FBI Tries To Force Google To Unlock User's Android Phone

Trailrunner7 writes "Those multi-gesture passcode locks on Android phones that give users (and their spouses) fits apparently present quite a challenge for the FBI as well. Frustrated by a swipe passcode on the seized phone of an alleged gang leader, FBI officials have requested a search warrant that would force Google to 'provide law enforcement with any and all means of gaining access, including login and password information, password reset, and/or manufacturer default code ("PUK"), in order to obtain the complete contents of the memory of cellular telephone.' The request is part of a case involving an alleged gang leader and human trafficker named Dante Dears in California. Dears served several years in prison for his role in founding a gang in California called PhD, and upon his release he went back to his activities with the gang, according to the FBI's affidavit."

Re:Ars Technica Lnk

[yurtinus]

I wonder how much rage we'll see in the discussion on this article... Now, not that I'm a lawyer or anything, but it looks like a properly served warrant for access to a specific device. Pretty much exactly what I would expect (and want!!) law enforcement to do while investigating a crime. I suppose it remains to be seen if the information they get allows them to unlock an arbitrary Android device or just this one.

Re:Hashes

[anilg]

If this is the 9-dot pattern they are talking about, even a hash would be easy to brute force,. the worst case being 9!, but the average case being 4-6! as these are the sizes commonly chosen for phones.

However, the limitation could be the delay/lock after some unsuccessful tries. If they need to see that phone's memory, they need to maybe use a 0-day exploit that google knows of, but has not yet been fixed for that phone?

Re:Ars Technica Lnk

[billcopc]

Yes, but the problem I see is: they already had him behind bars. He was released, and he went back to being a parasitic sack of shit. This is a failure of the penal system to rehabilitate convicts, a failure of the legal system to legalize prostition, creating this black market where thugs thrive, and finally a failure of the economy for creating an environment where crime pays way better than any proper career this Dears twit could ever possibly sustain. Heck, $500 a night is more than I make as an I.T. contractor.

Re:As part of a case, okay sure, why not

[Anonymous Coward]

Former prosecuting attorney here. (Did it long enough to turn it into private sector bank). If the DA wants to drag you in court for bullshit reasons, you will be in court for bullshit reasons. I saw a guy brought up on some pretty serious drug dealing charges. The right judge signed off on everything put in front of him (had a pretty noticeable case of alzheimer's), the grand jury only sees what you want them to see. At the last minute the charges were dismissed (without prejudice) after he spent at least 6 figures on attorneys. Not one piece of evidence, but he was allegedly fucking the wife of somebody important (didn't find any evidence of that, either)

tl;dr -- you and all your fish eating friends can go fuck yourselves,

Re:Ars Technica Lnk

[Anonymous Coward]

I would hope that Google doesn't know my gmail password. I hope they use some security system that is similar to a salted one way hash. For example with Windows, the password is not known by the domain controller and it cannot be retrieved (short of doing dictionary hacks against the hashing function). I'd expect Google to be even more secure there and not have access to my password. Now, they could absolutely RESET my password. That's a different ball game than being able to produce my existing password on demand. One is scary. The other is just inevitable.

Re:Thought there was a cop device to just read pho

[silas_moeckel]

Assuming you can get all that through the usb port. Having dealt with the FBI they are in general technology challenged. My favorite was the computer forensics expert they could not get a .tgz open.

Re:Ars Technica Lnk

[interkin3tic]

So not only does he deal in human sex slavery, he also is acting as a catalyst for the FBI to erode our right to privacy a little bit more.

And both are eroding a little more of my faith in humanity.

FBI, instead of trying to get a skeleton key to all our phones, including me who has never made a woman sell herself for money, how about you just pass a law that people convicted of pimping can't have phones? No objections from me on that one... anyone else?

Re:Ars Technica Lnk

[Anonymous Coward]

Actually, yes, it is. The whole point of the prison system as it stands today is to rehabilitate criminals and release them back into society as free men. If that weren't the case, they'd never be released, and we would probably just kill them instead to save money.

As for actually rehabilitating people, it's pretty obvious the system has failed miserably. But hey, that's just what the government does. War on drugs, war on terror, apparent war on the economy; total failure has never stopped them before and it won't stop them now.

Re:Ars Technica Lnk

[Kalriath]

One question: are your private prison operators paid on a per capita basis per incarcerated person, or on a performance basis per rehabilitated person? Ours are paid per rehabilitated person. Et tu?

Re:Ars Technica Lnk

[Jah-Wren Ryel]

So not only does he deal in human sex slavery, he also is acting as a catalyst for the FBI to erode our right to privacy a little bit more.

Like they need an excuse.

FBI, instead of trying to get a skeleton key to all our phones, including me who has never made a woman sell herself for money, how about you just pass a law that people convicted of pimping can't have phones? No objections from me on that one... anyone else?

Yean I object. A phone is pretty much a requirement for anyone to find legitimate work. What you propose will make it just that much harder for criminals become former criminals - the only ones who would obey such a law are the very people you would want to have a phone.

Re:Plausible deniability...

[Kjella]

That's all well and nice, but people act on indicators not causation. To take an example I'm a male and most rapists are male and most rape victims are female. So if I happen to be walking in the same direction as a woman late at night she's got far more reason to fear that I'll drag her into the bushes and rape her than I got reason to fear that she'll drag me into the bushes and rape me. None of this has of course anything do to with causation, unless you're the kind who thinks women are "asking for it". Is it sexist or just good threat assessment? Now repeat the same with a potential mugger and a potential mugging victim, are you then a racist if you fear the black guy more than the white guy?

Of course we're all individuals, and I'm not guilty of anything because someone else who shares some physical or other characteristic with me commit crimes but you can't tell that from looking at me. Prejudice you can cure through knowledge, but what of statistical "truths"? Say you have two possible hires, practically identical resumes and interviews but you know one belongs to a group you know that's generally known to worker harder and complain less, which do you pick? Here in Norway we've had companies now pretty plainly state that they prefer Swedes for bars and restaurants and Poles for construction and industry and somehow that's not discrimination based on nationality - I guess it helps we're all white. But if someone were to say something of Somalis or Iraqis or Afghans, they'd be burned at the stake as racists.

In short my impression is that you get plenty discrimination, but only certain groups in certain situations gets to call foul and say it's racism. We're all equals but as usual some are more equal than others, the rest of us are just supposed to take it when we're being discriminated against. Why am I supposed to take blanket statements about us when I can't make the same kind of blanket statements about others? Same with our department of equality, you'd have to search long and hard to find a case where men were discriminated rather than women, sexism is another one-way street. But if you point that out it's STFU you're a white male, you got nothing to complain about - as if that wasn't the most racist, sexist remark of them all.

Re:Ars Technica Lnk

[elbonia]

What is "rubber stamped" on the warrant since it was when he was caught lying to his parole officer and violating parole? "Dears had denied to his parole officer that he owned a mobile phone, and in January the parole officer went to Dears's apartment and seized the phone."

Re:Brute force?

[swillden]

Which has always been a problem, and which is why we should be getting things right with smart phones.

Google Wallet stores the credit card number and other sensitive information in the "secure element", a special-purpose high-security chip that is separate from the main system, with its own CPU, it's own OS and it's own storage. The secure element (SE) is actually a smart card chip, which has the benefit of almost 30 years of evolution, as attacks were created and countermeasures added. Nothing is 100% secure, but smart cards are pretty darned good.

Among other things, they wrap the storage in cladding layers which are physically bonded and chemically similar, so peeling or dissolving the cladding to be able to get to the EEPROM is extremely difficult, and highly likely to destroy the EEPROM. They're also careful to expose no leads which can be used to directly manipulate the memory, etc.

There have been some minor weaknesses found in Google Wallet, which Google has fixed or is fixing, but nothing that would expose the credit card number, because it's locked securely in the SE. We are getting things right with smart phones; at least Google is. I imagine ISIS is also.

(Disclaimer: I work for Google, and have even done some work around Google Wallet, though that's not my primary job. However, everything I stated above is public knowledge, filtered through 10+ years of experience working with smart cards and SEs while at IBM.)

Re:Wha???

[MimeticLie]

I assumed that too, but it doesn't seem true in this case: [arstechnica.com]

Technicians apparently mis-entered the pattern enough times to lock the phone, which could only be unlocked using the phone owner's Google account credentials.

Why they were even bothering with the unlock screen rather than just slurping up all the data on the phone with a UFED [forensicswiki.org] is beyond me.