Risk
5/14/2013
10:53 AM
50%
50%

Apple iPhone Decryption Backlog Stymies Police

Apple's waiting list to bypass security controls on latest-generation iPhone and iPad devices means months-long delays for law enforcement investigators.

10 Top Password Managers
10 Top Password Managers
(click image for slideshow)
Apple is overwhelmed by requests from law enforcement agencies to decrypt seized iPhones, and its waiting list is so long that it may take months before new requests get handled.

That revelation, first reported by CNET, was gleaned from a search warrant affidavit for a seized iPhone last summer by a federal agent who was investigating a Kentucky man on crack cocaine distribution charges.

The Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) agent, Rob Maynard, said in court documents that he'd "attempted to locate a local, state or federal law enforcement agency with the forensic capabilities to unlock" an iPhone 4S seized during the investigation, but every contacted law enforcement agency said that it "did not have the forensic capability." Apple, meanwhile, told him that the wait time for recovering data from an iPhone -- which the technology firm copied to a USB key then provided to investigators -- was approximately seven weeks, though Maynard ultimately had to wait about four months.

The ATF case highlights that technology companies, including Apple, must comply with court orders to unlock devices they build or sell. But it also revealed that Apple is somehow able to bypass the security controls built into its latest-generation devices. "That is something that I don't think most people realize," Christopher Soghoian, principal technologist with the ACLU's Speech, Privacy and Technology Project, told CNET. "Even if you turn on disk encryption with a password, these firms can and will provide the government with a way to get your data."

[ Who can you trust? Check out Microsoft Tech Support Scams: Why They Thrive. ]

Does court-ordered data retrieval infringe on people's privacy rights? "It's important to note that both cops and legislation tend to trail criminals in the adoption of new technologies," said Nick Selby, a Texas police officer and the CEO of StreetCred Software, which provides fugitive case management software to law enforcement agencies, via email. "It's important to question whether police may be going too far, but it is equally important to consider criminals' use of these technologies to abet, and in some cases actually commit, crimes."

Many judges have granted warrants to law enforcement agencies to retrieve data from -- or that's associated with -- mobile devices or their radio frequency (RF) communications. "Recent rulings encourage law enforcement to better develop their mobile device and RF chops. For example, in U.S. vs. Skinner last August, the U.S. Court of Appeals for the 6th Circuit ruled that police may track the signals emanating from wireless devices like a cellphone owned by a person," Selby said. "The fact that the court found that users do not have a reasonable expectation of privacy in the data given off by a voluntarily procured, pay as-you-go cellphone means that we can expect to see more use cases like these."

Is Apple putting cases at risk by not complying more quickly with court orders? In the ATF investigation, the attorney for the 24-year-old defendant, Mark Edmond Brown, filed a motion to suppress the evidence gathered from the defendant's iPhone, given the delay in retrieving it.

But U.S. district court judge Karen Caldwell wrote in an opinion that the ATF was "placed on a waiting list by the company" -- referring to Apple -- for what had been a court-ordered seizure, meaning it was backed by a warrant. "The court finds nothing in the record to demonstrate any evidence of bad faith or unnecessary delay in procuring assistance from Apple to unlock the phone," she wrote.

In October 2012, Brown -- a convicted felon -- pleaded guilty to possessing firearms, and according to CNET, last month pleaded guilty to a charge of conspiracy to distribute less than five kilograms of crack cocaine.

If Apple didn't unlock iPhones for law enforcement agencies in response to a court order, would police have any other options? Some police forces have been testing smartphone data dump kits to allow investigators to easily retrieve data without having to use an external lab or appeal to a device manufacturer or carrier.

But recent iOS devices appear tough to crack. For example, Russian digital forensics toolmaker Elcomsoft says its iOS Forensic Toolkit -- only sold to law enforcement agencies, intelligence agencies and professional forensic investigators -- can "acquire bit-precise images of Apple iOS devices in real time" from all iPhone, iPad and iPod Touch devices that run iOS 3, iOS 4 and iOS 5. But the iPhone 5, released last year, and which ships with iOS6, doesn't appear to be unlockable with the Elcomsoft tool.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
5/20/2013 | 3:00:13 AM
re: Apple iPhone Decryption Backlog Stymies Police
They're supporting law enforcement activities, but it seems that with the iPhone being such a common device anymore... basically, a lot of people use it, even criminals.

There's a fix for this process - store all of the user's personal data in the carrier's storage cloud instead of on the device itself. Law enforcement wouldn't even need to sieze the phone at that point to get what they need as far as call logs go.

Andrew Hornback
InformationWeek Contributor
moarsauce123
50%
50%
moarsauce123,
User Rank: Ninja
5/18/2013 | 12:38:41 PM
re: Apple iPhone Decryption Backlog Stymies Police
This is absolutely unbelievable! There is a company that as hundreds of billions of Dollars in offshore accounts and is at the same time too cheap to support law enforcement activities. Apple should be taken to court over this!
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Jamie, the darn Unicorn is back."
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] Assessing Cybersecurity Risk
[Strategic Security Report] Assessing Cybersecurity Risk
As cyber attackers become more sophisticated and enterprise defenses become more complex, many enterprises are faced with a complicated question: what is the risk of an IT security breach? This report delivers insight on how today's enterprises evaluate the risks they face. This report also offers a look at security professionals' concerns about a wide variety of threats, including cloud security, mobile security, and the Internet of Things.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.