Forgot your password?
typodupeerror
Privacy Google Your Rights Online

FBI Tries To Force Google To Unlock User's Android Phone 385

Posted by samzenpus
from the open-says-me dept.
Trailrunner7 writes "Those multi-gesture passcode locks on Android phones that give users (and their spouses) fits apparently present quite a challenge for the FBI as well. Frustrated by a swipe passcode on the seized phone of an alleged gang leader, FBI officials have requested a search warrant that would force Google to 'provide law enforcement with any and all means of gaining access, including login and password information, password reset, and/or manufacturer default code ("PUK"), in order to obtain the complete contents of the memory of cellular telephone.' The request is part of a case involving an alleged gang leader and human trafficker named Dante Dears in California. Dears served several years in prison for his role in founding a gang in California called PhD, and upon his release he went back to his activities with the gang, according to the FBI's affidavit."
This discussion has been archived. No new comments can be posted.

FBI Tries To Force Google To Unlock User's Android Phone

Comments Filter:
  • Ars Technica Lnk (Score:5, Informative)

    by DarkHelmet (120004) <[mark] [at] [seventhcycle.net]> on Wednesday March 14, 2012 @08:07PM (#39359355) Homepage

    http://arstechnica.com/tech-policy/news/2012/03/fbi-stumped-by-pimps-androids-pattern-lock-serves-warrant-on-google.ars [arstechnica.com]

    The one thing I found amusing about the whole thing is that PhD supposedly stood for "Pimpin' Hoes Daily". Then I read this:

    Her $500 a night went straight to Dears, though, who "took care of her" in his own special way. As San Diego's Union Tribune reported, Dears found out the woman had spoken to a man who wanted to help her get off the streets. So Dears "beat her up in the back seat of his Cadillac and then forced her to get into the car's trunk, she testified. While in the trunk, she was driven from East Main Street in El Cajon to Hotel Circle in Mission Valley, she testified."

    Major league asshole. I hope he gets the book thrown at him.

  • Hashes (Score:4, Informative)

    by hilather (1079603) on Wednesday March 14, 2012 @08:13PM (#39359421)
    If his credentials are being properly stored as SHA2 hashes, I don't think Google could comply with this anyways. This is the whole point in using hashes over encryption.
  • Re:Ars Technica Lnk (Score:5, Informative)

    by oakgrove (845019) on Wednesday March 14, 2012 @08:22PM (#39359493)
    When you try and fail to unlock an Android device enough times and fail it just asks for your gmail password. I doubt Google will do anything more than give them that which would be pretty worthless against any other Android phone.
  • Brute force? (Score:5, Informative)

    by subreality (157447) on Wednesday March 14, 2012 @08:28PM (#39359539)

    I'm surprised the FBI can't just dump the flash and brute force it. There are only about 100,000 possible patterns.

  • Re:Ars Technica Lnk (Score:5, Informative)

    by EdIII (1114411) on Wednesday March 14, 2012 @08:30PM (#39359561)

    It should not be that much of a problem for Google then.

    There lawyers could just have fun with it. A nice lunch with some IT guys and a hour or so later you have a well written response with supporting documentation on why the FBI are complete technology retards.

    They could have a few pages on how PUK and SIM actually work, and even being helpful, list contact information for the manufacturers.

    Judge would just love reading that the FBI was wasting the courts time because they could not even figure out who to serve a warrant to. :)

  • Re:Hashes (Score:5, Informative)

    by Americano (920576) on Wednesday March 14, 2012 @08:34PM (#39359583)

    However, the limitation could be the delay/lock after some unsuccessful tries

    That's exactly what happened [arstechnica.com]:

    Technicians apparently mis-entered the pattern enough times to lock the phone, which could only be unlocked using the phone owner's Google account credentials.

  • Re:Ars Technica Lnk (Score:5, Informative)

    by cpu6502 (1960974) on Wednesday March 14, 2012 @08:43PM (#39359655)

    It doesn't look like the warrant was issued yet. The judge may turn it down, or severely limit its scope (only require Google to provide the passgesture, if they have it).

  • Re:Ars Technica Lnk (Score:5, Informative)

    by Anonymous Coward on Wednesday March 14, 2012 @08:49PM (#39359693)

    The PUK is also unnecessary since it's only used to unlock the phone's SIM card (and hence it's contacts.) If you fail too many times it self-destructs.

    The Wireless provider knows the PUK as it's based on the serial number of the sim card, so Google certainly wouldn't have it.

    Text messages are bit of a "maybe yes", while they are transmitted through the carrier, for billing purposes, the carrier has no way of reading them unless they've been stored. Having worked for AT&T, their customer service software, and all the support software doesn't let you read text messages, but it does let you send text messages anonymously to phones. If you're a technical staffer who can manually provision phones, you may have access to the SMS in-transit, but I don't think they're stored unless the FBI has been requiring it.

    The actual storage of SMS messages are on the phone/SIM if not deleted. It largely depends on what the phone's software is setup to do. On early Motorola and Nokia phones, all the contacts were stored on the SIM card, but on later models (post 2005) they are stored in the phone memory by default.

    So there's no need to get the SIM card PUK, It's just the easiest way to bypass the PIN password. If you remove the sim card and replace it with another one without a PIN, it will give you access to the phone and all it's data anyway. Depending on the device, you may have better luck simply syncing the device to a computer.

    As for what you can do with a stolen/lost phone, not a hell of a lot. If you're looking to wipe it so you can keep it, it's much easier to do that, than to use it for identity theft. As a golden rule, I never "save my password" on any device. I'd rather a lost device be wiped than someone using the data for nefarious purposes.

  • Re:Ars Technica Lnk (Score:3, Informative)

    by Anonymous Coward on Wednesday March 14, 2012 @09:09PM (#39359845)

    Resetting the gmail password won't help if the phone is locked. The phone still needs the old password to unlock it.

  • Re:Ars Technica Lnk (Score:2, Informative)

    by Anonymous Coward on Wednesday March 14, 2012 @09:15PM (#39359889)

    To use google (ldap) directory sync with google apps, you need to use unsalted SHA1, or cleartext passwords in the directory you wish to sync.

    So, maybe? maybe not.

    BTW, windows does _not_ use salted passwords, that is why it is so fast/easy to crack windows passwords-- since you _can_ use precomputed hashes in a rainbow table, unlike pretty much any other OS.

    Also, windows has an option to use reversible passwords in AD.

  • Re:Ars Technica Lnk (Score:4, Informative)

    by Obfuscant (592200) on Wednesday March 14, 2012 @09:36PM (#39360025)

    "Asshole"? Really? My limited understanding is that he is an innocent person until found otherwise, no?

    No. He's either guilty or not. He cannot be innocent today and then guilty tomorrow for something he did last week.

    The legal system is required to treat him as not until proven otherwise. That, however, does NOT mean that the legal system cannot get a search warrant to obtain evidence that can be used in a court to allow the court to make that determination, so even the claim "innocent until proven guilty" doesn't apply here.

    As for how the rest of the world treats him, we have no limits on calling him guilty because we aren't the legal system.

  • by dacarr (562277) on Wednesday March 14, 2012 @09:58PM (#39360169) Homepage Journal
    Picking through the details, it's pretty simple. The FBI served Google a warrant for a user.

    What they will get out of it is any information on the perpetrator that Google has in their control - so Gmail, Picasa, anything on their servers. This is what a warrant does, and any content provider such as Google will have this in their TOS.

    What they *might* get is a replacement account password to access the phone. That's unclear to me. It's in that respect that I don't know how Google will proceed.

    What they will NOT get, however, are unlocks, text messages (unless he backs those up into his Gmail account), device passwords, device unlock patterns, or anything that would be used to unlock the device. That's all up to the mobile carrier or (possibly) the device manufacturer - not Google.

    And for those who think Google made the device, no, they didn't. Somebody else did. May have been Motorola, LG, HTC, or Samsung, just to name the big four phone makers who put out Android off the top of my head. Google's support ends at the operating system development level, and whatever they have on their network. Demanding of Google whatever's on the mobile network or the device unto itself is like demanding an Amtrak schedule of Pepsico.

  • Re:Wha??? (Score:2, Informative)

    by lsolano (398432) on Wednesday March 14, 2012 @10:20PM (#39360273)

    This is not a technical case. It's a legal one.

    They want to be able to hack the phone the "legally", so the alleged proof can be use in court.

  • by stanlyb (1839382) on Wednesday March 14, 2012 @10:20PM (#39360275)
    It is useless to argue with people that cite statistic in order to imply fact. What is wrong in his post, and partially yours, is that you say "black people are 8 times more likely to.....". Do you see where is the problem? Let me try another way: "......if you go in your backyard, the probability that you will see dinosaur is 50%. Because you will either see it, or not see it....."
    But the FACT is that you don't have dino in your backyards, and you will never have, no matter what the "fact", i mean statistic says.
    The same with all these "...8 times more likely....", and then you put in a row 1 black and 1 white, and everybody would be convinced that it was the black guy. Oh, never mind, who am i to argue with the facts.
  • Re:Ars Technica Lnk (Score:5, Informative)

    by swillden (191260) <shawn-ds@willden.org> on Wednesday March 14, 2012 @11:44PM (#39360747) Homepage Journal

    To use google (ldap) directory sync with google apps, you need to use unsalted SHA1, or cleartext passwords in the directory you wish to sync.

    That doesn't mean Google stores unsalted hashes or cleartext, it just means that whatever Google stores is computable from those.

    (Disclaimer: I work for Google, on security stuff, but I don't know anything about how user passwords are stored. I will say that storing unsalted hashes or cleartext would be very out of character for Google. Google tends towards great caution when it comes to security, and employs a lot of serious security experts and cryptographers.)

  • Re:Wha??? (Score:4, Informative)

    by Shavano (2541114) on Wednesday March 14, 2012 @11:59PM (#39360819)

    No, the story says the phone in question is a seized phone. It's evidence in their possession. They just can't read it.

  • Re:Wha??? (Score:4, Informative)

    by CharlyFoxtrot (1607527) on Thursday March 15, 2012 @02:16AM (#39361425)

    Why they were even bothering with the unlock screen rather than just slurping up all the data on the phone with a UFED [forensicswiki.org] is beyond me.

    Because cops are idiots and the only reason the system works is because criminals are usually even dumber ?

  • by mattie_p (2512046) on Thursday March 15, 2012 @02:38AM (#39361499)
    Considering the dinosaur clade includes birds, there is almost certainly a dinosaur in your backyard, if you have a backyard. The odds of seeing one would depend upon your eyesight, if you have a dinosaur feeder, if you have binoculars, day vs. night, etc. But I think we could use 50% as a nice estimate for daylight hours.
  • by toadlife (301863) on Thursday March 15, 2012 @03:02AM (#39361575) Journal

    1) Flash a rooted kernel and CWM recovery with ODIN (all Samsung phones allow this)
    2) boot into recovery
    3) connect to the phone using ADB
    4) Using sqlite, update the settings database and disable security

    You're welcome.

  • Re:Wha??? (Score:4, Informative)

    by YeeHaW_Jelte (451855) on Thursday March 15, 2012 @04:43AM (#39361879) Homepage

    Because according to the link you provided Android support is not included on this UFED thingy?

  • by hairyfeet (841228) <bassbeast1968@NOsPAM.gmail.com> on Thursday March 15, 2012 @10:03AM (#39363393) Journal

    I used to think that the whole "stay the fuck away from black women" by black men was bullshit...until i spent nearly two years playing in a black band as the only white guy. in fact the singer used to diffuse tense situations when we'd first go into a black club by saying "Haven't you people heard of affirmative action? this is our token white boy!", but not a single one of them would EVER so much as speak to a black woman, much less date one. One night at the club I just flat out asked "Why? there are plenty of seriously hot women in this club, why wouldn't you even speak to them?" and finally Charles the singer said "Go try it, and see for yourself". i did and fuuuuuck, talk about queen bitches of the western world! they make it VERY fucking clear they look at you as nothing but a walking wallet, really don't give a fuck WHAT you think, and are more fucking bossy than a damned dominatrix. When I went back to Charles they were all snickering at the thousand yard stare I had on and I was all "Holy shit, not if they was the last fucking females on the face of God's green earth would i put up with that much domination!"

    So I can see why black men completely avoid black women and won't stay with one, I wouldn't have one on a bet! I've dated White, Asian, Latino, and my current GF is Cherokee and I have NEVER seen women that are so damned emasculating as the black. I even thought "Maybe its just a fluke, i'll try the next state over when we play there on sat" and nope, not a fluke, being a ball breaking superbitch is pretty much SOP for the black female, and talk about racist! There are many of them that made it quite clear they look at any race other than black as beneath them, which is of course ironic as hell as the black males don't want a damned thing to do with them on account of their ballbusting. No wonder in cities like Atlanta there is less than 2 black men for every 10 black women, because the black men that actually want to keep a pair sure as hell ain't gonna go near them bitches!

  • Re:Ars Technica Lnk (Score:4, Informative)

    by darkmeridian (119044) <william@chuang.gmail@com> on Thursday March 15, 2012 @10:45AM (#39363981) Homepage

    Also, note that under the Constitution, parolees are afforded less civil liberties in return for early release. Parole officers can do a lot of stuff that would normally require a warrant. Certainly, prisoners don't have a right against search and seizure of their cells. Therefore, parolees aren't protected against illegal search and seizure of their personal property. In this case, the government has all sorts of strong corroborating evidence in support of their warrant.

    Thus, I'm not too worried about this. It isn't a warrantless search against some innocent guy. It's a well-supported motion against a guy who is on parole for doing lots of shitty things, which means that he was jailed, then released conditionally on him not continuing his asshat activities, and it seems that he has violated the terms of his parole.

Air is water with holes in it.

Working...