6 workarounds for accessing encrypted devices
A pair of cybersecurity experts have published an essay that discusses the practical, technological and legal implications of encryption workarounds.
The story of Syed Farook’s iPhone is a perfect illustration of both the power of encryption on personal devices and the government’s frustration with such security when it hinders an investigation.
In the wake of the 2015 San Bernardino, Calif., shootings, investigators wanted access to Farook’s iPhone. The phone was encrypted; the FBI asked Apple to write software to give it access, and Apple refused to comply. What ensued was a long battle that played out in courts and in public. In the end, the government allegedly paid $1 million to a third party to have the phone unlocked.
Access to encrypted information need not always be as difficult or expensive for investigators, however. Two cybersecurity experts have published an essay that discusses the practical, technological and legal implications of six encryption workarounds.
“Encryption raises a challenge for criminal investigators,” wrote Orin S. Kerr, director of the Cybersecurity Law Initiative at George Washington University Law School, and Bruce Schneier, fellow at Harvard University’s Berkman Klein Center for Internet & Society and CTO at Resilient. When law enforcement attempts to access encrypted data, only ciphertext or scrambled information can be seen, which is useless unless it can be decrypted. “For government investigators,” Kerr and Schneier wrote, “encryption adds an extra step: They must figure out a way to access the plaintext form of a suspect’s encrypted data.”
The following workarounds have been used by investigators since messages have been encrypted – back to the time of Elizabeth I when decoded private letters revealed an assassination plot. Today, because encryption is so widespread, investigators come across it in routine cases, making ways to bypass encryption especially timely and relevant.
1. Find the key. The most obvious of the six ways to get around encryption is finding the passwords, passcodes or passphrases required to get into a device. The key might be written down somewhere or stored on an accessible device.
2. Guess the key. Although encryption keys themselves are long and random, the passwords that protect them are usually easier to guess. Investigators have used a suspect’s date of birth as a password to access personal devices. Password-cracking software can try millions of passwords per second, but investigators can be limited by a device’s features that only allow a certain number of password tries before locking out the would-be user.
3. Compel the key. Merely asking, “What’s your password?” could get investigators the exact information they need, and authorities could legally compel device owners or others who know its password to provide it, the authors said. Both the Fourth and Fifth Amendments provide the device owners with some protection, but “considerable ambiguity remains about how much of a burden [these Amendments] impose” on investigators.
4. Exploit a flaw in the encryption scheme. This workaround requires finding a flaw in the encryption and using that weakness to gain access to the device. This technique, commonly used by hackers, “is analogous to breaking into a locked car by breaking a window instead of picking the lock,” the researchers said. The FBI likely gained access to the San Bernardino shooter’s phone this way, the authors said. The company helping the FBI may have found a flaw in an auto-erase function used on the phone to make it harder to guess passwords. “This approach relied on two workarounds in tandem: First, exploit the flaw; second, guess the key,” they said.
5. Access plaintext when the device is in use. This workaround requires accessing a device while it is in use and its data has been decrypted, such as when a suspect using a device is arrested before the phone or computer can be shut down. Gaining remote access “is much more complicated than physically seizing the machine,” the two said. “First, hacking will require the government to have figured out a technical means to gain remote access to the device. Second, government hacking can raise complex legal questions under the Fourth Amendment and other laws. Dozens of federal courts are currently considering the legality.”
6. Locate a plaintext copy. Can’t get into the device? Find the information somewhere else. The information that investigators are looking for likely exists in an unencrypted version somewhere, Kerr and Schneier suggested; cloud copies are increasingly common. In the San Bernardino case, investigators were able to get iCloud backups of the shooter’s phone. The information was six weeks out of date – which is why the FBI paid for the workaround – but it still provided insight.