Can Google Be Forced By the FBI to Unlock Users’ Phones?

Those multi-gesture passcode locks on Android phones that give users (and their spouses) fits apparently present quite a challenge for the FBI as well. Frustrated by a swipe passcode on the seized phone of an alleged gang leader, FBI officials have requested a search warrant that would force Google to “provide law enforcement with any and all means of gaining access, including login and password information, password reset, and/or manufacturer default code (“PUK”), in order to obtain the complete contents of the memory of cellular telephone”. 

Those multi-gesture passcode locks on Android phones that give users (and their spouses) fits apparently present quite a challenge for the FBI as well. Frustrated by a swipe passcode on the seized phone of an alleged gang leader, FBI officials have requested a search warrant that would force Google to “provide law enforcement with any and all means of gaining access, including login and password information, password reset, and/or manufacturer default code (“PUK”), in order to obtain the complete contents of the memory of cellular telephone”. 

The request is part of a case involving an alleged gang leader and human trafficker named Dante Dears in California. Dears served several years in prison for his role in founding a gang in California called PhD, and upon his release he allegedly went back to his activities with the gang, according to the FBI’s affidavit. Agents conducted surveillance on Dears and found that he was using a mobile phone to allegedly communicate with prostitutes and other associates. 

Dears had denied to his parole officer that he owned a mobile phone, and in January the parole officer went to Dears’s apartment and seized the phone. The FBI subsequently served a search warrant on the parole officer and took the phone, but the bureau’s forensics investigators couldn’t get past the swipe lock on the Android handset. Once they failed enough times, the phone locked and now requires the user’s Google username and password for access. As a result, the FBI is asking that Google be forced to hand over the information to get them into the phone.

The move by the FBI to try and force Google to turn over the information–including email subscriber information, emails, text messages and Internet access data–leads to some interesting questions.

“[I]t suggests that a warrant might be enough to get Google to unlock a phone. Presumably, this is not the first time that the FBI has requested Google unlock a phone, so one would assume that the FBI would request the right kind of order. However, we do not know if Google has complied with the request. Given that an unlocked smartphone will continue to receive text messages and new emails (transmitted after the device was first seized), one could reasonably argue that the government should have to obtain a wiretap order in order to unlock the phone,” Chris Soghoian, a privacy advocate and security researcher, wrote in a blog post on the case. 

The FBI special agent who wrote the affidavit also requested that Dears not be told about the information request, however the search warrant and affidavit were not sealed.

Suggested articles

Discussion

  • Anonymous on

    The industry is already giving access or Cellebrite devices wouldn't work over 3000 models of cell phones.
  • Anonymous on

    This definitely shows how clueful our law enforcement types are - they think that Google has the cleartext of its users' passwords?  Good luck with that.  Little tip: putting in the hash that Google gives you isn't going to work so well.

     

  • Anonymous on

    Quick question - what the HELL is that document doing online?

  • Anonymous on

    Good point that the passwords are all encrypted.   But a phone hacker who knows the Samsung SGH-T679 would need to reset the settings that the screen lock be turned off.  Then all the phone call logs, TXT msg, and browser history is all available on the phone internal memory.  Photos and stuff that are stored on the sdram is easy to take out and inspect without the screen lock password swipe. 

    The criminal or his associates  by now would be deleting all the google email and other data on the servers.  Contacting google to retain a copy of those server data might be hopeful.  But google might be encrypting the email content as well as the password -- so it would take a while to crack the password to decrypt the content.

     

     

  • Anonymous on

    Since when was the swipe sequence known by Google? Isn't it stored on the phone? so you can unlock your phone when you don't have network coverage. They seem to be assuming Google has the ability to remotely unlock any Android smartphone. I doubt that.  Is the swipe to unlock feature even provided by software Google wrote or is it 3rd party?

  • Anonymous on

    I'm guessing that the FBI wants a magic backdoor past the phones security like all those hackers in Hollywood movies always have. In the real world, those just don't exist anymore.

    Here's why: 
    Backdoors will always be found, eventually. Instant Security Risk == Instant Class Action Lawsuit, major loss of reputaion, and subsequent drop in sales.

    General rule of thumb - The devices you have in your hot little hands, or house, don't have backdoors unless you installed one. Do NOT forget your passwords. (Although you might be able to regain functionality with a factory reset, but that tends to trash all your data, otherwise it would just be a backdoor.)

  • Anonymous on

    Hello... you people obviously have not read the story very well. No backdoor is needed, the original swipe sequence is not needed, and google obviously does not store it. When a user forgets his swipe sequence the phone can be unlocked with his gmail password.

    All that needs to be done is a reset of the password to the phone's corresponding gmail account. Then the FBI can login to his gmail and set a new password. After that they can unlock the phone by logging in with the gmail address and password. Simple!

    Now they have his fully unlocked phone...

    If the owner of the phone was smart, which he most likely is not, he could have just installed an application that gives him remote wipe capability. Then as soon as he knew that his phone was siezed, he could easily have rendered it useless to the law enforcement.

  • Anonymous on

    The idea here is that they want a backdoor (secondary entrance) to the phone, to be provided by Google for all future phones (kind of like a master key).  The passwords are stored on the phone.  Google doesn't store them remotely on a server and can't access them.   Its not like accessing a help desk where they store all passwords on a central server (with a administrator password).  Google doesn't know what is on a local users phone.  The back door in the software would allow access (but is also hackable by all others).  Someone was a dope for suggesting Google could just access it like a helpdesk password.  Silly!

  • Anonymous on

    thats why iPhones are better, i can set my iPhone 4 that after so many unsucessful tries of trying to unlock it, it will wipe all data on the phone, nothing will be left. lets see them try to get that data back.

  • Anonymous on

    Yeah but your iCrap was sychronized with : iTunes on your macintosh, your iCloud, your iPad, your iShit (FBI will seize your loo!), ... so many almost freely accessible copies of your data.

  • Penguintopia on

    Not the original anonymys poster, but good luck with siezing my Mac - the disk is encrypted. I wasn't silly enough to send the recovery key to Apple, nor does anyone else know my password. Good luck with that! Oh the recovery key does exist, but it too is in an encrypted place where only I know the password (on a different OS, different device).

    I have nothing to hide, but if the government wants my stuff, good luck to them.

  • Anonyllarious on

    I'm sure that you are aware that a lot of whole-disk encryptions can be circunvented.

    And if you're using FileVault 2, guess what... you're in deep shit.

  • Anonymous on

    The government works closely with various industries to ensure they can have access or a "angle" unknown to most users before a product even hits the market place. The Cellbrite device was used by Michigan police during "routine" traffic stops to download the entire contents of users smartphones, apparently the password is also retrieved and they claim this device works on over 3000 models of cell phones, so that shows there is collusion between the government and the electronic industry. The government routinely gets a copy of all new or improved electronic devices and/or appliances to get a copy of it's electronic signature for military warfare uses. It's well known Google, Yahoo and Microsoft all provide "law enforcement" web page access to users email accounts. The head of Apple's security is a ex-top NSA guy, if you think because of his new position that he's all of sudden going to start respecting users privacy over the governments terrorist paranoia? Printers have light yellow coding on the paper background to identify the serial number of the machine which can be cross referenced with purchase data the government already gets routinely from businesses and industry. The government has DNA computers at it's disposal that can brute force passwords of hundreds of random characters in length. Apple has been busted recording/uploading users iPhone location data, AddressBook Photo both had "flaws" that any app can access and upload. Webkit is worst that Flash or Java security speaking (over 70 flaws in the last update? Insane!) Apple doesn't fix flaws in previous OS X operating system versions, only in the last two in circulation and they release new paid versions on a rapid (now) annual cycle leaving million of users machines insecure and open to attack. If you walk through customs in the US, good chance your laptop will be searched and if encrypted they will ask for the password or hold you until they crack it or you crack. All cell phones (even dumb non-GPS) are tower triangle tracked and recorded at least 8 times a hour and this data is recorded. ISP's and DNS all record their data, Google tracking, recording search info, cookies of various sorts, closed devices like iOS that one can't install privacy controls, stop the tracking or at least remove the annoying advertising. The list goes on and on and on, it's the same rigged deck stacked against you. The government working closely with the industry to give users the illusion of privacy and security, but retaining various methods or means to undo that because they all are about control. Stories like this one are purposely thrown out into the public with the intention that other crooks would think "hey they FBI can't crack my swipe code" when in fact the "man" controls the whole game and always has. Your only solution for the safety of data from the government is a off line encrypted computer purchased used for cash, in a closed box metal room that's a Faraday cage, sitting upon a ledge above a kettle of molten metal that only a slight tap when bum rushed by the feds would give you a few seconds to incinerate it while they are cutting open the door with a half dozen portable grinders to get at you, drag you out and beat you to a pulp for outsmarting them.
  • Jim Davis on

    "thats why iPhones are better, i can set my iPhone 4 that after so many unsucessful tries of trying to unlock it, it will wipe all data on the phone, nothing will be left. lets see them try to get that data back."

     

    Are iPhone users seriously this ignorant about Android phones?  There are plenty of (free) apps that do this exact same thing available on Android.  Seriously, the iPhoners must be the least informed smartphone users on the planet.

  • Anonymous on

    "Thats why iPhones are better, i can set my iPhone 4 that after so many unsucessful tries of trying to unlock it, it will wipe all data on the phone, nothing will be left. lets see them try to get that data back."

    LOLOLOLOLOL...  No phone is secure.  How are you going to remote wipe your phone if it's immediately turned off and then booted up with Cellebrite UFED analyzer with no web or cell connection around?

    If you want to be secure, don't use a smartphone.  If you want to be smart, don't violate your parole.  Or maybe just don't be a pimp?

  • Anonymous on

    "thats why iPhones are better, i can set my iPhone 4 that after so many unsucessful tries of trying to unlock it, it will wipe all data on the phone, nothing will be left. lets see them try to get that data back." Actually the data remains on the SSD as they can't be securely erased like hard drives can after 7x overwrites. It's just the access to the data by the iPhone is removed, not the data itself. Any competent agency with the right device can access the data you believe to be wiped. Also they can simply demand Apple give them any information they want, including tracking data and other unknown things going on in the background that's uploaded to the "iCloud". The days of using electronic devices for anything private or secure has passed a long time ago. If you don't want anyone knowing your business, use the extreme measures outlined above or don't use it, because they are recording everything.
  • Anonymous on

    "Actually the data remains on the SSD as they can't be securely erased like hard drives can after 7x overwrites. It's just the access to the data by the iPhone is removed, not the data itself. Any competent agency with the right device can access the data you believe to be wiped."

    Actually, no.  The iPhone's data storage is encrypted using a randomly generated private key.  When you ask the iPhone to erase its data, it erases that key.  The encrypted data is still on the disk, true, but it is impossible to access without the private key (which has now been erased forever).  The entire purpose of this method of encryption was to allow the owner to instantaneously wipe his device.

    Now, if you backup your device to the cloud, then that can always be accessed.  But if you only backup to your (full-disk-encrypted) computer, then you are reasonably secure.  Of course, encryption can always be thwarted if someone can access your key or password...

  • Tinman on

    Ain't it nice to know that you live in a police state that has access to any and all information on you, public and private?  Last time I heard you were innocent until proven guilty....

  • Anonymous on

    Actually yes. The device is not "wiped" if the data remains encrypted on the SSD which can be removed from the phone, the data retrieved then brute forced to guess the password, easy or hard, depending how long/complex the password is and the resources available to those doing the brute forcing. Also device makers can simply be requested to provide a targeted "update" that will compromise a users password/machine, even remote upload their contents.
  • Anonymous on

    "Are iPhone users seriously this ignorant about Android phones?" iUsers of anything in general are seriously ignorant. You might get a small percentage of smart ones using Apple's "Pro" machines, but in general most Apple product users are very ignorant of anything other than Apple, like this dingbat who thinks erasing the password is the same as "wiping" the storage.
  • George Ronald Adkisson on

    Hidden ... you will find the uS's failure to initiate an emergency braodcast system that was suppose to include the internet as well as cell phones as targets for the alarm sound plus annoucements...instructing  individuals what to do in the particular emergency.

    Most people wonder why the (FBI) is so demanding...of everyone..and at a time anyone could easily consider society as a whole in the uS as an ill one.

    It just reminds me of the 500 dollar meals in contrast to many in the uS facing pink stuff in their sandwiches for lunch.It's like prison food in the regular school lunches...I am sure Google is experienced in handling the suggestions of the uS government agencies including Congress's head man Obama, to the point of loosing their influence as google search in China while Bing made off big!

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.