SOCNET
#1, 23 November 2018, 09:54
Fu King Lawyer (Been There Done That; joined Jul 2009; location: ...; 1,744 posts)
Cracking cell phones

Back in 2016 - we were still having trouble cracking into iPhone 8s and above. The "trouble" was more authenticating the data for later use in court, as opposed to getting into the device - but that was still very difficult.

I see now that Grayshift and Cellebrite are able to get in and the data gleaned is apparently reliable enough to use as trial evidence.

https://www.whio.com/news/local/loca...FsJmOJjO04TJK/

The retired FBI agent/attorney quoted for the article should remember that we have a federal criminal statute (18 USC 242) that will jam up any cop who fails to have probable cause/warrant to look at contents of communications stored in the device.

The whole thing reminds me of Cincinnati Microwave vs highway patrols and how traffic speed radars and Fuzzbuster detectors would leapfrog each other on a more or less annual basis. Agencies and drivers were constantly buying new equipment to keep ahead of the other's technology.
#2, 23 November 2018, 10:32
SHHINT (Amaint de Merde; joined Feb 2002; location: CA, USA; 1,188 posts)
Regardless, I hate working mobile devices....pretty much defer to anyone else now.
#3, 23 November 2018, 18:03
Spinner (Pele's Bucket of Fire?...never heard of it; joined Nov 2003; location: Chicagoland; 13,353 posts)
Lester Freamon made it all seem so easy on The Wire.
__________________
"This is supposed to be a happy occasion! Let's not bicker and argue over who killed who!"
#4, 24 November 2018, 08:35
Polypro (BTDT; joined Oct 1999; location: A Noisy Bar In Avalon; 15,184 posts)
I don't know how iPhones handle security as I am not a user. But all I saw in the article was a *powered on* phone's *passcode* being bypassed. 99.9% of the public is using a 4-digit passcode - not very difficult in today's times.

I'd like to see how it does from a powered-off state, and with a 17-character full-ASCII password?

Fingerprints are stupid, don't use them - I think the iPhone requires a passcode initially, then you can add fingerprints - which means either one can be attacked.

I have a Nexus 5 I'll give to any LE agency to try to get into from a powered-off state. It's pre-boot encrypted using LUKS with about a 42-character random string - the screen lock password is 17 characters random. Hit me up if you think you can get in.

Always power off - if you can. I realize you can be jumped as you're using it, but power off if possible (which is more cumbersome to do with Apple products IIRC, compared to Android).

Edit:
Quote:
Press and hold the Side button and either volume button until the slider appears.

Drag the slider to turn your device completely off.
__________________

WHO lauds lockdown-ignoring Sweden as a ‘model’ for countries going forward.

By Jackie Salo, NY Post

April 29, 2020 | 3:24pm

Next...

#5, 24 November 2018, 11:41
Xdeth (Been There Done That; joined Jun 2002; location: Boston, MA <-> Jacksonville, NC; 5,255 posts)
Quote:
Originally Posted by Polypro
I don't know how iPhones handle security as I am not a user...
It handles it well but, as usual, the weakness is the user. You can choose long alphanumeric codes or something easy; six numbers I think is a default. Rate limiting has been the decisive feature they added, so that even covering a space of 20 bits takes years. I understand this is the mechanism under attack by newer approaches.
__________________
"First, decide who you would be. Then, do what you must do." -Epictetus
#6, 24 November 2018, 15:39
CV (Authorized Personnel; joined Apr 2003; location: US; 8,823 posts)
Hemming up a cop that doesn't get adequate probable cause still won't prevent the abuse in the first place. The article sums up the entire back and forth by stating this is an arms race. The only side that suffers though is the user/consumer. Privacy is a monster and is getting bigger. Europe is already light-years ahead of the US, which is sad and ironic... considering we try to sell "Freedom".

I think your post FKL is more just a general conversation about cracking phones? It's a Coke/Pepsi debate, but I've seen more reverse engineers crush Android than iOS. It will continue to be the prime target of good and bad guys as folks use their phones for just about everything now.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo
#7, 24 November 2018, 22:04
Fu King Lawyer (Been There Done That; joined Jul 2009; location: ...; 1,744 posts)
Quote:
Originally Posted by CV
Hemming up a cop that doesn't get adequate probable cause still won't prevent the abuse in the first place. The article sums up the entire back and forth by stating this is an arms race. The only side that suffers though is the user/consumer. Privacy is a monster and is getting bigger. Europe is already light-years ahead of the US, which is sad and ironic... considering we try to sell "Freedom".

I think your post FKL is more just a general conversation about cracking phones? It's a Coke/Pepsi debate, but I've seen more reverse engineers crush Android than iOS. It will continue to be the prime target of good and bad guys as folks use their phones for just about everything now.
Yes, Sir. It was a general comment, along with the fact that I was surprised that apparently it took 2 years to get to the point they were able to authenticate data mirrored from iOS 8 and up for use in court. Also, I agree with your comment; at least back in my time, Android always seemed easier to get to.
#8, 25 November 2018, 09:57
Polypro (BTDT; joined Oct 1999; location: A Noisy Bar In Avalon; 15,184 posts)
Quote:
Originally Posted by Fu King Lawyer
Android always seemed easier to get to.
Some notes on Android: up until very recently, Android wasn't encrypted by default; the user had to go into 'Security' and then 'Encrypt Phone'. 99.9% (the same percentage that uses '1234' as a screen lock on all platforms) would never do that. Combined with the fact that Android, due to it being free, is able to run on *any* phone, it's no wonder that it seems like every Android was easily cracked.

The proper way would be for the user to immediately come up with a 17-character "random" (to everyone but you; you obviously have to be able to store it in long-term memory) ASCII string (letters, numbers, punctuation) to use as a screen unlock password. This, in turn, is what is used to encrypt the SSD with pre-boot authentication. Due to user-level limitations in Android, this is as long as the password can be, but 17 random is pretty good: thousands of years to brute force.

Nerds, on the other hand, would do as above, but then immediately install the app EncPassChanger or CryptFS (or use terminal commands) and then change that 17-character password that is being used for disk encryption to one that is as long as you feel like typing in when booting from a powered-off state (your screen unlock still stays at 17). You are now up to millions of years to brute force. Android is Linux; Linux uses LUKS for encryption; LUKS is really good encryption.

Like Xdeth said, if the end user is a nug, '1234' gets you owned no matter what phone/platform you have. I personally would choose LineageOS or a custom security build of Android on a Nexus 5 or 7 (those devices specifically have an app that will also let you lock/unlock the bootloader on the fly = more security) if I was Dr. Evil and wanted LASER beams on sharks' heads. Linux is really powerful, if you know how to use it.
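As an added illustration of the arithmetic behind Xdeth's point about rate limiting (post #5) and Polypro's passcode lengths above (example code written for this page, not anything posted in the thread), the following computes keyspace size and worst-case time to exhaust it with and without lockout throttling. The escalating delay schedule and the guess rates are assumptions chosen to be illustrative, not vendor figures.

```python
import math

# Added example (not from the thread): keyspace and brute-force-time arithmetic.
# The lockout schedule below is an ASSUMED illustration of iOS-style escalating
# delays, not Apple's documented values.

SECONDS_PER_YEAR = 365.25 * 86400


def lockout_delay(attempt: int) -> int:
    """Seconds the device enforces before wrong-guess attempt number `attempt`.
    Assumed schedule: attempts 1-4 immediate, then 1 min, 5 min, 15 min,
    15 min, and one hour for every attempt after that."""
    if attempt <= 4:
        return 0
    return {5: 60, 6: 300, 7: 900, 8: 900}.get(attempt, 3600)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random secret of `length` symbols."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       guesses_per_second: float, throttled: bool) -> float:
    """Worst case: time to try every candidate. With throttling each guess also
    pays the lockout delay; without it (the mechanism Xdeth describes as under
    attack, or an offline attack on extracted storage) only throughput matters."""
    candidates = alphabet_size ** length
    total = candidates / guesses_per_second
    if throttled:
        first = min(candidates, 8)
        total += sum(lockout_delay(i) for i in range(1, first + 1))
        total += max(0, candidates - 8) * lockout_delay(9)
    return total


def describe(seconds: float) -> str:
    """Human-readable duration for the summary table."""
    if seconds < 3600:
        return f"{seconds:.4g} s"
    if seconds < 2 * 86400:
        return f"{seconds / 3600:.1f} h"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


# Schemes mentioned in the thread. 95 = printable ASCII (letters, digits,
# punctuation); the 42-character LUKS passphrase is assumed to use that set too.
SCHEMES = [
    ("4-digit PIN", 10, 4),
    ("6-digit PIN", 10, 6),
    ("17-char printable ASCII", 95, 17),
    ("42-char printable ASCII (LUKS)", 95, 42),
]


def summarise(online_rate: float = 10.0, offline_rate: float = 1e9):
    """Rows of (name, bits, seconds with throttling, seconds without). Rates are
    assumptions: ~10 guesses/s at a lock screen, ~1e9/s against extracted storage."""
    return [(name, keyspace_bits(a, n),
             seconds_to_exhaust(a, n, online_rate, True),
             seconds_to_exhaust(a, n, offline_rate, False))
            for name, a, n in SCHEMES]


if __name__ == "__main__":
    for name, bits, slow, fast in summarise():
        print(f"{name:31s} {bits:6.1f} bits | throttled: {describe(slow):>11s}"
              f" | unthrottled/offline: {describe(fast)}")
```

The 6-digit row comes out near 20 bits and over a century with throttling in place, which is Xdeth's point; the 4-digit row drops to well under a day once the throttle is gone, which is why the longer passphrases in the thread are the only rows that survive both columns.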
#9, 25 November 2018, 19:24
Fu King Lawyer (Been There Done That; joined Jul 2009; location: ...; 1,744 posts)
Apple was also relatively easy to crack if you had the money and the political push; for instance, in the San Diego terrorist attack, rumor had it that it was a million bucks.

https://www.npr.org/sections/alltech...-on-encryption

There were times when it was possible to get into the cell phone device through "favors", but nobody was willing afterwards to come into court and establish the equivalent of the "hash" (computer imaging)

https://www.forensicon.com/resources...drive-imaging/

and therein was the reason for my frustration: the data does very little good if you can't get the "image" in front of the jury and establish the admissibility of what you found. Lawyer shit, I know...
#10, 25 November 2018, 19:47
Macka (Confirmed User; joined Sep 2001; location: New England; 2,757 posts)
Quote:
Originally Posted by Polypro
Like Xdeth said, if the end user is a nug, '1234' gets you owned no matter what phone/platform you have.
Or like my criminal mastermind from last summer who had two phones, one Apple, one Android. When we did a SW on his car and seized the phones (which were listed on the warrant), we discovered them both to be unlocked! Too easy.
__________________
Freedom costs a Buck 0-5
#11, 26 November 2018, 09:40
Zamir (Looking for work...; joined Jun 2008; location: Midwest; 620 posts)
Quote:
Originally Posted by Fu King Lawyer
Back in 2016 - we were still having trouble cracking into iPhone 8s and above. The "trouble" was more authenticating the data for later use in court, as opposed to getting into the device - but that was still very difficult.

I see now that Grayshift and Cellebrite are able to get in and the data gleaned is apparently reliable enough to use as trial evidence.

https://www.whio.com/news/local/loca...FsJmOJjO04TJK/

The retired FBI agent/attorney quoted for the article should remember that we have a federal criminal statute (18 USC 242) that will jam up any cop who fails to have probable cause/warrant to look at contents of communications stored in the device.

The whole thing reminds me of Cincinnati Microwave vs highway patrols and how traffic speed radars and Fuzzbuster detectors would leapfrog each other on a more or less annual basis. Agencies and drivers were constantly buying new equipment to keep ahead of the other's technology.
When I was in charge of CID... our guys used Cellebrite to crack phones all the time. If we ever ran into any issues, we could call a tech on the phone and he/she would help if we hit a roadblock. The calls, content and people we spoke with were also documented in case they needed to be subpoenaed.

We had no issues with using intel we pulled from phones being admissible in court or used to obtain search/arrest warrants (along with other information, not just stand-alone).
#12, 26 November 2018, 15:31
Fu King Lawyer (Been There Done That; joined Jul 2009; location: ...; 1,744 posts)
Quote:
Originally Posted by Zamir
When I was in charge of CID... our guys used Cellebrite to crack phones all the time. If we ever ran into any issues, we could call a tech on the phone and he/she would help if we hit a roadblock. The calls, content and people we spoke with were also documented in case they needed to be subpoenaed.

We had no issues with using intel we pulled from phones being admissible in court or used to obtain search/arrest warrants (along with other information, not just stand-alone).
Zamir, along with a couple others, we bought and used their products/services too, and as you mention they were good. The issue above centers on the encryption as each new operating system is released and the fact that the companies have to figure out a way through each new encryption. The companies that do the cracking first have to find a way to break the encryption. Then there is sort of a "gap" after that happens before the companies are able to provide evidence that the image is the same as the device and prove it is reliable. Per the links above, it appears it was about 2 years before they were able to push out to agencies the program to crack iOS 8 and above. With both the San Diego terrorist and his wife dead, apparently in that case the FBI felt the intel so valuable that even if inadmissible, it was worth paying for the crack. That is all that I was commenting upon. v/r fkl
#13, 26 November 2018, 16:46
Sharky (Administrator; joined Dec 1999; location: SOCNET; 20,692 posts)
I used Cellebrite for years and know Jordan Jacobs well. Cellebrite and STRIKE used to be joined at the hip. Cellebrite works great on some phones and not so great on others. Celldek is another good platform.

Our issue was always time. We were working SSE on target mostly so if you couldn't get it fast you had to just go to the next one and let the JDEC play with it in the rear where time isn't an issue. Luckily, Hajji usually wasn't that security savvy most of the time.
__________________
I was born my papa's son
When I hit the ground I was on the run
I had one glad hand and the other behind
You can have yours, just give me mine
When the hound dog barkin' in the black of the night
Stick my hand in my pocket, everything's all right

-ZZ Top
#14, 26 November 2018, 23:42
just11b (Authorized Personnel; joined Mar 2011; location: Mt. Wannahockaloogie; 2,241 posts)
Someone would be pretty disappointed to crack/hack my phone and/or computer. It would be more of that person's life wasted than mine was when I heard of a singer called Post Malone. So, hack/crack/track, IDGAF anymore.
__________________
A real native is someone who is willing to die fighting for his country. There's nothing more to it.
William Poole
#15, 27 November 2018, 10:01
Sharky (Administrator; joined Dec 1999; location: SOCNET; 20,692 posts)
Quote:
Originally Posted by just11b
Someone would be pretty disappointed to crack/hack my phone and/or computer. It would be more of that person's life wasted than mine was when I heard of a singer called Post Malone. So, hack/crack/track, IDGAF anymore.
It's not really something people do as a hobby.
#16, 27 November 2018, 18:34
Sado_1 (Cynical and Grumpy; joined Mar 2016; location: Anywhere, USA; 223 posts)
Quote:
Originally Posted by Fu King Lawyer
Back in 2016 - we were still having trouble cracking into iPhone 8s and above. The "trouble" was more authenticating the data for later use in court, as opposed to getting into the device - but that was still very difficult.

I see now that Grayshift and Cellebrite are able to get in and the data gleaned is apparently reliable enough to use as trial evidence.

The retired FBI agent/attorney quoted for the article should remember that we have a federal criminal statute (18 USC 242) that will jam up any cop who fails to have probable cause/warrant to look at contents of communications stored in the device.
I work in investigations that require this process almost daily. Cellebrite is a bit outdated, as new software was launched in response to Apple's heightened security via their new devices (8 series and later) and after the 11.0 update, which affected our ability to bypass passwords. There was some general panic for a few months on Apple-specific devices for this until a forensic software company aided us in a specific method used to bypass this feature they developed. But in sum, yes... we are constantly battling keeping up with the ages. In law enforcement with regards to digital forensics and such, my struggle has never been search warrants or the validity of the information or data I have retrieved; rather, retrieving data from some of the so-called encrypted apps available now who claim to have no storage servers to retrieve said data... certain apps make our lives nightmares while others featured to be secure for a user are not. Right now, we do possess the technology to bypass codes and even facial recognition security measures with the 10 series and such. It just means that you will probably never get your phone back and your phone will be destroyed in the process, but it is possible and in most cases, highly probable. In response to some of the legal aspects... I would never enter any device unless I had the PC to do it.
Generally I have a search warrant to take the device and to inspect its contents initially, and then once I find some things I am looking for, I obtain a second search warrant for the forensic processes. I used to do one massive search warrant, also referred to as a hybrid, which included verbiage for every possible process that could be necessary from start to finish, but many judges are now moving away from that and requiring often several for the same devices as we go along to protect themselves.
__________________
"The space between life and death, that is where we are most alive"- Floki
#17, 27 November 2018, 20:11
Fu King Lawyer (Been There Done That; joined Jul 2009; location: ...; 1,744 posts)
"It just means that you will probably never get your phone back and your phone will be destroyed in the process"

Forgive me? When you know you are going to destroy a suspect's property during the execution of the warrant, do you obtain a court order allowing you to do so? Just asking...
#18, 28 November 2018, 00:02
Bakertaylor28 (On the Extract Bird; joined Nov 2018; location: Fort Worth, Texas; 5 posts)
None of this makes much of a difference in the first place: the warrant clause of the Constitution is rather clearly established law at this point with respect to cell phones. Riley v. California, 573 U.S. __ (2014) was the first big case on the topic, with Carpenter v. United States, No. 16-402, 585 U.S. ____ (2018) being the last one. These cases rather have the implication that even if the police break into a phone without a warrant, they can't really use the data without having been caught doing it, with a hefty 42 USC 1983 judgment to boot. That said, container encryption is a far easier bet than device encryption. Try hacking a .7z file for starters.
#19, 28 November 2018, 00:26
Silverbullet (Administrator; joined Aug 2000; location: Bunker; 16,407 posts)
Dude, you're an annoying know it all.

Worse, you think we're unaware and need you to educate us.

Banned
#20, 28 November 2018, 08:42
Polypro (BTDT; joined Oct 1999; location: A Noisy Bar In Avalon; 15,184 posts)
Quote:
Originally Posted by Macka
Or like my criminal mastermind from last summer who had two phones, one Apple, one Android. When we did a SW on his car and seized the phones (which were listed on the warrant), we discovered them both to be unlocked! Too easy.
Yup - criminals still got caught after gloves were invented