Original URL: http://www.theregister.co.uk/2009/08/21/locked_down_phones/

Handset makers, the criminal's friend

See no evil, speak no evil

By Bill Ray

Posted in Mobile, 21st August 2009 18:37 GMT

Last month the United Arab Emirates mobile operator Etisalat tried to sneak malware onto customers' BlackBerry handsets. But what pushed an operator to try such an underhand trick, and do so in such an inept manner?

The snooping software was pushed out as an upgrade, authorised by the operator but almost certainly at the behest of the local government. In reality the package was designed to intercept email communications of selected individuals, but didn't work very well and was rather poorly written.

While inept, the attempt serves to highlight the challenge facing law enforcement around the world: manufacturers aren't interested in helping police recover data from criminals, or bodies, data that can be that can be protected by something as complex as the encryption used on the BlackBerry or something as simple as a handset locked with a PIN.

Users can, of course, lock their SIMs too: but the SIM is owned by the network operator, and can be unlocked using a PIN Unlock Code - or PUK - supplied by that operator. In the UK a fairly comprehensive system exists to allow police to extract data from network operators, with some judicial oversight and budgetary considerations that prevent fishing expeditions.

Police at the scene of a crime, or on discovering a body, will grab any mobile phones nearby for analysis, and can expect to get historical call and location information from the operator.

Silent witness

The operator will also supply the PUK code, if necessary, allowing officers to extract the SIM address book, SMS messages received and the last location in which the phone was used. But that's nothing compared to the data stored on a modern handset, which is also available to police as long as they've not switched the phone off or allowed the suspect/corpse to switch on any kind of lock.

In these days when hackers are threatening to take control of everything from mobile phones to fridges, one might imagine that it would be relatively easy for the police to extract the information a handset in their possession. But you'd be sadly mistaken. Going back a few years, it was true that handsets capable of connecting to a PC yielded their contents pretty easily. Less intelligent handsets such as the Nokia 1100, 1600 and 2310 were much more difficult to open up.

Intensive work has now switched that around, with the better-equipped terminals now being much more secure as the mobile forensics industry has prised open the secrets of the dumb handsets.

And "prised open" is the right term - none of this work has been supported by the manufacturers who have no motivation to help the law enforcement community or their subcontractors. The recent case accusing West Yorkshire police of copyright theft would not have happened if Nokia and friends had shared the codes in the first place.

The data in question had been reverse engineered by Forensic Telecommunications Services (FTS), at its expense. FTS claims West Yorkshire coppers neglected to repeat this work - but why should the UK taxpayer be paying anyone to reverse engineer mobile-phone security when the data is sitting around in Finland?

Don't care to share

Network operators probably wouldn't share if they weren't legally obliged to, and compensated for their costs. But while a network operator will be subject to national laws, a handset manufacturer will likely be located outside such a jurisdiction.

International agreements cover national security issues, and you can be sure that the more secret services have tools at their disposal. But that's no use to a cop trying to work out the identity of the corpse he is putting into the body bag.

The manufacturers don't want to share security models, or codes, for fear that once shared they're unlikely to stay secret for long. Miscreants getting hold of such codes might be bad publicity, for starters. But manufacturers are even more worried about what their competitors will think.

There are no standards for device security. One handset might yield to simple command, while another will stay secure against any attack: legally authorized or otherwise. The industry is very reticent to talk about specific models, but we understand that the police Phone Examination Units particularly dread receiving handsets from Sony Ericsson.

A few years ago the Metropolitan Police tried to set up a working group with the manufacturers, to define some common-access standards that would allow legitimate law enforcement access to mobile-phone handsets. With no motivation and no legal threats to make against them, the manufacturers saw no advantage in taking part and the project was stalled.

SIMs remain secure, within a legal framework that allows law enforcement to break that security. But until the same thing can be applied to mobile phones, the manufacturers will create more secure systems. The UK taxpayer, meanwhile, will continue to fund police forces and private companies in order to break that security, to the enormous frustration of everyone involved.®