Hunting for evidence, Secret Service unlocks phone data with force or finesse
On July 20, 2014, a missing Conway, N.H., teenager walked back into her home, ending a heinous nine-month-long kidnapping ordeal.
About a week later, police arrested Nathaniel Kibby at his home and charged him with the abduction. During a warranted search, investigators confiscated several mobile devices that may have contained valuable information in the case.
But there was one smartphone they couldn't crack, a password-protected ZTE. That's when New Hampshire State Police turned to the Secret Service, which has become a go-to federal agency to help police departments with warrants to extract data from password-protected smartphones and other devices for criminal investigations.
The information on the ZTE contained "a huge piece of evidence," says Sgt. Michael Cote, a New Hampshire State Police detective. In May, Mr. Kibby pleaded guilty to kidnapping and rape, among other charges. A judge sentenced him to consecutive prison terms totaling 45 to 90 years.
As smartphones are interwoven into daily life – collecting text messages, emails, phone numbers, photos, location data, and chat logs – they can be incredibly important to criminal investigators. And since many of the phones that police confiscate are locked by passwords or contain encrypted data, law enforcement agencies are looking for new and creative ways of getting that evidence out.
While some large metropolitan police departments may have resources to hack phones themselves, the Secret Service, part of the Homeland Security Department, has become a valuable resource for law enforcement units that may not have strong enough decryption tools.
To do that work, the Secret Service has been running its Cell Phone Forensics Facility, a 10,000 sq. foot lab, in Tulsa, Okla., since 2008. Two Secret Service agents work there full time, aided by students and faculty at the University of Tulsa Cyber Corps Program. The facility trains federal agents in digital device forensics, invents its own hardware and software for parsing evidence from electronics, and uses that technology to examine 40 phones a year from police departments around the country.
When the lab received the ZTE phone in the Kibby case, it attempted to open it by connecting forensic software that is designed to exploit specific vulnerabilities in a particular device. But it was still unable to get around the phone's password.
After roughly a week, the Tulsa facility was able to take the device apart and pull the flash memory chip out to read the memory, said James Darnell, assistant to the special agent in charge at the lab. In this case, the Secret Service agents applied physical force to gain access to Kibby's ZTE.
The experts at the lab often have to get creative to crack phones. In another case, involving a password-locked Huawei H883G phone, agents bought multiple copies of the same model and practiced carefully polishing off material from the back of the device with an automated sander.
Often, agents can apply heat to phones to open them up. But Huawei built this particular model in a way that applying too much heat could damage its memory. So, agents sanded off material from the back of the Huawei H883G device to excise sexually explicit images for a case involving a different New Hampshire man.
A less damaging approach to getting into password-protected phones can often involve connecting the device to special software designed to exfiltrate data.
In one case, agents used a tool known as the Cellebrite UFED Touch Physical Boot Loader to obtain information from a Samsung Galaxy S5. The device is part of an ongoing first-degree murder case in Virginia. The product developed by Cellebrite, an Israeli firm that makes phone-cracking software, is designed to copy the phone's entire memory, Mr. Darnell said.
Typically, a device takes anywhere from a day to a month to break into, depending on whether Secret Service computer engineers need to disassemble the device and software to figure out how it was programmed.
Digital tools "simply do not go around the passwords on many phones," Darnell said.
FBI Director James Comey described the problem of law enforcement's inability to access evidence on some phones that are encrypted as "going dark," meaning agents are unable to extract data even with a warrant.
Perhaps the most high-profile example of this issue involved the iPhone used by one shooter in the 2015 San Bernardino terrorist attack. The FBI obtained a court order to compel Apple's help to open the encrypted phone. The company refused, saying its assistance could effectively weaken security for all of its customers. The FBI eventually opened the device with the help of an unidentified third party.
"Technical assistance in and of itself isn't of concern from a privacy perspective," says Gabe Rottman, deputy director of the Freedom, Security and Technology Project at the Center for Democracy and Technology.
"But to the extent that the Secret Service or the FBI or any other federal agency becomes kind of a gun-for-hire when you're talking about hacking into people's cellphones or computers or other electronic devices, it could become an issue, just as it starts to normalize that practice," Mr. Rottman adds.
But many cybersecurity experts say the Secret Service's work on phone hacking is exactly what law enforcement needs to be doing to confront the "going dark" problem.
Watering down encryption on phones is "not a good path," says Dave Aitel, a former National Security Agency research scientist who currently runs the cybersecurity firm Immunity. "The path of hacking is much nicer – from a policy perspective."
The Secret Service is adamant that it examines phones only when a judge has issued a warrant to authorities. It also does not refer to its work as "hacking" phones.
Fortunately for investigators, the data on both the ZTE and Huawei phones that Secret Service agents worked on wasn't encrypted. "If a device is using encryption at rest ... that could be problematic, especially if the implementation of the encryption is good," he said. Encryption at rest protects data while it's stored inside the device.
The agency wouldn't say how many phones it can't access data from.
When it comes to breaking into phones, it's tougher to access devices that aren't as popular as iPhones or Samsungs, according to investigators. Most forensics technology developers don't waste their time trying to find design flaws in off-brand phones, they said.
"A cheaper phone that might be less popular, it seems like it'd be easier for the vendors to get into it," says Darnell of the Secret Service phone lab. "But it's actually quite the opposite."