android – Techdirt (original) (raw)
Leaked Docs Show Cellebrite Is Still Trailing Apple In The Device Security Arms Race
from the still-mostly-secure-on-the-home-front dept
Good news for phone owners. Perhaps a little less great for law enforcement, which presumably still doesn’t have the capability to crack the latest cell phones.
Not that it’s all bad news for law enforcement. Whether or not compelled password production is a constitutional violation is still an open question. Those whose phones are secured with biometrics are definitely less protected by the Constitution than those using passcodes. And, despite all the crying you might hear from officials (like, say, consecutive FBI directors), law enforcement still has plenty of options to obtain evidence that don’t involve cracking encrypted devices but rather serving warrants to service providers to obtain stuff stored in the cloud.
Cellebrite has been selling its phone-cracking tech for several years now. But it’s stuck in a one step forward, one step back loop as device makers patch exploitable flaws, including those used by purveyors of these devices.
Joseph Cox of 404 Media managed to obtain some very recent documents that apparently show the limitations of Cellebrite’s tech. The documents were leaked in April 2024, which doesn’t necessarily mean they document Cellebrite’s latest software version, but they do at least provide a fairly up-to-date snapshot of the tech’s capabilities.
For all locked iPhones able to run 17.4 or newer, the Cellebrite document says “In Research,” meaning they cannot necessarily be unlocked with Cellebrite’s tools. For previous iterations of iOS 17, stretching from 17.1 to 17.3.1, Cellebrite says it does support the iPhone XR and iPhone 11 series. Specifically, the document says Cellebrite recently added support to those models for its Supersonic BF [brute force] capability, which claims to gain access to phones quickly. But for the iPhone 12 and up running those operating systems, Cellebrite says support is “Coming soon.”
As Cox notes in his article, this means Cellebrite is capable of cracking iPhones released through the first part of 2020, but possibly only if they haven’t been updated to the latest iOS version. That’s still a significant number of phones, which means staying ahead of Cellebrite possibly means having to be an early adopter or, at the very least, ensuring the latest updates have been applied to your phone.
The same can’t be said for Android, something pretty much everyone has already known. Not only are carriers hit-and-miss when it comes to regular Android updates, the wide variety of manufacturers and models means it’s often difficult to tell which Android model is more secure (or, more accurately, less compromised). The rule of thumb, though, is that newer is better, at least in terms of crack-thwarting.
The second document shows that Cellebrite does not have blanket coverage of locked Android devices either, although it covers most of those listed. Cellebrite cannot, for example, brute force a Google Pixel 6, 7, or 8 that has been turned off to get the users’ data, according to the document. The most recent version of Android at the time of the Cellebrite documents was Android 14, released October 2023. The Pixel 6 was released in 2021.
Cellebrite has confirmed the authenticity of the leaked documents but told 404 Media that it does not completely reflect its current line of products or their capabilities. So, these should be taken with at least as large a grain of salt as Cellebrite’s statement. If these documents accurately portray Cellebrite’s offerings, one would expect the company to claim they don’t in order to keep criminals (or journalists, activists, politicians, dissidents, etc.) guessing about the current state of cracking tech.
Then there’s the fact that Cellebrite is not the only player in this market, even if it appears to be the most well-known. Competitors are presumably engaged in the same race against patches and system updates in order to provide something worth paying for to government customers.
Finally, the Israel-based company appears to have been stung a bit by the steady deluge of negative press covering phone-hacking malware purveyors like NSO Group and Candiru, both of which have been blacklisted by the US government for selling their goods to known human rights violators.
“Cellebrite does not sell to countries sanctioned by the U.S., EU, UK or Israeli governments or those on the Financial Action Task Force (FATF) blacklist. We only work with and pursue customers who we believe will act lawfully and not in a manner incompatible with privacy rights or human rights,” the email added.
Well, great, I guess. That answers a question no one asked, but as long as you’re in the news, I suppose it’s smart to get out ahead of the criticism, even if it’s still unspoken at this point.
While some in law enforcement might view this reporting as a half-empty glass where the tech they use will always be a step or two behind the efforts of device manufacturers, everyone else should see this as more than half-full. More companies and developers are putting more time and effort into ensuring the devices they sell are as secure as humanly possible. That’s a net win for everyone, even if you halfway believe the often-hysterical proclamations of government officials who think device security is the enemy of public safety.
It may not necessarily discourage device theft, but it does limit the damage done by those who steal devices. And it helps protect journalists, dissidents, activists, and political opposition leaders from abusive tech deployments just as much as it “protects” criminals from having their seized devices cracked. Non-criminals will always outnumber criminals. And that fact shouldn’t be ignored by law enforcement officials just because it makes things a bit tougher when it comes to extracting data from seized devices.
Filed Under: cellphone cracking, encryption, fbi
Companies: android, apple, cellebrite
Another Police Chief Says Phone Encryption Is A Pedophile's Best Friend
from the public-suffers-third-degree-stupidity-burns dept
More law enforcement officials are coming forward to express their dismay at Apple’s and Google’s decision to encrypt cellphones by default. And the hysteria seems to be getting worse. As was recently covered, FBI director James Comey stated that no one was above the law, while failing to realize there’s actually no law preventing Apple or Google from doing this.
The chief of the Chicago police went even further:
“Apple will become the phone of choice for the pedophile,” said John J. Escalante, chief of detectives for Chicago’s police department. “The average pedophile at this point is probably thinking, I’ve got to get an Apple phone.”
Now, Washington DC’s police chief, Cathy Lanier (who we’ve praised previously for her implementation and enforcement of a tough [on cops] citizen recording policy) is echoing Escalante’s ridiculous statement.
“This is a very bad idea,” said Cathy Lanier, chief of the Washington Metropolitan Police Department, in an interview. Smartphone communication is “going to be the preferred method of the pedophile and the criminal. We are going to lose a lot of investigative opportunities.”
First off, law enforcement rarely ever encounters encryption. These facts are borne out by the US Courts’ annual statistics on warrant requests. That they’ll encounter it more often from now on has nothing to do with the scary stories they’ve been telling to justify their collective freakout. Those criminals didn’t use it, for the most part. And if they did, it was circumvented nearly 100% of the time.
Second, implying that pedophiles are suddenly going to start buying iPhones/Androids is a non-starter. Plenty of encryption options already exist and most pedophiles and criminals already own cellphones. Police have captured plenty of criminals and pedophiles without cracking encryption. See “first off” above.
Third, and this is where the irony sets in, Lanier’s department is a big fan of encryption. From 2011:
D.C. police became one of the latest departments to adopt the practice [encrypting police radio communications] this fall. Police Chief Cathy Lanier said recently that a group of burglars who police believe were following radio communications on their smartphones pulled off more than a dozen crimes before ultimately being arrested and that drug dealers fled a laundromat after a sergeant used his radio to call in other officers — suggesting that they, too, might have been listening in.
“Whereas listeners used to be tied to stationary scanners, new technology has allowed people — and especially criminals — to listen to police communications on a smartphone from anywhere,” Lanier testified at a D.C. Council committee hearing this month. “When a potential criminal can evade capture and learn, ‘There’s an app for that,’ it’s time to change our practices.”
Journalist wondered what sort of impact this decision would have on public safety, if only certain individuals were allowed to hear as-it-happens discussions of dangerous events. All the cops could think about was the ones that got away. Now the encryption’s on the other end and the police are using both the public safety argument and counting their escaped criminals before they’ve actually escaped justice.
I guess encryption only works for the government. All others need not apply. Lanier’s statement — combined with the DCPD’s encrypted transmissions — means she only wants to encrypt the communications of the department’s “pedophiles and criminals.”
Now, going back to James Comey complaining about Apple and Google being above the law. Nothing that exists can legally prevent them from providing this encryption to their customers… at least for now. Surfing high on a wave of hysteria, former FBI Counsel Andrew Weissman has arrived to push for exactly that: new laws.
“They have created a system that is a free-for-all for criminals,” said Weissmann, a law professor at New York University. “It’s the wrong balancing act. Having court-ordered access to telephones is essential to thwart criminal acts and terrorist acts.”
Weissmann said there was little the Justice Department could do to stop the emerging policies. The companies are permitted to have encryption systems. The only way to ensure law enforcement access is for Congress to pass legislation, he said.
The answer to a move prompted by the exposure of government overreach is… more government overreach. Weissman’s horrendous idea will find some sympathetic ears in Congress, but not nearly as many as it would have found a few years ago. Any legislation prompted by law enforcement officials’ iPedophile hallucinations will be decidedly terrible and loaded with negative side effects and collateral damage.
And let’s not forget that, since the beginning of criminal activity, there have always been panics about new technology placing ne’er-do-wells ahead of pursuing flatfoots. Here’s one from 1922, pointed out by the ACLU’s Chris Soghoian:
Here’s a text version:
The automobile is a swift and powerful vehicle of recent development, which has multiplied by quantity production and taken possession of our highways in battalions, until the slower, animal-drawn vehicles, with their easily noted individuality, are rare. Constructed as covered vehicles to standard form in immense quantities, and with a capacity for speed rivaling express trains, they furnish for successful commission of crime a disguising means of silent approach and swift escape unknown in the history of the world before their advent. The question of their police control and reasonable search on highways or other public places is a serious question.
The baffling extent to which they are successfully utilised to facilitate commission of crime of all degrees, from those against morality, chastity, and decency to robbery, rape, burglary, and murder, is a matter of common knowledge. Upon that problem a condition and not a theory confronts proper administration of our criminal laws.
Law enforcement techno-panic. Dating all the way back to the “silent approach” of a 1920’s-era internal combustion engine.
Filed Under: cathy lanier, fud, phone encryption
Companies: android, google