57 comments

[ 3.0 ms ] story [ 108 ms ] thread
I have to wonder why mobile phones aren't better protected against this kind of attack. It doesn't seem like the default should be to allow an unauthenticated device to plug in and read/image the phone.
Because consumers don't demand it. They want Facebook and pretty colors and high megapixel cameras.

The people who do ask for it are obviously criminals.

> The people who do ask for it are obviously criminals.

You're being sarcastic, but we're moving in the direction of "police need unlimited power to investigate, so let's make it illegal to ask for privacy". And yes, we're a long way off from that scenario (at least in the USA) but I can see it on the horizon.

The thing that really scares me is the UK system -- CCTV cameras on every corner explicitly built for surveillance. We have a lot of cameras in the US (traffic, ATM, etc) but they generally belong to different entities and there is no comprehensive framework for getting (near)real-time footage from all of them.

I remember the UK when we only had the old fashioned - bombs on the streets of London - type terrorists.

Then we were supposed to not give into the terrorists, but with these new hidden internet terrorists it's vital that we hand over our lives to the police.

I don't think we're as far off from that as you think, in the US..
Customers demand the phone is backdoor-capable - and the customers are the telcos, not the end-users.
Well in reality they are. Phones are fucking hard to break into. PIN codes are pretty much critical for this sort of analysis :)
(comment deleted)
Most people would rather not have all of their data gone forever if they forget their password, so they give up absolute security for some convenience. Just like how most people want a secure lock on their front door and their car, but they still want to be able to call a locksmith who can pick the lock in a few seconds if they lose their keys.
Are there any quick, easy ways to destroy all the data on your phone to prevent this if you are arrested?

I currently have my passcode set the wipe the iPhone if it is entered incorrectly 10 times. So, if I was arrested and I could erase all my data quickly 'just' by tapping a number on the lock screen 40 times.

It would be cool if entering some special code erased everything but the contact info for your lawyer.

Maybe it could be better still. Send out some automated texts, erase everything but the number for your lawyer, and start recording audio and video and storing them on a remote server when possible.

Which is why you get handcuffed and not allowed to use your phone. You think you're being big and clever but if the phone contained evidence you'd be looking at attempting to pervert the course of justice (cf Rebecca Brooks right now). Pretty much every police van already has constantly running video, all the custody areas of police stations do. And unlike the US that video doesn't get "lost" if you make any complaint.
If they ask you for the password you could give them the one that erases all data :P.
Wiping your device is justification enough for them to subpoena the iCloud backups in most cases.
any historical case of that actually working?
Thanks to the USA PATRIOT Act, they don't even need a judge or a subpoena anymore. The FBI does this 50k+ times per year - no warrant, no oversight.
> I could erase all my data quickly 'just' by tapping a number on the lock screen 40 times

Doesn't work, there's a time-out of 15 minutes after the fifth try, if I recall correctly.

I didn't know that, thanks for pointing it out. I suppose it's an important feature (there would be a lot of drunk people wiping their phones otherwise). At least I can now avoid an awkward situation if I am ever arrested :)
There's an app for jailbroken iphones that does something along these lines, basically a self-destruct button that would try to wipe everything if it was ever activated. Can't remember the name of it though, unfortunately.
Make sure your sdcard is wiped too. Test this scenario. Under Android the wipe external storage sometimes does not work.
Jebus. Ok, I need to look into disk encryption (and maybe TrueCrypt) for my phone. AFAIK, there is nothing incriminating on it, but the cops can always find something if they really want to.
Everyone has done/is doing/will do something illegal. The question is if we or someone in charge cares.

As told to me by some friendly police officers I would chat with.

It doesn't even need to be illegal - just something Murdoch's papers are interested in. Remember who 'owns' the met!
Show me the man and I'll find you the crime. --Lavrentiy Beria
Android 3.0+ has it as an option; I believe iOS does it automatically if you set a pass code. Can't speak to the actual security of either though.

PS: this does nothing against phone numbers and text messages stored on your SIM (the vast majority of smartphones no longer do this, AFAIK)

> but the cops can always find something if they really want to.

Forensic analyst here :)

Genuinely the vast majority of cops don't. And indeed IMO sending this sort of thing off to contractors is the necessary sort of separation to make sure that dirty cops can't incriminate you.

So on one hand I defend my profession; which I have always found to be supremely ethical and approach cases from the perspective of innocence.

And on the other hand I entirely agree; this move removes an important separation of evidence retrieval that means it could well be abused.

What would happen if the police retain the data, presumably on a hard drive, then don't follow properly dispose of the equipment after a hardware upgrade? It would be possible for criminals to acquire the information somehow, right?
It's easier than that, a copy of a celebs phone records was about £10-25 so a dump of their smart phone should be yours for a pony
> Under the new system, content will be extracted using purpose built terminals in police stations.

So the device in the screenshot is a Radio Tactics Aceso, there is one sat across the room from my desk. It has been around for quite a while.

They are pretty good pieces of kit; but there is something of a limit in terms of the information they can extract (i.e. because phones are so "proprietary" it's only logical data they can easily recover).

> Until now, officers had to send mobiles off for forensic examination in order to gather and store data, a process which took several weeks.

Hilarious.

Anyway:

In a sense this is very old news (over the stuff HN is likely to be interested in); before if your tech was seized and sent of for analysis the data would be retained, no matter what the outcome. I can't remember the exact length of time but it is measured in years.

This appears to be extending the technical ability to "acquire" mobile phones down to the police station level. My thoughts:

* Despite how simplistic (and the Aceso is brain dead simple to use) they make it, there will still be mass confusion

* No one at police station level will understand how to secure digital evidence effectively (no matter how much training they hand out - it took me several years to get to grips with the minutae), I hope they have a plan to mitigate this.

* This is all part of the govt. plan to in-source as much of their forensics as possible. Which just ends up putting the technical stuff in the hands of people ill-trained to handle it, and risks more people being convicted

* It's not discussed, but I would be interested to see if this means they will be acquiring more data than usual. i.e. does this mean every phone will be analysed, or will they only do it for phones they could (in the past) justify sending off for detailed examination.

* In the former case (acquiring everything) how, legally, are they justifying it.

As a forensic analyst this whole thing seems to verge on violating every ethical and moral rule I would ascribe too. It increases the chances of abuse by many factors and reduces the effectiveness of forensic mobile phone work.

> The cost of leasing the 16 terminals for 12 months and training the officers will be £50,000, the Met said.

They are being ridiculously fleeced. I am unsure of the exact volume of phones they might process, but I suspect they could sub-contract it to actual experts for much less. I could process 10's of phones a week, for example. Mostly this is a Radio Tactics press release.

Even in the best case scenario they are reducing effectiveness, increasing error rate and costing themselves more money. From my side of the fence this is not the first idiotic thing I have seen the public forces do in recent months - and it won't be the last. As a member of the public I don't feel paranoia and insecurity, but I am certainly cautious about the way this is going.

(disclaimer; this sort of thing is what is making my profession redundant)

p.s. put a PIN code on your SIM and phone. From a practical perspective that basically renders Aceso useless (they can try and make you give up the PIN of course).

In theory it's only if they think the phone has been used in crime. In practice that'll mean everytime someone is in a station.
Well, not really. Lots of people get detained.

I have to admit I was pretty drunk once and woke up in a police cell. Would that count?

Many people are genuinely detained but later found not to have been involved.

What if you were arrested for killing someone whilst drunk driving, is your phone of relevance?

At the moment "everytime someone is in a station" doesn't mean your phone is of interest. I hope that won't change in the future, but there is no clarification of this in the article.

In theory, no. In practice, yes. Until it goes to court, and then they'll push it for as long as they can. See also DNA retention; human body parts; etc etc.
I'm not entirely sure what exactly you are trying to say; are you saying that now they have this easy method of extracting phone data they will push for the requirements for extracting that data to be lowered (ala DNA)?
No. I think what he is saying is that they will extract the data anyway. Whether they are allowed to or not. If it's that simple they will do it. Better be safe than sorry.
In practise this is just going to be used for intelligence gathering about activist groups.

Best advice: If going to a demo, use a burner.

(comment deleted)
If you are familiar with this device. Do you know where to get a list of devices that can be read out with it?
> It's not discussed, but I would be interested to see if this means they will be acquiring more data than usual. i.e. does this mean every phone will be analysed, or will they only do it for phones they could (in the past) justify sending off for detailed examination.

Initially and officially, no, but eventually in practice, yes---once the capability is close, cheap(/already paid), and easy, they'll use it more.

It's like Tasers, which supposedly save lives because they're way less lethal than bullets; if they really only used them when they previously would have fired a gun, then the only people who die from tasering would presumably have died without the taser as well. Except that someone with a taser is much more likely to fire (because it's "nonlethal") than someone who only has a gun....

In the case of the mobile data, "is it worth bothering" will get much more frequent "yes" answers when the kiosk is across the office than when the lab is across the country and requires days of waiting.

> (they can try and make you give up the PIN of course)

In Britain, it's a crime to withhold your passwords from law enforcement.

At this point, it's almost easier to enumerate the things that are not yet criminal offenses in Britain.
This is incorrect. It's a crime to withhold passwords when a court order has been obtained requiring you to reveal encryption passwords/keys.

Without a court order there is no specific power to force you to reveal your passwords.

How feasible would it be to have a device that looks like a smartphone and can interface with this police device which would produce enough current/power/voltage/whatever to fry the police device?
Hah! I like that idea :) It would have to be pretty convincing because you have to boot the device up to acquire it with the Aceso (as phones are such proprietary tech) so it would need to pass the "boots up and looks like a mobile device".

In theory, I suppose, it would be possible to fry the thing when connected. It's just a standard PC packaged in a special case (with touch screen) and you connect the phone via USB.

If that becomes common, putting a fuse or some defense against "frying" would probably be an easy response.
Or a bomb which uses USB as the trigger.. (not condoning, only thinking out loud! best be careful..)
Well this is probably become the standard in the USA within a few years.

Also I could imagine the rise of planted phones - take a drug dealer's prepaid phone and plant it in your car if they want to frame you and make your life hell even if a conviction is eventually overturned.

With the amount of risqué pictures teens are sending each-other these days, I bet this becomes the worlds largest kiddie porn database.

Oh, law enforcement. Gonna be a lot of pervy police officers getting exactly what they want. Not dissimilar to the airport Body-Scanner pictures that TSA agents were caught taking home.

Same as a DNA samples then. We Brits let them get away with that one, why would we be bothered by mere phone data? The battle is well and truly over. Well, I say over, it never really started. I really don't know why we don't just have random home searches, you know, just in case, and of course, what have we got to hide?

What I would like to know is what will the tipping point be? When will the general public say no, enough is enough?

I don't think there is a tipping point. People are already trained to give up their data to Google, Microsoft, Facebook, etc. Governments will share this data eventually and amass a great deal of its own curated data. People in general don't care and I don't foresee a time where they will. The surveillance era is here and it's not going away.
Looks like a great attack vector to get into a system that has other people's personal information.
It is worth pointing out this merely enables you to get your phone back quicker in cases where the police could already seize your phone. It won't be a case of everyone who gets arrested having it scanned. Firstly there isn't any authority to do so, secondly it isn't worth it time wise. I used to be a cop in Scotland and I never arrested anyone where there was a need to do anything with their phone other than try and work out how to turn the damn thing off...
How well do these devices work against encryption (like that on the iPhone)?
It's ironic that the Met Police, fresh out of a phone hacking scandal have proposed making things easier.