17 Jun 2014

Cool Android Hack Intentionally Creates False Data on Your Cell Phone to Fool Authorities

By Michael Krieger

An increasing concern amongst journalists, activists and just about anyone else who values their privacy is that a bad cop, TSA agent or other bully in a costume will commandeer your cell phone and search its contents. This isn’t just a theoretical issue either; it seems to happen quite often, and it is important enough that it went before the Supreme Court early last month. I covered this issue in my post: Can Police Search Your Cell Phone Without a Warrant? The Supreme Court is About to Decide.
I haven’t been able to figure out if there’s been a judgement in that case, so if you have any information, please post it in the comment section. Nevertheless, it appears Android hackers have decided to take matters into their own hands and have developed a new technique that purposely reprograms your phone to lie. Scientific American reported on this in the article, A Phone That Lies for You. We learn that:

Local police confiscate a suspected drug dealer’s phone—only to find that he has called his mother and no one else. Meanwhile a journalist’s phone is examined by airport security. But when officials look to see what is on it, they find that she has spent all her time at the beach. The drug dealer and the journalist are free to go. Minutes later the names, numbers and GPS data that the police were looking for reappear.
A new programming technique could bring these scenarios to life. Computer scientist Karl-Johan Karlsson has reprogrammed a phone to lie. By modifying the operating system of an Android-based smartphone, he was able to put decoy data on it—innocent numbers, for example—so that the real data escape forensics.
He presented the hack in January at the Hawaii International Conference on System Sciences.
Karlsson tested his hack on two forensics tools commonly used by police departments. Both can retrieve call logs, location data and even passwords. When he ran his modified system, the tools picked up the false information that he programmed into the phone and missed the real contents.
BoingBoing also reported on this achievement yesterday, writing:

In Android Anti-forensics: Modifying CyanogenMod Karl-Johan Karlsson and William Bradley Glisson present a version of the CyanogenMod alternate operating system for Android devices, modified so that it generates plausible false data to foil forensic analysis by law enforcement. The idea is to create a mobile phone that “lies” for you so that adversaries who coerce you into letting them take a copy of its data can’t find out where you’ve been, who you’ve been talking to, or what you’ve been talking about.

I’m interested in this project but wonder about how to make it practical for daily use. Presently, it maintains a hidden set of true data, and a trick set of false data intended to be fetched by forensic tools. Presumably, this only works until the forensic tools are modified to spot the real data. But you can conceptually imagine a phone that maintains a normal address book and SMS history, etc — all the things that are useful to have in daily use — but that, on a certain signal (say, when an alternate unlock code is entered, or after a certain number of failed unlock attempts) scrubs all that and replaces it with plausible deniability data.

Obviously, this kind of thing doesn’t work against state-level actors who can subpoena (or coerce) your location data and call history from your carrier, but those people don’t need to seize your phone in the first place.

On a related note, if you are considering installing a “smart home” system, you may want to be aware of some of the privacy implications. CNN Money published an interesting article on the topic, in which we learn:

Your lights are off and your doors are locked, but if you’ve got a “smart home” system, you may be offering cops a window into your house.

But smart home customers might be unaware that their security footage is being stored in some cases, and that it can be used against them in legal proceedings.
“We’re seeing law enforcement across a variety of areas arguing that they should be able to access information with lower standards than before the electronic age,” said Jay Stanley, a senior policy analyst with the American Civil Liberties Union.
“If a lot of information is flowing out of your home, it provides a window into the things you’re doing in your private space,” he added.
Tech companies already get thousands of requests for customer data each year from government intelligence agencies as well as traditional law enforcement for things like email and phone records. Once home security footage begins being stored on companies’ servers, there’s no reason why cops wouldn’t seek that out as well.
That means you may want to study the terms of service from your smart home provider to see what kinds of requirements they place on government and law enforcement data requests.
 
In Liberty,
Michael Krieger

