
SoylentNews is people

posted by takyon on Monday October 23 2017, @10:10PM
from the world's-tiniest-violin-ringtone dept.

FBI failed to access 7,000 encrypted mobile devices

Agents at the US Federal Bureau of Investigation (FBI) have been unable to extract data from nearly 7,000 mobile devices they have tried to access, the agency's director has said.

Christopher Wray said encryption on devices was "a huge, huge problem" for FBI investigations. The agency had failed to access more than half of the devices it targeted in an 11-month period, he said.

One cyber-security expert said such encryption was now a "fact of life". Many smartphones encrypt their contents when locked, as standard - a security feature that often prevents even the phones' manufacturers from accessing data. Such encryption is different to end-to-end encryption, which prevents interception of communications on a large scale.

Cyber-security expert Prof Alan Woodward at the University of Surrey said device encryption was clearly frustrating criminal investigations but it would be impractical and insecure to develop "back doors" or weakened security.

In a time when the government is committing criminal acts, is it not advisable for citizens to do what they can to protect themselves from that crime?


Original Submission

Related Stories

FBI Director Christopher Wray Keeps War on Encryption Alive 61 comments

The new FBI Director Christopher Wray has been repeating the broken rhetoric of the Crypto Wars:

In recent testimony before Congress, the director of the FBI has again highlighted what the government sees as the problem of easy-to-use, on-by-default, strong encryption.

In prepared remarks from last Thursday, FBI Director Christopher Wray said that encryption presents a "significant challenge to conducting lawful court-ordered access," again using the longstanding government moniker "Going Dark."

The statement was just one portion of his testimony about the agency's priorities for the coming year.

The FBI and its parent agency, the Department of Justice, have recently stepped up public rhetoric about the so-called dangers of "Going Dark." In recent months, both Wray and Deputy Attorney General Rod Rosenstein have given numerous public statements about this issue.

Remember to use encryption irresponsibly, and stay salty, my FBI friends.

Previously: FBI Chief Calls for National Talk Over Encryption vs. Safety
Federal Court Rules That the FBI Does Not Have to Disclose Name of iPhone Hacking Vendor
PureVPN Logs Helped FBI Net Alleged Cyberstalker
FBI Failed to Access 7,000 Encrypted Mobile Devices
Great, Now There's "Responsible Encryption"
FBI Bemoans Phone Encryption After Texas Shooting, but Refuses Apple's Help
DOJ: Strong Encryption That We Don't Have Access to is "Unreasonable"


Original Submission

FBI Director Calls Encryption a "Major Public Safety Issue" 56 comments

The Washington Post has a story which says:

FBI Director Christopher A. Wray on Tuesday renewed a call for tech companies to help law enforcement officials gain access to encrypted smartphones, describing it as a "major public safety issue."

Wray said the bureau was unable to gain access to the content of 7,775 devices in fiscal 2017 — more than half of all the smartphones it tried to crack in that time period — despite having a warrant from a judge.

"Being unable to access nearly 7,800 devices in a single year is a major public safety issue," he said, taking up a theme that was a signature issue of his predecessor, James B. Comey.

Wray was then quoted as saying:

"We're not interested in the millions of devices of everyday citizens," he said in New York at Fordham University's International Conference on Cyber Security. "We're interested in those devices that have been used to plan or execute terrorist or criminal activities."

He then went on to promote the long-disparaged idea of key escrow:

As an example of a possible compromise, Wray cited a case from New York several years ago. Four major banks, he said, were using a chat messaging platform called Symphony, which was marketed as offering "guaranteed data deletion." State financial regulators became concerned that the chat platform would hamper investigations of Wall Street.

"In response," Wray said, "the four banks reached an agreement with the regulators to ensure responsible use" of Symphony. They agreed to keep a copy of their communications sent through the app for seven years and to store duplicate copies of their encryption keys with independent custodians not controlled by the banks, he said.

To me this is more of the utter nonsense the government has spouted. When will they understand that key escrow only works when one trusts the government and the keeper of the keys?

FBI: End-to-End Encryption Problem "Infects" Law Enforcement and Intelligence Community 57 comments

FBI: End-to-End Encryption Is an Infectious Problem

Just in case there were any lingering doubts about U.S. law enforcement's stance on end-to-end encryption, which prevents information from being read by anyone but its intended recipient, FBI executive assistant director Amy Hess told the Wall Street Journal this week that its use "is a problem that infects law enforcement and the intelligence community more and more so every day."

The quote was published in a piece about efforts from the UK, Australia and India to undermine end-to-end encryption. All three countries have passed or proposed legislation that compels tech companies to supply certain information to government agencies. The laws vary in their specifics, including restrictions on to what information law enforcement can request access, but the gist is that they don't want any data to be completely inaccessible.

Related: FBI Chief Calls for National Talk Over Encryption vs. Safety
FBI Failed to Access 7,000 Encrypted Mobile Devices
DOJ: Strong Encryption That We Don't Have Access to is "Unreasonable"
Five Eyes Governments Get Even Tougher on Encryption
Apple Speaks Out Against Australian Anti-Encryption Law; Police Advised Not to Trigger Face ID
Australia Set to Pass Controversial Encryption Law
Split Key Cryptography is Back... Again – Why Government Back Doors Don't Work


Original Submission

This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 4, Funny) by MichaelDavidCrawford on Monday October 23 2017, @10:16PM (4 children)

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Monday October 23 2017, @10:16PM (#586610) Homepage Journal

    I disabled the login password on my iPhone 7. Now it opens right up to the desktop - is it called "desktop" on iOS devices?

    My setting is as G-d and Nature intended.

    --
    Yes I Have No Bananas. [gofundme.com]
    • (Score: 2) by Freeman on Monday October 23 2017, @10:26PM

      by Freeman (732) on Monday October 23 2017, @10:26PM (#586614) Journal

      It's a "Home Screen" as desktop doesn't really fit the nature of the beast. The reason for the password isn't to restrict your "Freedom". It's to restrict a thief's "Freedom" to access your information. I have read your stances on the topic and I'm pretty sure you already know all the arguments against it. I'm also glad that No password is an option.

      --
      Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
    • (Score: 0) by Anonymous Coward on Monday October 23 2017, @11:54PM (1 child)

      by Anonymous Coward on Monday October 23 2017, @11:54PM (#586655)

      My GoFundMe campaign [gofundme.com].

      I donated. Anyone else able to chip in? Any other Soylent ACs able to help the one, the only MDC?

    • (Score: 0) by Anonymous Coward on Tuesday October 24 2017, @06:47PM

      by Anonymous Coward on Tuesday October 24 2017, @06:47PM (#586995)

      Could 2017 be the year of desktop on the iPhone?

  • (Score: 5, Insightful) by Freeman on Monday October 23 2017, @10:18PM (7 children)

    by Freeman (732) on Monday October 23 2017, @10:18PM (#586611) Journal

    Security isn't security, if only the "good guys" have the keys to the kingdom. The bad guys would get them about a second after the good guys have them. Plus, who's to say the "good guys" are good?

    --
    Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
    • (Score: 5, Funny) by bob_super on Monday October 23 2017, @11:09PM (1 child)

      by bob_super (1357) on Monday October 23 2017, @11:09PM (#586634)

      > who's to say the "good guys" are good?

      That's easy: They write songs about being good, make movies about being good and Bad Guys losing, write articles and novels about being good, and make their children recite poems about being good.
      Obviously, only good people would go through all that trouble.

      • (Score: 0) by Anonymous Coward on Tuesday October 24 2017, @07:16PM

        by Anonymous Coward on Tuesday October 24 2017, @07:16PM (#587021)

        Here's a song about the Dear Leader [youtube.com]. Enjoy!

    • (Score: 5, Insightful) by frojack on Tuesday October 24 2017, @02:05AM (3 children)

      by frojack (1554) on Tuesday October 24 2017, @02:05AM (#586684) Journal

      Speaking of "bad guys"...

      Christopher Wray said encryption on devices was "a huge, huge problem" for FBI investigations. The agency had failed to access more than half of the devices it targeted in an 11-month period, he said.

      So by rough calcs the FBI seized somewhere north of 14000 phones and tried to crack them.
      Are there 14000 kidnappings where a child's life is on the line?
      Has the FBI really arrested 14000 people for interstate drugs or human trafficking in 11 months?

      That's a huge number.

      It looks like they are going after phones for even little crimes the FBI would be involved in rather than just the big ones.
      Or maybe they are doing it as a service to every tin star sheriff.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 5, Insightful) by Runaway1956 on Tuesday October 24 2017, @02:43AM (2 children)

        by Runaway1956 (2926) Subscriber Badge on Tuesday October 24 2017, @02:43AM (#586696) Journal

        I think, basically, the FBI wants your phone to incriminate you for SOMETHING, ANYTHING, so that they don't have to do real investigative work. Investigating can be hard, you know? If they can just grab some device with which you record all of the intimate parts of your life, they can find SOMETHING with which to threaten you. If you were an agent, why would you prefer to *work* for a conviction, if instead, you can just get a person's detailed journal/diary containing incriminating evidence? But, worse than a mere journal, the damned device keeps detailed logs. You connected to a site once, and so did Al Jazawi Howie - guilt by association. The phone and the telco never forget which sites you connected to, of course. It doesn't matter that you did a search, that random site came up, you clicked, and the material was entirely irrelevant to your purposes. The fact is, you've used the same site that Howie did, so you're a terrorist.

        Yeah, we all want backdoors into our devices. Being patriotic citizens, none of us wants an FBI agent to actually WORK for a conviction. We need to make those agents' lives as easy as possible!

        • (Score: 5, Insightful) by Whoever on Tuesday October 24 2017, @03:11AM

          by Whoever (4524) on Tuesday October 24 2017, @03:11AM (#586702) Journal

          Disputed, but still:
          "If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him."

        • (Score: 0) by Anonymous Coward on Tuesday October 24 2017, @07:29PM

          by Anonymous Coward on Tuesday October 24 2017, @07:29PM (#587037)

          exactly. these pigs are looking for leverage and/or planting evidence. they are lazy, kid killing scum. fuck them.

    • (Score: 0) by Anonymous Coward on Tuesday October 24 2017, @06:51PM

      by Anonymous Coward on Tuesday October 24 2017, @06:51PM (#586997)

      The Good Guys [wikipedia.org] are long gone. The bad guys [soylentnews.org] are still around.

  • (Score: 5, Insightful) by edIII on Monday October 23 2017, @10:29PM (3 children)

    by edIII (791) on Monday October 23 2017, @10:29PM (#586616)

    Part of me is very skeptical. The NSA did have a bunch of their top secret tools stolen, but I suspect they have more. Or other governments do.

    Maybe the FBI wants us to think our whole device/drive encryption is secure? There was a recent article about how some TPM was compromised. That's all it takes, and side channel attacks are a bitch. I'm reminded of the security concept that once you've lost physical security, you've lost all security. There is only one exception, and that is data at rest, and that is only as long as the encryption keys are irretrievable or not present in the device hardware at any level we can adequately measure and process.

    It's wonderful news, but sounds too good to be true.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
    • (Score: 0) by Anonymous Coward on Tuesday October 24 2017, @12:41AM (2 children)

      by Anonymous Coward on Tuesday October 24 2017, @12:41AM (#586667)

      I knew someone would say something like that. Do you have any actual evidence that stories like these are just an attempt to give people a false sense of security, or is this just mostly baseless speculation?

      • (Score: 5, Informative) by takyon on Tuesday October 24 2017, @01:02AM (1 child)

        by takyon (881) <takyonNO@SPAMsoylentnews.org> on Tuesday October 24 2017, @01:02AM (#586669) Journal

        The FBI doesn't want their methods to be known [zdnet.com]. So I would not expect them to tell the whole story when complaining about encryption.

        They have been complaining about this stuff for years [vox.com] but have demonstrated a willingness to use spyware and vulnerabilities to infiltrate systems, especially those of Tor users. And they have used vulnerabilities to bypass phone encryption before.

        Is there evidence that they have a vulnerability good enough for them to get past recently developed encrypted phones with lock screens? No. And that's the point. By lying and using shady methods, the FBI, NSA, and other agencies have eroded all trust in them. You won't know what they are exploiting until years later when it leaks or they are forced to acknowledge it. But you do know the policy: they break into systems using unreleased vulnerabilities, and believe that Congress and the courts give them the power to do so legally.

        --
        [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
        • (Score: 3, Insightful) by urza9814 on Wednesday October 25 2017, @01:30PM

          by urza9814 (3954) on Wednesday October 25 2017, @01:30PM (#587354) Journal

          Not telling the whole story is exactly what I was thinking. They don't even have to be lying -- they're only saying they couldn't get into the phones, they aren't saying how hard they tried. "Tried to access" could be an agent hitting the unlock button and seeing if they get a password prompt.

          Are these phones that couldn't be accessed by their top IT security experts, or are these phones that couldn't be accessed by the field agent making the arrest? It's not like every single agent is an expert in cryptography. So how many do they bother to send for analysis? Probably not 100%. Maybe the 50% that get unlocked? Maybe only 1%, and 49% just have no security at all? Without that information this headline means nothing.

  • (Score: 2, Funny) by Anonymous Coward on Monday October 23 2017, @10:43PM

    by Anonymous Coward on Monday October 23 2017, @10:43PM (#586626)

    "a huge, huge problem"

    Did you mean "yuuuge, yuuuge problem"?

  • (Score: 5, Insightful) by Justin Case on Monday October 23 2017, @10:52PM (2 children)

    by Justin Case (4239) on Monday October 23 2017, @10:52PM (#586628) Journal

    Yeah, sure, blame BBC not the submitter, but...

    FBI failed to access 7,000 encrypted mobile devices

    is actually

    Encryption succeeded in protecting 7,000 devices from malicious access

    "Spin" like this is part of how we've had fake news since forever. Media lapdogs always side with the biggest thug on the block.

    • (Score: 2) by meustrus on Tuesday October 24 2017, @05:03PM

      by meustrus (4961) on Tuesday October 24 2017, @05:03PM (#586940)

      Absolutely! Headlines like these are definitely an example of the problematic bias in our news media.

      Just don't think that this attaches "pro-FBI" to the political bias you may already believe exists. It's political, sure, but not left vs right. This one is pretty clearly rich vs poor, in which the rich like having powerful law enforcement (which they can control).

      --
      If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
    • (Score: 2) by DeathMonkey on Tuesday October 24 2017, @06:09PM

      by DeathMonkey (1380) on Tuesday October 24 2017, @06:09PM (#586972) Journal

      Both statements are factually correct, and therefore, not fake.

      Just because certain people want to create a false equivalency regarding "fake news" doesn't mean we should let them.

  • (Score: 5, Insightful) by MrGuy on Monday October 23 2017, @11:09PM (3 children)

    by MrGuy (1007) on Monday October 23 2017, @11:09PM (#586633)

    Agents at the US Federal Bureau of Investigation (FBI) have been unable to extract data from nearly 7,000 mobile devices they have tried to access, the agency's director has said.
    Christopher Wray said encryption on devices was "a huge, huge problem" for FBI investigations. The agency had failed to access more than half of the devices it targeted in an 11-month period, he said.

    Note how carefully this is worded. The 7,000 number is the number of devices the FBI tried to access.

    Where is the number for the devices where there was reasonable suspicion that a search of the device would yield meaningful evidence of a crime?
    Where is the number for the devices where there was reasonable suspicion that a search of the device would yield meaningful evidence of the SPECIFIC crime being investigated?
    Where is the number for the devices for which a search warrant was obtained?

    It's in the FBI's interest to inflate as much as possible the number of devices that it "targeted."

    There's a world of difference between "we picked this guy up on an outstanding federal warrant, and we wanted to take a look at his phone just in case he said or texted something incriminating" and "we know this particular phone was used to communicate with a hitman about a murder for hire, and we need to look at the call history to help us identify the suspect." One is a completely speculative reason to look at the phone, one is a search with probable cause.

    • (Score: 5, Interesting) by bob_super on Monday October 23 2017, @11:11PM

      by bob_super (1357) on Monday October 23 2017, @11:11PM (#586636)

      > The agency had failed to access more than half of the devices it targeted in an 11-month period

      Note that this implies that thousands of devices were successfully targeted...

    • (Score: 2) by DannyB on Tuesday October 24 2017, @02:54PM

      by DannyB (5839) Subscriber Badge on Tuesday October 24 2017, @02:54PM (#586885) Journal

      You know what the next step will be?

      Management Engines.

      Hey, it worked on Intel and AMD processors used in billions of desktop, laptop and server PCs. Compromise baked right into your microprocessor. You pay for it. You don't want it. And nobody asked you. One can only speculate why that wasn't listed as a major feature on the box when it was introduced.

      Now the TLAs need to get management engines forced to be in the design of British / Japanese ARM chips. Of course, they only license their IP, as I understand it. Others take the IP, design their own concrete chip implementations, and then fabricate their chips. So it might be just a wee bit harder to forcibly corrupt the hardware.

      Drat! those two billion smartphones with ARM chips!

      --
      The lower I set my standards the more accomplishments I have.
    • (Score: 0) by Anonymous Coward on Tuesday October 24 2017, @04:59PM

      by Anonymous Coward on Tuesday October 24 2017, @04:59PM (#586936)

      No, it's not. Examining your quote even carefullier:

      (FBI) have been unable to extract data from nearly 7,000 mobile devices they have tried to access, [..] more than half of the devices it targeted

      That implies to me that they have tried to access 14,000 devices, half of which they were able to access successfully. That still doesn't say how much of those were lawful targetings, but it's still twice as much as you assumed.

  • (Score: 0) by Anonymous Coward on Tuesday October 24 2017, @03:32AM (1 child)

    by Anonymous Coward on Tuesday October 24 2017, @03:32AM (#586706)

    The next decryption law is probably stuck on an encrypted phone.
    In other news: government is goin' all-in on non-transparent and non-accountable governance with undecipherable devices for civil servants.

    • (Score: 2, Insightful) by Anonymous Coward on Tuesday October 24 2017, @04:13AM

      by Anonymous Coward on Tuesday October 24 2017, @04:13AM (#586713)

      Can't wait for govt employees to switch to encrypted messaging to get around public records laws.

  • (Score: 5, Insightful) by hemocyanin on Tuesday October 24 2017, @05:06AM (3 children)

    by hemocyanin (186) on Tuesday October 24 2017, @05:06AM (#586725) Journal

    Which brands did they fail to access? That's what I want to know.

    • (Score: 1, Insightful) by Anonymous Coward on Tuesday October 24 2017, @07:27AM (1 child)

      by Anonymous Coward on Tuesday October 24 2017, @07:27AM (#586753)

      Sorry that information can not be revealed because it would help the terrorists and gangbanger pedophiles on PCP win.

      You can't withhold secrets from the government but they can sure withhold secrets from you.

      • (Score: 3, Funny) by DannyB on Tuesday October 24 2017, @02:43PM

        by DannyB (5839) Subscriber Badge on Tuesday October 24 2017, @02:43PM (#586876) Journal

        would help the terrorists and gangbanger pedophiles on PCP win.

        Did you mean PHP? Oh, wait. Nevermind.

        --
        The lower I set my standards the more accomplishments I have.
    • (Score: 2) by urza9814 on Wednesday October 25 2017, @01:37PM

      by urza9814 (3954) on Wednesday October 25 2017, @01:37PM (#587359) Journal

      Which brands did they fail to access? That's what I want to know.

      The ones they decided weren't worth the cost/effort of full analysis.

      7,000 phones that they "failed to access" could mean nothing more than a field agent hitting the unlock button, getting a password prompt, and deciding they didn't have enough evidence for a warrant or they had enough to lock the person up already and it therefore wasn't worth paying for their crypto experts to fully analyze that phone.

  • (Score: 3, Interesting) by Anonymous Coward on Tuesday October 24 2017, @06:10AM (3 children)

    by Anonymous Coward on Tuesday October 24 2017, @06:10AM (#586743)

    Bill Clinton banned the export of cryptographic techniques, on the basis that they were "arms". So, on the basis that I have the right to bear arms, I am encrypting everything.

    • (Score: 2) by DannyB on Tuesday October 24 2017, @02:48PM (1 child)

      by DannyB (5839) Subscriber Badge on Tuesday October 24 2017, @02:48PM (#586881) Journal

      An interesting problem that resulted was that you could leave the country with textbooks about encryption. These textbooks even had source code for some algorithms. Technically that was in violation of export laws. Because these textbooks were arms. But apparently the US didn't want to get into the business of stopping people carrying textbooks. At least in the early 90's. Not sure about today. That textbook might get you shot. Or at least beaten up.

      --
      The lower I set my standards the more accomplishments I have.
    • (Score: 2) by DeathMonkey on Tuesday October 24 2017, @06:15PM

      by DeathMonkey (1380) on Tuesday October 24 2017, @06:15PM (#586977) Journal

      Whenever you see the name "Clinton" on an internet forum you should take any statements of fact with a grain of salt.

      Bill Clinton banned the export of cryptographic techniques, on the basis that they were "arms". So, on the basis that I have the right to bear arms, I am encrypting everything.

      Surprise, you're wrong! [wikipedia.org]

      Since World War II, many governments, including the U.S. and its NATO allies, have regulated the export of cryptography for national security reasons, and, as late as 1992, cryptography was on the U.S. Munitions List as an Auxiliary Military Equipment.[2]

      Legal challenges by Peter Junger and other civil libertarians and privacy advocates, the widespread availability of encryption software outside the U.S., and the perception by many companies that adverse publicity about weak encryption was limiting their sales and the growth of e-commerce, led to a series of relaxations in US export controls, culminating in 1996 in President Bill Clinton signing the Executive order 13026[7] transferring the commercial encryption from the Munition List to the Commerce Control List. Furthermore, the order stated that, "the software shall not be considered or treated as 'technology'" in the sense of Export Administration Regulations. The Commodity Jurisdiction process was replaced with a Commodity Classification process, and a provision was added to allow export of 56-bit encryption if the exporter promised to add "key recovery" backdoors by the end of 1998. In 1999, the EAR was changed to allow 56-bit encryption and 1024-bit RSA to be exported without any backdoors, and new SSL cipher suites were introduced to support this (RSA_EXPORT1024 with 56-bit RC4 or DES). In 2000, the Department of Commerce implemented rules that greatly simplified the export of commercial and open source software containing cryptography, including allowing the key length restrictions to be removed after going through the Commodity Classification process.[8]

  • (Score: 2) by DannyB on Tuesday October 24 2017, @02:42PM

    by DannyB (5839) Subscriber Badge on Tuesday October 24 2017, @02:42PM (#586875) Journal

    If those silicone valley geeks can create perpetual motion machines and faster than light drives, why can't they develop an encryption system that is perfectly secure until the moment when a judge signs a warrant? That doesn't seem like too much to ask for. They could do it if they would only put their minds to it.

    (do I need an /s tag for that?)

    --
    The lower I set my standards the more accomplishments I have.
  • (Score: 3, Insightful) by meustrus on Tuesday October 24 2017, @05:00PM (1 child)

    by meustrus (4961) on Tuesday October 24 2017, @05:00PM (#586938)

    In a time when the government is committing criminal acts, is it not advisable for citizens to do what they can to protect themselves from that crime?

    Sure, but doesn't this belong in a comment? With it in the summary, comments are less likely to respond to this statement directly, which means the statement itself is a skewed version of the real commentary happening here.

    --
    If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
    • (Score: 2) by Phoenix666 on Tuesday October 24 2017, @07:35PM

      by Phoenix666 (552) on Tuesday October 24 2017, @07:35PM (#587045) Journal

      Maybe. But then, I'm only half-Vulcan, dammit!

      --
      Washington DC delenda est.