When a shooter killed 26 people at a Texas church in November, the U.S. was all too familiar with this kind of tragedy; it was not the first time a killer had opened fire on an unsuspecting crowd, and it likely will not be the last. It was not the first time the U.S. Federal Bureau of Investigation (FBI) had to investigate one of these crimes, and it also was not the first time the FBI ran into trouble unlocking the shooter's phone.
Back in 2015, the FBI attracted media attention and legal repercussions when it tried to compel Apple to unlock the smartphone of the San Bernardino shooter in case it stored valuable evidence. The FBI could not convince Apple to cooperate, nor could it crack the phone. This was not an uncommon scenario: FBI director Christopher Wray indicated the Bureau has been unable to crack more than 7,000 mobile devices involved in criminal cases.
The same problem has now cropped up in the Texas church shooting: the shooter's phone is encrypted, which means the FBI can't access information stored on it, reports CNET.
This is a unique problem facing 21st-century law enforcement, one that has major implications for public safety, personal privacy, and the future of consumer technology.
The reason these smartphones are hard to open is that the standard cryptographic algorithms used in mobile devices are actually very good, says Whitfield Diffie, who was awarded (along with Martin Hellman) the ACM A.M. Turing Award for 2015. He should know; Diffie helped develop the type of encryption that today protects your phone.
Today's smartphones secure your data with principles of public key cryptography, which Diffie developed with cryptologist Hellman in 1976.
Smartphones employ end-to-end encryption, which uses public key encryption to make sure that no party—you, a tech company, or someone you're contacting—possesses the cryptographic keys that will unlock your data. This means the Apples of the world could not give the FBI the keys to unlocking your phone even if they wanted to do so.
The result? You need someone to try and break into the phone through other means—and that is not expertise law enforcement keeps in-house.
"All of the cases I know about do not involve attacking the cryptosystem itself," says Diffie. "It's closer to industrial reverse engineering, recovering data on damaged equipment or other endeavors whose results may be useful to police, but not useful enough for them to maintain their own laboratories."
Cracking the code
Cryptographically, end-to-end encryption like that on your smartphone is a dead end to breaking into the device, but it can be compromised in other ways.
"The two most common strategies are to exploit the end-systems, or trick the end-systems into believing they are talking to each other when there is an intruder in the middle," says Diffie.
He cites an example of malware on a computer that logs keystrokes; this malware will capture anything you type, including a password that extracts your cryptographic keys. "This may compromise not only the machine that has been attacked, but other computers on which data protected with those keys are stored," he says.
So there are ways to crack the end-to-end encryption on your phone, if you get creative. However, should it be easier for law enforcement to access phone-stored data when lives are on the line?
This is where it gets tricky. Give law enforcement too much leeway and consumers could find their private communications under surveillance; on the other hand, too much encryption could impede investigations into serious crimes where public safety is under threat.
Diffie believes a balance is already in place. Police can still break into cryptographic devices; it's just not easy.
"At present and for many years to come, all aspects of computer systems will suffer from bugs that may allow them to be broken," he says. "Police and their allies will exploit these bugs to break into many systems."
He points out that the police's unique position as defenders of public safety puts them in a tough spot.
"They don't always see it or describe it this way. It wouldn't be very persuasive to say: 'We can't always get into everything we want to, so you should make it easier for us.' So they present their problems as insuperable and the fact they have the problems as a threat to public safety."
Logan Kugler is a freelance technology writer based in Tampa, FL. He has written for over 60 major publications.