All Tech Considered
9:54 am
Tue March 25, 2014

Your Smartphone Is A Crucial Police Tool, If They Can Crack It

Originally published on Tue March 25, 2014 2:28 pm

New software and gizmos are revolutionizing police work, with social media scanners, facial recognition and other high tech items. As it turns out, though, the single most valuable new police tool is your smartphone.

Rolf Norton, a homicide detective in Seattle, says when he's talking to a suspect, he keeps his eye open for the person's smartphone.

"I'm thinking there's probably a wealth of information that just got tucked into your pocket," Norton says. "Something that we'd like to get our hands on."

Your calls, your emails, your calendar, your photos — not to mention the GPS data embedded in those photos — could make a whole case, in one convenient package.

That wealth of information is also why more people now keep their phones locked with a PIN. Once he's seized a phone, Norton says, he often has to return to the owner to ask for help.

"Maybe you've established a rapport and you're getting along with this person," Norton says. "We'll reach out to that person and say, 'Hey, your phone's locked. We'd like to inspect it. We'll probably be getting a warrant. Would you give us your password?' "

Under the Fifth Amendment's protection against self-incrimination, you might have the right to refuse. But Jeffrey Fisher, a Stanford Law School professor, says the courts haven't settled that issue, so withholding your phone's password could prove risky.

"You can have anything from contempt of court to obstruction of justice," Fisher says. "All kinds of other problems."

Plus, there's a practical consideration: The police may be able to get around your password, anyway.

Companies such as Guidance Software and Cellebrite sell products to law enforcement that "image" smartphones. The products can pull data off in bulk for use as evidence. BrickHouse Security in New York sells products like this for iPhone and Android. CEO Todd Morris says the handset manufacturers don't support this, so it's a constant effort to keep the forensic software up to date.

"It's a collaboration. There's no way any one company can keep up with Apple or Google," Morris says. "You use programmers from all around the world and they share what they find."

These phone-copying systems rely heavily on what hackers call "exploits," or vulnerabilities in the phones' operating systems that can be used to get around the password or encryption.

Phones locked with a four-digit PIN are usually cracked with what's called a "brute force" attack: The software throws number combinations at the phone until one works, in a way that you couldn't do manually. That can take less than an hour, according to David Dunn.

Until last year, Dunn was a Seattle police detective specializing in digital forensics. He says the department got its first phone-copying kit in 2008 and handled only about 20 phones a year. By the time he left, the department was copying at least two phones a week.

As the phones became more important to police work, Dunn says they also became tougher to crack. The newer the phone is, the less likely it is the police can open it.

"In some cases, you'll have a handset that comes in, say, Jan. 1 of the year," he says. "Technology develops over the course of that year so you can get into it six or nine months later."

It's an arms race, and Dunn thinks the police are losing. The newest iPhones seem to be impervious to cracking and even when police send them to Apple (with a warrant), the extent of the encryption means the company can't always get everything.

"If you use the alphanumeric passcode, even Apple can't get in," says Will Strafach, a hacker who works with companies that make forensic tools for police. He's referring to the longer passwords that are optional on iPhones but also more cumbersome to use.

It's also a slow process. When the newest iPhones are sent to Apple, police may have to wait months for whatever data are recovered, Strafach says.

With Google's Android phones, things are looser. Encryption is optional and the basic screen passcode (or "pattern lock") operates more as a deterrent for the nosy. You can choose longer passwords, but any of them can be circumvented with the user's Google username and password. With a warrant, the police should be able to get those login credentials from Google.

Sophisticated users are locking things down more effectively. Take the example of Ashkan Soltani, a researcher and computer security consultant.

He uses the basic Android "pattern lock" to open the screen while his phone is in use, but he has modified his phone so that when he shuts it off, it requires a longer pass phrase to boot up again.

"If I'm traveling through customs or being pulled over, I would power off my phone," Soltani says. "And that PIN would be much longer to access on first boot."

The companies behind the phones have an interest in making them harder to crack, especially when they're marketing to corporate customers. It also reflects the tech world's growing distrust of government.

"At this point, I think it's very difficult to trust any policy-based solution," Moxie Marlinspike says. That's the pseudonym for a hacker well known in Silicon Valley for his work on third-party encryption systems for smartphones. He says he cares about legal privacy protections, but he doesn't want to rely on them.

"There's something empowering about not asking for that type of protection. There's something empowering about just providing it for ourselves," he says.

Still, technological fixes can backfire. Take the case of the new iPhone 5s. It comes with a fingerprint reader. Cryptographically, that's a lot more secure than a four-digit PIN. But legally, it may be less secure. That's because while you may have a constitutional right to withhold your password, the Supreme Court has already said the police don't need a warrant to get access to your finger.

Copyright 2014 NPR. To see more, visit http://www.npr.org/.