Legaltech News: How the FBI Breaks Absolute Encryption, and How it Doesn't
The FBI has unlocked “unbreakable” mobile device encryptions before, but its success largely depended on a host of uncontrollable variables, and practices some regard as unethical.
By Rhys Dipshan
Following the November shooting at a church in Sutherland Springs, Texas, the FBI found itself facing an all-too-familiar problem: The shooter’s mobile device, a key data repository storing information that could potentially aid the agency’s investigation, was locked with an unbreakable encryption.
The problem was reminiscent of one the agency faced after the 2015 San Bernardino, California, shooting, where the gunman’s iPhone was also encrypted. The situation led to the U.S. Department of Justice seeking court orders to force Apple Inc. to hack its own device.
And this wasn’t the only time the agency has run up against absolute encryption, or locks on consumer devices that manufacturers themselves cannot readily break. In an October speech, FBI Director Christopher Wray noted that “in the first 11 months of this fiscal year alone, we were unable to access the content of more [than] 6,900—that’s six-thousand, nine-hundred—mobile devices using appropriate and available technical tools, even though we had the legal authority to do so.”
Yet while a vexing and often impossible security feature to bypass, absolute encryption does not always live up to its name. During the San Bernardino shooting investigation, the FBI ultimately dropped its case against Apple when it found a way to unlock the shooter’s phone without Apple’s help.
But breaking absolute encryption, while possible, is still no easy feat, and it often only works if several variables line up in just the right way. And even then, one needs a good amount of luck and help from potentially ethically questionable actions.
The first thing law enforcement authorities and data forensics specialists do to unlock an encrypted mobile device is fairly simple and straightforward: They try to crack the password. “A lot of times they’ll use methods for approximating different pieces of information that they are aware are connected to you,” said Brandon Daniels, president of ExigerTech and Global Head of Analytics at Exiger. These can be “different combinations of strings, so your birthday, or your child’s birthday or your mother’s middle name, etc.”
These attempts constitute “brute force attacks,” a basic trial-and-error method that oftentimes will be automated by the use of modern tools, which allows parties to try large volumes of passwords in a short time.
But technology companies like Apple and Google are well aware of brute force attacks and have installed safeguards in consumer smartphones to prevent this very thing. Some of today’s mobile devices will often “put caps on the number of failed entries and lock or erase [the phone’s] data after you incorrectly interact with the system a certain number of times,” Daniels said.
Breaking this fail safe is often vital to breaking the encryption. According to The Washington Post, the FBI was able to access the San Bernardino shooter’s phone because of a then-newly discovered software vulnerability in the iPhone 5C, which allowed the agency to successfully perform brute force attacks without triggering the fail safe.
The problem, however, is that the security flaw was specific to the iPhone 5C.
“You really can’t use the San Bernardino phone an as example,” said John Simek, vice president of Sensei Enterprises Inc. “That iPhone 5C is a different structure, and methods that were available to that particular model will not work with anything other than the 5C.”
While ABC News reported that the Sutherland Springs shooter’s phone was an “Apple product,” there is no public information on make or model of the phone. But even if it’s the same type of iPhone 5C, it’s almost certain the vulnerability wouldn’t work a second time.
One of the keys to breaking absolute encryption lies not only within finding software vulnerabilities in consumer devices, but keeping such vulnerabilities secret for as long as possible.
But as law enforcement and forensics experts move to uncover security flaws to break encryption, others are uncovering them to allow tech companies to better secure their encryption.
There are many “engaging the cyber community and security specialists to conduct ethical and routine hacks on their devices and on their infrastructure on an ongoing basis to close those gaps,” Daniels said.
Software flaws are therefore almost always time-limited, and the most valuable are what many refer to as “zero day” vulnerabilities, meaning exploits that are, for now, unknown to the device’s or software’s manufacturer.
But keeping such vulnerabilities secret has raised ethical questions, not in the least because such exploits represent a threat to consumers if exploited by cyberattackers or criminals. For U.S. officials, the federal government has a process named the Vulnerabilities Equities Process (VEP), whereby they can determine whether a newly discovered, not publicly disclosed vulnerability should be disclosed. The policy was recently updated by the Trump administration in November.
Yet even if the VEP did address all ethics and security concerns, in today’s modern economy, it’s not just law enforcement authorities that are on the hunt for zero-day exploits. Over recent years, the demand for such information has become a growing business.
Simek singled out mobile device forensics and e-discovery company Cellebrite as an example, noting that it “advertises the ability to unlock and bypass iPhone in particular for a fee. It’s a one-time fee for each device, though they only sell that to law enforcement, and it’s not available to the private sector.”
He added that Cellebrite is just one of many companies that cater to law enforcement’s need for zero-day exploits, including some that will offer monetary bounties to anyone that can find a new and undiscovered vulnerability.
And there are likely to be more companies entering the field in the future. The data forensics and security industry “is pivoting toward the identification of latent cybersecurity flaws and could be an area of intense growth within government contracting,” Daniels said. “I already see this happening with some of the major consultancy firms.”
Of course, not all found vulnerabilities are necessarily useful. Even if law enforcement were to find an actionable exploit, it still may not be able to break the multiple layers of encryption or bypass a device’s authentication process.
As an example, Daniels said, consider a device that is unlocked with a fingerprint image. A vulnerability that enables one to trick the device into believing a fingerprint image is the same as one it stored internally could ostensibly be useful. But while one may now have a “key,” there could be a problem with how that key is read or accepted by the device.
“If I am not able to recreate the translation” that happens when the system authenticates the fingerprint image to unlock the device, “then that will create a failure that again will render the entire system inaccessible,” Daniels said.
The success law enforcement and data forensics teams will have cracking devices therefore depends on the nature of the vulnerability and the encryption processes within the device itself, which can vary so widely as to make each attempt an arduous feat.
And to be sure, exploiting vulnerabilities and brute force attacks may likely get even more difficult in the future. “Let’s be honest, with processors being able to absorb and to translate information at the speed they can do today, a thousand character encryption, or a million character encryption, or a billion character encryption is not outside the realm of the possible,” Daniels said.
“In the near future, not even quantum computers could get through those permutations in a few weeks, let alone a few years.”
So for now, while law enforcement can rely on some difficult but proven methods, they still have to reckon with an all too intimidating truth: Absolute encryption may not be absolute, but it’s quickly getting there.
Rhys Dipshan CT-born, New York-based legal tech reporter covering everything from in-house technology disruption to privacy trends, blockchain, AI, cybersecurity, and ghosts-in-the-machine. Continually waiting for law to catch up with tech. (It’s like waiting for Godot, but without the clowns)
Brandon Daniels is President of ExigerTech and Global Head of Analytics. He leads Exiger’s Technology Division and Analytics Practice, overseeing the execution of data-driven solutions in the firm’s regulatory and financial crime compliance efforts.
Reprinted with permission from the November 16, 2017 edition of Legaltech News. © 2017 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382 or firstname.lastname@example.org. #010-11-17-03