Canadian Citizen Gets Phone Back from Police

After 175 million failed password guesses, a judge rules that the Canadian police must return a suspect’s phone.

[Judge] Carter said the investigation can continue without the phones, and he noted that Ottawa police have made a formal request to obtain more data from Google.

“This strikes me as a potentially more fruitful avenue of investigation than using brute force to enter the phones,” he said.

Posted on January 18, 2024 at 7:02 AM • 21 Comments

Comments

Clive Robinson January 18, 2024 10:25 AM

@ ALL,

The judge is very probably right.

If you have any Google App on your phone it either grabs or builds a contact list and meta-data about the who and when of your communications.

As the longer term readers know, I’ve explained traffic analysis and why in intelligence work TA is often of more use than Message Content.

Whilst TA might not be directly enterable in Court as primary evidence unlike message content, it is usually acceptable to get warrants for others, who may have weaker passwords or will just roll over when glared at.

It’s why as a 1st Party in even a face to face communication with a 2nd Party you should assume that they will betray you to a 3rd party in a way that is admissible in Court, even for Criminal Proceedings.

Thus the reason I’ve been talking about “deniable content communications” that appear as ordinary “Plain Text” that is innocent.

Do it right and you can “betray yourself with little or no risk”.

But… Whilst that can take care of the message text, it does not of necessity work against TA which can sow doubt. To take care of TA you have to tailor your concealing plaintext to other events in various ways.

The issue is you need good OpSec skills and have no investment in the 2nd party or events being organised.

It’s interesting to note the goings on around EncroChat and how the users thought encryption was enough. They are now finding not just the encryption was broken but metadata such as places and times are being used as well.

It’s kind of hard to say you knew nothing about torture cells and worse, when your mobile phone left “bread crumbs” as to your whereabouts and comings and goings.

Avoiding leaving such bread crumbs I’ve discussed before. Unfortunately the task is getting harder and harder, but still possible.

Peter January 18, 2024 11:48 AM

Not sure it matters, they have the image so will just keep it up as the order only applies to the phones themselves. If anything it seems like a trap where the police lost the court order on purpose to “begrudgingly” give them back having tampered with them in the hopes she will log into them.

Plus what a waste of resources, how about the police quit investigating seventeen year olds sexting their boyfriends.

Clive Robinson January 18, 2024 12:17 PM

@ Peter,

“Plus what a waste of resources, how about the police quit investigating seventeen year olds sexting their boyfriends.”

Are you talking about the same case?

Because the newspaper says,

“… investigators used general password dictionaries along with specialized ones related to the man’s known interests.”

surprised January 18, 2024 12:56 PM

I’ve always assumed that most cellphones had back doors, and that both Apple and Google would give away their customers’ “private” data in a heartbeat to any government agency that asked for it. So the only “protection” on my cellphone is just 4 digits, discoverable by brute-force search in minutes. Am I wrong?

JonKnowsNothing January 18, 2024 1:15 PM

@Morley, @Not really, All

re: Can phones auto-delete after the first hundred wrong passwords?

Officially, a number of phones will perma-lock and then perma-delete information after n number of failed attempts.

Similar to how banks theoretically lock your on-line access after 3 failed password tries.

However, as some of the earlier posts indicate, there are other ways to get to the phone, both technical and Social Engineering.

  • ex: They can hand the phone back to the person. The person thinking all is well, types in the unlock code. Either a keylogger captures the sequence, or a nearby officer grabs the phone before it relocks.

The technique of getting the suspect to unlock the phone or laptop or website access has been done many times. Including breaking-and-entering to install a keylogger on a home or office laptop.

  • A team monitors the actions of the suspect. When they observe that this person has opened the locked item, one officer approaches the suspect and distracts them with an innocuous question. Another officer approaching from the off-side snatches the item and bolts. Other officers quickly detain the person.

re: I think it would be unwise to ever unlock those phones if he does get them back.

Not only not unlocking it but getting rid of it.

In previous cases, depending on the device and what may or may not be on it, the nearest trash can works. Otherwise a steam roller or concrete grinding machine (used in highway construction) would be a useful disposal method.

note: If you put something in the garbage and the can goes on the street, the content belongs to the city-county-business entity that collects it. LEAs often collect garbage from pickups. They find many useful things in it.

  • When a garbage or refuse company gets a warrant for segregated collection, they send an empty truck or one with a special compartment to the address to collect the garbage. This is taken to a secure site where the contents are dumped out. The LEAs take what they want from it. This can be an ongoing operation as the LEAs find many interesting items in the waste baskets, only the locations change.

vaadu January 18, 2024 1:50 PM

Canada doesn’t have a ‘hand over the passcode or go to jail’ law? Surprising given their recent history.

PaulBart January 18, 2024 2:13 PM

@Clive Robinson

Cops (state agents, bureaucrats, deep state) have planted guns and drugs on suspects. They have lied on warrant applications to get a judge to sign off. They have deleted files “accidentally” from other officials’ laptops and databases. I’ll leave others to review WikiLeaks to see how glorious our glorious leaders are. (BCCI bank)

There is no rule of law. Hence, on top of plausible deniability, the most important thing for a common man is to have “friends” in the right places.

Clive Robinson January 18, 2024 3:25 PM

@ vaadu,

“Canada doesn’t have a ‘hand over the passcode or go to jail’ law?”

They may not have had at the time of the alleged offence, or the suspect may already have done time in jail, we don’t know.

If you look at the newspaper article the Police have had the phones for quite a long time now (nearly a year and a quarter and they want another 2 years at least).

The article says little more of relevance to the original arrest than the suspect is a man, and that three phones were taken in Oct 2022.

Oh and consider there might be other legislation involved, such as a right to a speedy trial, and unlawful detention that are in other jurisdictions.

The Judge probably knows what the alleged photo is, and thus how long the jail sentence would be with the equivalent of “time served” and that it’s possible a prosecution would serve no practical purpose at significant cost to the tax payer.

All things we do not know, so can only guess at. Unless someone with familiarity with Canadian law, similar cases and the details so far of this case comes along and says.

Life is the most precious thing in the universe January 18, 2024 8:53 PM

“… tried about 175 million passcodes in an effort to break into the phones during the past year.”

Hmmm, phones have protection in place against brute force attacks with max attempts and exponential rise in lock time before new passwords are tried and as such the number of attempts mentioned in the article does not make sense.

JonKnowsNothing January 19, 2024 1:42 AM

@Life is the most, All

re: phones have protection in place against brute force attacks with max attempts and exponential rise in lock time before new passwords are tried and as such the number of attempts mentioned in the article does not make sense

The 175 million passcodes used in a brute force dictionary attack on the suspect’s phone are not likely being typed on the phone itself.

The phone has likely been cloned by any of the many LEA phone cloning systems. They are using the clones as guinea pigs.

They are also not likely using the full N-tries, as the LEAs have a keypad-logic interface to the secure password storage section of the phone. This is an external connection to the probably cloned version. While it doesn’t crack the password itself, it can intercept the electronic “tumblers” without triggering an attempt.

The FBI and Co have such devices and lend them to LEAs. I would guess the Canadians have similar access.

The OH? Question is:

  • Why are they claiming they didn’t get the crack done?

Jon (a different Jon) January 19, 2024 2:59 AM

A: They did get the crack done, and are trying to make people think that they can hide away their actions that way.

Ismar January 19, 2024 3:35 AM

Given the Police knew the identity of the accused, they would be much more likely to have succeeded in decrypting his communications than going for data stored on his devices.

ResearcherZero January 19, 2024 3:51 AM

@surprised

You can remotely delete the contents of a phone. Which is the general idea of securing it properly so it takes longer to back up. Nothing them coppers can do about it but moan.

Have someone who will do it for you immediately if you get pinched. You can’t have done it.

They are going to smack your head in anyway, at least ’round these parts. Get one up ’em.

Generally the cops don’t practice any better OPSEC than anyone else. According to their audits, the local state police were using 123456 as the password with no logging for years.

‘https://www.abc.net.au/news/2024-01-19/what-is-credential-stuffing-scams-how-to-prevent-and-protect/103367570

change all your saved passwords… (probably read this)

‘https://www.troyhunt.com/inside-the-massive-naz-api-credential-stuffing-list/

Rust backdoor SPICA disguised as decryption utility for PDFs

‘https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/

credential theft for the FSB — “They are involved in directly supporting Kremlin information operations.”

https://www.reuters.com/world/europe/russian-hackers-targeted-us-nuclear-scientists-2023-01-06/

Ties to the Russian internet marketing and SEO industry, technical security and Russian governmental entities.

‘https://www.nisos.com/blog/coldriver-group-report/

Use of email marketing platform services to hide true email sender addresses and obviate the need for including actor-controlled domain infrastructure in email messages.
https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/

It was more powerful than an atomic bomb.

‘https://www.abc.net.au/news/2024-01-16/lost-villages-of-tonga-after-volcano-tsunami/103228574

crumpled towers — importance of building resilience went far beyond power infrastructure

‘https://www.abc.net.au/news/2024-01-19/wa-live-blog-power-water-phone-fuel-outages-updates/103369704

https://www.abc.net.au/news/2024-01-17/nsw-victoria-canberra-tasmania-storms-summer-rain/103325940

ResearcherZero January 19, 2024 4:00 AM

The general idea of security is to keep the crooks out, even the ones in blue. But you have to practice it all the time. It’s the convenience of short cuts that catches people out.

Clive Robinson January 19, 2024 5:13 AM

@ Life is the most…, JonKnowsNothing, SpaceLifeForm, ALL,

Re : Is AI potentially a password crack solution?

“… as such the number of attempts mentioned in the article does not make sense.”

First up let’s look at the rate they are claiming in court,

They’ve had the phone for a year and a quarter so,

Days = 1.25 x 365.25 = 456.5625
Hours = 10957.5
Secs = 39447000

Call it ~39.5 million, so approximate tries per second claimed,

~175 / ~39.5 is ~4.43 / Sec.

That would suggest some form of hardware phone emulator is in use as you could easily generate and hash passwords at well over a thousand times that rate at a tiny cost[1].

But remember the approximate cost of a password halves every year for various reasons thus password protection algorithms get changed rather frequently to try to stay tight to some crack-curve[2]. This has also given rise to “split techniques” that Apple fielded on the iPhone very much to the annoyance of Law Enforcement. And the probable reason as I’ve indicated in the past the FBI and DoJ psychos tried it on with Apple and got a nasty shock when they fought back. Thus facing an adverse to their interests judgment thus precedent they “pulled the rip cord” and bailed. Leading to the not unlikely suggestion the FBI already had it tucked away as a “Get out of Jail Free” Card.

But interestingly from a wider perspective there has been a convergence on the likes of Nvidia high end graphics cards in recent time for mining some types of crypto coins and more recently building LLM AI systems[3][4].

Which raises a currently open question about,

“Can an AI algorithmic system more efficiently crack passwords?”

That is rather than “Brute Force” passwords which is inefficient, can AI algorithms be used to produce a “Super Dictionary Attack” of some form, that kind of,

“Models a known suspect’s hobbies and interests?”

As they say,

“You heard it here first!”

(Actually I’ve more or less said it before on this blog to Nicholas Weaver[5]).

But keep your eye open for papers and PhD thesis arising in the next decade 😉

[1] I’m not sure what the current “John the Ripper” password rigs do these days, they’ve been used as an approximate benchmark in the past[2],

‘https://www.openwall.com/john/

[2] Due to the now many semi-standard password hashing/protection schemes a single “benchmark” is not considered that useful any more. Also the costs involved for hardware and power are significant so people are producing “tables of costs” for rigs and power[3] against the hashing/protection algorithms,

‘https://jacobegner.blogspot.com/2020/11/password-strength-in-dollars.html

[3] It just so happens that the “mining-rigs” for certain types of crypto-coins are just as suitable for cracking some types of passwords. Further the same is true for the rigs that build LLM type AI. With the bottom dropped out of crypto-mining faux market and NFT based Web3 a blowout, the rigs in effect have second-hand or recycling value. Thus following the “Swords into ploughshares” notion some crypto rigs can be repurposed as LLM-rigs and when the LLM bubble inevitably pops they in turn could get repurposed into password cracking rigs etc[4]. Which is one of the reasons “Cloud Providers” get included in all sorts of cost tables based on crypto-mining, password-cracking and more recently LLM weights-building.

[4] Whatever the HiTech computing need is these days outside of “Quantum” it appears Nvidia will have a Graphics Chip to answer it. Hence my comments in the recent past about keeping an eye on them as barometer on both where interesting “popcorn bowl” stuff is happening and especially in the VC bubble markets for unwise investors to get fleeced.

I’m absolutely not suggesting in any way people invest in shares etc, but a quoted investment tactic is secondary investing where you invest in the suppliers to those building bubbles and other new or faux markets. Thus Nvidia has been a “weather eye” barometer for a while now and can indicate when bubbles are inflating and start to deflate.

[5] Actually I’ve suggested something similar and had an argument on this blog about it.

It goes back to Stuxnet and siblings from the NSA. To stop people like AV and security firms getting at their payload code they in effect encrypted it. To hide the key the decryption program used some value in the Windows Registry…

Many people pointed out the “Brute Force” impossibility, I pointed out that there were only around a billion Windows PCs… So as AV software “Phoned Home” getting all the known Win registry keys would make the issue way way simpler thus tractable. That is run a “Super Dictionary” plaintext attack.
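The rate calculation in the comment above, carried one step further as an added example (this is not Clive’s or the blog’s code): it reproduces the 39.4 million seconds and ~4.4 guesses/s, then asks how many guesses an on-device lockout with escalating delays would have permitted in the same year and a quarter. The lockout schedule and the two-second entry time are constructed assumptions for illustration, not any vendor’s real policy.

```python
"""Added example: what "175 million guesses in a year and a quarter" implies.

Two points from the thread are worked through:
  1. the average guess rate those figures imply;
  2. how many guesses an on-device lockout with escalating delays would
     allow in the same period.  The delay schedule below is a constructed,
     hypothetical policy for illustration, not any vendor's real schedule.
"""

SECONDS_PER_DAY = 86_400
DAYS_PER_YEAR = 365.25

# Constructed lockout policy: consecutive failures so far -> seconds the
# device refuses input before accepting the next guess.  Counts beyond the
# last key reuse FINAL_DELAY.  None of these values come from a real device.
HYPOTHETICAL_LOCKOUT = {
    0: 0, 1: 0, 2: 0, 3: 0, 4: 0,          # first five guesses: no delay
    5: 60, 6: 5 * 60, 7: 15 * 60, 8: 60 * 60,
}
FINAL_DELAY = 60 * 60                      # one hour per guess thereafter
ENTRY_TIME = 2.0                           # assumed seconds to enter a guess


def elapsed_seconds(years: float) -> float:
    """Seconds in `years` years (365.25-day years, as in the comment)."""
    return years * DAYS_PER_YEAR * SECONDS_PER_DAY


def implied_rate(guesses: int, years: float) -> float:
    """Average guesses per second needed to make `guesses` in `years`."""
    return guesses / elapsed_seconds(years)


def lockout_delay(failures: int) -> int:
    """Delay the constructed policy imposes after `failures` wrong guesses."""
    return HYPOTHETICAL_LOCKOUT.get(failures, FINAL_DELAY)


def on_device_guesses(years: float) -> int:
    """Guesses that fit in `years` when every one is typed into the device."""
    budget = elapsed_seconds(years)
    failures = 0
    while lockout_delay(failures) + ENTRY_TIME <= budget:
        budget -= lockout_delay(failures) + ENTRY_TIME
        failures += 1
    return failures


def offline_multiplier(claimed: int, years: float) -> float:
    """How many times more guesses were claimed than the device would accept."""
    return claimed / on_device_guesses(years)


if __name__ == "__main__":
    YEARS, CLAIMED = 1.25, 175_000_000
    print(f"elapsed seconds:   {elapsed_seconds(YEARS):,.0f}")
    print(f"implied rate:      {implied_rate(CLAIMED, YEARS):.2f} guesses/s")
    print(f"on-device cap:     {on_device_guesses(YEARS):,} guesses")
    print(f"claimed/on-device: {offline_multiplier(CLAIMED, YEARS):,.0f}x")
```

Under the constructed policy the device itself would accept only about eleven thousand guesses in the period, four orders of magnitude short of the claimed figure, which is the quantitative form of the thread’s point that the guessing must have been run against an image or emulator rather than typed into the handset.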

Clive Robinson January 19, 2024 7:59 AM

@ ResearcherZero, ALL,

Re : More than short cuts.

“It’s the convenience of short cuts that catches people out.”

Whilst we get told “short cuts” they are just part of the problem otherwise scripts and other work automation would be more secure.

It’s actually the slightly mad sounding,

“It’s the convenience of convenience mistaken as smart thinking”

Remember those impossible to understand “C Smart statements” where programmers who thought they were smart would try to do in a single terse statement, what should have been done in a “well found” block[1].

The excuse was along the lines of the resulting executable was smaller or faster and so you were getting more from the hardware… It was mostly untrue, it was in part “ego food” but also “self protection”.

The theory was if you were the only person who could do “essential things” that made you “essential” thus stopped the “Hands in bucket” principle being applied to you.

There was a lot of it around “Microsoft Foundation Class”(MFC). It was clear from reversing Microsoft code that they had secret entry points, that gave their applications advantages in the 1990’s. So other code developers went digging to find their own. But also those with MFC experience mainly would not help others, almost in emulation of work practices in the Far East where “Knowledge was power” so keeping knowledge secret gave you power…

One of the good things about the FOSS movement was it broke this nonsense as a mainstream activity, especially as the hardware resources became more powerful. Whilst MFC still lurks, people tend to use it correctly and the information to do this has oozed into the public domain.

I seem to remember there were a couple of guys who wrote up about similar “blind spots” and turned it into an academic study as well as a catch phrase…

[1] Yes I’ve been guilty of this but for almost entirely malevolent self protection reasons oh around four decades ago before there were certain legislative changes… It was not just impenetrable statements, it was spaghettified[2], and I also made all names of variables and macros and functions meaningless and had no comments that were anything useful, in fact more misdirections… Why because I was “contracting” and even though they had signed various agreements, I knew they were not going to stick to them. So I made the source only understandable by a compiler. Note the singular “a compiler”, I supplied the compiler as well and as x86 has redundant instructions that do the same thing, it effectively “watermarked the executable”. Surprise surprise I caught them cheating and made it known to their customers that they were unlawfully using code that had been misappropriated… Apparently it’s not just fur but teeth that can fly if you spit hard enough.

[2] As a kind of proof good ideas “come of age” and like “good men” can not be kept down. I automated much of my malevolence by writing what were the equivalent of “pre processor” scripts. That is the actual code I wrote was mostly clear using sensible names and helpful comments. What the customer got had been through my pre processor scripts… For instance macros and functions can be dealt with in a number of ways which can become quite obscure (see some of the tricks in the Obfuscated C contest). Well someone has run with such ideas, apparently “just for fun”,

https://www.spaghettify.dev

Time Traveler of Versailles January 21, 2024 2:33 PM

Obligatory reminder about 16th century N.Am justice:

‘https://www.ymlaw.ca/news/yan-muirhead-files-claim-for-john-nuttall-and-amanda-korody-alleging-police-misconduct

ekalfwonS February 27, 2024 10:31 AM

“He denied the Crown’s application to retain the phones and ordered them returned or destroyed.”

So which one do you think the RCMP will choose given those options?
