
SoylentNews is people

Politics
posted by Fnord666 on Sunday January 24 2021, @03:34AM

How Law Enforcement Gets Around Your Smartphone's Encryption:

Lawmakers and law enforcement agencies around the world, including in the United States, have increasingly called for backdoors in the encryption schemes that protect your data, arguing that national security is at stake. But new research indicates governments already have methods and tools that, for better or worse, let them access locked smartphones thanks to weaknesses in the security schemes of Android and iOS.

Cryptographers at Johns Hopkins University used publicly available documentation from Apple and Google as well as their own analysis to assess the robustness of Android and iOS encryption. They also studied more than a decade's worth of reports about which of these mobile security features law enforcement and criminals have previously bypassed, or can currently, using special hacking tools. The researchers have dug into the current mobile privacy state of affairs, and provided technical recommendations for how the two major mobile operating systems can continue to improve their protections.

"It just really shocked me, because I came into this project thinking that these phones are really protecting user data well," says Johns Hopkins cryptographer Matthew Green, who oversaw the research. "Now I've come out of the project thinking almost nothing is protected as much as it could be. So why do we need a backdoor for law enforcement when the protections that these phones actually offer are so bad?"

Before you delete all your data and throw your phone out the window, though, it's important to understand the types of privacy and security violations the researchers were specifically looking at. When you lock your phone with a passcode, fingerprint lock, or face recognition lock, it encrypts the contents of the device. Even if someone stole your phone and pulled the data off it, they would only see gibberish. Decoding all the data would require a key that only regenerates when you unlock your phone with a passcode, or face or finger recognition. And smartphones today offer multiple layers of these protections and different encryption keys for different levels of sensitive data. Many keys are tied to unlocking the device, but the most sensitive require additional authentication. The operating system and some special hardware are in charge of managing all of those keys and access levels so that, for the most part, you never even have to think about it.

With all of that in mind, the researchers assumed it would be extremely difficult for an attacker to unearth any of those keys and unlock some amount of data. But that's not what they found.

[...] The main difference between Complete Protection and AFU [(After First Use)] relates to how quick and easy it is for applications to access the keys to decrypt data. When data is in the Complete Protection state, the keys to decrypt it are stored deep within the operating system and encrypted themselves. But once you unlock your device the first time after reboot, lots of encryption keys start getting stored in quick access memory, even while the phone is locked. At this point an attacker could find and exploit certain types of security vulnerabilities in iOS to grab encryption keys that are accessible in memory and decrypt big chunks of data from the phone.

[...] The researchers shared their findings with the Android and iOS teams ahead of publication. An Apple spokesperson told WIRED that the company's security work is focused on protecting users from hackers, thieves, and criminals looking to steal personal information. The types of attacks the researchers are looking at are very costly to develop, the spokesperson pointed out; they require physical access to the target device and only work until Apple patches the vulnerabilities they exploit. Apple also stressed that its goal with iOS is to balance security and convenience.

[...] Similarly, Google stressed that these Android attacks depend on physical access and the existence of the right type of exploitable flaws. "We work to patch these vulnerabilities on a monthly basis and continually harden the platform so that bugs and vulnerabilities do not become exploitable in the first place," a spokesperson said in a statement. "You can expect to see additional hardening in the next release of Android."

[...] As long as mainstream mobile operating systems have these privacy weaknesses, though, it's even more difficult to explain why governments around the world—including the US, UK, Australia, and India—have mounted major calls for tech companies to undermine the encryption in their products.
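The difference between the Complete Protection and AFU states described in the summary above can be modelled in a few lines. This is an added example, not code from the article, the Johns Hopkins research, Apple or Google. The toy cipher, the PBKDF2 parameters, the file names and the passcode are constructed assumptions; real devices bind these keys to dedicated hardware.

```python
import hashlib, hmac, os

COMPLETE, AFU = "Complete Protection", "AFU"  # class names used in the article

def _subkeys(key):
    # Separate encryption and MAC keys derived from one wrapping key.
    return [hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac")]

def _stream(key, nonce, n):
    # Toy keystream (HMAC-SHA256 in counter mode), a stand-in for a real cipher.
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key, data):
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(enc, nonce, len(data))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or corrupted blob")
    return bytes(a ^ b for a, b in zip(ct, _stream(enc, nonce, len(ct))))

class Device:
    def __init__(self, passcode):
        self.salt = os.urandom(16)
        kek = self._kek(passcode)
        # At rest, class keys exist only wrapped under the passcode-derived key.
        self.wrapped = {c: seal(kek, os.urandom(32)) for c in (COMPLETE, AFU)}
        self.memory = {}   # class keys currently resident in RAM
        self.files = {}    # name -> (protection class, ciphertext)

    def _kek(self, passcode):
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, 50_000)

    def unlock(self, passcode):
        kek = self._kek(passcode)
        # Unwrap everything first so a wrong passcode leaves memory untouched.
        self.memory.update({c: unseal(kek, b) for c, b in self.wrapped.items()})

    def lock(self):
        self.memory.pop(COMPLETE, None)  # evicted on lock; the AFU key stays

    def reboot(self):
        self.memory.clear()              # back to "before first unlock"

    def write(self, name, cls, data):
        self.files[name] = (cls, seal(self.memory[cls], data))

    def readable_from_memory(self):
        # Files decryptable by anything that can read RAM, without the passcode.
        readable = []
        for name, (cls, blob) in self.files.items():
            if cls in self.memory:
                unseal(self.memory[cls], blob)  # raises if the key were wrong
                readable.append(name)
        return sorted(readable)

def exposure_by_state():
    d = Device("constructed-passcode")
    d.unlock("constructed-passcode")
    d.write("health.db", COMPLETE, b"constructed sample record")
    d.write("messages.db", AFU, b"constructed sample message")
    states = {"unlocked": d.readable_from_memory()}
    d.lock()
    states["locked_after_first_unlock"] = d.readable_from_memory()
    d.reboot()
    states["before_first_unlock"] = d.readable_from_memory()
    return states

if __name__ == "__main__":
    print(exposure_by_state())
```

In this model, only a reboot returns the locked device to the state where no class key is resident in memory.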


  • (Score: -1, Offtopic) by Anonymous Coward on Sunday January 24 2021, @03:59AM

    by Anonymous Coward on Sunday January 24 2021, @03:59AM (#1104394)

    who dat at mah door?

  • (Score: 3, Insightful) by multistrand on Sunday January 24 2021, @04:47AM (24 children)

    by multistrand (13836) on Sunday January 24 2021, @04:47AM (#1104401)

    Everything about phones gets increasingly annoying. We pay for the hardware. Then we pay for a plan. Then we pay with our personal data so that ads can be targeted. And last, because the end user is less of a customer and more a product, we can pay with our freedoms to any moderately sophisticated government in the world.

    • (Score: 0, Troll) by Anonymous Coward on Sunday January 24 2021, @05:05AM (22 children)

      by Anonymous Coward on Sunday January 24 2021, @05:05AM (#1104405)

      My phone is out of my control the last few days. It keeps having me follow the White House on insta even though I've blocked it 5 times. Every morning I wake up and it is resubscribed. All the comments there are people saying they are forced to follow it too.

      • (Score: 3, Funny) by aristarchus on Sunday January 24 2021, @05:16AM (20 children)

        by aristarchus (2645) on Sunday January 24 2021, @05:16AM (#1104406) Journal

        No wonder, if you are stupid enough to own an iPhone! Walled Garden much? Do you even know who Parler is leaking your location to?

        • (Score: 2, Interesting) by Anonymous Coward on Sunday January 24 2021, @05:21AM (14 children)

          by Anonymous Coward on Sunday January 24 2021, @05:21AM (#1104408)

          Are you suggesting it's our fault we are being abused? Forcing people to follow an account so they seem more popular is literally slavery. And most people this is happening to are PoCs. It is scary shit.

          You are a victim-blaming fascist beast.

          • (Score: 0, Funny) by Anonymous Coward on Sunday January 24 2021, @05:35AM (4 children)

            by Anonymous Coward on Sunday January 24 2021, @05:35AM (#1104415)

            Nonsense. Libertarians everywhere recognize that cell phones are a luxury. For example, the government has no business picking winners and funding cell phones for homeless and low-income people. If you think you can design a better cell phone, then why aren't you doing it? It sounds like it could make you rich. Instead here you are pissing and moaning about it. No wonder you're not rich. Opportunity stares you right in the face and you whinge "waaaaa but its not faaaaare"!

            • (Score: -1, Flamebait) by Anonymous Coward on Sunday January 24 2021, @05:41AM (1 child)

              by Anonymous Coward on Sunday January 24 2021, @05:41AM (#1104419)

              You are another victim blaming piece of shit that doesn't care about literal enslavement of PoCs in front of your eyes.

              Here is your chance to help some people by fighting authoritarians and you instead write BS about irrelevant crap? Fuck off.

              • (Score: 0) by Anonymous Coward on Sunday January 24 2021, @05:47AM

                by Anonymous Coward on Sunday January 24 2021, @05:47AM (#1104420)

                so #salty

            • (Score: 0) by Anonymous Coward on Sunday January 24 2021, @07:26AM (1 child)

              by Anonymous Coward on Sunday January 24 2021, @07:26AM (#1104434)

              Nonsense. Conservatards everywhere falsely believe that cell phones are a luxury. For example, the government, by definition, should be funding cell phones for homeless and low-income people. If you think you can design a better cell phone, then why aren't you doing it? It sounds like it could make you rich. Instead here you are pissing and moaning about the "wrong people" getting cell phones. No wonder you're not rich. Opportunity stares you right in the face and you whine "waaaaa but its not faaaaare"!

              • (Score: 0) by Anonymous Coward on Sunday January 24 2021, @08:32AM

                by Anonymous Coward on Sunday January 24 2021, @08:32AM (#1104444)

                Could you summarize this video into bullet points please?

                Thanks in advance!

          • (Score: 3, Interesting) by Runaway1956 on Sunday January 24 2021, @06:05AM (8 children)

            by Runaway1956 (2926) Subscriber Badge on Sunday January 24 2021, @06:05AM (#1104425) Homepage Journal

            Are you suggesting it's our fault we are being abused?

            Why, yes. If GP didn't suggest it, then I will. Didn't you run out, and plop down good money for your status symbol? You pay for the "privilege" of staying in touch with - whatever? Did you buy into Apple's walled garden, or did you buy into Google's slightly-less-walled garden? Don't you have that Facebook account? Which entity, exactly, is "forcing" you to follow the White House? Which social media account is doing it? Or, which telco is doing it?

            You're paying for the abuse, so you can stop whining. If a workmate pays a dominatrix to abuse him, I'm not going to listen to him whine about how harsh she was on him. Fuck off, Bubba. If you don't like the service, vote with your feet, vote with your wallet.

            Do you need a little help getting out of your abusive relationship(s)? Try these resources:

            https://en.wikipedia.org/wiki/List_of_open-source_mobile_phones [wikipedia.org]
            https://itsfoss.com/open-source-alternatives-android/ [itsfoss.com]
            https://www.pine64.org/pinephone/ [pine64.org]
            https://puri.sm/products/librem-5/ [puri.sm]
            https://linuxsmartphones.com/ [linuxsmartphones.com]

            If none of those are the solution you need, they should at least point you in a direction that you should find useful.

            Toss the NSA monitoring device, break off your relation with whoever, and start life afresh.

            Or - just toss the damned cell phone. Millions of Americans still survive without a cell phone. Toss it, if you find it to be abusive. Stop paying to be abused. If you won't stop paying, then just stop complaining about being abused. Your dominatrix must be providing a better service than you are willing to admit to yourself. In which case, you need to admit that you like those welts across your ass, and own them.

            --
            Abortion is the number one killer of children in the United States.
            • (Score: 0) by Anonymous Coward on Sunday January 24 2021, @06:19AM (5 children)

              by Anonymous Coward on Sunday January 24 2021, @06:19AM (#1104428)

              Which is forcing us? Instagram. Probably paid by the government to do it.

              Did you read the post?

              The rest of your response is the same as telling people it is their own fault they are enslaved since they could just die instead so that is their own choice.

              • (Score: 0) by Anonymous Coward on Sunday January 24 2021, @07:43AM (2 children)

                by Anonymous Coward on Sunday January 24 2021, @07:43AM (#1104437)

                Um. Here's a thought:

                STOP. USING. INSTAGRAM.

                (Or just keep using it and bitching about it since you seem to like being abused so much. I think I know which choice you'll make...)

                But I'm just some dumb AC that isn't getting abused by instagram so what the hell do I know? *shrugs*

              • (Score: 2) by Runaway1956 on Sunday January 24 2021, @09:01AM (1 child)

                by Runaway1956 (2926) Subscriber Badge on Sunday January 24 2021, @09:01AM (#1104447) Homepage Journal

                People who are actually enslaved probably don't enslave themselves. OK, maybe some of them put themselves into that situation through their own stupid decisions. Not really likely, though.

                You bought the phone? You pay the monthly charges? You probably buy the new shiny after 2, 3, 4 years of use? If you are "enslaved", you have chosen to enslave yourself. I offered some alternatives above.

                Keep whining. I do enjoy librul tears. I could grow to like Instagram whiner's tears. Or whichever software you choose to cry about next. Google, Facebook, Twitter, or you can single out the abusive shit installed by your telco, it doesn't matter. Your "smart phone" keeps you under surveillance, all day, every day. Your smart phone records data on you to benefit dozens of corporations, while at the same time, collecting evidence so the police can convict you of any future crimes you might commit.

                /sarcasm But, you're forced to carry that phone. You're enslaved. I feel so sorry for you! /sarcasm

                --
                Abortion is the number one killer of children in the United States.
                • (Score: 0) by Anonymous Coward on Sunday January 24 2021, @11:10AM

                  by Anonymous Coward on Sunday January 24 2021, @11:10AM (#1104453)

                  Keep whining. I do enjoy librul tears

                  I think you misspelled the QAnons tears

            • (Score: 2) by JoeMerchant on Sunday January 24 2021, @09:59PM

              by JoeMerchant (3937) on Sunday January 24 2021, @09:59PM (#1104559)

              Oblig: https://xkcd.com/538/ [xkcd.com]

              --
              Ukraine is still not part of Russia. Glory to Ukraine 🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
            • (Score: 1, Insightful) by Anonymous Coward on Monday January 25 2021, @02:14AM

              by Anonymous Coward on Monday January 25 2021, @02:14AM (#1104590)

              Toss the NSA monitoring device

              Reeaaaal easy to keep a job and rent shelter without a cellphone in today's world, bub. Reaaaal easy. /s

        • (Score: 0) by Anonymous Coward on Sunday January 24 2021, @05:29AM (2 children)

          by Anonymous Coward on Sunday January 24 2021, @05:29AM (#1104412)

          Yeah, Android phones are famous for being kept up-to-date and for security of personal information by design. (rolls eyes)

          • (Score: 0) by Anonymous Coward on Sunday January 24 2021, @04:34PM

            by Anonymous Coward on Sunday January 24 2021, @04:34PM (#1104501)

            Android updates are more granular. The play store is continually updating modular parts of the software. It is not a 'taa daa here is something totally new' process like Apple promotes on their gadgets.

          • (Score: 2) by janrinok on Monday January 25 2021, @01:49PM

            by janrinok (52) Subscriber Badge on Monday January 25 2021, @01:49PM (#1104703) Journal

            That appears to be a local problem for you.

            My Android is updated regularly - at least monthly. I have switched off / removed numerous default apps and have tied down the permissions that the remaining apps have access to. And I don't use it for any social media.

        • (Score: 4, Informative) by stretch611 on Sunday January 24 2021, @06:27PM (1 child)

          by stretch611 (6199) on Sunday January 24 2021, @06:27PM (#1104514)

          Well, right now, Parler is leaking your location to the Russian government.

          After all, their new web host has links to the Ruskies.

          --
          Now with 5 covid vaccine shots/boosters altering my DNA :P
          • (Score: 1, Insightful) by Anonymous Coward on Monday January 25 2021, @12:10PM

            by Anonymous Coward on Monday January 25 2021, @12:10PM (#1104672)

            Not that I use Parler, but so what? I, and I'm guessing most people on this site, don't live in Russia, don't plan to go to Russia and start criticizing their government on Parler, and as such this is without downside for non-Russians. Anyway, the NSA has the capability to track at least 90%+ of the population reliably, even if they don't necessarily know or care who everyone is all the time.

      • (Score: 0) by Anonymous Coward on Sunday January 24 2021, @05:27AM

        by Anonymous Coward on Sunday January 24 2021, @05:27AM (#1104410)

        #salty tears

    • (Score: 0) by Anonymous Coward on Sunday January 24 2021, @05:30AM

      by Anonymous Coward on Sunday January 24 2021, @05:30AM (#1104413)

      Then stop buying them.

  • (Score: -1, Troll) by Ethanol-fueled on Sunday January 24 2021, @05:41AM

    by Ethanol-fueled (2792) on Sunday January 24 2021, @05:41AM (#1104418) Homepage

    JHU.edu is a big-time DARPA collaborator similarly to the Bolshevik shitbags at MIT. If they're pretending to give a shit about Android/iOS security, it means some combination of two things: (1) they know for certain that the bugs they injected have already been identified by foreigners they don't like and/or (2) They no longer have a use for bug insertion when deep state-run "secure" apps like Signal are selling everything off to the DIA, 5 eyes, or the Jews anyway. The devil you know vs the devil you don't etc. Also:

    " 'It just really shocked me, because I came into this project thinking that these phones are really protecting user data well,' says Johns Hopkins cryptographer Matthew Green, who oversaw the research. "

    Oy Vey, I'm shocked, totally shocked! Now we'll have to collaborate with China to make some new exploits!

  • (Score: 1, Insightful) by Anonymous Coward on Sunday January 24 2021, @11:53AM (6 children)

    by Anonymous Coward on Sunday January 24 2021, @11:53AM (#1104457)

    Me: The government is out there spying on me

    You: If you have nothing to fear then you have nothing to hide

    Me: I fear they are wasting my taxpayer money.

    • (Score: 0) by Anonymous Coward on Sunday January 24 2021, @11:58AM (5 children)

      by Anonymous Coward on Sunday January 24 2021, @11:58AM (#1104459)

      I guess if they hired unpaid volunteers to spy on everyone then I wouldn't really mind. Or if private corporations were the ones paying for it.

      Also I speak two other languages. I imagine most of the 'government spies' are monolingual. So that means they have to hire a translator every time I am speaking to someone in another language which, I fear, is an even bigger waste of my taxpayer money. Why should I have to confine myself to English only just to make their spying cheaper on me.

      • (Score: -1, Troll) by Anonymous Coward on Sunday January 24 2021, @12:40PM (2 children)

        by Anonymous Coward on Sunday January 24 2021, @12:40PM (#1104462)

        Right now the government is talking about implementing a huge surveillance spy program against 'political extremists' such as 'libertarians' and while these people are not really breaking any laws and they are probably among the most boring people to spy on my question is who is going to pay for all of this spying? Why should I have to pay for it?

        Perhaps they can manage to convince unpaid volunteers that this somehow looks good on their resume. I'm sure there are some people out there dumb enough to believe this. Heck, it might not even be that dumb on the part of job applicants, there might be employers out there dumb enough to consider such volunteers a plus on a resume depending on how you list it. But I don't feel like I should have to pay for this.

        • (Score: -1, Troll) by Anonymous Coward on Sunday January 24 2021, @07:08PM (1 child)

          by Anonymous Coward on Sunday January 24 2021, @07:08PM (#1104524)

          Except that libertarians are, generally, intending to break any and every law that inconveniences them regardless of its fairness or necessity. If you're looking for lawbreakers or incipient insurrectionists, it's really low-hanging fruit. Trotskyists at least believe in government, but that its priorities are wack for now. Ethics, look it up.

          • (Score: 0) by Anonymous Coward on Monday January 25 2021, @03:10AM

            by Anonymous Coward on Monday January 25 2021, @03:10AM (#1104605)

            Because anyone you disagree with should be considered guilty until proven innocent.

      • (Score: 0) by Anonymous Coward on Sunday January 24 2021, @01:03PM (1 child)

        by Anonymous Coward on Sunday January 24 2021, @01:03PM (#1104466)

        They're going to have to hire people that can interpret the texts of half-literates and emoji-addicts. And spanglish, various vernaculars, acronyms, jargon, etc.

        • (Score: 0) by Anonymous Coward on Monday January 25 2021, @02:55PM

          by Anonymous Coward on Monday January 25 2021, @02:55PM (#1104725)

          I can't think of a better use of my taxpayer money!!!! (sarcasm of course for government officials that think I'm actually being serious). Where do I sign up to get paid for this?

  • (Score: 0) by Anonymous Coward on Sunday January 24 2021, @12:57PM

    by Anonymous Coward on Sunday January 24 2021, @12:57PM (#1104464)

    TFS seems to state pretty clearly that this only applies to situations in which you lose physical access to the device. In that situation, it should always be assumed that you will be compromised, regardless of encryption methods. The main security focus for the smartphone OS vendors should be protecting against remote attacks, NFC/bluetooth/wifi/usb exploits etc, because those are the type that will be encountered by the vast majority of their customers. If you have sensitive information that must be protected, you should already know better.

  • (Score: 2) by Username on Sunday January 24 2021, @03:14PM

    by Username (4557) on Sunday January 24 2021, @03:14PM (#1104490)

    And if the target doesn't align with their politics, then they will grant you access.

  • (Score: 5, Informative) by srobert on Sunday January 24 2021, @04:44PM

    by srobert (4803) on Sunday January 24 2021, @04:44PM (#1104503)

    "So why do we need a backdoor for law enforcement when the protections that these phones actually offer are so bad?"

    You don't. But by asking for one you create the illusion that you would need it. With the objective being that "the bad guys" will be overly confident that their communications are already sufficiently secure.
