\[BrieFing\]
6 workarounds for accessing encrypted devices
BY MATT LEONARD
The story of Syed Farook’s iPhone is a perfect illustration of the power of encryption on personal devices and the government’s frustration when such security measures hinder an investigation.
In the wake of the shootings in San Bernardino, Calif., in 2015, investi- gators wanted access to an iPhone belonging to Farook, who was one of the shooters. The FBI asked Apple to write software to bypass the device’s encryption, but the company refused. A long battle ensued that played out in the courts and the media. In the end, the government allegedly paid $1 mil- lion to have another company unlock the phone.
Access to encrypted information need not always be so difficult or ex- pensive for investigators, however. In a recent research paper, Orin Kerr, direc- tor of the Cybersecurity Law Initiative at George Washington University Law School, and Bruce Schneier, a fellow
at Harvard University’s Berkman Klein Center for Internet and Society and CTO at Resilient, explored the practi- cal, technological and legal implica- tions of encryption workarounds.
They wrote that because encryption is now so widespread, investigators come across it in routine cases, making it especially timely and relevant to find ways to bypass encryption. The au- thors said there are six basic strategies for doing so:
1. Find the key. The most obvious way to get around encryption is to look for
the password, passcode or passphrase required to get into a device. That key might be written down somewhere or stored on an accessible device.
2. Guess the key. Although encryp- tion keys are long and random, the passwords that protect them are often
ceeded in opening Farook’s phone, the authors said. The company helping the FBI might have discovered a flaw in the device’s auto-erase function, which makes it harder to guess passwords. “This approach relied on two work- arounds in tandem: First, exploit the
Because encryption is now so widespread, investigators come across it in routine cases, making it especially timely and relevant to find ways to bypass encryption.
relatively easy to guess. Password- cracking software can try millions of passwords per second, but a device’s features might only allow investigators a certain number of tries before lock- ing out the would-be user. Therefore, an educated guess could be more fruitful.
3. Compel the key. Authorities can legally compel a device’s owner or oth- ers who know its password to provide it, the authors said. The Fourth and Fifth Amendments to the U.S. Consti- tution provide the device owners with some protection, but “considerable ambiguity remains about how much of a burden \[those amendments\] impose” on investigators.
4. Exploit a flaw in the encryption scheme. That’s likely how the FBI suc-
flaw; second, guess the key,” Kerr and Schneier said.
5. Access plaintext when the device is in use. This workaround involves accessing a device while it is in use and its data has been decrypted —
for example, when a suspect using a device is arrested before he or she can shut down the phone or computer.
6. Locate a plaintext copy. The infor- mation investigators are seeking likely exists in an unencrypted version some- where. In the San Bernardino case, investigators were able to get iCloud backups of Farook’s phone. Although the information provided some insights, it was six weeks out of date — which is why the FBI paid for the workaround.
Read the full paper at is.gd/GCN_ workarounds. •
GCN MAY 2017 • GCN.COM 5
SHUTTERSTOCK / 1105 MEDIA