A database of over 500 iPhones cops have tried to unlock (vice.com)
122 points by colinprince on March 12, 2020 | hide | past | favorite | 63 comments

serious question: all of the reporting around the FBI and its intentions focuses on iPhones. There is not much reporting about android phones, though. Is this because they are generally not as airtight in design as iphones are? Is it because iPhones are more likely to be up-to-date in terms of patches and security updates, and hence android is easier to crack? Is it because Samsung, Google, etc, have been more willing to play ball, so the FBI has not had to wage a public battle?

the article mentions it but not much detail:

> Android devices, on the other hand, end up having large variations in the security of devices from different manufacturers, which may have their own vulnerabilities or may have difficulty distributing security and Android operating system updates to phones quickly.

I was a Cellebrite certified operator/analyst. The answer is a combination of "The iPhone is that secure" and "Androids usually aren't".

The tools that Cellebrite sells will handle all but the most recent iPhones and maybe the most recent Androids. The newer the iPhone, the less likely a law enforcement officer is gonna have the tools to get into it. Cellebrite offers a service where you can ship them the phone and let their techs go at it. Whether it is because of legitimate limitations in their technology, or purely a marketing/commercial limitation, is unknown.

In general, any non-iPhone is Android. Most Androids are garbage phones that are sold by the dozen in the bottom of a bin at a gas station. Security isn't something its creator or buyer is really concerned about.

I have been out of the field for a few years, so things may have changed slightly in either direction, but I imagine it's the same general concept. Newer is harder to break into; a brand new iPhone model is probably impossible for now.

Using a throwaway. I was arrested and had technology devices raided. Cellebrite was able to bypass the login screen and encryption of my powered on seized Android cellphone, but they were not able to access a different Android phone that was powered down fully.

Nobody was able to access my Veracrypt computers.

Thanks for the post.

I'm curious, did they try to put any pressure on you to unlock the devices for them?

During my initial arrest they politely asked me once for the passwords, which I declined. Around 9 months later they asked my legal counsel for the passwords, which was declined.

I found a subsequent court case where my same prosecutor tried via the court system to get a different defendant to reveal their passwords and they failed. Oh well.

Reading their internal emails regarding encryption and their general tech capabilities was enlightening.

AMAA if you'd like.

Looking back, was there any opportunity you missed to shut off the powered-on phone?

Apparently they knocked for several minutes before letting themselves in. I had gone to sleep only a couple hours before due to a late night, and as a double whammy I took some melatonin so I was completely out of it.

Obviously I would never obstruct justice but in theory had I heard them knocking, there would have been plenty of time to do so.

Ironically half the "evidence" they recovered from the phone actually would have helped my case if it had gone to trial because it showed no criminal intent and no attempt to hide from law enforcement. In short, if they never gained access to that phone on their own it may have been in my interests to provide the passwords for that specific device but who knows.

> Reading their internal emails regarding encryption and their general tech capabilities was enlightening.

Please elaborate.

What aspects did you find enlightening about their encryption and general tech capabilities?

What were they looking for? I'd understand if you don't want to answer that.

They were looking for general evidence of guilt as I was accused of a purely technological crime. They were not looking for specific files or anything.

Did you have a strong (10+ character, alphanumeric) password on the device they were able to get into?

What did they suspect you did?

If I say the specifics it will be obvious who I am because it was front page news, not that I really mind too much I suppose but I'll refrain for now. Suffice to say the question wasn't whether I did the actions but whether it was illegal or not. Turns out it is not illegal in the USA according to their prosecutors and we'll never find out if it was illegal in Canada because it will never go to trial due to withdrawn charges. Some charges were however ruled not a crime during an early hearing by the judge and the remaining were dropped.

What country was that in?

I'm in Canada but the investigation was with both the FBI and RCMP. The FBI offered tech assistance with encryption matters as well according to emails between the two agencies.

A (still current) Cellebrite ambassador told me in 2016-2017 that the most recent Samsung flagship back then, if encrypted, was safe from all attacks they had.

> Is this because they are generally not as airtight in design as iphones are?

> Is it because iPhones are more likely to be up-to-date in terms of patches and security updates, and hence android is easier to crack?

I don't want to make premature judgements without factual supporting evidence, but my personal anecdotal evidence suggests that these two guesses might be the correct ones. Some of my friends and I got the S8+ a few years ago, back when it was Samsung's flagship smartphone. Among other things, we were all appalled by the update cadence. We were getting security updates, not even talking about major OS updates, about 3-6 months after Pixel phones were getting theirs. I cannot even imagine the horror show that non-flagship Android device owners have to go through in terms of updates.

The problem with Android fragmentation is as old as Android. If you're a journalist, activist or anyone who needs critical security on a phone, you're better off not having one.

The options for anyone else are usually a) always use the latest iOS device, b) use a hardened Android, or c) use a dumb phone for all non-critical comms. I should repeat that: if you're worried about security, consider using f2f interaction, because the number of places you're likely to trip up is endless no matter what device.

Why does fragmentation have to be so bad on Android? Windows runs on millions of different hardware configurations, including custom home-built machines, and all Windows machines receive software updates at the same time.

As I commented in another article (https://news.ycombinator.com/item?id=22264553), every PC descends from the original IBM 5150 from the 1980s, which gives the PC a common base which phones never had.

Counterpoint: a bunch of bored teenagers hacked every single iPhone in Hollywood just to get some celebrity nudes.

I don't believe in "hardened Android" either, unless it's developed and maintained by the NSA or GCHQ.

That was password stuffing against iCloud. Only mandatory 2FA would’ve prevented it - which Apple did with the next release of iOS.

The hackers could bypass 2FA, see my other comment.

It was silently fixed by apple once the story hit the mainstream news.

That was iCloud.

Does it matter? The data is out, and while the attack surface was not the iphone itself it was a service closely connected to it.

Right, but the exact same thing could have happened with Google Photos or whatever it's called these days if you don't have 2fa enabled.

Not really. Google has invested heavily in making its login process as secure as possible. Unless you had a very easily guessed password and were unlucky enough to live in the same region as your attacker, it'd be very unlikely for this to happen to a Google Photos user.

That said, nudes don't belong in any cloud.

The vulnerabilities that opened iCloud to these attacks were due to its iPhone integration (restoring device from backup to be more specific). It also allowed the attacker to bypass 2FA (probably in the name of user experience).

Historically, iPhones have been better in terms of security, but the landscape has shifted since recent releases. Android security has come a long way. The problem is still that Android can't be compared with iPhones due to fragmentation. The fragmentation has an unintended positive side-effect with respect to offsec, which is that your Android exploits don't scale as well as they do for iPhones, due to the iPhone monoculture.

This is a very good thread by thegrugq on iOS vs Android: https://twitter.com/thegrugq/status/1168981940462149644

Edit: another thing that rubs me the wrong way about Apple recently is their stubborn stance against any outsider who might offer iOS introspection capabilities. This raises the bar for security researchers but is counterproductive to iOS security.

My understanding is that iPhones enable full disk encryption when a passcode is created, even if it's fairly weak (1112); you can't have a passcode or password and not have full disk encryption. Android devices past 9 do not support full disk encryption and instead use file-based encryption, and as far as I know just having a password doesn't necessarily mean FBE is turned on.

If you have a modern Google branded device (say, a Pixel) encryption is mandatory out of the box. Something older (and so insecure by default because it isn't receiving security updates) like the Nexus 10 tablet has an actual user interaction step to enable encryption.

It never works like this, because then it would take hours to set your PIN code. What actually happens is the disk or each file is encrypted and the key is protected or unprotected, depending on passcodes.

On iOS the files are encrypted so that some of them become available at boot, some the first time you unlock the device and some only while the device is unlocked.

On modern devices the key protection is managed by the security chip/Secure Enclave, so it can both limit attempts to a set number of times and prevent people from brute forcing the key, because only the chip can run attempts, which are purposely made slow.

Typically Cellebrite-like tools bypass the lockouts but still have brute forcing limited, so it only practically works on short or poor PINs or passcodes.

Still, it’s unlikely a device is going to remain safe for 15 years, if the adversary is patient it’ll eventually be unlocked; technology advances and bugs are found in everything.
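A toy model of the key hierarchy this comment describes, added here as an illustration and not code from Apple, Google or any forensic vendor: per-file keys are wrapped by protection-class keys, class keys are wrapped by a slow passcode-derived key mixed with a device secret, and a lock state plus an attempt counter decide which keys are reachable. The class names, the device secret, the 10-attempt lockout and the hash-based key wrap are simplified stand-ins, not the real constructions.

```python
import hashlib
import hmac
import secrets

DEVICE_UID = b"\x11" * 32  # constructed stand-in for a device-fused secret
MAX_FAILED_ATTEMPTS = 10   # simulated lockout; real chips also escalate delays

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wrap(kek, key):
    # Toy key wrap (nonce | key XOR pad | MAC), not a real AES key wrap.
    nonce = secrets.token_bytes(16)
    body = nonce + xor(key, hashlib.sha256(kek + nonce).digest())
    return body + hmac.new(kek, body, "sha256").digest()

def unwrap(kek, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, body, "sha256").digest()):
        return None  # wrong key-encryption key, e.g. a wrong passcode
    return xor(body[16:], hashlib.sha256(kek + body[:16]).digest())

def passcode_key(passcode):
    # Slow KDF mixed with the device secret: guesses have to run on the device.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), DEVICE_UID, 50_000)

class Device:
    # Classes: 'complete' (readable only while unlocked), 'after_first_unlock'
    # (readable from first unlock until reboot), 'none' (readable at boot).
    def __init__(self, passcode):
        pk = passcode_key(passcode)
        self.wrapped = {"complete": wrap(pk, secrets.token_bytes(32)),
                        "after_first_unlock": wrap(pk, secrets.token_bytes(32)),
                        "none": wrap(DEVICE_UID, secrets.token_bytes(32))}
        self.files, self.failed_attempts = {}, 0
        self.reboot()

    def reboot(self):
        # Only the 'none' class key is resident after boot.
        self.class_keys = {"none": unwrap(DEVICE_UID, self.wrapped["none"])}

    def unlock(self, passcode):
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            return False  # lockout: no further unwrap attempts are served
        pk = passcode_key(passcode)
        keys = {c: unwrap(pk, w) for c, w in self.wrapped.items() if c != "none"}
        if None in keys.values():
            self.failed_attempts += 1
            return False
        self.class_keys.update(keys)
        self.failed_attempts = 0
        return True

    def lock(self):
        self.class_keys.pop("complete", None)  # 'after_first_unlock' stays resident

    def store(self, name, data, cls):
        file_key = secrets.token_bytes(32)  # per-file key, wrapped by its class key
        ct = xor(data, hashlib.shake_256(file_key).digest(len(data)))
        self.files[name] = (cls, wrap(self.class_keys[cls], file_key), ct)

    def read(self, name):
        cls, wrapped_key, ct = self.files[name]
        if cls not in self.class_keys:
            return None  # class key not resident: ciphertext stays opaque
        file_key = unwrap(self.class_keys[cls], wrapped_key)
        return xor(ct, hashlib.shake_256(file_key).digest(len(ct)))
```

Locking drops only the 'complete' class key, a reboot drops everything but 'none', and once the counter hits the limit even the right passcode is refused, which is the behaviour a forensic tool has to defeat before any guessing can start.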

iOS has essentially always used FBE and not FDE, you can see more about this in the iOS Security Guide [0], while yes, versions of Android up to 7.0 only allowed FDE. Google has since done away with FDE and it's no longer supported by AOSP in version 10 and above, where FBE is enforced.

Whether or not this is more or less secure really depends on your threat level. IMHO, turned on, the data is more secure if apps are configured properly with FBE. Turned off, data is more secure with FDE (assuming both scenarios the same key).

0. https://www.apple.com/business/docs/iOS_Security_Guide.pdf

So that's kinda weird now, because iPhones under APFS do file-based encryption (each file gets its own key) but the full disk is encrypted, while Androids are now using full disk encryption.

This is useful but it would also be helpful to have a similar database of the opposite cases too.

Having a list of the times when a warrant was served and a phone unlocked with details of which OS+version, which jurisdiction and which unlock method would balance out the research.

It would be incredibly difficult to get data on this. LE is on a budget, and they're not the NSA. In Switzerland, for example, LE (such as Europol) uses the lab facility from "Kudelski Security" to crack mobile devices and help with forensics. Outsourcing this to a consultancy allows them to hide things like invoices to offsec shops (FinFisher, HackingTeam et al). So this is like a poor man's NSA where exploits get sold/brokered with these companies, who then help compromise the device. Still, the budget means that they're using tools which might do all sorts of things, e.g. if you sell offsec tools you might offer a feature that allows LE to copy (read) things from the device memory/storage.

The problem is that these tools not only allow you to read but actually write to the device. ("If you're a dev working for HackingTeam, why on earth would you limit the feature to reading when you can provide r/w access?")

The implication is that it's as easy to plant things on a device as it is to retrieve info. And if you know that the device has 99.9% child porn on it but end up not finding any, why not plant something that gets you the court order you desperately need to convict the suspect?

What you're asking for is transparency in a world that is very much opposed to this because they consider themselves the good guys. And the response from them is always: "how dare you?!"

You build up a rather imposing strawman! Do you really think there are authorities planting evidence on phones?

A device that is taken from me by whoever without my consent would automatically lead me to assume that it has been compromised. Whether that's the case or not is beside the point. If you're only worried about surveillance capitalism, maybe it isn't part of your threat model. For me it is. There are plenty of people in LE who overstep simply because they can.

> Do you really think there are authorities planting evidence on phones?

I don't think so, I know it. Please read the HackingTeam leaks and other OSINT sources. You'll find plenty of attempts in them making every effort to do so. You don't need a tinfoil hat, just travel to an area that is hostile to your passport.

> HackingTeam leaks and other OSINT sources

I would love to read more about this if you can point me in the direction of those leaks and sources.

Sure, can you provide some links?

All this talk of iPhones, but what about Android? Is it trivial (or possible) for a nation-state to access the data from an encrypted android device?

I think the "fragmentation" in Android land is actually helping security. It's not economical to maintain hundreds of exploits for different vendors, CPU architectures and OS and patch versions.

For iOS, you need 2-3 up to date exploits to cover 80% of all devices.

I use a long diceware password for my iPhone. It prevents police from bypassing the rate limiter and brute forcing your password quickly. There’s supposed to be a machine that allows them to do that.

Unlocking my phone throughout the day is done with Touch ID. If I think I’m going to encounter the police or be away from my phone, I press the lock button five times which disables Touch ID. I’ve been doing this for two years and it works great.

While I agree with you, it’s necessary but not sufficient. Police are just as willing to use rubber hose decryption.

Do you have a citation that police are as _equally willing_ to beat a password out of someone as they are to use existing tool to image a phone in compliance with a lawfully obtained and executed search warrant?

In 2015 I was detained at Heathrow by immigration for not being willing to unlock my phone. I sat there for hours being told that somebody would be free to attend to me "shortly". 6 hours later I was told that it was a routine check. I was there for 14 hours, and missed my business appointments in London running a security workshop. They returned my phone after a few hours but I was still kept there waiting for somebody to attend to me, to no avail. I called my lawyer after several threats that this would have legal consequences for them, and was initially denied that request. When I got through to my lawyer I was advised to keep still until they charged me. After they let me go I threw the phone in the next bin I could find. I wish I had had the brains and guts to take it home and RE this thing, because I'm sure they bugged it. But I was too terrified at the time.

A close friend of mine is a cop in Ireland. I love him to bits but hate him for his bragging about how he loves to use his pepper spray after having his 5th Guinness.

Another brother of mine is actually a cop. He thinks that other cops are all corrupt. And he suffers a lot due to institutional racism in the force and lack of promotion unless you agree to be a racist.

I grew up spending a lot of time riding in a cop car with an old guy who really liked my gran and was with the criminal police. We walked our dogs together. I was 8, he was in his 50s. One of the things I still remember vividly is when he exited the car to show me the power he had over people by stopping and questioning them, and he also bragged about all the "dirty crooks" that he took shortcuts with to arrest them, because he was the good guy and they were the bad ones.

My brother dated a girl whose ex was a cop with the criminal police in Bavaria. He (the cop) abused her and raped her over several years. He also loved to brag about what he would do to her and how he would fuck up her life if she ever left him. Covering his and his friends' asses over speeding or parking tickets was the least of his crimes.

Seriously cops are just people. Fuck people. Fuck power. Fuck cops. If you think for 1 second that a cop has your interest in mind think again.

I 100% believe every anecdote you just presented. I'm sorry that those things happened, especially when unpunished. As you said, cops are just people. Most people are okay. Some are heroes, some are monsters. Weeding out the monsters is notoriously difficult, especially when a profession like law enforcement has definite appeal to them. It also appeals to the heroes.

I can give anecdotes about friends who are cops that risked their lives to save strangers, even the bad guys. I know more than 1 cop who arrested a guy, and had the suspects family thank them for how they saved their life in the process.

I can also bring up anecdotes about how people who were so passionate about security were also criminals hiding criminal deeds. I could assume, and assert, that since I've personally seen people use their phones' security to hide evidence of murder, and infant rape, that all people who care about their phones' security are the same.

But that'd be a disservice. It'd be a disservice to those who legitimately care about security for legitimate reasons, because freedom is important, and fragile. It'd be a disservice to others who aren't sold on either side of the discussion. And it'd be a disservice to myself in that it makes me seem very narrow minded and narrow viewed. It's letting fear overcome observation.

There are 700,000 cops in America alone. Undoubtedly some are unqualified garbage. Some are malicious monsters. Some believe the ends justify the means. Some are paragons of truth and justice. Some aren't malicious, or dumb, but only care about their careers and are shortsighted with all else. We can't make sweeping statements either way; it does nothing to help.

There have undoubtedly been cases of cops using rubber hose decryption. There have been warrants falsified intentionally and unintentionally.

But cops wanting to be able to execute search warrants on phones isn't as simple as "We want more power, more control". There are countless legitimate cases of human trafficking, murder, and sadly worse. We, as a society, have to figure this stuff out. We have to find the balance between "Give us all your secrets" and "Do whatever you want without question".

But we can't have this conversation to find the balance, until we admit that we are on a scale.

Well, let’s get past anecdotes to data. There are clear statistics that police target minorities, and the “War on Drugs” became about “treating a disease” as soon as it started hitting “rural America”.

So given the choice between giving the police more power and less power, I would much rather they have less power.

I agree with all these points. I should have also brought some positive examples, as you did, to present my case in a more balanced way (there are plenty).

> But we can't have this conversation to find the balance, until we admit that we are on a scale.

Do I really need to list all of the cases of police corruption and brutality?

Or, for the academic version: http://imgs.xkcd.com/comics/security.png

For those who don't know, rubber hose decryption is basically coercion or torture.

See this very relevant xkcd: https://www.xkcd.com/538/

I've often heard this said, but my iPhone 8 doesn't operate like this at all. Touch ID still works regardless of how many times I press the lock button. Is there a setting I'm missing? I've looked around and couldn't find anything.

It ought to, this is an iOS 11 feature which is what the iPhone 8 shipped with.

I don’t see any option for it in the passcode settings either.

On my iPhone SE it takes me to a screen with power off, medical ID, and emergency SOS sliders. To get back to the home screen after that I need to enter my passcode.

> volume and lock buttons simultaneously

Aha, that does it!

You have to be on iOS 12.4 or later I believe.

In fact, when I just tried this on my iPhone XR (iOS 13.3.1) it started making an emergency call.

That’s part of it. Depending on your settings, it may also make an emergency call, but it will always lock Face ID and Touch ID.

Hold a volume button, lock button, and your home button at the same time
