FBI Can’t Crack Android Pattern-Screen Lock

A San Diego federal judge days ago approved the warrant upon a request by FBI Special Agent Jonathan Cupina. The warrant was disclosed Wednesday by security researcher Christopher Soghoian,

In a court filing, Cupina wrote: (.pdf)

Failure to gain access to the cellular telephone’s memory was caused by an electronic ‘pattern lock’ programmed into the cellular telephone. A pattern lock is a modern type of password installed on electronic devices, typically cellular telephones. To unlock the device, a user must move a finger or stylus over the keypad touch screen in a precise pattern so as to trigger the previously coded un-locking mechanism. Entering repeated incorrect patterns will cause a lock-out, requiring a Google e-mail login and password to override. Without the Google e-mail login and password, the cellular telephone’s memory can not be accessed. Obtaining this information from Google, per the issuance of this search warrant, will allow law enforcement to gain access to the contents of the memory of the cellular telephone in question.

Pattern-screen locks on Android phones are secure, apparently so much so that they have stumped the Federal Bureau of Investigation.

The bureau claims in federal court documents that forensics experts performed “multiple attempts” to access the contents of a Samsung Exhibit II handset, but failed to unlock the phone.

An Android device requires the handset’s Google e-mail address and its accompanying password to unlock the handset once too many wrong swipes are made. The bureau is seeking that information via a court-approved warrant to Google in order to unlock a suspected San Diego-area prostitution pimp’s mobile phone. (For details on the pimp investigation, check out Ars Technica‘s story on the case.)

Locking down a phone is even more important today than ever because smart phones store so much personal information. What’s more,  many states, including California, grant authorities the right to access a suspect’s mobile phone, without a warrant, upon arrest for any crime.

Forensic experts and companies in the phone-cracking space agreed that the Android passcode locks can defeat unauthorized intrusions.

“It’s not unreasonable they don’t have the capability to bypass that on a live device,” said Dan Rosenberg, a consultant at Boston-based Virtual Security Research. Leer más “FBI Can’t Crack Android Pattern-Screen Lock”

From encryption to darknets: As governments snoop, activists fight back

In Iran, they would think about jamming as a first countermeasure.

In the wake of the Occupy protest movement in cities around the world, some online activists have gathered together to create The Darknet Projectand the Free Network Foundation, two rather quixotic attempts to re-engineer mesh networking to the point that it would encircle the globe and act as a giant encrypted network.

“With an ISP, the government can tell an ISP to cut that connection,” wrote a Reddit user named pomegranati in a recent post. “With a public network, especially if all the connections are anonymous, they won’t know where something is coming from or where something is going. They can track what’s happening, but they won’t be able to shut it down unless they go to every specific node and physically shut them down. Now, if the network is encrypted, then they won’t know what’s being sent.”

The problem for activists is that, just as in the mobile world, there are also real-world attacks that can compromise physical networks.

WiFi uses the same band of energy (2.4 GHz) that microwave ovens do, so getting a few people to stand on rooftops, Say Anything-style, would probably do much to disrupt any local mesh WiFi network within a radius of tens of meters.

“If you want to jam a wireless signal, you can just put a microwave on the roof and set it to full power,” Kaplan said. “In Iran, they would think about jamming as a first countermeasure, because it’s so extremely cheap.”

Plus, if the network is designed to have new nodes join easily, then it will be just as easy to add fake nodes, and to inject fake instructions into the network, confusing traffic or causing it to come to a halt entirely.

Doing the most good

Knowing how to use much of this technology at the level of detail required to stay reasonably safe is beyond most common users. For the majority of activists, properly vetted software and hardware protection of mobile phones and Internet connections may be too expensive or too complicated to set up and maintain properly.

But for those not well-versed in security, the hope for secure communications isn’t over. Some of the most dramatic worldwide gains come when the tech behemoths that we all rely on everyday start re-thinking their own approach to privacy.

“When Google turned on SSL by default, in January 2010, in one day that company did more to protect the privacy of activists than the rest of us have done since,” Chris Soghoian concluded.

“If Google encrypted the contents of your Android phone by default, that would provide a huge protection [for] people whose phones are stolen or are seized by the police. Those are the kind of protections that we need,” he added. “All these applications that people are creating, that activists are creating, and then abandoning six months after their funding runs out—those are just a waste of time. Those are never going to go anywhere and they’re never going to be used by anyone. We need technologies that can be used by millions of consumers, without playing with configuration options.”

By  | http://arstechnica.com
The Free Network Foundation has worldwide plans
The Free Network Foundation has worldwide plans


Other projects have moved beyond mobile phones, trying to create new infrastructure that can be used by activists to spread an Internet connection across a wide area through either mesh networking or a related project spawned out of Anonymous and reddit, often referred to as a “darknet.”

For years, mesh networking projects have sprung up across the world as a way to share an Internet connection over a large geographic area. The idea is that each individual node can share data (including an Internet backhaul) with other local nodes, eventually cobbling together a much larger network.

Many community wireless projects got started in the early 2000s as a way to provide Internet access to underserved, and particularly rural communities. Since then, many have collapsed due to a corresponding rise in commercial Internet service, particularly 3G service provided via local mobile providers. Of the community WiFi networks that still operate, few are designed for encrypted, heavily secure communication. Activists instead are now trying to create community networks that are built from the ground up with security in mind.

Some have been more successful than others. Since 2003, for instance, the FunkFeuer network in Austria has worked on expanding its wireless network across many parts of the country. This past weekend, the two main hubs in Vienna and Graz were connected via a new node over the Alps, with the Graz network extending southward into neighboring Slovenia. Other similar city-scale projects exist in St. Louis, Oakland, Vancouver, Montevideo, and Athens.

“What you want to have is end-to-end encryption the whole time,” said Aaron Kaplan, one of the leaders of FunkFeuer. “If you rely on the encryption happening in between, it just takes one link to cheat on the encryption, which decrypt the packets, stores them, and then encrypts them again—like a man-in-the-middle attack.” Leer más “From encryption to darknets: As governments snoop, activists fight back”