01-31-2025, 07:35 AM
News How law enforcement agents gain access to encrypted devices
<div id="remove_no_follow">
<div class="grid grid--cols-10@md grid--cols-8@lg article-column">
<div class="col-12 col-10@md col-6@lg col-start-3@lg">
<div class="article-column__content">
<p>Accessing data on encrypted devices might seem like something out of a hacker or spy movie, but for law enforcement, it’s a very real challenge.</p>
<p>The issue is of relevance to CISOs and other security professionals because workers on sales trips or attending conferences overseas might face demands to decrypt devices and present their contents at border crossings.</p>
<p>Chinese border agents, for example, may use specialized equipment to extract data from devices, even if locked or encrypted.</p>
<p>Contrary to films, brute forcing an <a href="https://www.csoonline.com/article/513119/advanced-encryption-standard-aes.html">AES encryption</a> key or a similar modern symmetric cipher is impractical. Even a large <a href="https://www.csoonline.com/article/3552701/the-cisos-guide-to-establishing-quantum-resilience.html">quantum computer</a> would only roughly halve the effective key length (Grover's algorithm), which is why AES-256 is still considered quantum resistant; the realistic target is the key, not the cipher.</p>
<p>Modern encryption is robust, but the software that implements it and the people who use it are not, and that is what law enforcement and intelligence agencies rely on.</p>
<h2 class="wp-block-heading" id="access-requests">Access requests</h2>
<p>Gaining access to a suspect’s mobile phone or computer is a high priority for law enforcement.</p>
<p>When a mobile device is seized, law enforcement can request the PIN, password, or biometric data from the suspect to access the phone if they believe it contains evidence relevant to an investigation.</p>
<p>In England and Wales, if the suspect refuses, the police can serve a notice requiring disclosure under section 49 of the Regulation of Investigatory Powers Act 2000 (RIPA); failing to comply with that notice is itself a criminal offence under section 53.</p>
<p>“If access is not gained, law enforcement use forensic tools and software to unlock, decrypt, and extract critical digital evidence from a mobile phone or computer,” says James Farrell, an associate at cyber security consultancy CyXcel. “However, there are challenges on newer devices and success can depend on the version of operating system being used.”</p>
<p>In general, law enforcement agencies gain access to encrypted devices (both PCs and mobile devices) using one of several broad approaches:</p>
<ul class="wp-block-list">
<li>Traditional investigative techniques</li>
<li>Exploiting vulnerabilities and zero days</li>
<li>Backdoors</li>
<li>Manufacturer cooperation</li>
<li>Remote hacking</li>
<li>Supply chain attacks</li>
</ul>
<h2 class="wp-block-heading" id="traditional-investigative-techniques">Traditional investigative techniques</h2>
<p>The most straightforward approach is for law enforcement agencies to seize devices while they are unlocked, keeping them awake and powered so that the decryption keys stay in memory. Search and seizure of physical locations to find written passwords or unencrypted copies of data might also be possible.</p>
<p>Surveillance to capture passwords or encryption keys as they are entered offers another conventional approach to access data on encrypted devices.</p>
<p>Simply guessing the device password may or may not be viable. It depends on retry lockouts, on whether the key derivation is bound to a secure element that rate limits attempts in hardware, and on the strength of the password or PIN chosen; where the encrypted data can be copied and attacked offline, no lockout applies at all.</p>
<p>“This could involve brute force, dictionary attacks (testing likely passwords from past breaches using many combinations), or social engineering, such as stealing the password or shoulder surfing,” Jeff Watkins, CTO at digital consultancy CreateFuture, tells CSO. “Another option is to attack or obtain a warrant to access cloud backups, which may be the easiest route to the required data, depending on their security.”</p>
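<p>The following is an added example, not code from the article or from any forensic vendor. It models the on-disk key-check value that full-disk-encryption formats keep so an unlocker can confirm a password before decrypting, and shows why an offline guess against a short PIN succeeds in seconds while the same attacker gets nowhere against a random passphrase. The iteration count, PIN length and verifier construction are assumptions chosen so the demo runs quickly; real formats use far higher iteration counts, which changes the numbers but not the conclusion.</p>

```python
"""Offline password guessing against a password-derived disk key.

Added example (not from the CSO article or any vendor tool). Models the
key-check field that disk-encryption formats store on disk and shows that,
once the data is copied, the only limits on guessing are the password's
entropy and the cost of the key derivation: no device lockout applies.
"""
import hashlib
import hmac
import itertools
import os
import time
from typing import Optional, Tuple

ITERATIONS = 500          # assumption: kept low for the demo; real formats use 100k+ or memory-hard KDFs
SALT = os.urandom(16)     # constructed per run


def derive_key(secret: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Password -> 256-bit key via PBKDF2-HMAC-SHA256 (the shape used by common disk formats)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations, dklen=32)


def make_verifier(key: bytes) -> bytes:
    """On-disk check value (assumed construction): lets the unlocker reject a wrong
    password without touching ciphertext, and gives an offline attacker an oracle."""
    return hmac.new(key, b"volume-key-check", hashlib.sha256).digest()


def guess_pin(verifier: bytes, salt: bytes, digits: int) -> Tuple[Optional[str], int]:
    """Exhaustive offline search over every numeric PIN of the given length.
    Returns (pin or None, guesses_made)."""
    guesses = 0
    for combo in itertools.product("0123456789", repeat=digits):
        candidate = "".join(combo)
        guesses += 1
        if hmac.compare_digest(make_verifier(derive_key(candidate, salt)), verifier):
            return candidate, guesses
    return None, guesses


def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Wall-clock years to try every key at the given rate (single core, no parallelism)."""
    return keyspace / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pin = "7391"                                   # constructed victim PIN
    verifier = make_verifier(derive_key(pin, SALT))
    t0 = time.perf_counter()
    found, n = guess_pin(verifier, SALT, digits=4)
    rate = n / (time.perf_counter() - t0)
    print(f"recovered PIN {found} after {n} guesses ({rate:,.0f} guesses/s on one core)")
    # Same attacker and rate against a random 12-character [A-Za-z0-9] passphrase.
    print(f"12-char random passphrase: ~{years_to_exhaust(62 ** 12, rate):.2e} years")
```

<p>The point the numbers make is that a 4-digit PIN is only safe while a secure element enforces the retry limit; copy the encrypted volume and the same PIN falls immediately. A long random passphrase stays out of reach even if the attacker's rate is a billion guesses per second, which is why cloud backups protected by a weak account password, not the device's encryption, are usually the easier target.</p>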
<h2 class="wp-block-heading" id="vulnerability-exploits">Vulnerability exploits</h2>
<p>Similar to penetration testers, law enforcement or vendors, such as Cellebrite, leverage vulnerabilities to bypass encryption.</p>
<p>Often referred to as <a href="https://www.csoonline.com/article/565704/zero-days-explained-how-unknown-vulnerabilities-become-gateways-for-attackers.html">zero days</a>, these may be unknown to the general public or even the device manufacturer at the time.</p>
<p>In some cases, older — but only partially resolved — vulnerabilities might still be open to exploitation.</p>
<p>For example, a <a href="https://media.ccc.de/v/38c3-windows-bitlocker-screwed-without-a-screwdriver">talk at the recent Chaos Computer Club conference</a> showed how BitLocker encryption on a fully up-to-date Windows 11 system with Secure Boot enabled can be bypassed. The attack combines an old Windows boot manager vulnerability, bitpixie (<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21563">CVE-2023-21563</a>), with a downgrade attack: the vulnerable boot manager is still signed by a certificate Secure Boot trusts, so the attacker can boot it in place of the patched one.</p>
<p>Exploiting bitpixie involves booting the target over the network (PXE) into that old boot manager, which has the TPM unseal the BitLocker Volume Master Key (VMK) exactly as it would during a normal boot. A PXE soft reboot then fails to wipe the VMK from RAM.</p>
<p>The attacker next boots a Linux image over the same network connection, dumps the machine's memory and searches it for the VMK, which decrypts the disk, effectively bypassing BitLocker.</p>
<p>The result is full read access to a Windows disk protected by BitLocker, Secure Boot and a TPM (Trusted Platform Module), without opening the case. The attack depends on the TPM releasing the VMK with no user input, which is how the default TPM-only protector works; requiring a pre-boot PIN or startup key (TPM+PIN) prevents it, because the key is never unsealed before the attacker's code runs, and that is the mitigation the researchers recommended.</p>
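<p>The check a practitioner wants after reading this is whether any fleet machines still rely on a bare TPM protector. The script below is an added example, not code from the article, the Neodyme talk or Microsoft. It parses the text that <code>manage-bde -protectors -get &lt;drive&gt;</code> prints on Windows and flags volumes whose TPM-bound protector has no PIN or startup key; the sample output embedded in it is constructed to match that tool's layout, and the exact layout is an assumption. The same information is available in PowerShell from <code>Get-BitLockerVolume</code>.</p>

```python
"""Flag BitLocker volumes unlocked by a bare TPM protector (the bitpixie precondition).

Added example, not from the CSO article, Neodyme or Microsoft. Parses
`manage-bde -protectors -get <drive>` output; the sample below is constructed
and the output layout it assumes may differ between Windows builds.
"""
import re
import subprocess
import sys
from typing import Dict, List

# Constructed sample shaped like manage-bde output: C: is TPM-only, D: requires a PIN.
SAMPLE_OUTPUT = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.22621
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [Windows]
All Key Protectors

    TPM:
      ID: {0A1B2C3D-1111-2222-3333-444455556666}
      PCR Validation Profile:
        7, 11
        (Uses Secure Boot for integrity validation)

    Numerical Password:
      ID: {0A1B2C3D-AAAA-BBBB-CCCC-DDDDEEEEFFFF}
      Password:
        111111-222222-333333-444444-555555-666666-777777-888888

Volume D: [Data]
All Key Protectors

    TPM And PIN:
      ID: {0A1B2C3D-9999-8888-7777-666655554444}
      PCR Validation Profile:
        7, 11
        (Uses Secure Boot for integrity validation)

    Numerical Password:
      ID: {0A1B2C3D-FFFF-EEEE-DDDD-CCCCBBBBAAAA}
      Password:
        999999-888888-777777-666666-555555-444444-333333-222222
"""

VOLUME_RE = re.compile(r"^Volume ([A-Z]):", re.MULTILINE)
# Protector type headings sit at a 4-space indent and end with a colon.
PROTECTOR_RE = re.compile(r"^    ([A-Za-z][A-Za-z ]+):[ \t]*$", re.MULTILINE)

# TPM protectors that require a user secret before the VMK is unsealed.
STRONG_TPM = {"TPM And PIN", "TPM And Startup Key", "TPM And PIN And Startup Key"}


def parse_protectors(text: str) -> Dict[str, List[str]]:
    """Map drive letter -> protector type names, in the order the tool lists them."""
    result: Dict[str, List[str]] = {}
    volumes = list(VOLUME_RE.finditer(text))
    for i, vol in enumerate(volumes):
        end = volumes[i + 1].start() if i + 1 < len(volumes) else len(text)
        section = text[vol.end():end]
        result[vol.group(1)] = [m.group(1).strip() for m in PROTECTOR_RE.finditer(section)]
    return result


def bitpixie_exposed(protectors: List[str]) -> bool:
    """True when a bare TPM protector unlocks the volume and nothing demands a
    user secret first: the configuration bitpixie relies on."""
    return "TPM" in protectors and not (set(protectors) & STRONG_TPM)


def audit(text: str) -> Dict[str, bool]:
    """Drive letter -> exposed? for every volume in the tool output."""
    return {vol: bitpixie_exposed(types) for vol, types in parse_protectors(text).items()}


def main(argv: List[str]) -> None:
    if len(argv) > 1:  # e.g. `python audit.py C:` in an elevated prompt on Windows
        text = subprocess.run(["manage-bde", "-protectors", "-get", argv[1]],
                              capture_output=True, text=True, check=False).stdout
    else:
        text = SAMPLE_OUTPUT
    for vol, exposed in audit(text).items():
        print(f"Volume {vol}: {'TPM-only protector, add a pre-boot PIN' if exposed else 'OK'}")


if __name__ == "__main__":
    main(sys.argv)
```

<p>Run without arguments it evaluates the constructed sample and reports C: as exposed and D: as fine. On a real machine, a flagged volume is fixed by adding a TPM+PIN protector (<code>manage-bde -protectors -add C: -TPMAndPIN</code>) after allowing enhanced startup PINs in Group Policy, and then removing the TPM-only protector.</p>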
<p>Neither the researcher — Thomas Lambertz of Neodyme — nor Microsoft returned requests for comment from CSO; however, independent security experts told CSO that the attack vector was unlikely to be closed anytime soon.</p>
<p>“This isn’t a new vulnerability, but its scope is limited to UEFI systems, meaning it leans in the favour of newer devices,” says Conor Agnew, head of compliance operations at penetration testing firm Closed Door Security.</p>
<p>Agnew continued: “It was publicly announced in 2023 and supposedly patched. What’s most concerning is how there’s not the usual requirement of having possession of a device, stripping it to pieces, and brute forcing encryption keys.”</p>
<p>“It’s a very quick attack — in relative terms of decryption attacks — and is likely not going to be resolved until 2026 when Microsoft rolls out the Secure Boot certificate updates,” Agnew says.</p>
<p>Being able to bypass on-disk encryption entirely obviously poses a huge concern for anyone carrying data around on portable devices.</p>
<p>“Getting a hold of something running BitLocker as the only form of encryption essentially becomes an open book,” Agnew says. “We don’t have to look too far back to see MOD [UK Ministry of Defence] devices left at bus stops.”</p>
<h2 class="wp-block-heading" id="backdoors">Backdoors</h2>
<p>Vendors such as Apple publicly state that they do not create backdoors for law enforcement, but speculation persists, and a number of vendors have been found shipping backdoors or serious weaknesses in their products.</p>
<p>Law enforcement agencies have pressured companies, Apple among them, to build “lawful access” mechanisms, particularly into smartphones.</p>
<p>“You also have the co-operation of cloud companies, which if backups are held can sidestep the need to break the encryption of a device all together,” Closed Door Security’s Agnew explains.</p>
<p>The security community has long argued against law enforcement backdoors, not least because they create security weaknesses that criminal hackers might exploit.</p>
<p>“Despite protests from law enforcement and national security organizations, creating a skeleton key to access encrypted data is never a sensible solution,” CreateFuture’s Watkins argues.</p>
<p>“What good actors can access, bad actors eventually will, too. The same applies to hardware-level backdoors in devices like phones and laptops — often requested by law enforcement but a terrible idea for genuine security,” Watkins adds.</p>
<h2 class="wp-block-heading" id="remote-hacking">Remote hacking</h2>
<p>Where the relevant legal authorisation exists, agencies can also reach data on phones and computers remotely, by hacking the device.</p>
<p>“This includes accessing data and listening to communications,” says CyXcel’s Farrell. “Alternatively, software or hardware can be introduced covertly to the physical devices and then monitored remotely.”</p>
<p>Law enforcement agencies do need to identify the suspect’s phone number before gaining access remotely. This can be achieved by deploying equipment that impersonates a cell site base station, commonly called an IMSI catcher.</p>
<p>“Deploying the equipment convinces the phones that it is the best connection and once connected, the IMSI (International Mobile Subscriber Identity) is then recorded,” Farrell explains. “Tactical use with the suspect under surveillance will identify the suspect’s phone number. This equipment is used globally by law enforcement.”</p>
<p>Depending on the user’s location, an <a href="https://www.csoonline.com/article/521084/build-ci-sdlc-beware-of-lsquo-evil-twin-rsquo-wi-fi-access-points.html">evil twin Wi-Fi network</a> in a public place puts the operator in the path of the victim’s traffic without touching the machine; anything not protected end to end, by TLS or a VPN, is then readable.</p>
<p>Malware is likely the easiest way to achieve machine access, probably through a targeted attack, such as tricking a suspect into downloading malware or a USB key left on a desk with “free bitcoin” printed on it (or a similar enticing promise).</p>
<p>“A similar alternative, which sounds like a ‘Mission Impossible’ plot but is in use today, is to exploit side channels, such as EM [electro-magnetic] interference or acoustic attacks, to retrieve a machine’s password,” CreateFuture’s Watkins says.</p>
<p>“Wireless keyboards and other devices are often vulnerable and can be exploited without the user’s knowledge,” Watkins adds.</p>
<h2 class="wp-block-heading" id="supply-chain-attacks">Supply chain attacks</h2>
<p>Another route to a target’s encryption key or password is to have malware or a hardware implant introduced somewhere in the supply chain, so that the device or service is compromised before it reaches the user.</p>
<p>EncroChat was a Europe-based encrypted communications network and service provider. It offered modified Android smartphones with enhanced security features, including encrypted communications and remote wiping.</p>
<p>The service gained popularity among criminals following the closure of similar services, helping to boost its membership to around 60,000 subscribers by mid-2020.</p>
<p>European law enforcement agencies infiltrated the EncroChat network by compromising its server in France and pushing an implant to the handsets as a software update, which let them read messages and disable the panic wipe feature. <a href="https://www.csoonline.com/article/643888/encrochat-bust-leads-to-6500-arrests-seizure-of-1b-in-assets.html">The police operation led to thousands of arrests</a>.</p>
<p>Jessica Sobey, a barrister at Stokoe Partnership Solicitors and an experienced criminal defense lawyer, said the admissibility of evidence obtained through the EncroChat hack was fiercely contested in court.</p>
<p>“The IPT [Investigatory Powers Tribunal] rejected the defense argument that the NCA withheld critical information when it applied for a warrant to obtain messages from the EncroChat network,” Sobey tells CSO. “It ruled that the use of a TEI warrant was justified, and that the investigation could be classified as a single investigation into the criminal use of EncroChat.”</p>
<p>Sobey adds: “Defense lawyers, however, continue to argue that the IPT has blurred the distinction between bulk warrants and thematic warrants and this could still prove to be fertile ground for legal challenges concerning the gathering of digital evidence from encrypted devices.”</p>
</div></div></div></div>
https://www.csoonline.com/article/381287...vices.html