All Tech Considered
2:56 pm
Tue March 25, 2014

The Security Cracks In Your Smartphone

Originally published on Tue March 25, 2014 5:25 pm

Law enforcement's ability to get past your phone password depends on "exploits," hacker tricks that take advantage of vulnerabilities in the phones' operating systems. Many exploits are kept quiet, to be sold to criminals or security companies. Others leak out. Here's a list of some of the known cracks in the security of the two major types of smartphone.

Apple/iOS

  • Brute Force Attack: The most direct way past a password is to throw a lot of guesses at it. If you're using Apple's basic four-digit PIN, it'll take no more than 10,000 guesses. That's a lot of guesses to enter by thumb; it's child's play for a computer. Apple closed the known window for brute force attacks on its newest operating system, iOS 7, though hackers are most likely probing it for new vulnerabilities.
  • Jailbreaking: Widely available software like "Redsn0w" can get at the "root" system of an iPhone. Once you're in the root, you can use other kinds of software to make the phone cough up its PIN. But this hack can be balky and it works most reliably on older iPhones.
  • Your iTunes: If your iPhone is locked, police sometimes find what they need by checking the backup you made on your computer, which you may have neglected to password-protect.

  • Your Pictures: Most of the contents of your iPhone are automatically encrypted and readable only with a "key" associated with your PIN. Not your photos. Apple leaves those unencrypted, probably for ease and speed of access. So if you're withholding your PIN to keep the cops from seeing a certain image, you could be out of luck.

  • Your Fingers: Longer passwords are a pain, so Apple introduced the fingerprint reader. The fingerprint is the equivalent of a long string of characters — very secure. Unless the police have your finger. The Supreme Court says the police don't need a warrant to take fingerprints, and right now the assumption is that that applies to electronics, too.

  • Your Fingerprints: They may not even need your actual finger. German hackers show how prints could be lifted from a glass surface and used to open the phone, though some security experts say the technique is not very reliable.

Google/Android

  • Bad Patterns: Unlike the iPhone, the screen lock (or "pattern lock") on an Android does not automatically encrypt the phone's data. It's more of a stumbling block for the nosy. Security experts say many people pick overly simple patterns that are easily guessed.

  • Google Login: You can get around the pattern lock on an Android if you have the user's Google username and password. This is meant as a backdoor for the phone's user. Police can use it, too, if they somehow have your Gmail login credentials.

  • Remote Unlock? In 2012, the ACLU's tech privacy expert Chris Soghoian wrote that he had information indicating that Google was selective about the access it gives police. He says the company may draw a distinction between unlocking information already stored on the phone and information that may flow into the phone while it's in police custody. In 2014, police sources told NPR that they've been able to get Google to unlock a phone completely and via remote control. They say Google requires a warrant for this service.

  • Smudges: Researchers showed that they could figure out the unlocking pattern on Androids 90 percent of the time — all they had to do was follow the finger grease.

Copyright 2014 NPR. To see more, visit http://www.npr.org/.