Bypassing Phone Security through Social Engineering

This works:

Khan was arrested in mid-July 2015. Undercover police officers posing as company managers arrived at his workplace and asked to check his driver and work records, according to the source. When they disputed where he was on a particular day, he got out his iPhone and showed them the record of his work.

The undercover officers asked to see his iPhone and Khan handed it over. After that, he was arrested. British police had 30 seconds to change the password settings to keep the phone open.

Reminds me about how the FBI arrested Ross William Ulbricht:

The agents had tailed him, waiting for the 29-year-old to open his computer and enter his passwords before swooping in.

That also works.

And, yes, I understand that none of this would have worked with the already dead Syed Farook and his iPhone.

Posted on April 7, 2016 at 6:39 AM • 29 Comments

Comments

Clive RobinsonApril 7, 2016 7:00 AM

@ Bruce,

And, yes, I understand that none of this would have worked with the already dead Syed Farook and his iPhone.

And I suspect it will not work the same way again with other live suspects.

The thing about social engineering is it generaly works against those who have no knowledge of the particular attack, and generaly have no reason to be suspicious.

It works rather less well against those who are either naturaly suspicious or have reason to be suspicious.

I suspect that after the SB incident many of those under suspicion have changed their habits and will have got themselves second phones etc, thus keeping their "work phone" clean.

Further I expect the smarter ones will also now consider all Smart Phones to be insecure, after both SB and the Mexican Tunnel King.

Which all things considered is probably a good thing.

GridlockApril 7, 2016 7:13 AM

Doesn't iOS request your old passcode before allowing any changes to keycode or screen lock options? In fact I'm certain it does. Seems fishy.

GaryApril 7, 2016 7:32 AM

Just have another officer - wearing a vest cam - stand near the suspect to observe and record the unlock code.

No need to grab the phone before the arrest and charge of the suspect.
Avoids potential issues of 'seizure of property before being charged' (if that even is an issue)

PiperApril 7, 2016 7:46 AM

This may be the first case I've ever heard of where evil-doers in the real world (ie, not in movies) actually went to the trouble of photographing targets before an attack.

But even so, the article seems to indicate that the videos were for propaganda purposes, not operational. So, the War on Photography remains silly.

ianfApril 7, 2016 7:54 AM

Focus(@ gridlock), focus.

[…] “police had 30 seconds to change the password settings to keep the phone open

Apparently old password is not required within a 30 second time window after keying it in, to change it to new one (more likely it was the PIN code in the iPhone's Settings > General > Passcode Lock).

Wang-LoApril 7, 2016 12:15 PM

This is not a crypto issue, but I am very concerned that the agents asked for his phone before identifying themselves as police, that is, persons with authority to gather evidence and make arrests. In the USA that would almost certainly taint all the evidence.

AApril 7, 2016 12:19 PM

@Gridlock, @ianf

I don't know for the iPhone but on iPad (i just tested it) i cannot create a new password without enter the old one (after turning on too). IOS 9.3.1

ianfApril 7, 2016 12:47 PM


Hey! No less an expert source than the CNN wrote that up, hence must be true. Learning to live with unpalatable truths is part of attaining maturity.

micheleApril 7, 2016 1:01 PM

The 4 digit iphone passcode is very easy to shoulder surf. It happened to me. That will never happen again!

kakaaApril 7, 2016 1:34 PM

British police had 30 seconds to change the password settings to keep the phone open.
I just tested this on my iOS device:
  • After unlocking and heading to Settings > Passcode, it always asks for the old passcode, even within the first 30 seconds after unlocking. I don't see how the cops could have changed Khan's passcode without already knowing it by other means.
  • When I go to Settings > General > Auto-Lock and change it to "Never" to prevent the device from locking automatically, it doesn't ask for my passcode to change the setting, even 30 seconds after unlocking. The cops could have done this to maintain access to Khan's phone without needing to know or change the passcode. Add an external battery charger and enable airplane mode (or put it in a faraday bag) to preserve the evidence.
I don't see any 30 second time limits anywhere. Maybe that part is BS from CNN.

BobApril 7, 2016 2:16 PM

@Wang-Lo

They run sting operations and undercover work all the time in the US. What silliness are you on about?

DanApril 7, 2016 5:48 PM

Just of of curiosity, what if the phone lock screen says "By unlocking this phone, I assert that I am not a law enforcement officer and will not use any evidence on this phone against the user."? What effects would that have in a criminal investigation? What about other End-User-License-Agreements? (Although calling this a EULA is a bit of a stretch, it would probably be similar to one legally)

Saint HubertusApril 7, 2016 5:58 PM

@wang-lo, so what if the secret police taint evidence? US prosecutors are a mafia. There's no rule or law they won't break to destroy the state's designated enemies. As Judge Rakoff stated, there has been "a determination by the Department of Justice to place strategic advantage over a search for the truth."

https://www.techdirt.com/articles/20150202/11152629883/judge-resigns-forensic-science-committee-calls-out-dojs-trial-ambush-tactics.shtml

http://harpers.org/blog/2010/09/an-ethics-meltdown-at-the-justice-department/

The US judicial system has degenerated beyond the end stage of the Soviet Наркомюст.

RalphApril 8, 2016 2:34 AM

Re:

> 30 seconds to change the password settings to keep the phone open

This reminds me of an old work colleague. He got annoyed by a strictly enforced work policy that desktops locked after ten minutes idle.

So he built a little device to sit under his mouse pad and jiggle it.

The same idea, updated to touch phone screens, would seem ideal for the law enforcement people nowadays.

PiperApril 8, 2016 8:11 AM

@Dan: It sounds like you're trying to create a binding legal contract with anyone who unlocks your phone. But there are specific requirements to create a binding contract, and your scheme has none of them. I doubt it would hold up. And even if it does, breaking a contract is not illegal, it just means you can take the person to court and sue for damages. That will be little consolation while you're in prison for terrorism.

You might also be thinking of the old myth that police cannot lie. They can and do. All the time.

DanApril 8, 2016 3:59 PM

@Piper,
I wanted to see what that mean legally. I had no idea how the law would handle something like that.

"You might also be thinking of the old myth that police cannot lie. They can and do. All the time."

Of course cops can lie. Agreeing to a EULA that prohibits them from using the data on the phone as evidence is probably different. It would be a good joke if Apple or another major phone company made that their default phone lock screen.

albertApril 8, 2016 4:23 PM

@Wang-Lo,

He gave up his phone willingly; in fact, he offered it. It doesn't matter if the request came from LE or not. This sort of thing happens all the time. If LE has probable cause that a crime has been committed, they can search you. They must identify themselves in order to do so.

. .. . .. --- ....

albertApril 8, 2016 4:42 PM

@Piper,
Breaking a contract IS illegal, otherwise contracts would be worthless.
@Dan,
A TOS is often used on websites. It is considered a legal contract. There is no way to prevent LE from engaging some non- LE person to do the work, then turn it over to the them. Police obtain and use stolen evidence all the time. It's OK as long as they don't do the stealing.

I'm speaking theoretically here.
. .. . .. --- ....

PiperApril 8, 2016 10:29 PM

Well, it's illegal in the sense that the legal system is involved.

But breaking a contract is not a criminal act. You can't be arrested or thrown in jail. The government won't prosecute you for it. It's a civil matter, and it's up to the offended party to file a lawsuit against you.

Fraud, on the other hand, can be criminal. If a police officer signs a contract saying he is not law-enforcement officer when he actually is, it might be argued that he's committing some kind of fraud. But I doubt it would hold up in court.


DanApril 8, 2016 10:32 PM

@albert,
I am sure someone could design a TOS for a personal storage device in a way that is really frustrating for law enforcement. Maybe something that requires the consent of the owner to use any data...

DanApril 8, 2016 10:40 PM

@albert, @Piper,
I note that anyone doing so would probably attract attention from law enforcement. The realistic way to prevent social engineering attacks is password hierarchy(I have no idea what it is officially called): password #1 unlocks its data and the data protected by password #2, but password #2 only unlocks its own data. Use password #2 for unimportant stuff and only log in using password #1 in a protected area. Secure personal computers could also use an instant-lock button, in an easy to reach place.

Peggie O'valApril 9, 2016 5:44 AM

Generally there is something like a file system permission exploit accessible via using a recovery process to gain access to a terminal, some other exploit like hijacking remote delivery of updates and notifications, or impersonating equipment like cellular towers or hotspots. New bugs are found regularly that expose usually inaccessible interfaces given the right scenario.

Encrypting your storage devices is the only means of protecting your data, but also increasing the likeliness that it will be lost in the event of an accident. Any backups you might make also need to be kept encrypted and secured. All completely useless if your passwords were captured using a hidden camera or identified written down on paper nearby.

Perhaps they examined footage taken while searching his personal belongings and spotted a written down password they could deduct was more likely to be for his iPhone than any other device.

danApril 9, 2016 9:08 AM

@Peggie O'val,
I have an idea for securing written-down passwords: Write down a totally wrong password, but write the real password on the same piece of paper with lemon juice or some other invisible ink. if you don't forget your password that often, it won't be a big inconvenience. This scheme only works if a few people use it, so that law enforcement doesn't look for it.

LouApril 12, 2016 10:25 AM

@Dan:

Yeah, but when the trick becomes well known to all the cops, write the REAL password in ink and the WRONG password in lemon juice. ;]

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.