Forensic snoops: It doesn't take a Genius to break into an iPhone

Forensic tools against smartphones allow basic 4-digit phone passcodes to be bypassed in minutes. However, more complex passcodes are far more difficult to defeat and might even leave some information of seized Androids or iPhones outside the range of many tools, according to computer forensics experts. A YouTube video – …

COMMENTS

This topic is closed for new posts.
  1. Shades

    Counter measures

    As these methods appear to require the device to be turned on then surely someone will come up with a startup app for jailbroken/rooted devices that will wipe the device if the user doesn't input a specific code within a specific time, or verify the existence/contents of some sort of valid "I've not been arrested/had my phone seized" key tucked away on a quiet server in a remote part of the internet?

    Well, that's what I'd do if I was stupid enough to feel the need to keep anything incriminating on my phone.

    1. Blofeld's Cat
      Boffin

      Re: Counter measures

      The counter-counter measure would presumably be to image the device ASAP, and then use an emulator.

      1. Danny 14

        Re: Counter measures

        Which you should always do anyway.

    2. frank ly
      Facepalm

      Re: Counter measures

      "...I was stupid enough to feel the need to keep anything incriminating on my phone."

      Exactly!!

  2. NogginTheNog

    Faraday bag

    I like that idea, pretty clever!

    1. Blofeld's Cat
      Facepalm

      Re: Faraday bag

      "I like that idea, pretty clever!"

      Unless, of course, the device is programmed to detonate wipe itself when it cannot access a remote server, or needs to be pinged on a regular basis.

      1. Ru
        Unhappy

        Re: "Unless, of course..."

        You fancy privileged criminals with your perfect 3G coverage and 100% mobile service uptime.

        If my phone zapped its brains every time it couldn't get pinged for a short period of time, I'd be lucky to have it last a week.

      2. Anonymous Coward
        Paris Hilton

        Re: Faraday bag

        MY CAR PHONE IS IN ONE OF THOSE BAGS

    2. LinkOfHyrule
      Gimp

      Re: Faraday bag

      If I ever write the trashy novel about the Tory MP and the dominatrix, "Faraday Bags" is the character name I'm using for her!

  3. Chris Miller

    Proving once more

    that if an attacker can gain physical access, all the logical protection in the world is unlikely to be of much use.

    1. John H Woods Silver badge

      Re: Proving once more

      Yes - excepting good encryption of the content

      1. Mark 65

        Re: Proving once more

        Which leaves me wondering about how it works with a Blackberry? I thought these were supposed to be the one to get if you wanted a secure phone?

  4. Ross K Silver badge
    Thumb Up

    A Nokia 1616...

    and a disposable sim. Job done.

    Don't criminals watch 'The Wire'?

  5. Cliff

    Faraday bag?

    Sounds like a solution to a non-problem? Without a battery the phone won't be doing a lot of network access anyway, will it? Remote wipe and no-ping aside, processors revert to being fancy bits of sand without a dash of leccy.

    1. Blofeld's Cat
      Facepalm

      Re: Faraday bag?

      "Without a battery..."

      What if it's an iPhone?

    2. Ru
      Boffin

      Re: Faraday bag?

      Quick question for you there Cliff... how easy is it to pop out the battery on an iPhone these days?

      Hint: you may well need a funny screwdriver and a soldering iron.

      1. Silverburn

        Re: Faraday bag?

        Memory serves that there was a theoretical exploit for the battery controller on some Apple gear - ah wait here it is:

        http://www.theregister.co.uk/2011/07/22/mac_battery_hack/

        Now if you were really clever you'd hook up a similar battery-frying BIOS hack into Find my iphone app - a kind of permanent wipe to appear under "wipe device". Or link it into the passcode failure routine when FMI is unreachable.

    3. Rich 30

      Re: Faraday bag?

      I'd have thought, to avoid 'contaminating evidence' the friendly policeman just pops the phone in an evidence bag as is, i.e. turned on. What if there is valuable forensic evidence under the battery cover that falls out when he takes the batt out?

      Also, not so helpful for sealed phones, as so many people have said. Nokia N8, iPhones etc.

      1. Anonymous Coward

        Re: Faraday bag?

        If the 'friendly policeman' pops a mobile phone into an evidence bag, if a call comes in or a text, it could wipe data that's crucial to the crime in question. That's why lots of police forces use the faraday bags to put the mobile phones in - to stop the evidence being 'tampered'.

        You should also take into consideration that the faraday bags also ensure that the remote wipe that you get on phones these days won't work - as the signal to start the remote wipe will not be able to get through to the phone in question.

    4. Anonymous Coward

      Re: Faraday bag?

      From an evidence perspective, the problem is between when the evidence is seized and investigated. If the phone battery is dead at the point of seizure, then you are absolutely correct. If however the phone is on, (which it generally will be), then it's important to ensure that no-one tries to remote wipe the data and to stop further communication to that device as this goes against ACPO's principles.

  6. Khaptain Silver badge

    Easy Solution

    Rather than encrypt or obfuscate, wouldn't it be more subtle to fill your phone full of semi "false" information.

    For example, changing your friends' names to "Judges names" or Police Chief names, having a couple of images of well known lawyers or politicians (easily scanned from the web) why not photoshop yourself along with them ....

    you get the idea..

    1. Steve Renouf
      Black Helicopters

      Re: Easy Solution

      Hmm... Interesting... But why would you want to do that anyway - unless you actually DO have something to hide?

      1. Steven Roper
        Stop

        @Steve Renouf

        Considering how unjust the laws are these days and how our so-called "democracies" have somehow become corporate dictatorships there's plenty of things to hide that, while now illegal, are still within the realm of basic human rights - which our legislators are increasingly ignoring.

        Just because lawmakers have become corporate puppets doesn't mean the public has given up its right of resistance.

    2. Anonymous Coward

      Re: Easy Solution

      I think this solution falls squarely into the category of, "Make things as difficult as possible for yourself on the off chance it might be mildly inconvenient to someone else in some unlikely event they obtain your phone and are actually interested in its contents". A bit like shoving a swarm of angry hornets down your pants as an anti-molestation mechanism.

  7. Spoonsinger
    Holmes

    And the no shit sherlock award goes to....

    (Mind boggles).

  8. Anonymous Coward

    this thumb drive will self destruct in....

    should be using one of these then

    http://www.thinkgeek.com/gadgets/security/99f1/

  9. Anonymous Coward
    Black Helicopters

    Secret Agent wannabe, 101

    * Use a password instead of a pin no.

    * Jailbreak the phone and set up SSH access

    * Change default 'root' and 'mobile' [user account] passwords

    * or... turn off SSH password logins and use key pairs

    * SSH in and hide 'stuff' amongst the filesystem, where it's not visible through the GUI

    OK. It won't stop someone with the necessary time and resources from waterboarding you 'til you sing using their forensic skills to gain access, but it will stop YouTube script kiddies in their tracks.

  10. Cuddles
    FAIL

    "Mike Dickinson, Micro Systemation’s marketing director, explained that his clients didn't want the capabilities of the technology to be common knowledge."

    "...so we posted it on YouTube and then published an article about it in one of the most famous magazines in the world."

    Yep, certainly no geniuses involved here.

  11. Anonymous Coward

    Re "if I was stupid enough to feel the need to keep anything incriminating on my phone"

    It doesn't necessarily have to be about that - maintaining phone security also prevents the police using the information on the phone to make the 'suspect' fit the crime and the prosecution using it to change their court room approach to make the innocent appear guilty.

  12. Anonymous Coward

    waste of time in UK

    Just get a court order to reveal the password or the "perp" gets two years inside.

  13. Steve Evans

    In the UK we have another solution...

    Not providing a password/access when demanded by the UK plod is a criminal offence in itself, so even if they can't get in they can prosecute you for that.

    1. stanimir

      Re: In the UK we have another solution...

      feels so trivial - it just takes a password for wipe and grant access.

    2. Ross K Silver badge

      Re: In the UK we have another solution...

      If I was looking at a ten (or even five) stretch, I'd keep my mouth shut and take the two years.

      Surely with crowded prisons/good behaviour/etc one would be out in no time anyway?

      Or do you keep going back to court and getting another two years every time?

      1. Peladon

        Re: In the UK we have another solution...

        By my understanding, it goes like this:

        Plod: Gimme your password, cuz.

        You: No.

        Two years inside

        Plod waiting at gate: Gimme your password, cuz.

        You: no.

        You turn round. You go back in. Rinse, repeat...

        Of course, I could be wrong...

        1. Mark 65

          Re: In the UK we have another solution...

          @Peladon: I'm guessing that, as the current Government are finding out, most laws like this one fall foul of some facet of European law - they just haven't been tested yet in terms of the rinse repeat aspect. Two years? You might get away with that. Repeating the sentence for the same crime is unlikely to fly with the EU.

          1. Ross K Silver badge

            Re: In the UK we have another solution...

            I'm guessing you would be brought before a judge and found guilty of contempt of court each time. So you wouldn't *technically* be getting jailed for the same thing each time? IANAL etc...

        2. Rich 30

          Re: In the UK we have another solution...

          *After my 2 year stretch*

          Policeman Pete - "Cuz, what's the password?"

          Me - "Well, I remember it just being random letters and numbers, I think it started "1bii19w", but it was well over 20 characters long, maybe 30, used letters numbers and special characters, and after 2 years in nick, I've totally forgotten it. Sorry, cuz"

          Policeman Pete - "???"

  14. airwaffle
    Alert

    Errr.... doesn't this violate chain of custody?

    ... and render anything found on the device inadmissible as you are essentially changing the source by jailbreaking it and installing your own stuff?

    Or is there a safe copy technology (like Guidance's EnCase) involved to an emulator / another device that's not referenced in the article?

  15. Anonymous Coward

    I just use the "security" lock to stop myself dialling people at random when it's in my pocket.

    I've never kidded myself that it would keep anybody out of the phone.

  16. Andus McCoatover
    Windows

    Remembering J.Edgar.Hoover....

    The FBI are angels..

    They sit on 'clouds'....

  17. NumptyScrub
    WTF?

    Reverse engineering?

    quote: "Micro Systemation differentiates itself by specialising in this market and employing more than 30 developers and reverse engineers to research mobile operating system vulnerabilities that its forensic tools might subsequently be able to exploit."

    Wait a minute, I thought reverse engineering was specifically prohibited in the TOS for pretty much all handset operating systems (including Android, I believe, for the proprietary bits), and that deliberately using exploits to gain unauthorised access to a device is a crime? Aren't they committing and enabling (extraditable) offenses simply by creating this software? Why are they not all banged up by now?

    These guys aren't a government agency, they are a commercial venture, and therefore I assumed they are supposed to be governed by the same laws as the rest of us. Does this mean I can create phone hacking tool(s) with impunity as long as I "only intend to sell it to authorised government operatives"?

  18. xyz Silver badge
    Devil

    Wait a goddamn minute here

    We're talking about an iPhone here...owned by the brains o' vacuum brigade. Air heads are heavyweights compared to that lot...and what's going to be on it, well probably photos of "Me wiff Darren," "Tracy wiff that hunk at Annanbels" etc etc. The simplest way to find out what's on one of these retards' phones is to just say "nice phone" and they'll show you everything (including knickers/underpants dependent upon gender preference)

  19. Anonymous Coward

    And that is why I will not keep anything of importance on my (Cyanogenmod Android) phone. No online banking, no ssh certificates for servers, no pictures, no passwords. Have fun with my MicroSD card, it only gets wiped weekly.

    If my remote wipe (cerberus installed in rom) were to fail, somebody able to bypass my 16+ character password including special characters could theoretically access the few locally stored messages of my email accounts, though I would imagine that the IMAP passwords are changed before that phone is unlocked, so that is somewhat marginal.

    1. Ross K Silver badge
      Black Helicopters

      0 rly?

      Overkill much?

  20. Tony Luck
    Boffin

    What's on the outside of the phone

    The Faraday bag seems to assume that all of the evidence of interest is digitally contained inside the phone. What if there is something useful (trace chemicals, blood etc.) on the outside of the phone? Dropping it into one of these "reusable" bags will mess that up.

    1. Aqua Marina

      Re: What's on the outside of the phone

      So pop the phone into an evidence bag, before popping it into a Faraday bag. And just make sure the receiving lab is housed inside a Faraday cage.

      1. Anonymous Coward

        Re: What's on the outside of the phone

        Faraday Bags are just a little bit cheaper and slightly more portable though...

  21. Confuciousmobil
    FAIL

    I wonder...

    I wonder why they released this video that relies on publicly available JailBreaks?

    Is it to fool people who own iPad 2/3 or iPhone 4S that their data is safe?

    If someone has paid $250K for an A5 JailBreak I'm guessing it wasn't just for their personal device....
