Forgot your password?
typodupeerror
Iphone Crime Government Privacy Apple Your Rights Online

Apple Can Extract Texts, Photos, Contacts From Locked iPhones 202

Posted by timothy
from the as-a-public-service dept.
Trailrunner7 (1100399) writes "If law enforcement gets hold of your locked iPhone and has some interest in its contents, Apple can pull all kinds of content from the device, including texts, contacts, photos and videos, call history and audio recordings. The company said in a new document that provides guidance for law enforcement agencies on the kinds of information Apple can provide and what methods can be used to obtain it that if served with a search warrant, officials will help law enforcement agents extract specific application-specific data from a locked iOS device. However, that data appears to be limited to information related to Apple apps, such as iMessage, the contacts and the camera. Email contents and calendar data can't be extracted, the company said in the guidelines."
This discussion has been archived. No new comments can be posted.

Apple Can Extract Texts, Photos, Contacts From Locked iPhones

Comments Filter:
  • by Kenja (541830) on Thursday May 08, 2014 @12:16PM (#46950215)
    All the things listed, are synced to the iCloud. Sounds to me like they are not accessing the phone, but the contents of the cloud server, which have push/pull access to selected apps. Wonder if this is true if you disable cloud access or simply don't sign into it.
    • by Number42 (3443229) on Thursday May 08, 2014 @12:20PM (#46950261)
      TFA says that the data can only be accessed at the company HQ, so no, it seems that they are referring to local data that is unencrypted. It also states that they can access some data in the iCloud, too.
    • by Sockatume (732728) on Thursday May 08, 2014 @12:22PM (#46950299)

      Apparently not. It sounds like they're limited to whatever applications are currently running though:

      Upon receipt of a valid search warrant, Apple can extract certain categories of active data from passcode locked iOS devices. Specifically, the user generated active files on an iOS device that are contained in Apple’s native apps and for which the data is not encrypted using the passcode (“user generated active files”), can be extracted and provided to law enforcement on external media. Apple can perform this data extraction process on iOS devices running iOS 4 or more recent versions of iOS. Please note the only categories of user generated active files that can be provided to law enforcement, pursuant to a valid search warrant, are: SMS, photos, videos, contacts, audio recording, and call history. Apple cannot provide: email, calendar entries, or any third-party App data.

      • by swb (14022)

        So what exactly constitutes a "user generated active file"? Some kind of temp file kept open as long as an app is "open"? And what does "open" mean, really? Shows up when you double-click the home button? Many of those apps aren't really running, if you switch to them most seem to revert to cold-start behavior.

        It makes me wonder if there's a paranoia step a person could take before entering a known security zone, like force-quitting the native apps in question, or whether powering the device off does th

        • by VortexCortex (1117377) <VortexCortex@NOs ... t-retrograde.com> on Thursday May 08, 2014 @01:01PM (#46950731) Homepage

          So what exactly constitutes a "user generated active file"? Some kind of temp file kept open as long as an app is "open"? And what does "open" mean, really?

          Look at the source code and see. Oh, right. Never mind, it's proprietary and thus 4200% fucked.

          Add this question to your list: How do you even trust them to be telling the truth with national security gag letters now standard?

          • by swb (14022) on Thursday May 08, 2014 @01:11PM (#46950861)

            Look at the source code and see.

            Even if I had the source code, it wouldn't do me personally any good as I couldn't grok what it did just from reading it. It would do me as much good as it did 99.99% of OpenSSL users.

            Gag letters prohibit what they can say, they don't require them to make false statements of fact. You might make the argument that they could in fact be strong-armed through some extralegal method of making false statements of fact to engender false confidence in potential targets of spying, but that's getting a little into tinfoil hat territory.

            In fact, I think an Apple statement of what little they can extract is pretty good and serves as a kind of interesting statement on what they believe is recoverable. It doesn't include third-party techniques or equipment that you might find in an NSA laboratory, but I don't know that Apple makes that kind of penetration test of their own devices.

        • by blueg3 (192743)

          The appropriate paranoid step is enabling encryption. Then, turn off your phone if you suspect it may be taken from you.

          • by swb (14022)

            I've had encryption enabled since it became available.

          • Or, smash it. Apple specifically states that the phone must be in good working condition for them to do shit.

            • by blueg3 (192743)

              They mean functional. If you break the screen, they may still do it. Drop it in some water, though, and it may be hosed enough for them to not bother. (Really, the "in good working condition" statement is there for one purpose: it says that they won't go to any extreme measures to make it work. They have a process in place for doing this, and if it's successful, they'll give you the data; if it's not, they're not doing experimental forensics for you.)

              I was thinking more of something you could do to secure y

        • So what exactly constitutes a "user generated active file"?

          From the document: "Please note the only categories of user generated active files that can be provided to law enforcement, pursuant to a valid search warrant, are: SMS, photos, videos, contacts, audio recording, and call history. Apple cannot provide: email, calendar entries, or any third-party App data."

          It's things that no phone tends to encrypt.

    • by Anubis IV (1279820) on Thursday May 08, 2014 @12:30PM (#46950407)

      If you read Apple's document [apple.com], they make it pretty clear in Section I that they're talking about extracting data from an iOS 4 or later iOS device that is passcode locked and in good working order. Besides which, not all of that data goes through iCloud (e.g. call history, audio recordings (unless you're backing them up), etc.).

      Moreover, they've detailed the security of their iCloud offerings before, and what I noticed immediately is that while SMS texts can be extracted according to this document, iMessages are not listed, suggesting this isn't just an iCloud backdoor. Likewise, if they were able to access your iCloud stuff, they'd have access to a whole lot more, such as calendar events, e-mails, and any third-party data you had backed up using iCloud Backup.

      • by TheP4st (1164315)

        Likewise, if they were able to access your iCloud stuff, they'd have access to a whole lot more, such as calendar events, e-mails, and any third-party data you had backed up using iCloud Backup.

        From the source you linked:

        iii. Email Content
        iCloud only stores the email a user has elected to maintain in the account while the customer’s account remains active. Apple is unable to produce deleted content. Apple will produce customer content, as it exists in the customer’s mailbox in response to a search warrant.

        • by TheP4st (1164315)
          By mistake I clicked submit before adding section iv

          iv. Other iCloud Content. PhotoStream, Docs, Contacts, Calendars, Bookmarks, iOS Device Backups
          iCloud only stores the content for these services that the customer has elected to maintain in the account while the customer’s account remains active. Apple does not retain deleted content once it is cleared from Apple’s servers. Apple will produce customer content in these categories only in response to a valid search warrant.

  • by bazmail (764941) on Thursday May 08, 2014 @12:19PM (#46950243)
    How about google, hotmail, facebook etc passwords from Safari's settings? Thats what law enforcement always look for. That is cop gold right there. Who gives a crap about the data in the calendar app, thats all hosted on apples cloud anyway.
    • Keychain's encrypted. So I'm guessing no, but it could be back doored.

    • Wouldn't law enforcement just require the account usernames and then get the data from the respective service providers with a warrant? Sounds a bit unprofessional that they would go logging in to the accounts by themselves.
      • by Charliemopps (1157495) on Thursday May 08, 2014 @01:15PM (#46950887)

        Wouldn't law enforcement just require the account usernames and then get the data from the respective service providers with a warrant? Sounds a bit unprofessional that they would go logging in to the accounts by themselves.

        You've never been in court have you?

        The primary legal argument in most cases in this country are: "Well we're the police we can do that. Constitution? Sure you could appeal this but the fines $500, you're legal fees on appeal would be at least $5000... tell you what, pay the fine and we expunge the charges in 6 months!"

        Yes, this has happened to me. I even got a ticket once for "unlawful use of horn" when I honked at a guy that almost hit me. But he was the cops uncle (cop told me this) he then proceeded to tell me "Sure this would get thrown out of court, but I get paid to go to court. You don't. I can give you a ticket every day you drive through here. How long would you keep your job? Now how about you stop being a jerk and honking at old people?" I called the police station later and spoke with the guys boss who laughed at me and said his officer told him "Some jerk will be calling you..."

        The police only follow proper procedure and what-not when they think the case is big enough that it'll mater... i.e. you're going to jail and they know you'll fight tooth and nail. Otherwise they just search illegally, bully and batter people, contaminate evidence (if they even bother to collect any) and then slap a fine on you. If the fines aren't over a couple of thousand and there's no jail involved, its almost always in your financial best interest to just roll over and take it. In the few cases where the person doesn't? They don't care, 100 other people got arrested on the same day.

    • by fermion (181285)
      And here is the question. Is it accessing the phone, in which case a remote wipe can protect the citizen from a warrent, or is it accessing the 'cloud' in which case the courts have ruled that because you have shared the information with a third party, i.e. your service provider, the privacy of the data is much more limited.

      I don't have as much issue with this kind of police state antics as some other things because these kind of communications just don't seem to have as much expatiation of privacy. Lik

      • They require the phone to be shipped to Cupertino, in good working order. So I'm guessing that if you execute a remote wipe (which, on an encrypted iPhone constitutes the disk controller basically forgetting the encryption key), that law enforcement is fucked. And, because we're not talking about a magnetic medium, there's very little forensic recovery possible.

    • by Penguinisto (415985) on Thursday May 08, 2014 @01:00PM (#46950715) Journal

      How about google, hotmail, facebook etc passwords from Safari's settings? Thats what law enforcement always look for. That is cop gold right there.

      No, that is prosecutor cyanide. Cops do not generally log in with the user's credentials, because it poisons the evidence gained from that site. Any competent defense attorney could get the subsequent evidence found that way thrown out almost immediately ("So, officer, you logged in as the user and acted on his behalf in the website? How do we know that you and your cohorts didn't plant the evidence yourself? Tainted evidence, yerhonor!")

      Easier to get a warrant, have the provider give you the data. That way you can have a valid chain of custody, proof that there was no impersonation by cops or prosecutor, and absolutely no chance of any claims being valid that questions the veracity and integrity of the evidence found. Hell, even in those few cases where a user/pass is used, both prosecution and defense attorneys are present during its use (and depending on locate, a clerk of the court) - the defense (and clerk) are there to keep 'em honest.

      • by vux984 (928602)

        ("So, officer, you logged in as the user and acted on his behalf in the website? How do we know that you and your cohorts didn't plant the evidence yourself? Tainted evidence, yerhonor!")

        Yet...
        "So, officer, you opened the defendants trunk and 'found' drugs there? How do we know that you and your cohorts didn't plant the evidence yourself? Tainted evidence, yerhonor!"

        Doesn't seem to be a get out of jail free card for people getting pulled over and having their vehicle searched.

        Hell, even if the police get a

    • How about google, hotmail, facebook etc passwords from Safari's settings?

      No, they can't extract those.

      Who gives a crap about the data in the calendar app, thats all hosted on apples cloud anyway.

      Well it might be. If the user chose to set up an iCloud account, and hasn't deleted the data since. In every other case it's unavailable. It can't be extracted from the phone.

    • by BitZtream (692029)

      Or in the Enterprise, the calendar data is stored on MY servers. MY caldav, MY carddav, MY imap server.

      People who care about security don't use someone else's servers to store their important data.

  • by Bill_the_Engineer (772575) on Thursday May 08, 2014 @12:26PM (#46950347)

    How much is threat post paying timothy to drive up their traffic with these half ass stories?

    The summary fails to mention that the phone must be in their possession and the both the phone and the search warrant must be delivered to Apple's headquarters which is the only place Apple will perform the extraction.

    If anything I applaud Apple for both publicly disclosing their policy for dealing with law enforcement and requiring a search warrant with more detail than "suspect's phone". They require the model number, phone number, serial of IEMI number and FCC ID number.

  • Whoever owns the system, owns the system.
  • iMessage? (Score:4, Informative)

    by kurowski (11243) on Thursday May 08, 2014 @12:33PM (#46950427) Homepage

    "iMessage" is a message transport. The app is "Messages". The document from Apple specifically says "SMS": it does not mention either Messages or iMessage. While it's possible that Apple leaves iMessages unencrypted on the device, it would be surprising given how much trouble they go through to protect then in transit. So while this document doesn't explicitly say iMessages are safe, it also doesn't say they're vulnerable.

    • You;re right. The only mention in the document of either "iMessages" or "messages" is:

      "Apple cannot intercept usersâ(TM) iMessage or FaceTime communications as these communications are end-to-end encrypted."

      As this is a document saying what Apple CAN get with a warrant, clearly iMessages can't be.

  • The actual article (Score:5, Informative)

    by rabtech (223758) on Thursday May 08, 2014 @12:40PM (#46950497) Homepage

    Hey, let's link to the actual document in question! What a novel concept!

    http://www.apple.com/legal/mor... [apple.com]

    Good news:

    - Apple cannot track a phone via GPS, nor forcibly enable Find My Friends/Find my iPhone

    - Apple cannot monitor FaceTime or iMessage conversations since they are end-to-end encrypted

    - Apple cannot provide third-party app data that is encrypted since the files are encrypted with the user's passcode.

    - It appears if the user does a remote wipe before law enforcement can get a warrant and ship the phone to Apple (or fly it there), then there is nothing that can be done. I wonder if they power up the device in an anechoic chamber so it can't receive the remote wipe signal? I would guess no because most people aren't smart enough to do an immediate wipe.

    - We already knew the only trick they have as far as encrypted files goes is a custom firmware that bypasses the max attempt auto-erase and rate limit feature, so it can attempt to brute-force passcodes quickly. However it requires the attempt be made on-device, since the keys are stored in the secure storage with no facility to get them off-device. So even a moderately complex passcode is effectively unbreakable, let alone a good strong password.

    Questionable:

    - user generated active files (this is what SMS/call logs/photos/etc are listed under). Normally if a device is powered off and rebooted, I was under the impression that these things were not available because the files are encrypted. It seems that iMessage is at least encrypted here, but I would be curious to find out what the situation is. Everything except photos, videos, and recordings is a moot point because you can get stuff like SMS history and call logs from the carrier anyway so those are the only ones I'd be concerned about.

    There are some definite good points here - Apple has chosen not to build themselves backdoors or workarounds, presumably because they can't be ordered to disclose information they don't have access to... same reason they built iMessage the way they did. A court would have to order them to refactor their software before it could order them to intercept messages, and at least in the US there is no precedent or law that can compel them to do so.

    However I would expect the âoeuser generated active filesâ to be encrypted after a device reboot until the passcode is entered. If that is not the case, Apple should fix it pronto.

    I would also expect Apple to refactor the storage of those things to be segmented, given the NSA revelations and increasingly authoritarian behavior of law enforcement; for example, photos pending background upload could be kept unencrypted, but once uploaded they should be rewritten as encrypted so they require the passcode to access. They already have the ephemeral key tech and per-file key support so you can generate a key for the unencrypted file while the device is unlocked, then toss the passcode key when the device locks and only hold onto the file key until the upload is finished, then toss it. Thus no risk to the main key but you can still encrypt the file in the background.

    I won't bother discussing Android phones - they are almost all trivial to break and access all the user's data, when people like Samsung aren't coding back doors directly into the firmware.

    • by rwv (1636355)

      if the user does a remote wipe

      I do not claim to know details... but as you mentioned a remote wipe won't work on a phone that is powered off and there are things known as Faraday Cage that should block signals once the time to power on the device and take evidence off it arrives.

  • If at this point people are still surprised that this is possible then they are just naïve. Privacy in public forums (internet being the biggest forum of all) is not possible in this current age. Other than my personal information I don't care what people know or get from me. Some people have a dark past and don't want information to leak but I honestly have nothing to hide so I don't care.

    Think of it this way: We are all Truman in the Truman show. The public is watching and so are the officials. Crook

    • No, think of it this way: You don't understand what is and is not a "public forum". The "texts, contacts, photos and videos, call history and audio recordings" stored on your personal phone are not accessible in a "public forum", and Apple is somehow (allegedly) pulling these things from your device remotely (heaven knows why the security model even allows this to happen) at the behest of law enforcement.

      Other than my personal information I don't care what people know or get from me.

      What if people knew you were an idiot? Congrats, you just displayed it in a public forum.

      • No, think of it this way: You don't understand what is and is not a "public forum". The "texts, contacts, photos and videos, call history and audio recordings" stored on your personal phone are not accessible in a "public forum", and Apple is somehow (allegedly) pulling these things from your device remotely (heaven knows why the security model even allows this to happen) at the behest of law enforcement.

        The whole thing and how it works has been well-documented for a long time.

        First, an iOS device's flash storage is always encrypted. The encryption is basically unbreakable. But obviously, the iPhone can still read it. That's because you enter your passcode, and that passcode is used to unlock the data.

        The bit of code where you enter your passcode is written and signed by Apple. Only code that is cryptographically signed by Apple is capable of checking a passcode and with the right passcode giving acce

      • by tlhIngan (30335)

        Apple is somehow (allegedly) pulling these things from your device remotely (heaven knows why the security model even allows this to happen) at the behest of law enforcement.

        Not remotely, unless your definition has changed to "using some other computer hooked up to it".

        Apple needs to be in physical possession of the suspect device, AND said device needs to be delivered with warrant simultaneously.

        Likely this means the phone needs to be hooked up to a special test rig to actually work.

        Older iPhones and other

      • Except that they aren't pulling that stuff remotely, as their policy requires the device be sent to Cupertino in good working condition.

        Doesn't sound very remote to me.

  • by DanSSJ4 (1693476) on Thursday May 08, 2014 @01:19PM (#46950931)

    I just did this on a locked iPhone i Found Yesterday to try to identify the owner.

    It was locked from too many bad PIN's entered and I was able to access Photos, Call Log, TXT Messages, etc.

    Didn't give me access to every single thing on the phone, but that is still a lot considering this is a shareware limited app anyone can download.

    There are more advanced Forensic programs that are available, but they can get more pricey.

    But if anyone with google can find a shareware app, what hope to you have against the government with all their money and resources.

    http://www.easeus.com/mobile-t... [easeus.com]

    • what hope to you have against the government with all their money and resources.

      Given that the App you mention and Apple's list of what they can extract amount to the same thing, it's probable the government also can access the same things. Basically anything that not encrypted on the device or backup can be accessed by all (with physical access). Things that are encrypted can't be. Even by people working for scary 3 letter acronyms.

  • by spinozaq (409589) on Thursday May 08, 2014 @01:37PM (#46951129)

    I had someone give me an iphone 4 last year where a child playing with the phone had accidentally deleted all the pictures. My task was to recover all the deleted pictures. It took me a few hours, mainly because I had never done anything with an iphone before. The process that worked invovled booting the phone with a different bootloader and breaking the encryption key. Most of the information and software to accomplish this can be found with a few minutes of searching.

  • See http://www.cellebrite.com/mobile-forensics. Every Apple store has Cellebrite phone forensics software and so do a every police agency who can afford it.

  • I posted this elsewhere in the thread, but this describes the iOS security mechanisms in excruciating detail, including the full-disk encryption, etc. etc. Note that it does vary by hardware platform (3GS, 4, 4S, 5, 5S) and iOS version, so this is the "new hotness". There's a lot of incorrect information in the comments.

    http://images.apple.com/ipad/business/docs/iOS_Security_Feb14.pdf

    • by Kimomaru (2579489)
      So, let me understand your point better. You're saying that you believe what Apple publishes on its own security mechanism?
      • So, let me understand your point better. You're saying that you believe what Apple publishes on its own security mechanism?

        Don't you?

        Remember, we are Apple's customers. We are the people paying Apple. How much money do you think does Apple make by supporting law enforcement? I'd say $0 if they are lucky, but quite possibly a loss. What interest does Apple have in reading your data or making it available to someone? Apple's biggest source of profit is selling phones, followed by selling tablets, followed by selling computers. Just like Google, Apple's interested in keeping their customers happy so they keep paying money. Unli

The F-15 Eagle: If it's up, we'll shoot it down. If it's down, we'll blow it up. -- A McDonnel-Douglas ad from a few years ago

Working...