The controversy over the use of encryption in iOS and Android smart devices was recently rekindled. On one side, Apple and Google argue that encryption is the main tool for protecting users’ data, while government agencies claim that implementing a way to access these devices would represent a major step forward in combating criminal activities.
With the release of the iOS 8 operating system, Apple began implementing encryption on all of its products to protect users, as they were too exposed to malicious hacking activity. An identical measure was implemented by Google soon after. Since then, something of a race has developed between US government agents trying to obtain information from these devices and the developer companies, which have been implementing increasingly stringent security measures.
The dispute between the US government and these companies is far from over; meanwhile, law enforcement agencies have found a third way to bypass encryption on these devices without violating data protection legislation. Cyrus Vance Jr., Manhattan district attorney, and the city’s Cybercrime Unit created a kind of prison for a specific purpose: extracting information stored on some smart devices using brute force tactics before their owners delete this data, which could be useful in criminal investigations.
The entrance to this “prison” resembles that of a bunker. The installation consists of a radio frequency isolation chamber protected behind two hermetically sealed steel doors. Connected along the walls of this chamber are dozens of Apple devices (iPad/iPhone), which were confiscated in connection with crimes currently under investigation.
All devices found in these facilities are connected to a set of computers with massive processing power, dedicated to generating random number sequences to try to decrypt the access codes of these confiscated devices. Researchers working here can even take advantage of other systems that aren’t used at night to create a local supercomputer network, according to a report by the business magazine Fast Company.
During the interview, Steve Moran, director of the High Technology Analysis Unit, shows, as an example of the work done in this lab, an iPhone on which more than 10k possible combinations have been tested: “This would have been enough to decrypt a four-digit password. However, Apple has been using six-digit access codes for the last five years, which requires a million possible combinations to be tested,” he said.
In addition, data protection specialists point out that Apple restricts the number of times per minute an access code can be entered; this is where the investigators of these possible crimes come in. “It is required to think about possible combinations. We need to know some facts: date of birth, wedding anniversary, birthday of wives or children, even the number of a favorite baseball player can be helpful in reducing the number of attempts needed to unlock the devices of the suspects,” adds Moran.
This is not the only variable that affects the operations of this lab, because in addition to the huge number of combinations to test, researchers must also prioritize some specific devices. To this end, Moran designed a workflow that evaluates the most urgent cases; there are currently more than 3,000 low-priority devices sheltered in these facilities.
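The point about dates can be turned into a passcode audit. The following is an added example, not code from the article or from the lab it describes: it flags six-digit passcodes that read as a calendar date and measures how small that subset is compared with the million possible codes. The three date layouts and all function names are assumptions chosen for illustration.

```python
# Days per month; 29 Feb is always accepted because a two-digit year
# cannot tell us whether the year is a leap year.
DAYS_IN_MONTH = {1: 31, 2: 29, 3: 31, 4: 30, 5: 31, 6: 30,
                 7: 31, 8: 31, 9: 30, 10: 31, 11: 30, 12: 31}

# Assumed layouts: field order of each one, every field two digits wide.
LAYOUTS = {"DDMMYY": "DMY", "MMDDYY": "MDY", "YYMMDD": "YMD"}


def matching_layouts(code, layouts=LAYOUTS):
    """Return the layouts under which a six-digit code is a valid date."""
    if len(code) != 6 or not (code.isascii() and code.isdigit()):
        raise ValueError("expected exactly six ASCII digits")
    pairs = [int(code[i:i + 2]) for i in (0, 2, 4)]
    hits = []
    for name, order in layouts.items():
        fields = dict(zip(order, pairs))
        month, day = fields["M"], fields["D"]
        if 1 <= month <= 12 and 1 <= day <= DAYS_IN_MONTH[month]:
            hits.append(name)
    return hits


def date_shaped_count(layouts=LAYOUTS):
    """Count how many of the 1,000,000 six-digit codes look like a date."""
    return sum(1 for n in range(1_000_000)
               if matching_layouts(f"{n:06d}", layouts))


def audit(code):
    """Summarise whether a passcode falls in the date-shaped subset."""
    hits = matching_layouts(code)
    return {"code": code, "date_shaped": bool(hits), "layouts": hits}


if __name__ == "__main__":
    # Constructed sample passcodes, not taken from any real device.
    for sample in ("240120", "310499", "583920"):
        print(audit(sample))
    total = date_shaped_count()
    print(f"{total} of 1,000,000 codes are date-shaped ({total / 10_000:.1f}%)")
```

A passcode that `audit` flags belongs to a small, predictable slice of the six-digit space, so a policy check can reject it at enrollment in favor of a random code or a longer alphanumeric passphrase.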
As already mentioned, Apple and Google’s main argument for encryption is data protection, a position entirely justified considering that these companies cover almost 99% of the global smartphone market.
While the companies claim that no one, not even their internal staff, can access an encrypted device, prosecutor Vance believes it highly likely that Apple has some kind of secret backdoor. “Apple accesses our devices all the time: OS updates, SMS messages, external links, it’s all part of that invasive practice.” Despite these claims, shared by a considerable number of experts on the subject, the user privacy argument has prevailed over the demand for access to these files.
On the other hand, Vance considers that the request to remove encryption is not exaggerated or unfounded, as there are cases where information stored on smart devices recovered at crime scenes or in raids has been instrumental in solving complex cases. An example is the arrest and conviction of Lamar Davenport for the murder of E’Dena Hines, granddaughter of actor Morgan Freeman. The prosecutor in charge of the case presented as evidence a video found on the defendant’s iPhone after months of investigation to access the device. “Not only that; thanks to the activity of this laboratory we have found useful information to prove the innocence of at least 16 suspects in various crimes,” he adds.
Vance’s anti-encryption campaign has not been limited to his local environment. The prosecutor has met on several occasions with members of Europol and Interpol, has published articles in all kinds of magazines, and has tried to establish contact with representatives of the technology companies.
The International Institute of Cyber Security (IICS) points out that, before 2014, technology companies seemed to have no problem cooperating with law enforcement agencies, even noting that Apple’s collaboration was considered outstanding and effective. However, this cooperative work came to a breaking point after Edward Snowden’s revelations about the US National Security Agency’s espionage activity. While all of the tech companies mentioned by Snowden denied collaborating with the US government, Apple opted for a more vigorous demonstration of its commitment to privacy, launching the iOS 8 system, which included full encryption for the first time.
This laboratory is one of the main tools for the investigation of criminal cases in the city, as it has the most complex hardware resources available, in addition to specially developed software to apply brute force to these devices. However, with the emergence of new versions of mobile operating systems, the work of these researchers becomes increasingly complex. “At the beginning of this project, only 52% of the smartphones analyzed were locked, while the number of locked devices is currently 82%,” Moran says, so government agencies are also betting that legislation on mobile device encryption will streamline this work.
Originally published at https://www.securitynewspaper.com on January 24, 2020.