How Law Enforcement Get Past Phone Encryption
by Anthony W. Accurso
Reporting from Wired shows how researchers at Johns Hopkins University looked into vulnerabilities in Apple and Android phones and how they can be exploited by groups like law enforcement and other government actors.
Cryptographers at Johns Hopkins analyzed the current state of encryption, the technology used to keep data on our phones safe, and how Apple and Google implement this technology in ways that can be circumvented. They also conducted a retrospective study of vulnerabilities discovered in the last decade, including how those vulnerabilities were exploited by various government agencies.
This study is important because government agencies, most notably the FBI, keep pushing for tools to entirely circumvent phone encryption, claiming this is necessary to keep the public safe from criminals and terrorists.
Both types of phones have defaults that protect user data through encryption. This can be seen as a set of “keys” that lock and unlock personal data as needed by software running on the phone any time a user provides their face, fingerprint, or password. In most cases, this means that someone trying to copy data from a phone will see only the operating system files, but any user data will look like random gibberish.
These keys are stored in a protected space in the device’s memory, making them difficult to access. However, on both Apple and Android, many of these keys are moved to unprotected (or less protected) areas after the phone has been unlocked for the first time after rebooting. This can be verified by having a friend call your phone after you reboot it. Before you unlock your phone the first time after the reboot, only the contact’s number—but not their name—will be displayed. That’s because the contact list is protected until after the first unlock.
Once these keys have been moved out of protected memory, it is much easier for a software researcher to identify and exploit a vulnerability that will pull private data from the phone.
Apple does have an option for developers to place the keys back into protected mode—say for a banking app—but this isn’t always implemented in the software. Things are more complicated on Android because it is run on so many different devices, and this includes older phone models that no longer receive security updates.
Both Apple and Google stressed that these exploits are constantly being identified and fixed and that they are committed to protecting user data. It appears that the easiest trick to make it more difficult for law enforcement to access your phone is the simplest one: turn off your phone. As long as it does not get unlocked again after being rebooted, it will be significantly more difficult for law enforcement to access your data (though nothing is guaranteed).
Since users rarely turn their phones off, it means law enforcement can usually get access to the data—if they really want to. The study found nearly 50,000 examples, encompassing all 50 states, where law enforcement accessed encrypted phone data between 2015 and 2019. Researchers also warned that automated tools are proliferating, and user data may be vulnerable in other settings such as schools and at the country’s borders.
“It just really shocked me, because I came into this project thinking that these phones are really protecting user data well,” said John Hopkins researcher Matthew Green. “Now I’ve come out of the project thinking almost nothing is protected as much as it could be. So why do we need a backdoor for law enforcement when the protections these phones actually offer are so bad?”
As a digital subscriber to Criminal Legal News, you can access full text and downloads for this and other premium content.
Already a subscriber? Login