So you committed a crime and the police have a warrant to search your phone. Now what?
Under certain circumstances, law-enforcement agencies can use a variety of software to break in, view and copy data from a device. The companies that build that software are closely watching the controversy unfold between Apple and the FBI, which could have big implications for the future of phone security.
According to experts in mobile forensics, here’s how some investigators get into phones, how they find pertinent information and what the Apple controversy could mean for your data.
Opening a phone
When a phone is locked with a passcode, companies can run “brute force” applications to open it. Irvine, Calif.-based Susteen, for example, has an “SV Strike” program that can uncover passcodes and pattern locks on iPhones or Android phones by running combinations until the right one is identified. But, Susteen director of sales Jeremy Kirby admits, the process can take some time.
“It can take days for law enforcement to get into the phone,” he said.
Using Susteen’s system, he said, most phones take under nine hours since the software is programmed with the most popular passcodes.
iPhones running newer operating systems let users turn on a security feature called “Erase Data,” which erases all data on a phone after 10 failed passcode attempts.
Companies can also use “exploits” that help them get through operating system vulnerabilities on a particular phone make and model. But while earlier versions of iOS had “tons of ways to bypass,” encryption has improved with each new version, said Katie Strzempka, Oak Park, Ill.-based NowSecure’s Director of Mobile Services. Exploits are “very, very, very difficult on iOS nowadays,” she said.
What investigators can find inside a phone
Once a phone is unlocked, companies can uncover a wealth of data. That’s because people tend to have a presumption of security when they use their own phone and act freely, experts said.
But your phone knows more about you than you might think. Software can uncover what a phone owner was doing on their device during a specified chunk of time, find geotags where photos were taken and even decode app data from Facebook or Snapchat.
Some people “literally take pictures of them holding the murder weapon and on top of that, then they’ll take a picture of the murder weapon but they’ll leave their geotags on it — it basically puts the GPS coordinates back to the scene of the crime with them holding the murder weapon. You don’t get more cut and dried than that,” Kirby said.
Both companies allow investigators to see the data that would be most pertinent to an investigation.
NowSecure’s forensic software, for example, acquires data from a device, then parses the data and displays it to an analyst in a “user-friendly” way, Strzempka said. An analyst could see the phone number a text was sent to, whether it was sent or received and a timestamp in an easy-to-read format. That functionality is available for all standard apps on a phone, as well as common third-party apps.
When is data encrypted?
Pulling encrypted data results in coded information that looks like “gibberish,” said Bill Lidinsky, director of the Computer Security and Forensics Laboratory at the Illinois Institute of Technology.
Investigators can’t pull data off locked Apple phones running iOS 8 and above — though they might be able to retrieve iCloud backups depending on user settings.
According to a privacy statement on Apple’s website, “For all devices running iOS 8 and later versions, Apple will not perform iOS data extractions in response to government search warrants because the files to be extracted are protected by an encryption key that is tied to the user’s passcode, which Apple does not possess.”
That makes things interesting for people trying to access those locked, encrypted phones.
“If (phones) aren’t encrypted, you can basically get everything off them,” Lidinsky said. “If they’re encrypted, then of course, the story becomes very different.”
Scrambled data require a “key” to unscramble them. But finding a key isn’t simple.
“If somebody with experience gets access to that key, then they could decrypt it,” Strzempka said. “But generally, it’s very difficult on Apple devices, if not impossible in some cases, to decrypt or gain access to the data that (are) stored.”
People can choose to further encrypt their data using third-party apps that keep some data scrambled even when a phone is unlocked.
A post-iOS 8 future
Because users can set up their phones to erase all data after 10 failed attempts to open them, companies that have helped corporations and law enforcement extract iPhone data for years face an interesting challenge.
Strzempka said NowSecure’s forensic software still will be able to help its corporate, government or law enforcement clients in cases where a phone’s owner is cooperating or doesn’t have a passcode, or where the phone is already jailbroken or “rooted.”
For clients with phones that fit those cases, “I think we’ll always be able to offer something,” she said. But in the meantime, “We’ll continue to try and come up with ways to bypass” phones with more advanced encryption.
And Apple’s news that it may create an “unhackable” phone could be a sign that all phones might one day be less secure, Lidinsky said.
“If you have cellphones that are uncrackable … legislatures and governments might be tempted to pass a law that says companies are required to put in a back door — which would be the worst of all worlds,” Lidinsky said.
California and New York have mulled legislation that would require phone companies to implement a way law enforcement agencies could access all devices, which many call a “back door.” Some believe those “back doors” could create an opportunity for hackers or other ill-intentioned individuals to exploit that vulnerability.
“From my point of view, the issue with what the FBI is requesting is something that is going to compromise things on a security basis permanently,” Lidinsky said. “If there are back doors, people will find them. … It may take a few months, it may even take a year, but it will happen.”
And one day, we might live in a world where we no longer treat our phones as a safe place, he said.
“There is a tendency to have your life on your cellphone today,” Lidinsky said. “People may just have to understand that they’re vulnerable if they do that.”