in California called PhD, and upon his release he realized his felony conviction prevented him from everything from gainful employment to food stamps and voting.
Upon applying to several minimum wage jobs only to be turned down, he also realized that credit and felony checks performed by apartments and landlords would also preclude him from securing affordable housing without a large security deposit.
defeated, frustrated, and with little prospect of ever reintegrating into society, he went back to his activities with the gang.
perhaps he learned the value of human life in jail, perhaps a newfound respect for his fellow human,
but he would never know life outside of the only institution to provide for him, the gang.
Good people go to bed earlier.
Why can't they use jtag or flash a tiny spy rom that does nothing but download contents of flash? Heck I would bet there is a diagnostic tool that already does that.
Asking google seems foolish. If they can do it and they use the capability that capability is degraded.
To be fair, .tgz is super obscure. I mean, not even WinZip is able to handle tgz.
Why they were even bothering with the unlock screen rather than just slurping up all the data on the phone with a UFED is beyond me.
Because cops are idiots and the only reason the system works is because criminals are usually even dumber ?
If all else fails, immortality can always be assured by spectacular error.
1) Flash a rooted kernel and CWM recovery with ODIN (all Samsung phones allow this)
2) boot into recovery
3) connect to the phone using ADB
4) Using sqlite, update the settings database and disable security
You're welcome.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
And even if that thing were for some reason not to work, I'm sure you could just rip out the NAND chips and copy /data/ off with a reader of some kind - it's pretty unlikely that this would be out of reach for the government.
I wonder if they've bothered to check for root and a custom ROM... it may be as simple as booting the phone into an already installed custom recovery and just copying the files off using ADB and a MicroUSB cable.
Do these forensic extraction devices really work on an arbitrary phone, or only if the phone is configured to go into usb debug mode as soon as a usb cable is plugged in?
My Android phone defaults to "usb charge only". I find it difficult to believe that a special usb host would be able to take control over the phone.
Avantslash: low-bandwidth mobile slashdot.
maybe it didn't work.
if the forensics device promises more than the guys in chinatown can get you, there's a chance it's horseshit. you need to open the device to enable adb/mtp/whatever protocol it is that it uses for file transfers, not all devices have manufacturer modes to slurp everything out either(and that's no good if they're actually after the online accounts the phone has access to). it's easy to do the things ufed promises on most devices which have adb enabled, but if you don't have that enabled then it gets trickier, the bootloader would need to have some special dump everything mode.
or maybe they can't use it because they've accepted the eula on some device at some point in their life.
it's a bit silly asking for google for this information though, but maybe the phone manufacturer said that they got nothing to do with it - or the phone manufacturer isn't american whilst google is. another thing to ask is.. do they even know the google account the phone is tied to?
it's pretty certain that they are NOT after the sms's or call history - they have that from the phone company. they want the rest, which means they're actually after his email accounts which he probably used since he probably knew that the sms/calls would leave a log that would be used against him in court.
world was created 5 seconds before this post as it is.
So is it encrypted? If not, I'm sure the techies can work around it without Google's help. If it is, then Google can't help anyway
Because according to the link you provided Android support is not included on this UFED thingy?
---
"The chances of a demonic possession spreading are remote -- relax."
Interesting rant but maybe a little off key. The key sentence is"perceived need". Since in fact it is not needed - "https://www.google.com/search?q=warterboard" works just fine, it's that other story about your privacy being worth 60 cents.
I'm tend to think all that junk in there is tracking junk.
More to the point you want "refine and improve", it works for cars, just less nicely for information.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
The guy has a lock up and is arrested and accused of human trafficking, drug dealing and so on, or indeed anything else.
The FBI find out about it.
Don't you think they'd get a search warrant? I don't see why a locked phone or PC is any different. Your right to privacy is severely restricted as soon as you are arrested or even under investigation, because a jury needs to have all of the facts of the case.
In fact if they serve you with a subpoena you pretty much have to comply with it or risk being found in contempt of court. Even Nixon had to hand over his tapes when he was hit with a subpoena and he was POTUS at the time. In the physical lock up case I think they could subpoena the key or combination to a lock, assuming they couldn't just get a search warrant and pay someone to break in.
And if you destroyed evidence in response to a search warrant or subpoena that would itself be illegal.
I think if you're relying on the fact that you've got 4096 bit encryption and/or self destruct mechanisms to nuke data to get out of criminal charges you're doing it wrong.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
"Plausible Deniability" only matters when you're guilty, or when you are railroaded. There's been no accusation of railroading here. "alleged human trafficker" usually means "human trafficker." Which means "slave trader."
And human traffickers are just about the lowest form of life known to man. It is often about a thousand times worse even than the *production* of child pornography, if it is possible to compare things that bad on a moral level. The production of child pornography only happens to a child once. When a child is sold into slavery, that slavery is ongoing.
-- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
They could always use the cheap, efficient pipewrench decryption algorithm. Works every time.
In the olde days, a Google search would produce the same results for the same search term. Not so anymore. If I search for "waterboarding" I get Wikipedia, NPR, and a number of human-rights activist sites. If Dick Cheney searches for the same term, he gets "Waterboarding magazine", "50 fun ways of torturing a PoW", and newamericancentury.org
So to be re-usable the URL must include lots of information about the person who did the search, like age, religion, political beliefs, sex (with whom, how often), and so on. I'm actually impressed they can fit all that in 250 characters.
+1 Agree. Im worried that the most obvious next step is a new 'feature' for search that would let me specify "Show Dick Cheney's Results". Dont get me wrong, that could be Fun & Useful, but presumably Dick Cheney would be clicking on "Show RenderSeven's Results". Or "Show Everyone That Clicked On This Result". Its not hard to imagine the FBI and DHS automating a lot of enemy lists based on mining this data. "Do No Evil" doesnt enter into it: its as simple as that if someone collects that data then its a given someone will use it, and not necessarily for its intended purpose.
I take it you're assuming that based on Android not being specifically mentioned in the second link? Because according the the manufacturer, Android is definitely supported.
Yea work in hosting for awhile you will get to talk to the FBI etc, so far the secret service have been the most technically competent.
And yes IRL not on TV.
No sir I dont like it.
Why they were even bothering with the unlock screen rather than just slurping up all the data on the phone with a UFED is beyond me.
Because cops are idiots and the only reason the system works is because criminals are usually even dumber ?
What makes you think that the system is working?
I'm a minority race. Save your vitriol for white people.