Criminals Remote-Wiping Cell Phones

Posted by samzenpus on Wed Sep 03, 2008 06:58 PM
from the this-phone-will-self-destruct dept.
An anonymous reader writes "Crafty criminals are increasingly using the remote wipe feature on the Apple iPhone and other business handsets, such as RIM's BlackBerry, to destroy incriminating evidence, the head of the UK's Serious Fraud Office Keith Foggon has warned. Foggon told silicon.com that the move away from PCs towards using mobile phones was causing a headache for crime fighters who were struggling to keep up with the fast pace of new handsets and platforms churned out by the mobile industry."
  • by bistromath007 (1253428) on Wednesday September 03 2008, @07:03PM (#24867283)
    ...who took one look at this and thought "good."
    • ...who took one look at this and thought "good."

      I did. I thought hmm, I'd want all the data loaded from a CF card that would be set to wipe if either an incorrect or emergency password were entered. Heck, you could even have a secure CF card that was guaranteed to wipe once its emergency code was sent. Basically, you've got to reformat and copy from another card if you want to reuse it. Or if you really want to go sci-fi you could have the card and phone turn to dust once the emergency code is entered.

    • by Sockatume (732728) on Wednesday September 03 2008, @07:35PM (#24867597) Homepage
      Yeah, after the bean burrito special I really wish I could wipe remotely too.
  • Good. (Score:3, Insightful)

    by mactard (1223412) on Wednesday September 03 2008, @07:04PM (#24867295)
    That just means the police need to work a little harder to make a case. It doesn't make it impossible though. The next hope is that they don't outlaw these devices or something. The Brits are a bit jumpy.
  • News At 11 (Score:5, Funny)

    by CastrTroy (595695) on Wednesday September 03 2008, @07:09PM (#24867353) Homepage
    Criminals destroy evidence that could be used against them. News At 11.
    • by Nymz (905908) on Wednesday September 03 2008, @08:01PM (#24867869) Journal
      Let's give the 11 o'clock news some credit. I'm sure they would realize this is computer crime, and use the more accurate and appropriate term. "Hackers destroy evidence that could be used against them."
  • photos (Score:5, Interesting)

    by bbdd (733681) on Wednesday September 03 2008, @07:13PM (#24867405)

    Don't forget to view the photos. I thought the photos were more interesting than the article.

    http://software.silicon.com/security/0,39024655,39270417,00.htm [silicon.com]

    • Here's an interesting bit too. Looks like they try simple password protection breaking, but...

      The team does not attempt to crack high-grade encryption, relying instead on the threat of a prison sentence for individuals refusing to hand over passwords or decrypted files.

      • Re:Encryption (Score:4, Informative)

        by CodeBuster (516420) on Thursday September 04 2008, @12:47AM (#24870089)

        Except that a Vermont judge recently ruled [cnet.com] that password(s) contained in one's head are protected under the 5th Amendment to the United States Constitution [wikipedia.org], just like any other information in your head. It was discussed right here [slashdot.org] on Slashdot.

        As for threatening law enforcement officers: say nothing, know your rights, and keep your cool. The law enforcement officer is NOT your friend and you shouldn't speak to them or answer their questions. You have a right to remain silent and you should use it. BTW every attorney that I have ever heard opine on the subject has said that it is better to say nothing than to answer some of the questions but not others. Don't let them scare you into giving up your rights with their Gestapo crap. Remember, if they are questioning you, especially if they are threatening, then there is NO way that you are NOT going to be held (i.e. arrested) for a while anyway until the matter either goes before a judge or they have to let you go (48 hours max w/out cause before any attorney can force them to let you out), so don't be dumb and tip your hand right at the start. Also, remember that if you ever get your equipment back then you can never use it or those passwords again (who knows what bugs they may have planted before releasing it back to you). You basically have to wipe and start over on new hardware.

        Disclaimer: IANAL so if you find yourself in a situation like the one above find yourself one that you can trust and let them do the talking, but remember that the police are NOT your friends.

  • Well... (Score:5, Insightful)

    by Spazntwich (208070) on Wednesday September 03 2008, @07:25PM (#24867481)

    If the only evidence the police have on said 'criminal' is a string of bits on his cell phone, they probably didn't have much of a case anyway, and likely shouldn't be arresting this criminal.

    I genuinely hope small time 'criminals' continue getting these sorts of victories to the point that our police forces are forced to admit they have failed in the war on consensual acts between adults. The change certainly isn't going to come about while our various wars continue to make a tidy profit for those at the top.

    • What about eBay scammers? Extortionists? Kidnappers? Somebody who just won't stop sending you a picture of their wang? In some cases communications evidence can be very significant indeed.
      • Heck, the article notes that smartphones are used by "enterprise", so that's corporate crime in there as well.
      • I imagine police forces would have a lot more cooperation on those things if so many people weren't worried that they'd turn on them for smoking the wrong thing.

  • by Dieppe (668614) on Wednesday September 03 2008, @07:31PM (#24867551) Homepage

    ...that could be used against them?

    Honestly, if the only case the prosecution has is possible evidence on an iPhone, their case is pretty shaky to begin with. Do REAL WORLD investigation you Nazi-a-holes, not worry about virtual evidence that you might or might not be able to get to!

  • If you are really paranoid, you'll want your laptop or cell phone to:

    • encrypt everything but the bootstrap code
    • store part of the encryption key off-device, such as on a memory stick
    • store part of the encryption key on-device and destroy it after a certain number of failed access attempts or after a specified time period since the last authorized access
    • the on-device key could not be copied without tampering with the device
    • tamper-resistant, preferably destroying the on-device part of the key if the device is ta
  • Given that we have crimes which are committed pretty much entirely via communications (eBay scams, 419 scams, harassment, extortion, stock mischief, etc. etc.) should it be particularly surprising that some forensic scientists are interested in preserving the evidence that the communications took place?
  • by Ilgaz (86384) on Wednesday September 03 2008, @08:44PM (#24868209) Homepage

    Sorry it sounds like a "In Soviet Russia" thing but it is true.

    Symbian/WinMobile smart phones have tools to lock the handset remotely, or, in the case of the new Kaspersky antivirus/security or other 3rd-party solutions, you can remotely instruct the phone to delete all personal data irrecoverably and lock itself. I am almost sure BlackBerry, being an enterprise-focused device, must have a similar option.

    Once Apple decided not to allow background processes, they lost that possible solution. Not only do they not allow anyone to implement it, they don't implement it themselves either.

    It is a completely foolproof thing. The user sends a previously set SMS to the device, and the device locks itself. Or in Kaspersky's case, it doesn't just lock itself; it wipes its data and optionally transforms itself into a white-hat (for you) rootkit/trojan and sends the number of the first SIM card plugged into the device to a previously set number.

    • by nxtw (866177) on Wednesday September 03 2008, @09:14PM (#24868513)

      Symbian/WinMobile smart phones have tools to lock the handset remotely, or, in the case of the new Kaspersky antivirus/security or other 3rd-party solutions, you can remotely instruct the phone to delete all personal data irrecoverably and lock itself. I am almost sure BlackBerry, being an enterprise-focused device, must have a similar option.

      Remote wipe is a feature of BlackBerry/BES and Windows Mobile/Exchange. No third-party software is needed, unless your phone isn't connected to a BES/Exchange server. When the phone receives the wipe signal, all data stored on the device will be wiped.

      The iPhone has remote wipe, but I don't think it has encryption of any of the content stored on the device.

      BlackBerry has content encryption and the latest Windows Mobile (6.1) has encryption for the entire user-writable storage area. The key is stored on the device, encrypted with a password. BlackBerry overwrites the key in RAM when the device is locked (that is, when the device is inactive for a certain amount of time or when it is placed in its holster); since WM's encryption operates at a lower level, the key does stay in memory while the device is powered on. Either way, cutting power to the RAM will erase the decrypted copy of the key. Both support encryption of storage cards as well.

      As long as the device is set to automatically lock itself out and there is no way to bypass the lock screen [engadgetmobile.com], there's not a whole lot you can do to a fully encrypted WM6.1 device without resorting to a RAM attack [tgdaily.com] or finding a weakness in the implementation. Since the BlackBerry will erase the unencrypted copy of the key when the device is not active, it's secure against searching for the key in RAM, too.
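The split-key design listed a few comments up (one share off-device, one on-device, the on-device share destroyed after too many failed attempts) and the key handling nxtw describes (the key wrapped under a password, the decrypted copy dropped from RAM on lock) can be modelled together. This is an added Python example, not code from the thread or from any handset vendor; the attempt limit, the PBKDF2 work factor and the toy HMAC-keystream cipher are assumptions made for the demonstration.

```python
"""Constructed model of the split-key, zeroize-on-lock design; assumed constants."""
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 10        # wrong-password limit before the on-device share is destroyed
PBKDF2_ROUNDS = 100_000  # assumed work factor for the password-derived wrap key


class Device:
    def __init__(self, password: str):
        self.failed = 0
        self.wiped = False
        self.dek = None                             # data key: RAM only, None while locked
        self.token_share = secrets.token_bytes(32)  # leaves with the owner (memory stick)
        on_device_share = secrets.token_bytes(32)
        self.salt = secrets.token_bytes(16)
        wrap_key, mac_key = self._derive(password)
        # Wrap the on-device share under the password-derived key (XOR of two
        # equal-length random keys) and authenticate it so wrong passwords are detected.
        self.wrapped = bytes(a ^ b for a, b in zip(on_device_share, wrap_key))
        self.tag = hmac.new(mac_key, self.wrapped, hashlib.sha256).digest()

    def _derive(self, password: str):
        km = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS, 64)
        return km[:32], km[32:]

    def unlock(self, password: str, token_share: bytes) -> bool:
        if self.wiped:                              # share gone: no password can help
            return False
        wrap_key, mac_key = self._derive(password)
        tag = hmac.new(mac_key, self.wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self.tag):
            self.failed += 1
            if self.failed >= MAX_ATTEMPTS:
                self._destroy_share()
            return False
        self.failed = 0
        on_device_share = bytes(a ^ b for a, b in zip(self.wrapped, wrap_key))
        # Combine both shares: neither the stick nor the handset alone yields the key.
        self.dek = hmac.new(token_share, on_device_share, hashlib.sha256).digest()
        return True

    def lock(self) -> None:
        self.dek = None                             # drop the decrypted key, as BlackBerry does

    def _destroy_share(self) -> None:
        self.wrapped, self.tag = bytes(32), bytes(32)   # overwrite rather than merely delete
        self.dek, self.wiped = None, True

    def crypt(self, data: bytes, nonce: bytes) -> bytes:
        """XOR with an HMAC(dek, nonce||counter) keystream; symmetric, so one call both
        encrypts and decrypts. Toy stand-in for the real storage encryption."""
        if self.dek is None:
            raise PermissionError("device is locked")
        out = bytearray()
        for i in range(0, len(data), 32):
            block = hmac.new(self.dek, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
            out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
        return bytes(out)


def run_scenario() -> dict:
    """Unlock, encrypt, lock, re-unlock and decrypt, then exhaust the password attempts."""
    dev = Device("correct horse")
    stick = dev.token_share
    dev.unlock("correct horse", stick)
    ct = dev.crypt(b"ledger.csv: who paid whom", b"file-1")
    dev.lock()
    key_dropped = dev.dek is None
    dev.unlock("correct horse", stick)
    pt = dev.crypt(ct, b"file-1")
    dev.lock()
    guesses = [dev.unlock("wrong", stick) for _ in range(MAX_ATTEMPTS)]
    return {"key_dropped": key_dropped, "roundtrip": pt, "guesses": guesses,
            "wiped": dev.wiped, "after_wipe": dev.unlock("correct horse", stick)}
```

Note that once the share is overwritten the correct password also fails, which is the intended trade-off of the design: the owner's recovery path is the off-device share plus a backup, not the handset.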

  • I love my Treo (Score:3, Interesting)

    by Zorque (894011) <zorqueozwald@gma[ ]com ['il.' in gap]> on Wednesday September 03 2008, @09:12PM (#24868495)

    I have a program on there that'll reformat the hard drive and zero everything else out, as well as disabling the SIM card, if I text it a certain phrase. Of course, it isn't all that helpful if whoever gets ahold of my phone just turns the radio off or removes the antenna so it can't receive that message, but I guess I have to count on criminals not knowing much about PalmOS since it's apparently a dying platform or something.

  • by BigGar' (411008) on Thursday September 04 2008, @10:35AM (#24874547) Homepage

    Since every time something like this comes out all kinds of FUD pops up about data erasure, etc...
    A classic paper on secure data deletion & recovery:
    http://www.cs.cornell.edu/people/clarkson/secdg/papers.sp06/secure_deletion.pdf [cornell.edu]

    Enjoy

    • Re:Woah (Score:4, Informative)

      by RiotingPacifist (1228016) on Wednesday September 03 2008, @07:08PM (#24867341)

      what do they mean by irretrievable:
      destroying the filesystem table? (easy to get the data back)
      writing all bits to zero? (still retrievable)
      writing over all bits with (pseudo-)random data? (apparently this can be retrieved)
      writing over all bits repeatedly?

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        on a hard disk you would be correct, try it with anything else and you get bupkis back.

      • Re:Woah (Score:5, Insightful)

        by Pfhor (40220) on Wednesday September 03 2008, @07:27PM (#24867507) Homepage

        Remember, this is flash, not magnetic bits stored on a spinning metal platter where header drift and other things would theoretically allow you to retrieve data that has long been removed.

        Recovering from (intentionally overwritten flash) may be considerably harder than a traditional drive. Most flash recovery apps for cameras, etc. are really just reading the stray bits, as the formatting, etc. does not actually wipe each sector (because flash is rated in number of write operations the individual bits can support before going bad, so you want to minimize that).

        Overwriting a flash storage partition on an iphone or other device also makes this harder because you can't easily pop those things open and mount the custom flash chip into some universal adapter and read its filesystem like you can do with any old hard drive (they even make forensic, read only, hard drive enclosures).

        So I zero out the data on my iphone, and well, there aren't any jailbroken or app store apps that you can run on the damn thing to do a low level recovery anyway, and I don't know of any target disk raw access mode to the device when attached to a computer that is available outside of apple's developer labs.

        • Re:Woah (Score:5, Interesting)

          by v1 (525388) on Wednesday September 03 2008, @09:20PM (#24868561) Homepage Journal

          you can't easily pop those things open and mount the custom flash chip into some universal adapter

          Very very few devices use custom flash chips. The iPhone uses off the shelf standard flash memory chips. And in addition to readers that require the removal of the chip, there are units that have cables with clips that just attach right to the chip in the (powered off) device and can pull the data straight off.

          And yes you can pop them open pretty easy. Some ipods are harder to open than an iPhone.

        • Re:Woah (Score:5, Informative)

          by blueg3 (192743) on Wednesday September 03 2008, @07:26PM (#24867497)

          You have to use something like a SQUID, but it's because of magnetic hysteresis. (I could explain, but Wikipedia is pretty accurate.)

          It's possible in theory, but in practice, it's technology that law enforcement doesn't have access to.

        • Re:Woah (Score:5, Informative)

          by khellendros1984 (792761) on Wednesday September 03 2008, @07:27PM (#24867505) Journal
          Magnetism is an analog property used to store digital information. A bit can be wiped so that a standard detector would read it as a zero, but the bit may be legible by a more sensitive detector.

          For instance, say that anything above "0.5" (half of the full possible theoretical strength of the magnetic field there) is a 1, and anything below is a 0. Maybe, the drive would actually write "0.9", which would be correctly interpreted as 1. If that number was blanked, maybe it becomes "0.3"....low enough to be a 0, but maybe another detector could tell the difference and know what the original value was.
          • Re:Woah (Score:4, Interesting)

            by Rorschach1 (174480) on Wednesday September 03 2008, @07:49PM (#24867749) Homepage

            And there's probably a certain amount of hysteresis too, so maybe that 0.3 gets overwritten with a 1 to become 0.93, and then with another 0 to become 0.393, and you can recover previous values to a degree limited by the amount of hysteresis, sensitivity of the detector, and noise floor. Or at least that's the theory I've always heard on why you're supposed to overwrite hard drives multiple times... I've never actually heard of it being done, but the assumption has always been that 'they' have the ability to do it. Anyone care to provide more substantial information on the feasibility of this sort of recovery?

            • Re:Woah (Score:5, Interesting)

              by Xanius (955737) on Wednesday September 03 2008, @08:11PM (#24867935)
              When I took my computer forensics class they showed that you could use a hex editor on a zero wiped floppy disk and recover most of the data that was on it previously.
              We had a guest speaker who told us some of what he does; he's a forensic analyst who pulls information from drives in criminal cases. He said that it takes somewhere around 72 hours to read a decent-sized drive and costs around $10k to get it done. (It's been a few years so the details are fuzzy, but that sounds about right.)
              But he wasn't too specific on what tools they use, etc. Something around 10 full wipes is easy enough to recover the original data from, but if you write over it and delete actual data it becomes more corrupted and harder to get back than just all 1s then all 0s.
              • Re: (Score:3, Insightful)

                When I took my computer forensics class they showed that you could use a hex editor on a zero wiped floppy disk and recover most of the data that was on it previously.

                Do you know how this is done? Because if one just uses a hex editor, wouldn't the hex editor simply see a disk full of nulls?

                • yeah that sounds like BS to me, I'd like to hear an explanation too. The magnetic explanations people have posted above are far more consistent with what I've heard about data recovery from wiped disks, which all involved hardware -- I've never heard of recovery through software alone, and it doesn't seem plausible. A hex editor would obviously be able to "undelete" data that had been "deleted" in the normal way, but I can't see how it would get to data that had been nulled.

          • Re:Woah (Score:5, Informative)

            by lgw (121541) on Wednesday September 03 2008, @08:08PM (#24867905) Journal

            Modern hard drives pack bits *very* densely. The bits overlap by a large amount. The technology to determine whether a bit is 1 or 0 by calling everything above 0.5 a "1" is already necessary to read the bit *normally*. Writing random data to the drive is enough to make any active sectors unrecoverable.

            However, modern drives have a huge count of spare sectors, and sectors get retired constantly, and there's no way to wipe those with normal reads and writes. So there's a random sampling of everything you've ever written stored in the retired sectors of a hard drive, and no in-band way to wipe those sectors.

            This is why the government standard for hard drives that have ever contained classified information is to shred the hard drive so that the pieces fit through a 1mm sieve. Of course, in reality, the government is just as likely to sell the drives unwiped on eBay, but that's bureaucracy for you.

              • Re:Woah (Score:5, Informative)

                by piojo (995934) on Wednesday September 03 2008, @09:07PM (#24868433)

                Does anyone know, off-hand, a way to query a sata disk for at least a count of how many sectors have been re-allocated, if not an actual map of them?

                In linux, you can use smartctl (from smartmontools, I think)--
                smartctl --all /dev/sda, and look for "Reallocated_Sector_Ct" in the output.

              • Re:Woah (Score:4, Interesting)

                by v1 (525388) on Wednesday September 03 2008, @09:15PM (#24868515) Homepage Journal

                any tool that accesses the drive's smart data can get this. the drive has to be directly connected to the computer, you cannot read smart via usb or firewire bridge. All drives track a small set of smart data including reallocated blocks. Most drives have additional smart parameters whose meaning varies.

    • Re:Woah (Score:5, Informative)

      by Constantine XVI (880691) <trash.eighty+slashdot@NOsPAM.gmail.com> on Wednesday September 03 2008, @07:32PM (#24867557)

      Go to Options-Security Options-General Settings. Enable password and content protection. Set the security timeout and password attempts to your preference. Now, when the timeout expires (X minutes after you stop hitting buttons) or you hook it to a PC, it asks for a password. If someone types in the wrong password Y times (10 is default, but you can go lower), it forces a reboot, and scrubs down the memory, which takes 20 minutes to an hour.

      To force the scrub, go to Options-Security Options-General Settings. Click the menu button, select "Wipe Handheld", type blackberry.

      Send me a PIN message at 244EB7DA if you need a hand.

      • Re:Woah (Score:5, Informative)

        by Constantine XVI (880691) <trash.eighty+slashdot@NOsPAM.gmail.com> on Wednesday September 03 2008, @07:37PM (#24867629)

        PS: For remote wiping, you need to be on a BlackBerry Enterprise Server (BES), which usually means your BB is company-issued. If you need it nuked, call up your admin and ask him to trigger the remote wipe. Keep in mind that the BES can (and usually does) track anything and everything that happens on a BES-connected BB, so a wipe will do nothing to hide things from your company.

    • Re:First POST (Score:5, Insightful)

      by Anonymous Coward on Wednesday September 03 2008, @07:34PM (#24867593)

      I'm glad these articles focus on the negative facts that police have trouble with, and not the USEFUL part of remote data wipe so that millions of customers data can be deleted when a device is lost, instead of having that information in the hands of people that could do some damage. I'll take a wipe of evidence for that security any day.

      • Re:First POST (Score:4, Interesting)

        by Lumpy (12016) on Wednesday September 03 2008, @08:06PM (#24867887) Homepage

        if the cops had any brains they would shut off the phones (remove the battery) the second they get them and then give them to forensics, who should have the IQ to operate them in a Faraday cage so that they can't be tampered with remotely. Do they take laptops and PCs they capture and hook them to the net and turn them on? Why do they connect phones to the network when they look at them?

        Come on, I thought they taught the police how to handle evidence. Are you telling me that CSI TV show is a LIE!!!!

        • Show me how to easily take the battery out of an iPhone. Please.
          • Re: (Score:3, Funny)

            The idea made me curious. I just wrapped my phone (mobile) in a rather large ball of aluminum foil. I then called it. Err... It still rang. I don't have any scientific evidence to say why, how, or all that but it rang. I obviously couldn't answer it.

            • Re: (Score:3, Interesting)

              A Faraday cage needs the cage and the object to be electrically separated. Otherwise, you just gave your device a big antenna.
              • If it's truly a proper Faraday cage for the frequencies involved, it doesn't matter if the object and the cage are electrically separated or not -- it'll still work. This is a function of Gauss's law [wikipedia.org].

                In this case, either the aluminum foil wasn't thick enough, or the gaps in it were too large. A cell phone is generally pretty sensitive, so even if you reduce the signal by a factor of one million, it may still be able to pick it up.

              • Re: (Score:3, Funny)

                NOT A SCIENTIST... So... I was curious. The dimensions were *about* 8" across with the phone in the center. Since I have had people tell me to drill holes in it. I will try that next.

      • Re:First POST (Score:5, Insightful)

        by MightyYar (622222) on Wednesday September 03 2008, @08:06PM (#24867891)

        Not to mention right near the top of the ARTICLE ITSELF:

        "Because we isolate the devices immediately, and never reconnect them to their network, the remote wiping capability does not present us with much of a problem," he noted.

        Um, so the problem is? Talk about sensationalism.

          • Re: (Score:3, Interesting)

            I suppose if you are an organized crime syndicate, yes, they are interfering with your business plan. Perhaps you should inform all of your employees, er... henchmen, to please refrain from leaving their iPhone at any crime scenes they have created.

        • Re:First POST (Score:5, Informative)

          by Karlt1 (231423) on Wednesday September 03 2008, @08:38PM (#24868157)

          Yeah, that would be useful. How do you do that on an iPhone? I thought that the lack of that feature was one of it's problems for Enterprise.

          It was added as part of the 2.0 firmware upgrade.

          http://www.apple.com/iphone/enterprise/ [apple.com]

          Features include:

          * Push email
          * Push contacts
          * Push calendar
          * Global Address List (GAL) support
          * Certificates and identities
          * WPA2/802.1X
          * Enforced security policies
          * More VPN protocols
          * Device configuration
          * Remote wipe

    • Re: (Score:3, Informative)

      If you manually enable "Content Protection" on your BlackBerry, doing a Security Wipe will take on the order of hours, and will overwrite the data several times with different patterns to the point that it's not recoverable by anyone, even RIM (if you don't have that mode enabled, a Security Wipe will only erase user-specific information, and it would be relatively trivial to recover it).

      If you're on a BES (meaning your BlackBerry was issued and is controlled by your workplace), your BlackBerry administrato