Falsifying Evidence on a Smart Phone

Here's a way to plant false evidence -- call records, locations, etc -- on your smart phone. I have no idea how good this will be. Presumably it will be an arms race between programs like this and programs that harvest data from your phone.

Posted on June 16, 2014 at 7:01 AM • 36 Comments


Mike the goat • June 16, 2014 7:22 AM

I guess this would only be useful if the person you are attempting to fool doesn't obtain the CDR and text records from the carrier. This could be even worse than no alibis at all (in that you'd throw a lot more suspicion on yourself once they found you went to this kind of trouble to generate one).

jockular • June 16, 2014 7:48 AM

Couldn't such tech also be used by police, political enemies, business rivals, or estranged spouses to plant false, incriminating info on one's phone?

uh, Mike • June 16, 2014 8:36 AM

I respond as with any Peeping Tom. They want a show, give them a show.

With the govt, I have to consider that they can throw me in jail, and Habeas Corpus is out of style lately. Still, there's plenty of goatse to throw up at them.

When they want your data, throw in plenty of garbage. If the NSA stays in the out-of-control state, countermeasures might include mailing burner phones along with payload and trading smartphones for a day, etc. Garbage In.

Thinking Ahead • June 16, 2014 10:42 AM

In the not too distant future, expect an app that spoofs the GPS and CDR data.

GPS would be rather simple, particularly with a rooted device. Google, Apple, et al would then have location records on their servers showing you were somewhere you were not. Law enforcement would be hard pressed to disavow this "scientific evidence" when their own experts attested to its accuracy in numerous previous court testimonies.

The user could also take a selfie and upload it to Flickr or Facebook where it is automatically geotagged, to further provide geographical evidence. In criminal and civil cases, such evidence could provide sufficient doubt to alter the outcome of a trial.

SMS transmissions would also include the spoofed GPS data stored in the CDR.

IMQ and CDR spoofing... how about an app that "shares" your SID, ESN and MIN data with other people using the same app? A co-user of "the app" would send your data with an SMS message you originated. The app would substitute your phone's data with the message. That would provide evidence your message originated from a distant location.

Carl 'SAI' Mitchell • June 16, 2014 10:46 AM

Far more disturbing is that this gives the police an easy way to plant evidence.

Creideiki • June 16, 2014 11:24 AM

Thinking Ahead: There's already been apps developed to make a phone perform actions like posting to Facebook on its own, to make it seem like you're actively using the phone when in reality you've left it somewhere while you're committing crimes in other parts of town. If you spoof the GPS, the phone company still knows where you are - with these kinds of apps, that doesn't matter, because your phone isn't with you. You want to read this paper:

P. Albano, A. Castiglione, G. Cattaneo, G. De Maio, and A. De Santis. On the construction of a false digital alibi on the Android OS. In Intelligent Networking and Collaborative Systems (INCoS), 2011 Third International Conference on, pages 685–690, December 2011.

Daniel • June 16, 2014 11:41 AM

Exactly Carl.

The issue is thus:

You control the phone while the police control the carrier.
With this program the police now control both the phone and the carrier.

That cannot end well.

Clive Robinson • June 16, 2014 11:41 AM

This just brings home yet again the message that "forensics" is not a science but the equivalent of a "Sunday Red Top" "kiss and tell expose", but with rather less integrity than you would expect from the sleaziest of scuzz ball journalists.

The fundamental assumption of much digital forensics is the user is not technically savvy. Invariably the evidence is not gathered by skilled humans who look for deceit in all evidence --as a court requires-- but, some software tool driven by a person who often has had minimal formal training in the tool and chances their way through the written and verbal evidence presentation.

To be honest I'm surprised legal representatives don't call out such expert witnesses as what they are, ill educated tool jockeys.

In the past I've been asked to assess the evidence put forward for what are civil/tribunal (employment) cases and demonstrated clearly that the supposed evidence (from the employers expert) was either false or unsupportable with a clear statement showing why (in effect calling the expert a fraud/liar). In both cases the employer lost, one chose not to present their experts opinion and had no other defence and agreed terms on the court steps, and the other employer failed to attend court at all, and had a significant judgment made against them.

The simple fact is that judges are currently ill equipped to deal with digital forensics and don't have the required training, to assess when they are being "snowed" by "Expert witnesses" that are anything but.

American Agony Auntie (AAA) • June 16, 2014 11:48 AM

First check the attestation records from the TPM in the phone, then decide if the logs are reliable. This also defends against planted evidence.

I suspect this causes angst in some readers, but it is a technical solution. Alternatives to discuss?

Creideiki • June 16, 2014 11:58 AM

To those who think that this means it's easy for the police to plant evidence on your phone:

The system works by exploiting the facts that
1) the Android security model means that a quick examination (i.e. not disassembling the phone and reading the flash memory separately) of a phone has to go through the OS information brokers ("content providers", in Android API terminology),
2) the Android OS can be modified, through e.g. CyanogenMod, and
3) the phone forensics systems currently in use do not attempt to hide their purpose.

The system is a modification to the content providers of CyanogenMod which detects the fact that a phone forensics system is accessing the phone and chooses to return false information in that case. Installing it requires overwriting the original Android OS with CyanogenMod, which is a non-trivial operation. Of course you could use it to add incriminating evidence that is only visible when the phone is connected to a forensics system, but that seems an awful lot of work for very little gain when they can just add the planted evidence manually on an unmodified phone and still claim it was there all along.

Again, please read the paper for more information.

Daniel • June 16, 2014 12:00 PM

"To be honest I'm surprised legal representatives don't call out such expert witnesses as what they are, ill educated tool jockeys."

They do but it usually doesn't do any good. The way it works in the USA is that the judge determines whether the science is any good (it is) and the two parties (prosecution and defense) agree on whether the expert is qualified to testify (he usually is). Whether he did a good job using his expertise in a specific case is a decision left up to the jury of his peers. But what do they know? Not much. The defense is in a difficult position in trying to argue that the science is good and the expert is good but he did a poor job in a specific case--it's possible but a hard row to hoe.

BTW, the "ill educated tool jockey" problem is not isolated to computer forensics. It's a problem in all cases that rely heavily on technicians such as drunk driving convictions and DNA analysis. People have a remarkable faith in the magic that emanates from technology.

Bob S. • June 16, 2014 12:13 PM

Not that long ago we were worried about script kiddies, foreign governments, foreign hackers and crackers.

Now, we are looking for ways to protect ourselves from the local PD, FBI and NSA.

But, as always the federal OZ is viewed as all powerful and invincible.

Meanwhile, some people have given up and learned to simply love big brother.

1984 • June 16, 2014 12:43 PM

I do not see the point of this research. As the owner of a phone you can do anything you want on your device once you get the right access permissions to it (usually root privileges). I see no point in making installation of forensic tools more difficult, or storing false data on the device itself. Even wiping the phone looks more challenging.

Of course, changing data stored by the service provider or modifying information stored on devices you do not have direct access to would be a more interesting threat.

Daniel • June 16, 2014 12:59 PM

First, you write "but that seems an awful lot of work for very little gain when they can just add the planted evidence manually on an unmodified phone and still claim it was there all along."

But your own paper on page 52 notes how difficult this planting of manual evidence is. So my assumption is that this modification using CyanogenMod (which is well known in the Android community) is going to simplify the process of planting false evidence considerably. Maybe I'm wrong on that score but that is certainly the impression that both the news article and your paper leave.

I have one follow-up question. Why is this being covered in the press now almost two full years after you wrote your paper? The cynical part of me wonders if the software vendors haven't already modified their forensic programs to defeat your hack.

Arclight • June 16, 2014 2:03 PM

As the previous callers have said, the main thing this would do is create a local evidence trail that may or may not conflict with the records stored by the carrier. I'm not sure if generating geotagged photos or Facebook posts that conflict with cell-tower records would be immediately useful to the phone user, although they could help create reasonable doubt in a prosecution.

They could also be used by a malicious policeman to generate probable cause on the spot, so that is a consideration.

One final thought: The photo or other smartphone-generated data might become the definitive evidence if the crime is not discovered or charged until weeks or months after, when the detailed logs of cell tower pings and such may have been summarized and deleted by the carrier.

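Several commenters above (Mike the goat, Arclight) make the same point: records planted on the handset only hold up until someone compares them with what the carrier logged. Below is an added example of that comparison, written for this page and not taken from the post or the cited paper. It reconciles a device call-log export against carrier CDRs, allowing for small clock skew, and reports records that exist on only one side. Both input formats and all phone numbers are constructed for the example; a real carrier CDR layout differs.

```python
"""Reconcile a handset's call log against carrier CDRs (added example).

Records that appear only on the device are candidates for planting or
clock manipulation; records that appear only at the carrier are candidates
for deletion on the device. Formats and numbers below are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CallRecord:
    number: str        # digits only, after normalisation
    start: datetime
    duration_s: int
    direction: str     # "in" or "out"


def normalise_number(raw: str) -> str:
    """Make '+1 (555) 010-2222' and '15550102222' compare equal."""
    digits = re.sub(r"\D", "", raw)
    # Assumption for the example: bare 10-digit numbers are NANP, prefix 1.
    return "1" + digits if len(digits) == 10 else digits


def parse_device_log(lines):
    """Constructed device export: 'ISO-8601 time,number,seconds,in|out'."""
    records = []
    for line in lines:
        ts, number, secs, direction = line.strip().split(",")
        records.append(CallRecord(normalise_number(number),
                                  datetime.fromisoformat(ts), int(secs), direction))
    return records


def parse_carrier_cdr(lines):
    """Constructed carrier CDR: 'YYYYMMDDhhmmss|MO|number|seconds' (MO=out, MT=in)."""
    records = []
    for line in lines:
        ts, kind, number, secs = line.strip().split("|")
        records.append(CallRecord(normalise_number(number),
                                  datetime.strptime(ts, "%Y%m%d%H%M%S"),
                                  int(secs), {"MO": "out", "MT": "in"}[kind]))
    return records


def reconcile(device, carrier, tolerance=timedelta(seconds=60)):
    """Greedy one-to-one match on number, direction and start time within tolerance."""
    unmatched_carrier = list(carrier)
    matched, device_only = [], []
    for d in device:
        hit = next((c for c in unmatched_carrier
                    if c.number == d.number and c.direction == d.direction
                    and abs(c.start - d.start) <= tolerance), None)
        if hit is None:
            device_only.append(d)
        else:
            unmatched_carrier.remove(hit)
            matched.append((d, hit))
    return {"matched": matched, "device_only": device_only,
            "carrier_only": unmatched_carrier}


# Constructed sample data: two genuine calls, one planted on the device
# (no carrier record), one deleted from the device (carrier record only).
DEVICE_LOG = [
    "2014-06-10T18:30:05,+1 (555) 010-2222,95,out",
    "2014-06-10T19:02:40,15550103333,12,in",      # 20 s skew vs carrier
    "2014-06-10T21:15:00,+1 555 010 4444,300,out",  # planted
]
CARRIER_CDR = [
    "20140610183005|MO|15550102222|95",
    "20140610190300|MT|15550103333|12",
    "20140610203000|MO|15550105555|45",           # deleted on device
]


def run_example():
    return reconcile(parse_device_log(DEVICE_LOG), parse_carrier_cdr(CARRIER_CDR))


if __name__ == "__main__":
    result = run_example()
    for label in ("device_only", "carrier_only"):
        for rec in result[label]:
            print(f"{label}: {rec.direction} {rec.number} at {rec.start} ({rec.duration_s}s)")
```

The tolerance window matters: handset clocks drift and carrier timestamps are taken at the switch, so an exact-time match would produce false discrepancies. A reviewer should treat a device-only record as a question to ask, not as proof of planting, since a call over Wi-Fi or a VoIP app never reaches the carrier's CDR either.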
qmc • June 16, 2014 7:54 PM

Encrypt your phone. And can we install something that triggers a wipe of the real data while returning the fake data?

rioki • June 17, 2014 2:42 AM

@1984 I think the primary point of this research is not to be a practical means to defy cellphone forensics. But the aim is to lower the trust in the forensics tools, so that they are not seen as a magic bullet by the police and the courts. It is always good when these "magic bullet" kinds of evidence (DNA, lie detector, etc.) are given a good shakedown and are shown to be fallible. The reduction of trust means that to build a case the police and prosecutor need multiple pieces of evidence that show your guilt and not just one of questionable value. The number of false convictions because of "foolproof" DNA evidence is just too high; this should not be the case with cellphones.

G Fernandes • June 17, 2014 3:04 AM

I can see just one problem with this - lying/falsifying evidence is a crime under many jurisdictions.

Refusing to co-operate, however, is not. There is no jurisdiction that I can think of under which refusing to incriminate oneself is a crime.

While there are on-going efforts to make it illegal to refuse a decryption key, there is still sufficient grey area around this particular area (and in fact, strong precedent in the physical equivalent of refusing to hand over a physical key even under warrant - the police can always break down the door) that a good lawyer will get you easily out of this kind of situation.

In a nutshell, I wouldn't recommend this kind of technique to hide one's tracks. Instead I would recommend strong encryption and anonymising software (Tor/VPN).

Clive Robinson • June 17, 2014 3:36 AM

> There is no jurisdiction that I can think of under which refusing to incriminate oneself is a crime.

I would take a closer look at the UK RIPA before making a statement like that.

Some argue the only reason this part of RIPA has not been used in anger is the previous dirty tricks the failing SFO used via the Companies Act, where it was a crime not to answer a Department of Trade Inspector's questions. The SFO used the CA to get a conviction in a very complex fraud investigation. An appeal was made to the ECHR who kicked the UK action into touch in a way that made it clear that this sort of legislation was not compatible with justice.

The ECHR finding against the UK Gov is such a regular occurrence that some rather foolish politicos use it as an argument to "pull out of Europe" meaning the EEC --as was, now EU--. The UK&NI is signed up to the EU and ECHR by two entirely separate treaties signed at different times, so pulling out of the original EEC treaty will not affect the obligation to the ECHR or other human rights legislation.

The problem is the UK no longer has real politicians who take time to ensure the legislation they bring forward is actually compatible with that which has gone before. You can argue which party started it but now both major parties have signed up to the Star Trek "Make it so Number One" style of management for law making, which is a disaster on oh so many levels that it is difficult to comprehend why the politicos do it.

Chris • June 17, 2014 3:36 AM

Hi, ok cool, I am glad I actually read it, since I thought it was just another spoofing program to spoof the Advertising companies with fake data.
This was something different; not sure how legal this kind of thing might be in different jurisdictions, however, as long as the phone is mine I at least do whatever I want with it and it's not anyone's business what I tinker with.

But yes I can see that this could be a pain in the ass for the forensics but what comes around goes around I guess; I am sure a lot more of these things will come at a higher pace now.

Regarding GPS fake data, I haven't checked if it writes to the forensic part of the phone or not, but those do exist, and they can even make it look like you are driving around etc...

ATN • June 17, 2014 3:38 AM

> Falsifying Evidence on a Smart Phone

The problem is in the title, there is no evidence whatsoever on a phone, and you agree to that because you agree to turn it on (thereby accepting the software licenses).
There is a probability of truth, only until someone decides that "truth" is important and has to be modified.

G Fernandes • June 17, 2014 4:52 AM

@Clive R:
>>I would take a closer look at the UK RIPA befor making a statment like that.

Thanks for pointing this out. Yes indeed, the UK can in many ways hardly be called a democracy anymore.

It has degenerated into a country where freedom of the press has no standing (legal or otherwise).

Both political parties, as you rightly pointed out, are more interested in self-preservation, than in standing up for what is right.

koita nehaloti • June 17, 2014 4:52 AM

RE: Write-only filesystems and public keys

Can we have a camera that uses write-only files or a write-only filesystem for storing photos? I mean it needs to have a firmware that encrypts pictures with a public key. The secret key of that public key is somewhere else. I know that at least Canon camera firmware can be replaced with custom versions. How about signing pictures with a public key, inside some special chip? Is that kind of cryptography too much for a camera's puny computer?

Also we should have laws that require all police-used locally logging GPS trackers and locally logging audio spy devices to have write-only files or filesystems to prevent unauthorized parties from stealing or falsifying that data.

Uses of locally logging GPS trackers where encryption is or may be useful include: keeping a diary of oneself's movements and a cat's movements, spying, and making a record for later study and for history books of massive military operations by attaching loggers to helmets, jeeps, tanks etc. Why cats? Logs of a targeted person's cat's in and out movement times may give knowledge that helps attacks or just helps plain old burglary to anyone.

To prevent GPS spoofing, GPS transmissions should be signed with a public key generated in the satellite while in orbit, and the private key staying in the satellite in orbit, never leaving space.

Mike the goat • June 17, 2014 5:52 AM

Koita: I believe Sandisk produced WORM SD cards, primarily at the request of a foreign police department who wanted some kind of assurance that photographic evidence collected at a crime scene could not be altered. Having a GPS device that signed its NMEA packets and then wrote them to such a card would be one option, providing that the GPS device cannot be tampered with and the keys compromised.

Gerard van Vooren • June 17, 2014 5:52 AM

@ koita nehaloti

"Can we have a camera that uses write-only files or write-only filesystem for storing photos?"

Yes. Just use an old-fashioned camera with film. The whole idea of digital cameras is that the picture is easy to manipulate, delete, spread, add metadata etc.

I still have a Nokia "classic" mobile phone. I am quite sure there is no GPS tracking here.

What I want to say is that if you don't want the side effects of a certain technology, maybe it is better to not use that technology in the first place.

June 1984 • June 17, 2014 9:02 AM

I've often wondered how long it would be till someone comes up with a small program for installation on a botnet that sends out trash/spam/fake email/calls/posts/texts containing "terrorist" keywords and phrases. The spam data wouldn't be directed at any one point, but just bounce back and forth across millions of random inboxes/numbers/sites all over the world.

This could trash up the NSA/FBI/GCHQ/etc's spy tools so as to make them more or less useless. Reduced capacity to detect real events, yes, but that's the price the .gov pays for being such a-holes about the whole illegal surveillance thing in the first place.

Mike the goat (horn equipped) • June 17, 2014 11:31 AM

Nick P: come to think of it pretty much all of the Five Eyes countries have mandatory key disclosure laws - the UK, USA and AU at the very least.

Which makes me wonder how they can *prove* the data is encrypted (assuming that there is no header or other "tells"). You may have simply cat /dev/urandom to the disk to sanitize it.

Mike the goat (horn equipped) • June 17, 2014 11:36 AM

Not aimed at Nick, but more any uninitiated wondering what these 'tells' could be - take a look at tchunt. Obviously if you are using an FDE solution the boot blocks would also be a dead giveaway. How good any plausible deniability features are is questionable.
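Mike's two comments above turn on what a "tell" actually is: a file of random-looking bytes with no recognisable header is consistent with an encrypted container, but also with a sanitised disk or compressed data. The added example below, written for this page and not taken from tchunt or any other tool, shows the kind of statistical check such tools apply: a known-magic lookup, then Shannon entropy and a chi-square test of the byte histogram against a uniform distribution. The magic numbers listed are real format signatures; the sample inputs are constructed and generated in the script.

```python
"""Classify a byte blob as known-format, structured, or random-looking (added example).

A random-looking verdict is a statistical observation, not proof of
encryption: urandom output and well-compressed data score the same way.
"""
import math
import random
from collections import Counter

# Real leading magic bytes for a few container and file formats.
KNOWN_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"\x89PNG": "png",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
    b"LUKS\xba\xbe": "luks-header",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum for a uniform byte source."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram vs. uniform (255 degrees of freedom)."""
    n = len(data)
    expected = n / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def classify(data: bytes, entropy_min=7.9, chi_max=350.0) -> str:
    """Header lookup first, then the two statistics.

    Thresholds are chosen for this example: for a uniform source and tens of
    kilobytes of input, chi-square sits near 255 with a standard deviation of
    about 23, so 350 is well outside the normal range.
    """
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return f"known-format:{name}"
    if shannon_entropy(data) >= entropy_min and chi_square(data) <= chi_max:
        return "random-looking"
    return "structured"


def constructed_samples(n: int = 65536):
    """Three constructed inputs: PRNG bytes, repeated text, and a gzip-headed blob."""
    rng = random.Random(20140617)  # fixed seed so results are reproducible
    noise = bytes(rng.getrandbits(8) for _ in range(n))
    text = (b"The quick brown fox jumps over the lazy dog. " * (n // 45 + 1))[:n]
    gz_like = b"\x1f\x8b\x08" + noise[:n - 3]
    return {"noise": noise, "text": text, "gz_like": gz_like}


if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(f"{name:8s} H={shannon_entropy(blob):.3f} chi2={chi_square(blob):8.1f} -> {classify(blob)}")
```

Note what the test cannot do: a truncated header, a non-aligned size or a volume that deliberately carries no header defeats the magic lookup, and the statistics only say "indistinguishable from random here", which is exactly why Clive's point about the burden of proof matters more than the tooling.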

Clive Robinson • June 17, 2014 2:02 PM

@ Mike the Goat,

> Which makes me wonder how they can *prove* the data is encrypted (assuming that there is no header or other "tells") You may have simply cat /dev/urandom to the disk to sanitize it.

They don't need to prove it, they only have to show reasonable suspicion; it's then up to you to show what the file is used for and that it is not in fact encrypted. If you can not show this then the suspicion becomes de facto and you have to give over the key, or pay the penalty...

It's this presumption that the burden of proof lies not with the prosecution as it traditionally does but with the defendant that makes many including the ECHR very nervous. Especially when the water mark is "beyond reasonable doubt": while this is a sensible mark for proving guilt, it is far from sensible when you are trying to prove your innocence...

Mike the goat • June 18, 2014 12:23 AM

Clive: just goes to prove that governments, when faced with something they don't like (public use of encryption tech) will either outright ban it (e.g. India) or make non-disclosure of keys a crime.

Annoyed • June 19, 2014 5:13 AM

Where does one find these "forensics tools commonly used by police departments"? I would think these would be locked up tighter than their guns and cruisers.

Anyway, as for falsifying evidence, I think in the US that can hurt more than it helps. Consider US Code Title 18, Part 1, Chapter 73:

Destruction, alteration or falsification of records

Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.

Yes you read that right, 20 years.

So the drug crime being investigated might have only got you 5 years probation but instead you got 20 years for trying to make the police believe you were calling your grandmother.

Thomas Weatherly • June 23, 2014 8:26 PM

I have two phones, one a smart phone on which I do the things I don't care if the NSA wants to spend a half million or more to break into to find not a thing sensitive. We have rooted and heavily defend.

The other phone is an antique sans any technologies which make phones easy to bug; when it's turned off it's almost really off. Carrier keeps telling me to buy a new phone, with explanations of benefits. My immediate tech buds have the same. I expect one day they stop support; it only makes phone calls. And the only encryption we use are language ciphers and codes, the latter we laboriously memorized. Ciphers you only need know the principle; they're only for temporary thwart. We memorized the code so no hard copies exist. Low tech defeats the NSA high tech; although I suppose they could torture the code out of one of us. We would first lie. And if one of us is missing, the others switch to the other code memorized. So eventually I would divulge the first and the others would exchange innocuous info with it. We do it as a hobby. So NSA you waste money and time with us.
Any smart terrorist or criminal gang already knows that low tech is safest, best transmit info in face to face, with cutouts, and each person only knows enough to do the job.

I have always known that the government, any government, spies on citizens, and new tech makes it easier.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.