FBI Tries To Force Google To Unlock User's Android Phone

Trailrunner7 writes "Those multi-gesture passcode locks on Android phones that give users (and their spouses) fits apparently present quite a challenge for the FBI as well. Frustrated by a swipe passcode on the seized phone of an alleged gang leader, FBI officials have requested a search warrant that would force Google to 'provide law enforcement with any and all means of gaining access, including login and password information, password reset, and/or manufacturer default code ("PUK"), in order to obtain the complete contents of the memory of cellular telephone.' The request is part of a case involving an alleged gang leader and human trafficker named Dante Dears in California. Dears served several years in prison for his role in founding a gang in California called PhD, and upon his release he went back to his activities with the gang, according to the FBI's affidavit."

Ars Technica Lnk

[DarkHelmet]

http://arstechnica.com/tech-policy/news/2012/03/fbi-stumped-by-pimps-androids-pattern-lock-serves-warrant-on-google.ars [arstechnica.com]

The one thing I found amusing about the whole thing is that PhD supposedly stood for "Pimpin' Hoes Daily". Then I read this:

Her $500 a night went straight to Dears, though, who "took care of her" in his own special way. As San Diego's Union Tribune reported, Dears found out the woman had spoken to a man who wanted to help her get off the streets. So Dears "beat her up in the back seat of his Cadillac and then forced her to get into the car's trunk, she testified. While in the trunk, she was driven from East Main Street in El Cajon to Hotel Circle in Mission Valley, she testified."

Major league asshole. I hope he gets the book thrown at him.

Hashes

[hilather]

If his credentials are being properly stored as SHA2 hashes, I don't think Google could comply with this anyways. This is the whole point in using hashes over encryption.

Re:Ars Technica Lnk

[oakgrove]

When you try and fail to unlock an Android device enough times and fail it just asks for your gmail password. I doubt Google will do anything more than give them that which would be pretty worthless against any other Android phone.

Brute force?

[subreality]

I'm surprised the FBI can't just dump the flash and brute force it. There are only about 100,000 possible patterns.

Re:Ars Technica Lnk

[EdIII]

It should not be that much of a problem for Google then.

There lawyers could just have fun with it. A nice lunch with some IT guys and a hour or so later you have a well written response with supporting documentation on why the FBI are complete technology retards.

They could have a few pages on how PUK and SIM actually work, and even being helpful, list contact information for the manufacturers.

Judge would just love reading that the FBI was wasting the courts time because they could not even figure out who to serve a warrant to. :)

Re:Hashes

[Americano]

However, the limitation could be the delay/lock after some unsuccessful tries

That's exactly what happened [arstechnica.com]:

Technicians apparently mis-entered the pattern enough times to lock the phone, which could only be unlocked using the phone owner's Google account credentials.

Re:Ars Technica Lnk

[cpu6502]

It doesn't look like the warrant was issued yet. The judge may turn it down, or severely limit its scope (only require Google to provide the passgesture, if they have it).

Re:Ars Technica Lnk

[Anonymous Coward]

The PUK is also unnecessary since it's only used to unlock the phone's SIM card (and hence it's contacts.) If you fail too many times it self-destructs.

The Wireless provider knows the PUK as it's based on the serial number of the sim card, so Google certainly wouldn't have it.

Text messages are bit of a "maybe yes", while they are transmitted through the carrier, for billing purposes, the carrier has no way of reading them unless they've been stored. Having worked for AT&T, their customer service software, and all the support software doesn't let you read text messages, but it does let you send text messages anonymously to phones. If you're a technical staffer who can manually provision phones, you may have access to the SMS in-transit, but I don't think they're stored unless the FBI has been requiring it.

The actual storage of SMS messages are on the phone/SIM if not deleted. It largely depends on what the phone's software is setup to do. On early Motorola and Nokia phones, all the contacts were stored on the SIM card, but on later models (post 2005) they are stored in the phone memory by default.

So there's no need to get the SIM card PUK, It's just the easiest way to bypass the PIN password. If you remove the sim card and replace it with another one without a PIN, it will give you access to the phone and all it's data anyway. Depending on the device, you may have better luck simply syncing the device to a computer.

As for what you can do with a stolen/lost phone, not a hell of a lot. If you're looking to wipe it so you can keep it, it's much easier to do that, than to use it for identity theft. As a golden rule, I never "save my password" on any device. I'd rather a lost device be wiped than someone using the data for nefarious purposes.

Re:Ars Technica Lnk

[Anonymous Coward]

Resetting the gmail password won't help if the phone is locked. The phone still needs the old password to unlock it.

Re:Ars Technica Lnk

[Anonymous Coward]

To use google (ldap) directory sync with google apps, you need to use unsalted SHA1, or cleartext passwords in the directory you wish to sync.

So, maybe? maybe not.

BTW, windows does _not_ use salted passwords, that is why it is so fast/easy to crack windows passwords-- since you _can_ use precomputed hashes in a rainbow table, unlike pretty much any other OS.

Also, windows has an option to use reversible passwords in AD.

Re:Ars Technica Lnk

[Obfuscant]

"Asshole"? Really? My limited understanding is that he is an innocent person until found otherwise, no?

No. He's either guilty or not. He cannot be innocent today and then guilty tomorrow for something he did last week.

The legal system is required to treat him as not until proven otherwise. That, however, does NOT mean that the legal system cannot get a search warrant to obtain evidence that can be used in a court to allow the court to make that determination, so even the claim "innocent until proven guilty" doesn't apply here.

As for how the rest of the world treats him, we have no limits on calling him guilty because we aren't the legal system.

A warrant *is* enough, conditionally

[dacarr]

Picking through the details, it's pretty simple. The FBI served Google a warrant for a user.

What they will get out of it is any information on the perpetrator that Google has in their control - so Gmail, Picasa, anything on their servers. This is what a warrant does, and any content provider such as Google will have this in their TOS.

What they *might* get is a replacement account password to access the phone. That's unclear to me. It's in that respect that I don't know how Google will proceed.

What they will NOT get, however, are unlocks, text messages (unless he backs those up into his Gmail account), device passwords, device unlock patterns, or anything that would be used to unlock the device. That's all up to the mobile carrier or (possibly) the device manufacturer - not Google.

And for those who think Google made the device, no, they didn't. Somebody else did. May have been Motorola, LG, HTC, or Samsung, just to name the big four phone makers who put out Android off the top of my head. Google's support ends at the operating system development level, and whatever they have on their network. Demanding of Google whatever's on the mobile network or the device unto itself is like demanding an Amtrak schedule of Pepsico.

Re:Wha???

[lsolano]

This is not a technical case. It's a legal one.

They want to be able to hack the phone the "legally", so the alleged proof can be use in court.

Re:Plausible deniability...

[stanlyb]

It is useless to argue with people that cite statistic in order to imply fact. What is wrong in his post, and partially yours, is that you say "black people are 8 times more likely to.....". Do you see where is the problem? Let me try another way: "......if you go in your backyard, the probability that you will see dinosaur is 50%. Because you will either see it, or not see it....."
But the FACT is that you don't have dino in your backyards, and you will never have, no matter what the "fact", i mean statistic says.
The same with all these "...8 times more likely....", and then you put in a row 1 black and 1 white, and everybody would be convinced that it was the black guy. Oh, never mind, who am i to argue with the facts.

Re:Ars Technica Lnk

[swillden]

To use google (ldap) directory sync with google apps, you need to use unsalted SHA1, or cleartext passwords in the directory you wish to sync.

That doesn't mean Google stores unsalted hashes or cleartext, it just means that whatever Google stores is computable from those.

(Disclaimer: I work for Google, on security stuff, but I don't know anything about how user passwords are stored. I will say that storing unsalted hashes or cleartext would be very out of character for Google. Google tends towards great caution when it comes to security, and employs a lot of serious security experts and cryptographers.)

Re:Wha???

[__aaltlg1547]

No, the story says the phone in question is a seized phone. It's evidence in their possession. They just can't read it.

Re:Wha???

[CharlyFoxtrot]

Why they were even bothering with the unlock screen rather than just slurping up all the data on the phone with a UFED [forensicswiki.org] is beyond me.

Because cops are idiots and the only reason the system works is because criminals are usually even dumber ?

Re:Plausible deniability...

[mattie_p]

Considering the dinosaur clade includes birds, there is almost certainly a dinosaur in your backyard, if you have a backyard. The odds of seeing one would depend upon your eyesight, if you have a dinosaur feeder, if you have binoculars, day vs. night, etc. But I think we could use 50% as a nice estimate for daylight hours.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Wha???

[YeeHaW_Jelte]

Because according to the link you provided Android support is not included on this UFED thingy?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Ars Technica Lnk

[darkmeridian]

Also, note that under the Constitution, parolees are afforded less civil liberties in return for early release. Parole officers can do a lot of stuff that would normally require a warrant. Certainly, prisoners don't have a right against search and seizure of their cells. Therefore, parolees aren't protected against illegal search and seizure of their personal property. In this case, the government has all sorts of strong corroborating evidence in support of their warrant.

Thus, I'm not too worried about this. It isn't a warrantless search against some innocent guy. It's a well-supported motion against a guy who is on parole for doing lots of shitty things, which means that he was jailed, then released conditionally on him not continuing his asshat activities, and it seems that he has violated the terms of his parole.