FBI, stumped by pimp's Android pattern lock, serves warrant on Google (arstechnica.com)
87 points by llambda 1625 days ago | 75 comments

I'm okay with the method the FBI is pursuing. They clearly have a case (or enough of a case to take to court), they know exactly what data they need, and they have obtained a warrant for the information. I don't think wiretap laws should come into play on this unless they plan on intercepting communication beyond what is already stored on the phone. The case so far is exactly what the law intended and holds just as relevant today as it did in the 1700s.

Like drivebyacct2 mentioned, though, asking Google for the SSN of a user is kind of odd, and I really hope Google doesn't know that. It's possible the carrier might know, but Google shouldn't unless the suspect was receiving payment from AdWords or Google Checkout/Wallet (do they need SSN for tax reasons at that point?)

Here's my issue: Google could, in theory, provide them access to the device. But that's not what they're asking for. They're asking for usernames, passwords, SSN, etc. By all means, the FBI can submit a warrant to a lock manufacturer to open a lock. They can not, however, tell the lock manufacturer to give them the contents of whatever the lock is protecting. That's a separate warrant.

This is true, and you've just pointed out a big difference from old to new that I had forgotten about.

But what if the safe in the metaphor is owned by someone else and residing on their property, and contains multiple smaller safes inside? That's kind of like cloud-based apps that Android uses heavily. The Feds have enough reason to believe there is relevant information in email, text, and web searches to convince a court of this (difficulty level of convincing a court is debatable).

There also is generally a lot of shit the man pushes out with the knowledge they likely won't be given a response to, and they will accept that. It's a fishing expedition. It's not right, but it's common.

To quote the article:

> In it, the FBI asks for a warrant to be served on Google. It wants to know:

> The subscriber's name, address, Social Security number, account login and password

I would hope the FBI is bright enough to know that in all likelihood Google stores their users' passwords in hashed form. How would Google actually be able to comply with this request for the password?

What would happen if they can't comply (they can't)? Would this eventually lead to legislation that forces services to store passwords in plain text or reversible encryption (which is pretty much the same thing)?

Who cares whether the password is hashed or not. All other data related to X is not.

   select * from smses where login = ?
So if such a warrant will be issued Google absolutely can deliver.

The FBI apparently cares if they specifically asked for the users password. The article was specifically listing the users password amongst the items that were requested by the FBI, so my comment was about the password too.

Most of the other data they were requesting can easily be produced by Google - sure. I'm not denying that at all. I'm just saying that the (original, as set by the user in question) password is probably not retrievable and I'm also saying that the FBI should know that.

I agree, the password should be hashed and should be unrecoverable. That may or may not actually be true, however.

It may be the FBI intends to try the password elsewhere. Lots of people use the same password across multiple accounts of various different types.

Or maybe they intend to submit it as evidence if it's something like "masterpimp"

Quite. For whatever reason I was under the impression that the demanded information was on Google servers.

Unless the pimp is using Google Voice, why would Google have their text messages?

I used SMS as a placeholder for anything held on Google servers.

Google can give you a new password if you forget yours. There is no technical barrier to giving the FBI access and clearly no requirement for plaintext passwords anywhere (setting aside how the request was expressed in the article as a request for a password).

That's assuming the device is associated with a Google account. It's not a requirement and losing the unlocking password/gesture may leave the phone completely unusable (except for 911 calls). Sadly, I speak from personal experience. I do not believe Google has a way of remotely associating a locked phone with a Google account to regain access.

You sure? I can't use my Android phone (Gingerbread) without a damn Google account - I have to use a throwaway one just to be able to use my smartphone...

They can even generate an application-specific password for the FBI, to be revoked after the time limit specified in the warrant is reached. (No idea if this is done or not, but in theory, there is no need to know the password in order to disclose one to the FBI. All they want to do is unlock the phone, but are too dumb to connect a USB cable and run adb.)

If the phone has a locked bootloader and USB debugging isn't turned on, which is most likely the case, then they can't do what you are suggesting.

OK. Open the mofo up and remove the flash chips. It's the government, they have the technology :)

> but are too dumb to connect a USB cable and run adb.

Or that would break the rules regarding forensic data retrieval, and make the information gleaned in that fashion inadmissible as evidence.

Physically unlocking the phone breaks the rules regarding forensic data retrieval as well, since the state of the phone has now been altered. How is the court to know that the FBI didn't plant the details?

This is why backup images are made first, which is not possible with phones when they are locked... the backup images are operated on when doing digital forensics, so that the result can be reproducible by a third party.

How does this violate the rules? He's already signed a waiver to his 4th amendment rights, so no court order is needed - he's essentially given them full control over his own property, including his phone (which I presume would include accessing the data via adb instead of the phone screen).

Because then the phone is no longer in the original state as when the defendant turned it over, and the FBI cannot prove it did not alter the contents of the phone (as images cannot be made while the phone is locked).

Even with the lock, how can they prove that? If they're able to get information off of it, they're able to modify it....

My initial thought was the same as the GP's then I read your statement. Then I thought about it for a moment.

I wonder. This is a subpoena, right? If so, it's not an order for Google to alter anything, just to give the FBI certain information that they have. It may very well be that Google cannot comply with the specific order as granted, but without the text of the order I can't be sure.

There is a difference between "Give us this user's password" and "Reset this user's password and provide the credentials to us."
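The distinction drawn in this sub-thread between handing over a stored password, resetting it, and (as suggested earlier in the thread) issuing a time-limited application-specific credential, as an added example that is not from the article, from Google or from any commenter. It assumes a constructed in-memory account store and PBKDF2-SHA256 hashing; the cost parameter is kept low so the demo runs quickly.

```python
"""Added example: a hashed-password store can verify, reset or issue a
credential, but cannot return the password the user chose.
Constructed illustration, not Google's code or the article's."""
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 100_000            # kept low for the demo; use more in production
ACCOUNTS = {}                   # constructed store: login -> record (hashes only)


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store_password(login, password):
    """Keep only a salted hash; the plaintext is discarded on the spot."""
    salt = os.urandom(16)
    rec = ACCOUNTS.setdefault(login, {"app_passwords": []})
    rec["salt"], rec["hash"] = salt, _hash(password, salt)


def verify_password(login, candidate, now=None):
    """Check a candidate against the primary hash, then against any
    unexpired application-specific password. Verification is possible
    precisely because reversing the hash is never needed."""
    rec = ACCOUNTS.get(login)
    if rec is None:
        return False
    now = time.time() if now is None else now
    if hmac.compare_digest(_hash(candidate, rec["salt"]), rec["hash"]):
        return True
    return any(expires > now and hmac.compare_digest(_hash(candidate, salt), digest)
               for salt, digest, expires in rec["app_passwords"])


def disclose_password(login):
    """'Give us the subscriber's password': everything the store holds.
    There is no password in it, only a salt and a PBKDF2 hash."""
    rec = ACCOUNTS[login]
    return {"salt": rec["salt"].hex(), "pbkdf2_sha256": rec["hash"].hex()}


def reset_password(login):
    """'Reset the password and give us the credentials': works, but replaces
    the user's credential (and locks the user out), so it is a different
    request from disclosure."""
    new_password = secrets.token_urlsafe(16)
    store_password(login, new_password)
    return new_password


def issue_app_password(login, lifetime_seconds, now=None):
    """A separate, time-limited credential, as one commenter suggested:
    the user's own password stays valid and unknown, and the extra
    credential expires (or can be revoked) when the warrant period ends."""
    now = time.time() if now is None else now
    app_password = secrets.token_urlsafe(12)
    salt = os.urandom(16)
    ACCOUNTS[login]["app_passwords"].append(
        (salt, _hash(app_password, salt), now + lifetime_seconds))
    return app_password


if __name__ == "__main__":
    store_password("subscriber", "masterpimp")          # constructed account
    print(disclose_password("subscriber"))               # no plaintext to give
    print(verify_password("subscriber", "masterpimp"))   # True
    app = issue_app_password("subscriber", 3600, now=1000.0)
    print(verify_password("subscriber", app, now=2000.0),    # True
          verify_password("subscriber", app, now=5000.0))    # False, expired
    fresh = reset_password("subscriber")
    print(verify_password("subscriber", fresh),              # True
          verify_password("subscriber", "masterpimp"))       # False now
```

The `now` parameter exists only so the expiry can be tested deterministically; in a real service the expiry and revocation would be recorded against the legal process that authorised the credential.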

> Soghoian wonders about the legality of accessing a still-operational cell phone. ... But a US Magistrate Judge disagreed.

As a side note, I really dislike this style of reporting. I doubt the judge disagreed with Soghoian if Soghoian published his blog post after the judge published his opinion. The article makes it sound like a stupid judge made the wrong decision by not reading some expert opinion that was available to him. If the judge disagreed with anybody, it was defense counsel. But the article doesn't mention any objection by the defense. Perhaps, because as a lawyer, he is in a better position to know what's legal and what's not?

I noticed that too and agree entirely. There is absolutely nothing in the article that suggests this argument was actually made and rejected. At the end of the day, judges are people too and can't possibly have the entirety of all case law in their minds at all times. It is up to defense attorneys to research the case and bring up relevant arguments. I just can't see anything in the article that even suggests that the idea of a wiretap warrant being more appropriate was even discussed.

Pattern locks are notoriously vulnerable to visual analysis of fingertip grease marks on the screen. Don't count on this to protect your data.

Ah, I just figured something out. So some people here are calling out the FBI's stupidity for mucking with the phone, as in trying patterns that eventually locked the device. In other words, if phones are known to lock, they shouldn't just randomly try patterns on it.

But I believe the attempts were not random. They probably did what you suggested, inspected the traces of fingertip grease and discovered a much more constrained set of possible patterns.

So they basically got an undirected graph and then thought they could figure out the most likely directed path in the graph that would unlock the phone.

Somebody probably made an educated (but eventually bad) guess about what the unlock path would be.

Our office security system has had the same 4-digit password for years, so much so that the keys for those digits are now worn out. 4! tries.

It's a pattern lock, so it must not be using disk encryption (only available on Ice Cream Sandwich with either PIN or password). Is there some reason they can't just open it up and see what's on it?

Text messages are on internal storage, which becomes unmountable when the device is locked.

Depending on the phone, they should be able to get into recovery mode and connect via adb. However, if it has a locked bootloader, they're SOL, and my schadenfreude is without limit :)

The article states it's a Samsung phone, almost certainly a Galaxy S variant by market share. All Samsung phones I know honor a pre-bootloader protocol (accessible by a leaked tool named "Odin" or its reverse-engineered open source equivalent "Heimdall"). This can read out the contents of all partitions without ever running a Linux kernel. The mountable filesystems are all readable just fine on the host.

The FBI's forensics people are idiots, basically. They have what they want already, they never needed the PIN code.

don't forget that they have strict requirements they have to follow for the data gathered from their forensics to be admissible as evidence.

If those requirements are sane, then a non-invasive raw dump of the flash using only factory-installed firmware is surely more compliant.

Cost-benefit analysis: spend a few hours trying to translate a raw flash dump into a readable format (in addition to the normal forensic work of looking at the phone's drive's contents), or spend <1hr to see whether a pro forma subpoena makes all that work unnecessary?

This isn't a high-priority case, so the FBI will always go with the cheaper, quicker option.

Good grief: "mount -o loop raw_flash_dump /where/ever". I weep for the state of things that straightforward tasks like this seem "hard" not just to yahoos at the FBI but even to Javascript jockeys who frankly should know better.

Going to court harder than spending half an hour to dump the phone? Really?

Sorry, I'm not sure I understand - can you explain more? How does the OS making it unmountable when it's locked stop the FBI from physically removing the internal storage and looking at its contents via another device? I can see how it might require specialized forensics equipment depending on how obscure/proprietary the internal storage hardware is, but that seems like something the FBI would have access to or be able to obtain...

I would imagine that busting a pimp isn't exactly high up there on the FBI's list of priorities, at least not high enough to desolder a NAND chip (possibly destroying evidence) and reverse-engineer its raw access protocol. Far simpler to just make Google give them the password.

It's weird that they're accessing the device without using forensic "data preservation" techniques.

Surely anything they gather from the phone now will be useless in court?

I wonder if the FBI is aware of android issue 3006 - http://code.google.com/p/android/issues/detail?id=3006

Does this still exist? What an absolutely horrifying bug.

Do you know where in the source this is?

It's still open, and works on my Droid, but considering that there are so many handsets that are not updated, I'm sure this one would still work on most phones. I haven't looked through the code to pinpoint it.

They could have just come and asked here.

You must already have root, but since they mentioned it's a Samsung phone, all you do is find a CWM/rooted kernel tar, flash it via Odin, then do the steps below.

   adb -d shell
   sqlite3 data/data/com.android.providers.settings/databases/settings.db
   sqlite> update system set value=0 where name='lock_pattern_autolock';
   sqlite> .exit

Reboot from there and the lockscreen is bypassed.

Remember kids, use this for good and not evil muahahhahaahhaah

(IANAL) Modifying anything on the phone would make the data inadmissible.

This is probably a tangent, but why would the FBI be involved in a prostitution case? Shouldn't that be state/local?

Minor victim and state-lines being crossed -- that would be my guess.

Is the Mann Act state or federal?

Maybe it was an interstate prostitution ring? Hell, going between New York and New Jersey would qualify.

Can't all of this be gotten just by looking at the storage on the phone? Or talking to the wireless carrier?

I just assumed that they had search warrants allowing this form of discovery for years now. It is funny to think that an investigator tried one time too many pattern attempts and accidentally erased the phone contents. I'm going to go on record as haha'ing the slip up.

How could the FBI not know his SSN?!

They want to know the subscriber's SSN, the person who owns the phone. He said the phone belonged to his sister.

How should Google know that?

Seriously? Pattern locks are almost as easy as Face Unlock to get through.

Are you referring to smudge attacks on pattern locks?

Face unlock was even weaker since anyone who had access to your photo could unlock it.

"Face unlock was even weaker since anyone who had access to your photo could unlock it"

I thought that rumour was debunked by Google engineers within the first hour that it launched?

edit - The quote is "Responding to a Twitter message from someone who say Face Unlock could be hacked [with a picture of the person], Bray said, "Nope. Give us some credit.""

I was following that when it was launched. But it was still easily defeated. Here's TheNextWeb article where they show a video on how easy it is to break that: http://thenextweb.com/google/2011/11/11/android-4-0-face-unl...

How would they make it photo-proof? I mean, any guesses on the algorithm they use? My dart in the dark would be that a photo would be absolutely still while a real person's face might twitch, shake, bat eyelids, etc.

Maybe they do something really clever and rely on faces being 3D and the phone not being held 100% still?

Yeah I was referring to that, but I just realized that there's probably some legal bs preventing them from doing it. So nevermind!

In the interest of adding context, a "Smudge Attack" paper was presented at USENIX 2010 (Aviv et al. 2010), linking it for those interested. I only read security papers as a layman but I did enjoy this one.

Paper link:


I'm confused, can't they just write a GUI in Visual Basic to track the perp's IP?

The FBI Forensics Lab mis-entered the pattern lock too many times? The FBI uses the same tactic as my little brother to get into people's phones? At a forensics lab? And the stuff they want from Google kind of blows my mind. "The times and duration of every webpage visited"... As far as I can see that's completely undeliverable by anyone but possibly the carrier. Who do they have working down there?

This is also super interesting: "His parole conditions prevented him from doing anything to hide or lock digital files."

So if convicted of a crime they can require you to not use basic personal and identity safety measures.

Not even the network carrier should be able to tell the duration of a web page visit. Only the browser (or tracking javascript) could record this, but that's still dubious. I've had some browser tabs open on my phone for months... but that doesn't mean I've been constantly looking at them for months. I doubt Android keeps a big database of every page you visit and how long it takes you to close the page or navigate away. I guess Google Analytics might have some of that data, but only for sites that use GA.

> So if convicted of a crime they can require you to not use basic personal and identity safety measures.

Not really a new concept, it's fairly similar to banning a paedophile from going near schools, banning someone on parole from leaving the country (or state), or enforcing a curfew, etc. Similar in that it's restricting what would normally be anybody's right.

I know that is not a new concept, but it seems troubling because of its scope. It would be like saying "You may not shred credit card statements."

But more to the point, so many computers now expect password protection. I don't see how this amounts to something other than a ban on general computing, and for reasons that are not distinctly related to the offence.

Completely agree with you. How amateurish! Lock pattern is saved on the device, not in the cloud. I am not a hacker myself but FBI not having one that downloads entire OS out of it and either cracks the pattern or disable "wait X seconds to retry" and run a cracking app on it makes me wonder. Especially this is not some rocket science we talking about -- his lock pattern most likely is max 5 pins.
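The smudge-attack pruning discussed earlier in the thread (an undirected graph of greasy segments narrowed to a few directed paths) and the offline crack suggested just above, as one added example that is not from the article, from Android or from any commenter. It assumes the standard 3x3 pattern rules (no dot reused; a jump across a dot is only allowed once that dot has already been used) and, for the last part, how Android of that era stored the pattern: /data/system/gesture.key held the unsalted SHA-1 of the dot indices as bytes, which I state as a known fact rather than something the page shows. The smudge data and the sample key are constructed.

```python
"""Added example: enumerate Android 3x3 unlock patterns, prune them with
smudge evidence, and recover a pattern offline from a gesture.key hash.
Constructed illustration, not code from the article or from Android."""
import hashlib

# Dots numbered row-major:  0 1 2 / 3 4 5 / 6 7 8
# MIDPOINT[(a, b)] is the dot lying exactly between a and b, if any.
# Android lets the finger jump across that dot only if it was used earlier.
MIDPOINT = {}
for a in range(9):
    for b in range(9):
        ra, ca = divmod(a, 3)
        rb, cb = divmod(b, 3)
        if a != b and (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
            MIDPOINT[(a, b)] = ((ra + rb) // 2) * 3 + (ca + cb) // 2


def _extend(path, used, out, min_len, max_len):
    if len(path) >= min_len:
        out.append(tuple(path))
    if len(path) == max_len:
        return
    last = path[-1]
    for nxt in range(9):
        if used[nxt]:
            continue
        mid = MIDPOINT.get((last, nxt))
        if mid is not None and not used[mid]:
            continue                      # would pass through an unused dot
        used[nxt] = True
        path.append(nxt)
        _extend(path, used, out, min_len, max_len)
        path.pop()
        used[nxt] = False


def all_patterns(min_len=4, max_len=9):
    """Every valid pattern of min_len..max_len dots (389,112 for 4..9)."""
    out = []
    for start in range(9):
        used = [False] * 9
        used[start] = True
        _extend([start], used, out, min_len, max_len)
    return out


def visible_segments(pattern):
    """Unordered line segments a finger smudge would show. A jump across an
    already-used middle dot leaves two shorter segments, not one long one."""
    segs = set()
    for a, b in zip(pattern, pattern[1:]):
        mid = MIDPOINT.get((a, b))
        if mid is None:
            segs.add(frozenset((a, b)))
        else:
            segs.update((frozenset((a, mid)), frozenset((mid, b))))
    return segs


def smudge_candidates(dots, segments=None, patterns=None):
    """Patterns whose touched dots equal the smudged dots and, if the
    segments could be read off the glass, whose segments equal them.
    The smudge is an undirected drawing, so direction is never recovered:
    the remaining guesses still have to be tried, and each wrong one counts."""
    dots = frozenset(dots)
    segs = None if segments is None else {frozenset(s) for s in segments}
    pats = all_patterns() if patterns is None else patterns
    return [p for p in pats
            if frozenset(p) == dots and (segs is None or visible_segments(p) == segs)]


def gesture_key(pattern):
    """Unsalted SHA-1 of the dot indices as bytes, the gesture.key format of
    Android of that era (stated as a known fact, not taken from the page)."""
    return hashlib.sha1(bytes(pattern)).digest()


def crack_gesture_key(digest, patterns=None):
    """Offline brute force over a dumped key: at most 389,112 SHA-1s,
    no retry limit and no chance of wiping the device."""
    for p in (all_patterns() if patterns is None else patterns):
        if gesture_key(p) == digest:
            return p
    return None


if __name__ == "__main__":
    pats = all_patterns()
    print(len(pats), "valid patterns")                           # 389112
    # Constructed smudge: dots 0,1,4,7,8 touched; segments 0-1,1-4,4-7,7-8 visible.
    print(len(smudge_candidates({0, 1, 4, 7, 8}, patterns=pats)), "by dots alone")
    print(smudge_candidates({0, 1, 4, 7, 8}, [(0, 1), (1, 4), (4, 7), (7, 8)], pats))
    # Constructed gesture.key for pattern 0-1-4-7-8, recovered without touching the lock screen.
    print(crack_gesture_key(gesture_key((0, 1, 4, 7, 8)), pats))
```

With the constructed smudge the segment evidence leaves exactly two candidates (the path and its reverse), which is the point made earlier about an undirected graph: the guess is between directions, not patterns. Whether the segments can actually be read is the weak spot of the technique; with the dots alone the candidate list is longer, and a 5-attempt lockout turns a lucky guess into a locked phone, whereas the hash crack never touches the device.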

I cannot speak for the FBI as I know little about them. But I have worked closely with its equivalent in my country (Brazil). And one notorious fact that I learned is that the technical expertise of these guys is way behind what the public expects of them. People expect federal police and government investigation to be up to date with the newest technologies and hacker practices. They picture Hollywood-style CIA command centers with magical hackers that can do anything they want by typing a few Matrix-like lines of code on a command shell.

But in reality, technical government agents have very little incentive to do their job well. They just wanna get it over with and go back home. As a result you have highly untrained personnel, who don't keep up with the latest technology and will do the bare minimum to just not get fired. Their methods are always amateurish and easy to avoid if you're actually trying.

I'd imagine the US is a bit better than my country in this regard. But I'd doubt that by much. I'm still sure that their technical skills are light years behind what the public perception is.

> the technical expertise of these guys is way behind what the public expects of them.

And thank God, or we would be even more deeply fucked.

Some of the things they're asking for are beyond absurd. How does someone work at the FBI and not realize that asking Google for a user's SS# or detailed browsing logs is not realistic?

IANAL, but I'm assuming Google doesn't have to hand over anything that's not explicitly listed in the warrant. If you're the FBI, you might as well ask for the world and see what you get back.

Often enough, if someone is smart enough to even realize such things they wouldn't be working for the government. And if you deal with the government you start seeing this kind of stupidity quite often. I am sure you'll see it in any large bureaucratic structure (private too); it is just that the govt is the largest one of all.

It's not about being realistic, it's about finding out what sort of information Google retains about its users. Low-profile cases are the best times to test these sorts of fishing expeditions because attention and resistance to the subpoena will be low. (In contrast, in a high-profile case, the defendant is likely to vigorously oppose any such attempt.)

In other words: The FBI doesn't care if they actually get the information in this case; they want to know if they'll be able to get such information in future, more important cases.

the implications at the end are really lame. "the phone may have received sms after the judge issued the order"

Like that would be held in court for anything? Let's think analogically: would a mob king be freed if a judge authorized a safe with evidence to be opened on the 4th, but it was only opened on the 7th, and new evidence was put into the safe by other agents on the 6th?

It's not a matter of new evidence becoming available, but private data becoming visible unlawfully.

How is it different from the safe example?
