FBI Tries To Force Google To Unlock User's Android Phone

Trailrunner7 writes "Those multi-gesture passcode locks on Android phones that give users (and their spouses) fits apparently present quite a challenge for the FBI as well. Frustrated by a swipe passcode on the seized phone of an alleged gang leader, FBI officials have requested a search warrant that would force Google to 'provide law enforcement with any and all means of gaining access, including login and password information, password reset, and/or manufacturer default code ("PUK"), in order to obtain the complete contents of the memory of cellular telephone.' The request is part of a case involving an alleged gang leader and human trafficker named Dante Dears in California. Dears served several years in prison for his role in founding a gang in California called PhD, and upon his release he went back to his activities with the gang, according to the FBI's affidavit."

Ars Technica Lnk

[DarkHelmet]

http://arstechnica.com/tech-policy/news/2012/03/fbi-stumped-by-pimps-androids-pattern-lock-serves-warrant-on-google.ars

The one thing I found amusing about the whole thing is that PhD supposedly stood for "Pimpin' Hoes Daily". Then I read this:

Her $500 a night went straight to Dears, though, who "took care of her" in his own special way. As San Diego's Union Tribune reported, Dears found out the woman had spoken to a man who wanted to help her get off the streets. So Dears "beat her up in the back seat of his Cadillac and then forced her to get into the car's trunk, she testified. While in the trunk, she was driven from East Main Street in El Cajon to Hotel Circle in Mission Valley, she testified."

Major league asshole. I hope he gets the book thrown at him.

Re:Ars Technica Lnk

[yurtinus]

I wonder how much rage we'll see in the discussion on this article... Now, not that I'm a lawyer or anything, but it looks like a properly served warrant for access to a specific device. Pretty much exactly what I would expect (and want!!) law enforcement to do while investigating a crime. I suppose it remains to be seen if the information they get allows them to unlock an arbitrary Android device or just this one.

Re:Ars Technica Lnk

[oakgrove]

When you try and fail to unlock an Android device enough times and fail it just asks for your gmail password. I doubt Google will do anything more than give them that which would be pretty worthless against any other Android phone.

Re:Ars Technica Lnk

[russotto]

Now, not that I'm a lawyer or anything, but it looks like a properly served warrant for access to a specific device.

Well, first of all, it's a rubber stamped warrant. Literally.

Second, Google is unlikely to have some of the information requested; the PUK of the SIM would be known by the SIM manufacturer, not the maker of the phone's operating system. Same goes for text messaging; it goes through the carrier, not Google.

Third, the records are unlikely to be physically at Google Legal Investigations Support.

Fourth, some of the "items requested" amount to a fishing expedition -- so much for "particular" descriptions of the places to be searched or items seized.

Re:Ars Technica Lnk

[amiga3D]

Exactly! This is how law enforcement is supposed to act. They have a suspect, they provide reasons to a judge, get a warrant and Google opens the device. If you're involved in crime don't keep anything incriminating on your phone. I mean really, these are the kinds of assholes law enforcement should be locking up.

Re:Ars Technica Lnk

Silly me - here I was thinking it was a failure of Mr. Dears to behave in a socially responsible adult manner, instead of engaging in petty crime and preying on the weak.

Society doesn't owe him a $500 a night job. Society doesn't owe him a cushy life free of any bad luck.

Re:Ars Technica Lnk

[EdIII]

It should not be that much of a problem for Google then.

There lawyers could just have fun with it. A nice lunch with some IT guys and a hour or so later you have a well written response with supporting documentation on why the FBI are complete technology retards.

They could have a few pages on how PUK and SIM actually work, and even being helpful, list contact information for the manufacturers.

Judge would just love reading that the FBI was wasting the courts time because they could not even figure out who to serve a warrant to. :)

Re:Ars Technica Lnk

I would hope that Google doesn't know my gmail password. I hope they use some security system that is similar to a salted one way hash. For example with Windows, the password is not known by the domain controller and it cannot be retrieved (short of doing dictionary hacks against the hashing function). I'd expect Google to be even more secure there and not have access to my password. Now, they could absolutely RESET my password. That's a different ball game than being able to produce my existing password on demand. One is scary. The other is just inevitable.

Re:Ars Technica Lnk

The PUK is also unnecessary since it's only used to unlock the phone's SIM card (and hence it's contacts.) If you fail too many times it self-destructs.

The Wireless provider knows the PUK as it's based on the serial number of the sim card, so Google certainly wouldn't have it.

Text messages are bit of a "maybe yes", while they are transmitted through the carrier, for billing purposes, the carrier has no way of reading them unless they've been stored. Having worked for AT&T, their customer service software, and all the support software doesn't let you read text messages, but it does let you send text messages anonymously to phones. If you're a technical staffer who can manually provision phones, you may have access to the SMS in-transit, but I don't think they're stored unless the FBI has been requiring it.

The actual storage of SMS messages are on the phone/SIM if not deleted. It largely depends on what the phone's software is setup to do. On early Motorola and Nokia phones, all the contacts were stored on the SIM card, but on later models (post 2005) they are stored in the phone memory by default.

So there's no need to get the SIM card PUK, It's just the easiest way to bypass the PIN password. If you remove the sim card and replace it with another one without a PIN, it will give you access to the phone and all it's data anyway. Depending on the device, you may have better luck simply syncing the device to a computer.

As for what you can do with a stolen/lost phone, not a hell of a lot. If you're looking to wipe it so you can keep it, it's much easier to do that, than to use it for identity theft. As a golden rule, I never "save my password" on any device. I'd rather a lost device be wiped than someone using the data for nefarious purposes.

Re:Ars Technica Lnk

[Kalriath]

One question: are your private prison operators paid on a per capita basis per incarcerated person, or on a performance basis per rehabilitated person? Ours are paid per rehabilitated person. Et tu?

Re:Ars Technica Lnk

[Ethanol-fueled]

Bullshit. The middlemen (pimps) would be taken out of the equation entirely because prostitutes would be empowered to have total control over their enterprise, as they do on craigslist and other sites.

Legalizing prostitution increases profits (not having to pay a pimp), allowing women or men to "vet" their dates in advance(the high-class prostitutes are frequently grad students who target single and successful dorks like you for $400 per session) and eliminates violence and urban blight by shifting the acts to private residences.

But like the lazy, brutish, and entirely misguided crackdowns on Marijuana; legalized prostitution ain't gonna fly in Ammurika anytime soon, especially with loonies like Santorum seriously considered candidates for president.

Re:Ars Technica Lnk

[swillden]

To use google (ldap) directory sync with google apps, you need to use unsalted SHA1, or cleartext passwords in the directory you wish to sync.

That doesn't mean Google stores unsalted hashes or cleartext, it just means that whatever Google stores is computable from those.

(Disclaimer: I work for Google, on security stuff, but I don't know anything about how user passwords are stored. I will say that storing unsalted hashes or cleartext would be very out of character for Google. Google tends towards great caution when it comes to security, and employs a lot of serious security experts and cryptographers.)

Re:Ars Technica Lnk

[plover]

He's already guilty of the crimes he committed before, and he has not yet completed his sentence for those crimes. He's on parole after being released early from prison. Actually, he's on parole for a second time, after having violated the terms of his parole earlier and going back to prison for an additional year and a hafl.

One of the terms of his parole is that he must not have a mobile phone. Another one of the terms is that any passwords, encryption, to any information whatsoever that he has, he will immediately provide the means to access that data upon demand of his parole officer. He denied to his parole officer that he had a mobile phone, but his parole officer found it and seized it. The parole officer had every right to do so under the terms of his parole. He's also refused to provide the account and password information to access it, even though he agreed to provide it as a condition of his early release. So he's already in violation of two of the terms of his parole, and for that alone he gets to go back to prison. There is no additional trial needed -- he has already been found guilty of his original crimes. The terms of parole have nothing to do with "innocent until proven guilty." That bit of justice ended with his verdict. He is guilty.

As far as these new allegations and crimes go, he needs to stand trial for them. But he's already a convicted felon who was let loose from prison too early, twice. "Wholly innocent" is not a factual statement one uses to describe this felon.

This should be interesting

[amginenigma]

Can you say whoops.... "The FBI special agent who wrote the affidavit also requested that Dears not be told about the information request, however the search warrant and affidavit were not sealed." Pretty sure the whole planet knows now dood...

A warrant *is* enough, conditionally

[dacarr]

Picking through the details, it's pretty simple. The FBI served Google a warrant for a user.

What they will get out of it is any information on the perpetrator that Google has in their control - so Gmail, Picasa, anything on their servers. This is what a warrant does, and any content provider such as Google will have this in their TOS.

What they *might* get is a replacement account password to access the phone. That's unclear to me. It's in that respect that I don't know how Google will proceed.

What they will NOT get, however, are unlocks, text messages (unless he backs those up into his Gmail account), device passwords, device unlock patterns, or anything that would be used to unlock the device. That's all up to the mobile carrier or (possibly) the device manufacturer - not Google.

And for those who think Google made the device, no, they didn't. Somebody else did. May have been Motorola, LG, HTC, or Samsung, just to name the big four phone makers who put out Android off the top of my head. Google's support ends at the operating system development level, and whatever they have on their network. Demanding of Google whatever's on the mobile network or the device unto itself is like demanding an Amtrak schedule of Pepsico.

Re:Plausible deniability...

[Charliemopps]

I think that one thing we can agree on is that statistics are total horseshit. Sure, if done by a totally impartial party (which doesn't exist) they might be useful. But in something as divisive as race, crime, punishment, slavery, social equality, who is really impartial? Ask yourself a few questions and you soon realize how pointless these statistics are...

1. Who is black? Most blacks have a large part of their genetics made up of Caucasian genes. Look at our president. I'm white, my son is adopted from the heart of Africa, 100% African genes. Is he black? Certainly... but how does he fall into these statistics? He's going to have the up-bringing of any white-middle class child.

2. Who's collecting these statistics? The judicial system? The judicial system has been proven prejudice by hundreds of studies over the years. They convict more minorities of crimes, they give them longer sentences, they charge them with more infractions. They pull over a white kid with a pocket knife and they call his parents, they get a black kid with the same knife and he's getting charged with a felony. Are blacks really twice as likely to commit a crime with a knife? Or are they just twice as likely to get convicted?

3. The AC poster is clearly a troll and probably doesn't even believe in what he's saying. So there's that.

Re:Plausible deniability...

[Kjella]

That's all well and nice, but people act on indicators not causation. To take an example I'm a male and most rapists are male and most rape victims are female. So if I happen to be walking in the same direction as a woman late at night she's got far more reason to fear that I'll drag her into the bushes and rape her than I got reason to fear that she'll drag me into the bushes and rape me. None of this has of course anything do to with causation, unless you're the kind who thinks women are "asking for it". Is it sexist or just good threat assessment? Now repeat the same with a potential mugger and a potential mugging victim, are you then a racist if you fear the black guy more than the white guy?

Of course we're all individuals, and I'm not guilty of anything because someone else who shares some physical or other characteristic with me commit crimes but you can't tell that from looking at me. Prejudice you can cure through knowledge, but what of statistical "truths"? Say you have two possible hires, practically identical resumes and interviews but you know one belongs to a group you know that's generally known to worker harder and complain less, which do you pick? Here in Norway we've had companies now pretty plainly state that they prefer Swedes for bars and restaurants and Poles for construction and industry and somehow that's not discrimination based on nationality - I guess it helps we're all white. But if someone were to say something of Somalis or Iraqis or Afghans, they'd be burned at the stake as racists.

In short my impression is that you get plenty discrimination, but only certain groups in certain situations gets to call foul and say it's racism. We're all equals but as usual some are more equal than others, the rest of us are just supposed to take it when we're being discriminated against. Why am I supposed to take blanket statements about us when I can't make the same kind of blanket statements about others? Same with our department of equality, you'd have to search long and hard to find a case where men were discriminated rather than women, sexism is another one-way street. But if you point that out it's STFU you're a white male, you got nothing to complain about - as if that wasn't the most racist, sexist remark of them all.

Re:Brute force?

[swillden]

Which has always been a problem, and which is why we should be getting things right with smart phones.

Google Wallet stores the credit card number and other sensitive information in the "secure element", a special-purpose high-security chip that is separate from the main system, with its own CPU, it's own OS and it's own storage. The secure element (SE) is actually a smart card chip, which has the benefit of almost 30 years of evolution, as attacks were created and countermeasures added. Nothing is 100% secure, but smart cards are pretty darned good.

Among other things, they wrap the storage in cladding layers which are physically bonded and chemically similar, so peeling or dissolving the cladding to be able to get to the EEPROM is extremely difficult, and highly likely to destroy the EEPROM. They're also careful to expose no leads which can be used to directly manipulate the memory, etc.

There have been some minor weaknesses found in Google Wallet, which Google has fixed or is fixing, but nothing that would expose the credit card number, because it's locked securely in the SE. We are getting things right with smart phones; at least Google is. I imagine ISIS is also.

(Disclaimer: I work for Google, and have even done some work around Google Wallet, though that's not my primary job. However, everything I stated above is public knowledge, filtered through 10+ years of experience working with smart cards and SEs while at IBM.)

Re:No, don't Google it.

[Sqr(twg)]

In the olde days, a Google search would produce the same results for the same search term. Not so anymore. If I search for "waterboarding" I get Wikipedia, NPR, and a number of human-rights activist sites. If Dick Cheney searches for the same term, he gets "Waterboarding magazine", "50 fun ways of torturing a PoW", and newamericancentury.org
So to be re-usable the URL must include lots of information about the person who did the search, like age, religion, political beliefs, sex (with whom, how often), and so on. I'm actually impressed they can fit all that in 250 characters.