Last month the United Arab Emirates mobile operator Etisalat tried to sneak malware onto customers' BlackBerry handsets. But what pushed an operator to try such an underhand trick, and do so in such an inept manner? The snooping software was pushed out as an upgrade, authorised by the operator but almost certainly at the behest …
WTF is this?
The Register is telling us that phones *we* buy should be insecure by design? You know if they were easier to hack criminals would figure it out even before the plods. WTF? When I buy something I want it to work for me. And that includes unbreakable cryptographic security. I'm pissed - you suck - crap article.
As it should be
This is all exactly as it should be. Nobody should want a phone with backdoors in it:
1) It's rife for abuse. If it's costly and difficult to extract data, police will not go on fishing expeditions. If it's standardized and easy it's much more likely they will.
2) "Security through obscurity" may already be used on some phones, but if there were a standard, there would not even be security through security -- there would in fact be no security at all. Imagine how corps would feel about blackberries, for instance, if they knew there was just some pin or something floating around that'll decrypt and dump the contents of the phone.
3) I'm a libertarian, it's not the gov'ts business to snoop into everywhere and everything, and there's no reason for manufacturers to make it easier for them to do so. You guys in Britain might think this is normal, but believe me, it's not.
A *criminals* best friend?
People can communicate in private, why are you so afraid of what they might say?
... just put in place a consumer regulation that requires any manufacturer wishing to sell handsets in the country to provide necessary assistance to law enforcement at a nominal and reasonable cost? If Sony Erikson wants to sell a phone in the US or the UK, they would have to cough up the codes or the data.
Police codes to get into mobiles - the criminals' friend
Amazing! Some company actually achieves security for their customers, and the author wants that to be easily compromised? How trustworthy are the police in keeping people's information secure? The number of private investigators who have a "local contact" to get private/personal information already suggests that certain members of that private club that likes to dress in blue (badge numbers optional) are divulging more than they should.
If the information on how to get into a phone is available to the police, then it will soon be available to anyone - black hats included. As the author mentions, the modern mobile phone can contain a lot of very personal and private information - pin numbers to credit/debit cards, company vpn details and access passwords. How much more valuable will a robbery be if this info is easily retrievable from a person's phone?
So to sum up - to make plod's life slightly easier, you propose opening an attack vector against anyone who may use a mobile to store sensitive information.
The only thing I can think of on the author's side is if he has shares in Sony-Ericsson that he was doing a pump'n'dump on...
One thing can be sure...
...if the authorities have access then it will be abused rather sooner than later.
To this end I do not support this intrusion into our privacy, because that is what it will become. From over-tall photographers to.."who've you been calling then, sonny?".
Can't trust them. Won't trust them. They've given ample demonstrations as to why.
Looks like the loons are out in force and you haven't properly read the article.
I'm pretty sure what Bill was saying was that in cases such as that of murder or even if someone dies of a heart attack while out on their own it should be possible for law enforcement to retrieve information to perhaps let next of kin know that their husband/wife/girlfriend/boyfriend/son/daughter or whoever has been killed and to aid in the detection of the crime or do you think we should let murders walk free and victims be buried anonymously?
Hmmm thought so.
While I'm definitely against mass surveillance I do think police should have access to devices in cases like this.
Here's hoping you never suffer such things.
Phew - Mobile Security....
almost an oxymoron - but not the issue really - is it?
Do you want the local council to be able to trivially access the contents (all of them) of your mobile phone because you's a month late with your council tax or put your wheelie bin in the wrong place?
There's a far bigger issue out there guys - just because you aren't paranoid doesn't mean they aren't out to get you :-)
The legitimate forensic examination of phones is acceptable - but most of the useful information would be accessible elsewhere - it's just that as ever - the peculating swine network operators make eye-watering payment demands for data as in £10 for a BT reverse number lookup and £100+ for the same on a mobile network.
Yet another epic fail for our public servants - network operators should have to provide these services free to law enforcement as a condition of their licensing of the PUBLIC airwaves - 0/10 for understanding and implementation - as usual.
Article sponsored by ACPO?
Sorry Mr Ray, but this article drops well below the usual standard of El Reg reporting on our surveillance society.
Gov.uk is constantly looking for excuses to monitor our every move - terrorism and child protection being the most emotive. Yet once in place, these extended powers are rarely used to combat the evils that "justified" them; abuse and function creep soon sets in.
Law enforcement is costly, but I'd rather pay for it with tax than with liberty.
"If Sony Erikson wants to sell a phone in the US or the UK, they would have to cough up the codes or the data."
If the rozzers think I'm a criminal why don't they come arrest me and get the data from *me*?
I just wonder how many of those millions of RIPA requests were just some rozzer on a fishing expedition, I wonder how many times RIPA requests result in no prosecution, showing the fishing expedition failed, I wonder how many are just plain malicious. Because I know with a million requests it just isn't being used for crime.
Then there's ANPR. I drive past a speed cam, snap, too fast, as a result my right to privacy is forfeit because I was speeding. I drive past an ANPR camera, in a stolen car, snap, I forfeit my right to privacy by being in a stolen car. I drive past an ANPR camera in my own car going about my innocent own business. Why do the rozzers keep that data for 2 years? What f**ing business is it of theirs?
Nobody in the free world holds up the UK as a symbol of freedom, it's shameful how much it declined. And it's shameful that even when ECHR tries to steer NuLabour back to something more civilised, they dodge around the ruling.
"but we understand that the police Phone Examination Units particularly dread receiving handsets from Sony Ericsson."
But as a phone hmmmmmmmm tech ;) i love "playing" with Sony Ericsson Phones... FFS if i can grab SIM ID's phone book, SMS etc etc etc via bluetooth why are the cops having trouble when they have the phones in their hands...
glad to see my taxes are being spent on people who know what they are doing LOL
Given how much RIPA has been abused
I want it to be hard for these comedians
"it should be possible for law enforcement to retrieve information to perhaps let next of kin know that their husband/wife/girlfriend/boyfriend/son/daughter or whoever has been killed"
You mean to say that before the mobile phone era, bodies were impossible to identify within reasonable time and with some little effort? How crucial is the advantage of reading their telephone book and call records outside criminal cases?
So, no it shouldn't be possible for government to retrieve information unless specifically made available. People are free to carry contact information, donor registrations, etc. on them if they worry about this aspect.
Freedom and privacy has always been the criminal's friend. That's a *good* thing because one never knows when *you* become regarded as criminal or when you just try to hide things from criminal elements within law enforcements or criminals using their back doors.
Criminals of all ages ride the tailwinds of human achievements and rights. No reason to make a problem of that now, after a few thousand years.
boo hoo emo
So the cops have a hard time getting private information out of peoples phones?
well boo hoo emo to them. Maybe they should go do some real police work instead of fishing through databases and handsets looking for any dirt they can make stick.
If they actually did real police work these days identifying dead bodies wouldn't be hard, but all too often they just want their quick easy database fix so they can stop as many people as possible, fill their quota for doing so then take the rest of the day off. Maybe spend a few grand on their police credit cards.
"I didn't know I wasn't allowed to buy sex toys with public money"
"oh ok well just don't do it again"
What a joke.
I am all for ...
... robust investigation and evidential basis but so much of this stuff reeks of psycho, freudian state sponsored snooping of a perverse and personal nature.
Are people getting kicks out of snooping?
re: Anonymous Coward Posted Saturday 22nd August 2009 17:30 GMT
So the cops have a hard time getting private information out of peoples phones?
well boo hoo emo to them. Maybe they should go do some real police work instead of fishing through databases and handsets looking for any dirt they can make stick.
Or perhaps your loved one(s) are lying on a slab in the morgue, killed by a texting driver who was far more concerned with what his mates were doing that night than driving
But he's locked the phone and the police have no way of accessing the data. So he's let off with a caution or maybe a careless driving ticket instead of causing death by dangerous driving
A few simple rules such as the codes can only go to a forensics lab after the request has been approved by a judge would be a start, and that the phone companies/handset makers have to give out such codes as a condition of being able to operate in the UK.
Naw f**k it, let's all be paranoid and assume everyone is out to get us
PS Why would someone store their credit card number on their phone when it's on a plastic card in their pocket?
Who put you up to this?
Let's face it, Bill, any article that biased towards the interests of the spooks has to be sponsored by someone in authority. Or Authority, for that matter.
It is absolutely right and proper that governmental organisations, from law enforcement to covert services, should not be able to access private data without being put through significant inconvenience and cost. This is what provides us the remaining safeguards on our privacy - and that's a human right, in case you'd forgotten.
Would you be happy with a State that required you to leave copies of your house keys at the Police station, to keep them up to date, and which authorised the Police to enter your home at any time of the day or night, on any pretext or none (i.e. a "fishing expedition"), with unlimited rights to search? No, me neither. That's where the banal "Well, you won't have a problem if you've nothing to hide" argument shows its fallacy.
Privacy, and the integrity of our personal space, be it physical or informational, is the baseline. Any deviation from that baseline should require justification and frequent independent review, be in the face of considerable barriers, and be revoked the moment it is no longer justified or required.
So I ask again, who put you up to this?
They have no business with it
Nobody, including the government, has any business viewing information that I have encrypted unless I give them the password. MY data, MY encryption, MY device. If they want to be able to read what I write, they can pay for the device in the first place - then they have a right to it. I will assume that they do not, in which case the phone should work for nobody else but me.
Do fuck off. We did read the article - but maybe you didn't understand the issues involved.
Having some kind of backdoor might make it easier to identify murder victims but why can't the police simply ask the network operator for the phone records for the SIM? AFAIK, the police have this information available through direct online access. Of course, having a backdoor would also allow fishing expeditions, the sale of information to ex-colleagues now running their own detective agencies (e.g. court case last year) and similar kinds of assault on the privacy of the law abiding populace. The police and other parts of the public sector have shown themselves to be utterly irresponsible with almost any powers or data with which they are entrusted.
If the police want the contents of any device for an investigation into a serious crime, they can simply send the device to the manufacturers, who may even offer their assistance for free.
A very similar justification was used for the implementation of a variety of surveillance schemes allegedly designed to prevent terrorism.
The three justifications for any bad legal creation are:
It's for the sake of the children
It only affects a tiny minority
The innocent have nothing to fear
I am absolutely mystified by the attitude behind this idea. One of the reasons Microsoft is attacked so often is because its software makes it trivially easy for people to snoop about in your computer. Now we have an author on the Reg complaining about software that's been built in such a way that it doesn't have these problems? Make up your minds for god's sake!
At least BB is honest
I don't mind bigbrother watching my moves. What do I have to hide? Few playboy clips? My Girlfriend doesn't care so it's not a big deal. They only people who "whine" about privacy are those who with kiddies porn -- or married men having an affair with Miss Adam Apple.
Personally, I find it very sexy that tax payers money is being used to monitor my moves... I think like that -- I like that alot.
UAE did for whom?
It reminds of patriot act -- American government spying on its own people. Of course they pointed out that it's only religion extremist & white supremacist. Few years ago I read an article in Indian newspaper stating that on behalf of America Pakistani government will be spying on its civilians. I wouldn't be surprise if America have forced Arabian governments -- or even given them a "nod" to do something like this.
After all how can we be so sure otherwise? All in all I don't care if government is spying on me, cause I don't have anything to hide, nor I trust them enough they wouldn't be doing it. In fact I am happy to see them spending millions of dollars watching my every moves. Can we call it tacit sex?
After all can you think of a better way spending billions of dollar during recession?
So many things to be disturbed by
The police don't need to get into my locked phone. If I have been hit by a bus, and my phone still works, my immediate contacts are listed on the main info screen.
So if the Arab phone operator had been better at their job they could have installed any creepy piece of software?
I am obviously drunk, reading a Register article that is siding with lazy cops.
I'm on the train.....
I'm at the pub...
I'm at work...
I'm behind you..
That's all the plods will find as SMS messages on most mobiles...
In the nicest possible way...
...this would have been a really interesting article if it had been written in partnership with, say, Pinsent Masons, who already provide content to El Reg via Out-Law and should have a clue about English law. For instance, when ray says:
"But while a network operator will be subject to national laws, a handset manufacturer will likely be located outside such a jurisdiction."
I don't believe that's much of a problem for the UK - e.g. Nokia has a significant presence in the UK and I wouldn't have thought executing a court order on a handset manufacturer within the jurisdiction would be much of a problem. But IANAL and neither is Ray, so we'll never know if this whole article is based on a false premise. That's where some qualified and relevant opinion would come in useful.
And similarly, it would be nice to read something from Out-Law that isn't just a regurgitated press releases about a recent prosecution with some irrelevant commentary - recently there was a US judicial decision which seemed unusual or highly technical and the lawyer's comment was about what might have happened in England - well, so what? How does that help us understand the US decision???
Your plan is flawed.
My mobile doesn't have a contact called "I'm dead This is my next of kin" (yes *some* people have ICE). So what will they do, start at A and work their way through sending text saying "Found a bdy.txt us bck. Thx"
I've been murdered / dropped dead in my home, how will they know who I am?
I've dropped dead in the street, does it matter if they take an extra day or two to wait for a missing persons report that matches me? You may say yes, but better than randomly going round your phone book saying we've found a body, do you know anybody that it may be?
Nope just another excuse to abuse their powers under the disguise of saving us from ourselves.
It's better for a few criminals to get away with it, than for law enforcement to have access to our phone calls. Beside which, there are plenty of other ways criminals could communicate. Spying on mobile phones won't help in that case.
After all, there's no guarantee that something fairly ordinary and innocuous that you do all the time won't become an offence one day.
You don't need to be able to see a complete call record to identify a dead body. You just need the company to tell you to whom that number is registered.
If you get to the address and the owner is still alive, then the phone was stolen and you can ask the owner (who's probably quite grateful at this point) for permission to go through the logs to find out where the phone has been and who it called.
A passing phase
The evolution is from "dumb" phones with local storage to smart phones and their ability (if not requirement) to hold data on a third party's system - whether that's gmail, office applications or whatever. In that situation, breaking into, hacking or cracking the phone becomes a futile activity - as the good stuff won't be held there anyway.
If all the police are interested in is finding the phone owner's identity, there are easier, faster and more reliable ways of doing it - such as DNA evidence or even looking in their wallet / handbag. However if that's merely a smokescreen to their real intentions of snooping in other peoples' affairs then I can't say I'm sorry if anyone makes that difficult for them.
Phone makers can and do substantially change the internals of the phone without telling you, that is without changing the model number. "Continuous improvement" and all that - and cost savings for them. So there may not be a single memory map document for a SoNokyson THX1138, without a lookup on the phone's unique serial number. The point is this: maintaining yet another correct document for external people about the internals of the phone can cost a lot of money, think of updates several times a month from every manufacturer, review process every time anything is changed in the manufacturing stream for a particular model, &c &c. It's not that the makers keep it "secret", it's that it's not a trivial job to keep such info accurate and up to date.
To the Author....
For the first time in my life I find myself wanting to post a Fail Icon and a Death of reporting icon.
I for one am GLAD that the rozzers can't easily hack my phone. This is for two reasons. Firstly they're a bunch of untrustworthy, fishing expedition embarking, lying, violent charlatans. Secondly, they're not very bright and anything they can do to your phone, some smart crook also is getting to do, and frankly, I like my privacy.
There, I've said it. I like privacy. Not because I'm a crook, not because I have anything to hide, more because I just don't see the need for world + mutt to know what I do and how I do it.
Your article seems to imply that the Police should be given easy access to any information they want for the sole reason that they want to go have a looksee. Why? Give me one good reason why they should be allowed to, and if the response contains either "nothing to fear nothing to hide" or "it's for the children" it's automatically disallowed as a reason. See, strip those two lame excuses away and you are left with no justifiable reason whatsoever.
You sir are the worst kind of apologist I can imagine. I can only hope El Reg stops signing your day release and sends you back to the NuLabour "Spies like us" Loonie bin from whence you came.
I don't get it
Why would I want my privacy to be compromised by design? I simply do not trust our govt and their agencies with my personal data, be it my DNA or my contacts list. They already snoop my calls and txts, track my car and poke around in my credit history and God-knows what else, why help them?
Right to privacy
If people want their privacy, they will want phones that can't be hacked/accessed easily, therefore creating a market that someone will fill.
God bless free market economics.
On the other hand, it's only a 'right' if you are prepared to pay* for it. 'Rights' are not free. If someone _gives_ you a 'right', it isn't a 'right' at all.
*In blood/loss of freedom etc.
Can we just blow the planet up already? I'm getting bored.
Failure of Legislation
This is one of the more spectacular examples of a Reg reporter getting the wrong end of the stick, it's not the manufacturers' problem - it's the Cops'. Until there is a law the companies are doing nothing wrong.
I do not agree with the filth being able to have extra powers like these - it will be abused.
However should the rozzers have a good reason to have such powers then surely all that is necessary is for parliament to pass laws forcing all phones sold / used in the UK to have backdoors available to Knacker on demand.
Finally, regarding identification / next of kin through phones some people are not thinking this through properly. On one hand you should be able to identify the owner of a phone from the billing details (and one assumes from cards in their wallet, if they'd been robbed the phone would surely have gone also), however call logs will only show you numbers called, which may or may not be relatives - you can't just call them all up and ask them if they know the victim.
However I assume most of us have an entry in our phone's contacts of stuff like "Mum", "Dad" etc. which may be useful in identifying next of kin.
Saying that I am pretty damn sure plod can find this info easy enough without needing to break into your phone.
Ha ha ha ha ha
"In the UK a fairly comprehensive system exists to allow police to extract data from network operators, with some judicial oversight and budgetary considerations that prevent fishing expeditions."
Does the author actually believe that?
@Boris the Cockroach
In your contrived example, if someone had been hit and killed by a driver who was texting:
a) The driver would likely be found guilty of causing death by dangerous driving, or at least of manslaughter*. The 'texting' bit would surely be superfluous.
b) If the police wanted to show that the driver had been sending a text message at the time of the accident, surely they would ask the mobile operator to provide timings of text messages sent/received at around the time of the accident.
c) If access to the driver's phone were required, and it were locked, what is to stop the police getting a warrant to require the driver to unlock said phone? IIRC, it is an offence for someone to not do so.
d) What evidence would you expect to ACTUALLY find on a locked phone to PROVE that a driver was texting at the time of an accident.
If you ask me (which, of course you didn't, but I am somewhat opinionated), the police should not have de facto access to any mobile phone they should happen to pick up. They should, however, have some means of accessing data on a mobile device which the courts have deemed may be pertinent to their needs to investigate a given case. In such a case, the police officers in question should apply to a judge for a warrant. If there is nobody who can actually access the data on the device, if for example, it has been locked by someone who has subsequently become a murder victim, then the phone manufacturer should aid them where possible. If the phone uses any decent sort of encryption for its data (as it should in this day and age), then tough shit; go and do some proper police work. See how it works? The last thing we should be doing is giving those with little or no oversight more freedom to observe and control the private data of those who have committed no crime.
*IANAL of course.
If the police have the need to identify the owner of a mobile phone, it can be uniquely identified by the operator by both the IMEI and SIM numbers. Since the operator has to keep financial records, they can almost certainly tell you who the handset belongs to (IMEI) and who the calls are being billed to (SIM)*. AFAIK, these can also be tracked from cell to cell by the operator to provide the police with approximate locations of the phone, assuming these records are kept for any amount of time. And I bet you they are.
*These fall down for pay-as-you-go phones of course, but that is another issue.
Re Boris the Cockroach
If he was texting and locked the phone, you don't need to access the handset, you need to ask the network operators for the call history. This they are already legally obliged to supply so really there is no need for this.
I'm off to lob my C902 at a corpse and see how long it takes the filth to find me!
...that's the first time I've heard a compelling reason to buy a product from Sony Ericsson for a while.
"It reminds of patriot act -- American government spying on its own people. Of course they pointed out that it's only religion extremist & white supremacist."
I trust that such remarks come from the comfortable position of being a white Anglo-Saxon male, despite the incoherency of your English, Mr Dorland. It's a bit wearing to be pulled aside *all* the time by agents of the government, security people and general officialdom, supposedly at random but more likely because of the colour of one's skin, just so that those people can "make sure" that nothing evil is being planned by someone who, in their limited imagination, is "more likely" to be up to such bad things.
You should get out and talk to people who have to live with this kind of harassment - then you might have a clue about why "patriotic" surveillance isn't very nice.
No right to protect information on phones
If anyone thinks they've currently got the right to keep information on a mobile private, bear in mind that if you're subject to a stop and search, whether on the grounds of looking for weapons/stolen goods, evidence of a drugs offence or the oft misused anti-terrorism excuse, the police will inevitably be able to come up with a reason why they need to search your phone and refusing to assist them in this by unlocking it is likely to lead to it being seized and the data extracted using Cellebrite http://www.cellebrite.com/UFED-Standard-Kit.html back at the station, or if that didn't work, a section 49 notice being served requiring you to supply the password on pain of imprisonment.
Well that's what Liberty told me anyway: http://www.guardian.co.uk/commentisfree/libertycentral/2009/aug/04/liberty-clinic-stop-search-mobile