Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/30/2019
10:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
0%
100%

Hacking Phones: How Law Enforcement Is Saving Privacy

It's no longer true that society must choose to either weaken everybody's privacy or let criminals run rampant.

As a staunch privacy advocate, I am excited that law enforcement now has access to tools to decrypt locked smartphones! But, wait! Isn't that the opposite of privacy? Well, no, if you consider the bigger picture.

There is a battle raging right now with many governments wanting to broadly undermine privacy by weakening allowable algorithms so they can decrypt communication messages over networks and undermine device protections. The primary justification for this has been to track down terrorists and prosecute criminals. Governments contend that without any other means, bad people would be able to communicate and do illicit activities without law enforcement able to gather necessary evidence. The downside is that all people, including the innocent, would be surrendering their privacy and greatly weakening the security of everyday information.

Many people, including political representatives, are openly maneuvering to enact such laws, which, in my opinion, would weaken everybody's privacy because all communications could remotely be captured, analyzed, and stored. Additionally, purposely weakening encryption algorithms would undermine the necessary digital security controls that protect our personal, financial, health, employment, and intellectual property. We all need the best security on the Internet to keep cybercriminals at bay. These proposed laws are far-reaching and represent a very dangerous path to pursue as the world continues to embrace digital technology. To intentionally weaken encryption opens the door to many unintended consequences. As Ben Franklin opined: "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."

The argument by proponents of more rigid security controls is that society must choose to either to weaken everybody's privacy or let criminals run rampant. This is a false argument because there are other options. We currently have laws and checks and balances that allow law enforcement to monitor suspects when sufficient evidence has been presented and approved by the judicial branch of government. Wiretaps, search warrants, and evidence collection are a few allowances, but these are very specific powers and must be granted with oversight and accountability. We don't let police invasively surveil the entire general populace and inspect their property without due cause and approval. However, we do let them investigate individuals when probable cause is present. The key is that they investigate only those who are doing something suspicious and not infringing upon law-abiding citizens.

Tech to the Rescue
With today's technology, law enforcement has the tools to conduct pinpoint investigations and gather evidence from devices they collect during the normal investigative process. This largely invalidates the need for broadband surveillance as it restores their powers to previous limits. They can get a warrant to search and seize evidence, including bypassing locks on smartphones, to further their investigation.

Cellebrite, the infamous Israeli company that specializes in hacking hardware that can unlock smartphones, has been providing devices to law enforcement that can unlock all Android and iPhones since last year, including the latest versions, according to some reports. This allows police departments to hack into phones directly for forensic investigation, even when they are locked. In the past, for the devices that could be hacked, agencies had to send the phones directly to Cellebrite but with the new premium hardware, law enforcement agencies are able to do the work themselves, under controlled conditions. This opens up a whole new level of flexibility for criminal investigations.

This capability also has natural boundaries, which limits the potential of abuse. The agencies are vetted, so distribution is limited. The cost is somewhat prohibitive, so there will not be too many devices out there. Additionally, as a requirement from the vendor, the agency must agree to have a designated secure room where the decryption will take place. This means patrol cars won't have them and wouldn't be able to break into your phone during a traffic stop, for example.

Most importantly, the phone must be in the physical possession of the agency. This is not a tracer, bug, or surveillance capability that will remotely monitor thousands or millions of users on a continuous basis. Decryption is directly tied to a specific phone in possession by law enforcement.

We all want and have a right to privacy, but we also want law enforcement to be able to investigate suspected criminals and have the ability to gather the necessary evidence to prosecute them.

The solution is clear: Keep encryption strong for everyone but allow law enforcement officers the tools to investigate pinpoint situations — for example, where they have a suspect's phone in custody as part of a legitimate search and seizure. In doing so, we avoid unnecessarily expansive surveillance capabilities and all the problems that accompany weaker digital security for our privacy, finances, and information security. The balance of freedom, justice, and liberty must be preserved.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The Real Reasons Why the C-Suite Isn't Complying with Security."

Matthew Rosenquist is a cybersecurity strategist who actively advises global businesses, academia, and governments to identify emerging risks and opportunities.  Formerly the cybersecurity strategist for Intel Corp., he benefits from 30 years in the security field. He ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Out-of-Date and Unsupported Cloud Workloads Continue as a Common Weakness
Robert Lemos, Contributing Writer,  7/28/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4560
PUBLISHED: 2020-08-03
IBM Financial Transaction Manager 3.2.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVE-2019-4589
PUBLISHED: 2020-08-03
IBM Cognos Analytics 11.0 and 11.1 is vulnerable to privlege escalation where the "My schedules and subscriptions" page is visible and accessible to a less privileged user. IBM X-Force ID: 167449.
CVE-2020-4328
PUBLISHED: 2020-08-03
IBM Financial Transaction Manager 3.2.4 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 177839.
CVE-2020-4377
PUBLISHED: 2020-08-03
IBM Cognos Anaytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 179156.
CVE-2020-4534
PUBLISHED: 2020-08-03
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper handling of UNC paths. By scheduling a task with a specially-crafted UNC path, an attacker could exploit this vulnerability to execute arbi...