{"id":1727,"date":"2025-01-31T07:30:00","date_gmt":"2025-01-31T07:30:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1727"},"modified":"2025-01-31T07:30:00","modified_gmt":"2025-01-31T07:30:00","slug":"how-law-enforcement-agents-gain-access-to-encrypted-devices","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1727","title":{"rendered":"How law enforcement agents gain access to encrypted devices"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Accessing data on encrypted devices might seem like something out of a hacker or spy movie, but for law enforcement, it\u2019s a very real challenge.<\/p>\n<p>The issue is of relevance to CISOs and other security professionals because workers on sales trips or attending conferences overseas might face demands to decrypt devices and present their contents at border crossings.<\/p>\n<p>Chinese border agents, for example, may use specialized equipment to extract data from devices, even if locked or encrypted.<\/p>\n<p>Contrary to films, brute forcing an <a href=\"https:\/\/www.csoonline.com\/article\/513119\/advanced-encryption-standard-aes.html\">AES encryption<\/a> key or a comparable modern cipher is infeasible, and even <a href=\"https:\/\/www.csoonline.com\/article\/3552701\/the-cisos-guide-to-establishing-quantum-resilience.html\">a sufficiently powerful quantum computer<\/a> would at best halve the effective key length of a symmetric cipher (Grover\u2019s algorithm), leaving a 256-bit AES key far out of reach.<\/p>\n<p>Modern encryption is sound; what law enforcement and intelligence agencies count on is that the software implementing it and the people using it are not.<\/p>\n<h2 class=\"wp-block-heading\">Access requests<\/h2>\n<p>Gaining access to a suspect\u2019s mobile phone or computer is a high priority for law enforcement.<\/p>\n<p>When a mobile device is seized, law enforcement can request the PIN, 
password, or biometric data from the suspect to access the phone if they believe it contains evidence relevant to an investigation.<\/p>\n<p>In England and Wales, if the suspect refuses, the police can serve a notice under section 49 of the Regulation of Investigatory Powers Act 2000 (RIPA) requiring the key or password to be disclosed, and failing to comply with that notice is itself a criminal offence under section 53 of the Act.<\/p>\n<p>\u201cIf access is not gained, law enforcement use forensic tools and software to unlock, decrypt, and extract critical digital evidence from a mobile phone or computer,\u201d says James Farrell, an associate at cyber security consultancy CyXcel. \u201cHowever, there are challenges on newer devices and success can depend on the version of operating system being used.\u201d<\/p>\n<p>In general, law enforcement agencies gain access to encrypted devices (both PCs and mobile devices) using one or more of the following approaches:<\/p>\n<ul>\n<li>Traditional investigative techniques<\/li>\n<li>Exploiting vulnerabilities and zero days<\/li>\n<li>Backdoors<\/li>\n<li>Manufacturer cooperation<\/li>\n<li>Remote hacking<\/li>\n<li>Supply chain attacks<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\">Traditional investigative techniques<\/h2>\n<p>The most straightforward approach is for law enforcement agencies to seize devices while they are in an unlocked state. 
Search and seizure of physical locations to find written passwords or unencrypted copies of data might also be possible.<\/p>\n<p>Surveillance to capture passwords or encryption keys as they are entered is another conventional route to data on encrypted devices.<\/p>\n<p>Simply guessing the device password may or may not be viable, depending on the retry lockouts and the kind of password or locking mechanism chosen, but it remains a possibility.<\/p>\n<p>\u201cThis could involve brute force, dictionary attacks (testing likely passwords from past breaches using many combinations), or social engineering, such as stealing the password or shoulder surfing,\u201d Jeff Watkins, CTO at digital consultancy CreateFuture, tells CSO. \u201cAnother option is to attack or obtain a warrant to access cloud backups, which may be the easiest route to the required data, depending on their security.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Vulnerability exploits<\/h2>\n<p>Much as penetration testers do, law enforcement agencies, or forensic vendors such as Cellebrite acting for them, exploit software vulnerabilities to get past a device\u2019s lock screen or its encryption.<\/p>\n<p>Where a vulnerability is unknown to the public, or even to the device manufacturer, at the time it is exploited, it is referred to as a <a href=\"https:\/\/www.csoonline.com\/article\/565704\/zero-days-explained-how-unknown-vulnerabilities-become-gateways-for-attackers.html\">zero day<\/a>.<\/p>\n<p>In some cases, older vulnerabilities that were only partially fixed remain open to exploitation.<\/p>\n<p>For example, a <a href=\"https:\/\/media.ccc.de\/v\/38c3-windows-bitlocker-screwed-without-a-screwdriver\">talk at the recent Chaos Computer Club conference<\/a> showed BitLocker being bypassed on a fully patched Windows 11 system with Secure Boot enabled. 
The hack exploited a Windows vulnerability, bitpixie (<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2023-21563\">CVE-2023-21563<\/a>), combined with a downgrade attack that loads an older, still-signed Windows boot manager.<\/p>\n<p>Exploiting bitpixie against BitLocker involves forcing the machine, over a network boot, into the boot manager\u2019s recovery path, which leaves the volume master key (VMK) sitting in memory.<\/p>\n<p>A second machine on the same local network then boots the target into a minimal environment that dumps that memory and recovers the VMK, which is all that is needed to unlock the BitLocker volume.<\/p>\n<p>The attack therefore defeats BitLocker on a system that uses Secure Boot and a TPM (Trusted Platform Module), provided the volume is configured to unlock with the TPM alone; requiring a pre-boot PIN alongside the TPM is the main mitigation, because the TPM then never releases the VMK without user interaction.<\/p>\n<p>Neither the researcher, Thomas Lambertz of Neodyme, nor Microsoft returned requests for comment from CSO; however, independent security experts told CSO that the attack vector was unlikely to be closed anytime soon.<\/p>\n<p>\u201cThis isn\u2019t a new vulnerability, but its scope is limited to UEFI systems, meaning it leans in the favour of newer devices,\u201d says Conor Agnew, head of compliance operations at penetration testing firm Closed Door Security.<\/p>\n<p>Agnew continues: \u201cIt was publicly announced in 2023 and supposedly patched. What\u2019s most concerning is how there\u2019s not the usual requirement of having possession of a device, stripping it to pieces, and brute forcing encryption keys.\u201d<\/p>\n<p>\u201cIt\u2019s a very quick attack \u2014 in relative terms of decryption attacks \u2014 and is likely not going to be resolved until 2026 when Microsoft rolls out the Secure Boot certificate updates,\u201d Agnew says.<\/p>\n<p>Being able to negate the on-disk encryption entirely is obviously a serious concern for anyone carrying data on portable devices.<\/p>\n<p>\u201cGetting a hold of something running BitLocker as the only form of encryption essentially becomes an open book,\u201d Agnew says. 
\u201cWe don\u2019t have to look too far back to see MOD [UK Ministry of Defence] devices left at bus stops.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Backdoors<\/h2>\n<p>Vendors such as Apple publicly state that they do not build backdoors for law enforcement, but suspicion persists, and vendors have repeatedly been found shipping undocumented access mechanisms or exploitable weaknesses in their products.<\/p>\n<p>Law enforcement agencies have pressured companies, Apple among them, to build \u201clawful access\u201d mechanisms, particularly into smartphones.<\/p>\n<p>\u201cYou also have the co-operation of cloud companies, which if backups are held can sidestep the need to break the encryption of a device altogether,\u201d Closed Door Security\u2019s Agnew explains.<\/p>\n<p>The security community has long argued against law enforcement backdoors, not least because they create security weaknesses that criminal hackers might exploit.<\/p>\n<p>\u201cDespite protests from law enforcement and national security organizations, creating a skeleton key to access encrypted data is never a sensible solution,\u201d CreateFuture\u2019s Watkins argues.<\/p>\n<p>\u201cWhat good actors can access, bad actors eventually will, too. The same applies to hardware-level backdoors in devices like phones and laptops \u2014 often requested by law enforcement but a terrible idea for genuine security,\u201d Watkins adds.<\/p>\n<h2 class=\"wp-block-heading\">Remote hacking<\/h2>\n<p>With the appropriate legal authorization, agencies can also reach phones and computers remotely, by hacking into them.<\/p>\n<p>\u201cThis includes accessing data and listening to communications,\u201d says CyXcel\u2019s Farrell. \u201cAlternatively, software or hardware can be introduced covertly to the physical devices and then monitored remotely.\u201d<\/p>\n<p>Before gaining access remotely, law enforcement agencies first need to identify the suspect\u2019s phone number. 
This can be achieved by deploying equipment that replicates a cell site base station, commonly known as an IMSI catcher.<\/p>\n<p>\u201cDeploying the equipment convinces the phones that it is the best connection and once connected, the IMSI (International Mobile Subscriber Identity) is then recorded,\u201d Farrell explains. \u201cTactical use with the suspect under surveillance will identify the suspect\u2019s phone number. This equipment is used globally by law enforcement.\u201d<\/p>\n<p>Depending on where the user connects, an <a href=\"https:\/\/www.csoonline.com\/article\/521084\/build-ci-sdlc-beware-of-lsquo-evil-twin-rsquo-wi-fi-access-points.html\">evil twin Wi-Fi network<\/a> in a public place can put an attacker in a man-in-the-middle position on the machine\u2019s network traffic without physical access to it, although anything protected by TLS or a VPN stays encrypted.<\/p>\n<p>Malware is likely the easiest route onto a machine, typically delivered through a targeted lure, such as tricking the suspect into downloading it or leaving a USB drive on a desk labelled \u201cfree bitcoin\u201d (or a similarly enticing promise).<\/p>\n<p>\u201cA similar alternative, which sounds like a \u2018Mission Impossible\u2019 plot but is in use today, is to exploit side channels, such as EM [electro-magnetic] interference or acoustic attacks, to retrieve a machine\u2019s password,\u201d CreateFuture\u2019s Watkins says.<\/p>\n<p>\u201cWireless keyboards and other devices are often vulnerable and can be exploited without the user\u2019s knowledge,\u201d Watkins adds.<\/p>\n<h2 class=\"wp-block-heading\">Supply chain attacks<\/h2>\n<p>Another way to expose a target\u2019s encryption key or password is malware or a hardware implant introduced in the supply chain, before the device reaches its owner.<\/p>\n<p>EncroChat was a Europe-based encrypted communications network and service provider. 
It offered modified Android smartphones with enhanced security features, including encrypted communications and remote wiping.<\/p>\n<p>The service gained popularity among criminals following the closure of similar services, which helped to boost its membership to around 60,000 subscribers by mid-2020.<\/p>\n<p>European law enforcement agencies infiltrated the EncroChat network by deploying malware through a server in France, which let them read messages on the handsets and disable the panic wipe feature. <a href=\"https:\/\/www.csoonline.com\/article\/643888\/encrochat-bust-leads-to-6500-arrests-seizure-of-1b-in-assets.html\">The police operation led to thousands of arrests<\/a>.<\/p>\n<p>Jessica Sobey, a criminal defense barrister at Stokoe Partnership Solicitors, says the admissibility of evidence obtained through the EncroChat hack was fiercely contested in court.<\/p>\n<p>\u201cThe IPT [Investigatory Powers Tribunal] rejected the defense argument that the NCA [National Crime Agency] withheld critical information when it applied for a warrant to obtain messages from the EncroChat network,\u201d Sobey tells CSO. \u201cIt ruled that the use of a TEI [targeted equipment interference] warrant was justified, and that the investigation could be classified as a single investigation into the criminal use of EncroChat.\u201d<\/p>\n<p>Sobey adds: \u201cDefense lawyers, however, continue to argue that the IPT has blurred the distinction between bulk warrants and thematic warrants and this could still prove to be fertile ground for legal challenges concerning the gathering of digital evidence from encrypted devices.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Accessing data on encrypted devices might seem like something out of a hacker or spy movie, but for law enforcement, it\u2019s a very real challenge. 
The issue is of relevance to CISOs and other security professionals because workers on sales trips or attending conferences overseas might face demands to decrypt devices and present their contents [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1728,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1727","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1727"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1727"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1727\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1728"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1727"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1727"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1727"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
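Added example, appended by the editor and not part of the original article or of Neodyme's bitpixie research: the BitLocker section above says that a machine unlocking with the TPM alone is the configuration the attack needs, but gives no way to check one's own fleet. The PowerShell audit below, run in an elevated prompt on a Windows 10/11 host, lists each encrypted volume's key protectors, flags OS volumes whose only pre-boot protector is the bare TPM, and reports Secure Boot state. The function names are this example's own; `Get-BitLockerVolume`, `Confirm-SecureBootUEFI` and `Add-BitLockerKeyProtector` are the standard Windows cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or from Neodyme). Audits BitLocker key
# protectors for the TPM-only unlock configuration that a bitpixie-style VMK
# recovery relies on, and reports Secure Boot state. Function names are mine.

# Protector types that demand a factor beyond the TPM before Windows boots.
# A bare 'Tpm' protector lets the TPM release the VMK with no user interaction,
# which is exactly what leaves the key in memory during the attack.
$PreBootFactorTypes = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password')

function Get-BitLockerPreBootFinding {
    # One record per volume that has any BitLocker metadata on it.
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }   # nothing to protect

        $types   = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasTpm  = $types -contains 'Tpm'
        $hasPre  = [bool]($types | Where-Object { $PreBootFactorTypes -contains $_ })

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType          # OperatingSystem or Data
            ProtectionStatus = $vol.ProtectionStatus    # 'Off' means protectors are suspended
            Protectors       = ($types -join ',')
            TpmOnlyUnlock    = ($hasTpm -and -not $hasPre)
            HasRecoveryKey   = ($types -contains 'RecoveryPassword')
        }
    }
}

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; report that distinctly,
    # since bitpixie's scope is limited to UEFI systems.
    try   { if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' } }
    catch { 'NotUEFI' }
}

$findings   = @(Get-BitLockerPreBootFinding)
$secureBoot = Get-SecureBootState

"Secure Boot: $secureBoot"
$findings | Format-Table -AutoSize

$exposed = @($findings | Where-Object { $_.VolumeType -eq 'OperatingSystem' -and $_.TpmOnlyUnlock })
if ($exposed.Count -gt 0) {
    $mounts = $exposed.MountPoint -join ', '
    Write-Warning "OS volume(s) $mounts unlock with the TPM alone; add a pre-boot PIN (TPM+PIN) to stop the VMK being released without user interaction."
    # Remediation, once the 'Require additional authentication at startup' policy
    # permits a TPM+PIN protector on this machine:
    #   Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'Pre-boot PIN')
    #   Remove-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId '<id of the bare Tpm protector>'
}
```

Run it as part of a device-compliance check before staff travel: a volume reported with `TpmOnlyUnlock` set to True and no recovery password escrowed is both exposed to the memory-dump attack described above and at risk of permanent lock-out if the TPM is cleared, so both findings deserve attention.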