KRWG

Your Smartphone Is A Crucial Police Tool, If They Can Crack It

Mar 25, 2014
Originally published on March 25, 2014 5:28 pm

New software and gizmos are revolutionizing police work, with social media scanners, facial recognition and other high tech items. As it turns out, though, the single most valuable new police tool is your smartphone.

Rolf Norton, a homicide detective in Seattle, says when he's talking to a suspect, he keeps his eye open for the person's smartphone.

"I'm thinking there's probably a wealth of information that just got tucked into your pocket," Norton says. "Something that we'd like to get our hands on."

Your calls, your emails, your calendar, your photos — not to mention the GPS data embedded in those photos — could make a whole case, in one convenient package.

That wealth of information is also why more people now keep their phones locked with a PIN. Once he's seized a phone, Norton says, he often has to return to the owner to ask for help.

"Maybe you've established a rapport and you're getting along with this person," Norton says. "We'll reach out to that person and say, 'Hey, your phone's locked. We'd like to inspect it. We'll probably be getting a warrant. Would you give us your password?' "

Under the Fifth Amendment's protection against self-incrimination, you might have the right to refuse. But Jeffrey Fisher, a Stanford Law School professor, says the courts haven't settled that issue, so withholding your phone's password could prove risky.

"You can have anything from contempt of court to obstruction of justice," Fisher says. "All kinds of other problems."

Plus, there's a practical consideration: The police may be able to get around your password, anyway.

Companies such as Guidance Software and Cellebrite sell products to law enforcement that "image" smartphones. The products can pull data off in bulk for use as evidence. BrickHouse Security in New York sells products like this for iPhone and Android. CEO Todd Morris says the handset manufacturers don't support this, so it's a constant effort to keep the forensic software up to date.

"It's a collaboration. There's no way any one company can keep up with Apple or Google," Morris says. "You use programmers from all around the world and they share what they find."

These phone-copying systems rely heavily on what hackers call "exploits," or vulnerabilities in the phones' operating systems that can be used to get around the password or encryption.

Phones locked with a four-digit PIN are usually cracked with what's called a "brute force" attack: The software throws number combinations at the phone until one works, in a way that you couldn't do manually. That can take less than an hour, according to David Dunn.

Until last year, Dunn was a Seattle police detective specializing in digital forensics. He says the department got its first phone-copying kit in 2008 and handled only about 20 phones a year. By the time he left, the department was copying at least two phones a week.

As the phones became more important to police work, Dunn says they also became tougher to crack. The newer the phone is, the less likely it is the police can open it.

"In some cases, you'll have a handset that comes in, say, Jan. 1 of the year," he says. "Technology develops over the course of that year so you can get into it six or nine months later."

It's an arms race, and Dunn thinks the police are losing. The newest iPhones seem to be impervious to cracking and even when police send them to Apple (with a warrant), the extent of the encryption means the company can't always get everything.

"If you use the alphanumeric passcode, even Apple can't get in," says Will Strafach, a hacker who works with companies that make forensic tools for police. He's referring to the longer passwords that are optional on iPhones but also more cumbersome to use.

It's also a slow process. When the newest iPhones are sent to Apple, police may have to wait months for whatever data are recovered, Strafach says.

With Google's Android phones, things are looser. Encryption is optional and the basic screen passcode (or "pattern lock") operates more as a deterrent for the nosy. You can choose longer passwords, but any of them can be circumvented with the user's Google username and password. With a warrant, the police should be able to get those login credentials from Google.

Sophisticated users are locking things down more effectively. Take the example of Ashkan Soltani, a researcher and computer security consultant.

He uses the basic Android "pattern lock" to open the screen while his phone is in use, but he has modified his phone so that when he shuts it off, it requires a longer pass phrase to boot up again.

"If I'm traveling through customs or being pulled over, I would power off my phone," Soltani says. "And that PIN would be much longer to access on first boot."

The companies behind the phones have an interest in making them harder to crack, especially when they're marketing to corporate customers. It also reflects the tech world's growing distrust of government.

"At this point, I think it's very difficult to trust any policy-based solution," Moxie Marlinspike says. That's the pseudonym for a hacker well-known in Silicon Valley for his work on third-party encryption systems for smartphones. He says he cares about legal privacy protections. He says he doesn't want to rely on them.

"There's something empowering about not asking for that type of protection. There's something empowering about just providing it for ourselves," he says.

Still, technological fixes can backfire. Take the case of the new iPhone 5s. It comes with a fingerprint reader. Cryptographically, that's a lot more secure than a four-digit pin. But legally, it may be less secure. That's because while you may have a constitutional right to withhold your password, the Supreme Court has already said the police don't need a warrant to get access to your finger.

Copyright 2017 NPR. To see more, visit http://www.npr.org/.

AUDIE CORNISH, HOST:

The explosive pace of digital technology is changing police work. Over the past few weeks, we've reported on some new tools police are using; for example, Twitter scanners and license plate readers. Well, police will tell you that the most valuable tool is one they don't even own - your smartphone. Seized phones are now fundamental to every kind of investigation. And as NPR's Martin Kaste reports, police are finding those phones increasingly difficult to open.

MARTIN KASTE, BYLINE: Rolf Norton is a homicide detective in Seattle. If you ever run into him at a crime scene, he'll likely be watching to see if you own a smartphone.

ROLF NORTON: I'm thinking there's probably a wealth of information that just got tucked into your pocket, and something that we'd like to get our hands on.

KASTE: It's got your calls, your emails, your calendar, your photos, your maps. That could be his whole case, in one convenient package. That's also why more people now keep their phones locked, which means Norton sometimes has to turn on the charm.

NORTON: You know, maybe you've established a rapport and you're getting along with this person, and they have a reason to want you to get in there too, you know, maybe trying to back up their story or whatnot. We'll reach out to that person and say, hey, your phone's locked, you know, we'd like to inspect it. We're probably going to be getting a warrant, you know. Would you give us your password?

KASTE: But what if you refuse? Jeffrey Fisher is a law professor at Stanford, and he's arguing a smartphone case at the Supreme Court next month. He says the courts haven't really settled whether you have a right withhold the password.

JEFFREY FISHER: You're taking a risk that you can have anything from contempt of court to obstruction of justice, increased criminal punishment, for failing to cooperate - and all kinds of other problems.

KASTE: But forget about the legalities. There's a more practical consideration, here. It may be the cops can get around your password.

NIDIA COLON: So this software is pretty cool.

KASTE: Nidia Colon shows off a phone-copying system at a company called Brickhouse Security in Manhattan. I let her plug it into an iPhone of mine - an old one.

COLON: So as you see here, it's acquiring all the data in your phone; from messages, contacts, call history, all the way down to your recovery data, even your tracking history.

KASTE: This is just one of the phone-copying systems that are on the market. The police sometimes call these digital forensics kits. The CEO at Brickhouse is Todd Morris. He says the smartphone makers definitely do not support this kind of software; it relies instead on a kind of global group effort.

TODD MORRIS: It's a collaboration. There's no way that any one company can keep up with Apple or Google. You use programmers from all around the world, and they share what they find.

KASTE: Forensic software relies on hacks. The most basic is the brute-force attack. The software just throws pass codes at a phone until it opens. But that only really works on short, four-digit codes. With longer passwords, you need another way in, some kind of a security hole. When hackers find one of these, they pass it around and it eventually makes its way into the forensic kits. But that takes time.

Dave Dunn is a security consultant who used to copy phones for the Seattle Police Department.

DAVE DUNN: In some cases, you'll have a handset that comes in, say, Jan. 1st of the year, and you can't get into it. And technology actually develops over the course of that year so that you can get into it six or nine months later.

KASTE: He says the phones' manufacturers keep making their systems harder to crack, even by them. Dunn says the cops sometimes ship iPhones to Apple, and find there's a limit to what the company can recover.

DUNN: They are only able to extract information from apps that are currently open.

KASTE: That's because newer iPhones automatically encrypt information as it's saved. Security has become a selling point, especially on phones marketed to corporate customers. It also reflects the tech world's growing distrust of government, especially after the revelations about NSA spying.

MOXIE MARLINKSPIKE: You know, I think that, at this point, it's very difficult to trust any kind of policy-based solution.

KASTE: This is Moxie Marlinspike. That's the pseudonym for a hacker who helped to create an encryption system for smartphones, called Whisper. He's like a lot of tech people when he says he doesn't want to depend on the law to protect privacy.

MARLINKSPIKE: There's something empowering about not asking for that type of protection, you know; that there's, I think, something empowering about just providing it for ourselves.

KASTE: Still, technological fixes can backfire. Take the case of the iPhone 5s. It comes with a fingerprint reader. Cryptographically, that's a lot better than a four-digit pin but legally, maybe not. That's because you might be able to claim a constitutional right to withhold a password, but the Supreme Court has already said that the police don't need a warrant to get access to your finger.

Martin Kaste, NPR News.

(SOUNDBITE OF MUSIC)

CORNISH: On NPR.org, take a look at a more detailed list of some of the ways police can bypass the lock on Androids and iPhones.

(SOUNDBITE OF MUSIC)

ROBERT SIEGEL, HOST:

Stay with us. There's lots more to come on ALL THINGS CONSIDERED from NPR News. Transcript provided by NPR, Copyright NPR.