If you know him from your classes on research or his research that he's done around the
school, so you know that he eats, sleeps, and lucid dreams about technology. At any
time, day or night, you'll find a line of people to his office either waiting to ask
what new device to buy or to ask how to conspire on their boyfriend or girlfriend who's cheating
on them. For those who have visited his office you'll quickly notice that Professor Wandt
sets up his office like it's his own wing in the college with his cameras at the door and
his computers and interesting devices all over the office. There's a few of them that
you will never find out what they do so don't even try. The closest thing that I've ever
seen to Gotham, New York City will ever have a bat cave. As a matter of fact if one day
possibly I were to become Batman Wandt would be the head of my R&D division, he would be
my Morgan Freeman. So it's only right that Professor Wandt is the one that is giving
this presentation that you're hearing this evening and I promise you, you will learn
a lot. So please join me in giving a warm welcome to Professor Adam Scott Wandt.
I have to start off by thanking the John Jay College of Criminal Justice Center for Cybercrime
Studies. Those of you who have never been to a cybercrime lecture at the college, we
have them here several times a semester usually upstairs. We bring in fascinating speakers
from around the country to talk about issues of cybercrime. I'm a researcher with the cybercrime
center. When I first came to John Jay and I had some ideas about the areas I wanted
to start to research with information security, the cybercrime center was there not only to
support me, but to also to help me find funding and help me get the equipment that I need
to get started. So I just wanted to give a shout-out, for lack of a better word, to the Center
for Cybercrime Studies, to John Jay.
Today, everything is digital or almost everything is digital. Information is ubiquitous, it
is everywhere. It is in our hands, it is in our computers, it's in the air, it travels
at the speed of light all around us. Much of what we do today in our daily lives is
channeled and funneled through digital means. And we don't stop to think often enough about
what that means. If we look at smartphone adoption rates in the United States for example,
these are the smartphone adoption rates from 2009 into the projected 2014. And what's really
interesting about these rates, first of all when I did my research the first thing I found
out is that there are no real firm numbers. There are several numbers that are universally
agreed upon, but it's really hard to tell smartphone adoption rates in the United States. The experts
disagree by as much as 8 percent at any given moment, but the one thing that's obvious is
that if you go back to 2009 and before which is not too long ago, smartphone rates in the
United States adoption rates of well under 20 percent. But in 2012, last year for the
first time smartphone adoption rates in the United States surpassed 50 percent. So today
more than half of Americans are carrying around a smartphone. By 2014, we expect that number
to be up around 80 percent. So what does it mean that 8 out of every 10 people walking
around on the streets have a smart phone or will have a smart phone as of next year. If
we look at John Jay as an example in New York we're always special, New York is a special
place and if we look at your numbers, John Jay student numbers, the numbers are even
higher. In 2009 and 2010 it was just below 25 percent, below 50 percent in 2010. We think
that between 2010 and 2011 we surpassed that 50 percent mark. So we surpassed it 2 years
before the national average. Today according to CUNY Institutional Research and the 2012
Student Experience Survey, we think at John Jay the smartphone adoption rate is somewhere
between the mid 80s and the low 90s, but it's really hard to tell, the numbers differ
from survey to survey. It might be somewhere in the 80s, let's just say it's in the 80s.
By 2014 we expect it to be near 100 percent. In my personal classes, last semester every
single one of my students other than one had a smartphone and this semester every single
one of my students other than two have smartphones.
So what does that really mean? What information, what I'm looking at, what information is going
over these smartphones and how do they propose security risks to the people who are carrying
them? If we look at market share distribution of smartphones in the United States, as of
the fourth quarter of last year, so you're only talking about a month or two ago, Android
has almost 50 percent, they're dominating the market at 48.5 percent. There are lots of
phones out there with Android. iPhone is at about 32 percent, BlackBerry RIM about 11-12
percent, that 1.7 percent, that's Windows Phone. And then everything else is about 6.2 percent.
What's important to recognize here is that an overwhelming number of smartphone operators
are using Android and iOS. So if an attacker or if law enforcement were to focus their
efforts on one or two of these systems, makes sense from a systems standpoint to choose
systems that are used by the majority of people. And if you can go between Android and or iOS
you have almost all of it covered.
If we break it down as to race, as to 2011, what we find is actually quite interesting.
The lowest percentage group in the United States that have smartphones are white caucasians
at 44.7 percent and the highest being Asian Pacific Islanders. Why I'm finding this information
interesting is because what we used to have this thing called the digital divide. We still
have the digital divide in this country where the have nots have trouble affording technology,
but what we're seeing if you look at either by race or socioeconomic status we're seeing
the digital divide virtually disappear due to mobile technology and that's something that's
really important.
At the same time it's become a cultural icon. The iPhone or even an Android phone, the people
on the subways or the trains, we know that this is what happens, we see it every day.
People are using smartphones everywhere. They bring it with them everywhere they go. One
of the things I looked at in my research is the savviness of the smartphone user. Because
the savviness of the smartphone user will help you understand the risk the smartphone user
has for exposure. For example the basic smartphone user, maybe they're only using phone, contacts,
emails and games. Most of them might not be able, most of them might not even be using
emails and games, right? A lot of people, basic smartphone users are just using the
phone and contacts.
So what risk do these people have? The average smartphone user, they use the basic function,
but there're also heavy application users. They use large amounts of bandwidth, they
use large amounts of video, they look at YouTube all the time. Many of these people are stood
enough to have second telephone lines on their phones. Anybody here have line two, or heard
of line two? And they spend the most money on their phones as well.
Finally you have the adept smartphone user or the expert. I consider myself an expert
smartphone user. At this point the expert smartphone user, they no longer care about
the phone or the device itself. For me it doesn't matter if it's a phone or a tablet,
or a laptop. For me what's on one device is on all my devices. Everything is the same.
Any file I have, anywhere in the world I could access from my smartphone as long as I have
it set up that way. And what kind of risk do I have if my smartphone is compromised?
I can take all the security considerations in the world with my home system or my work
system. I can have files encrypted, I can have the backup, I can have them stored
correctly, I can have all the safeguards and precautions, but if I can't bring those safeguards
to my smartphone, what's the risk?
I should mention this line of research and this work, it's actually chunks of several
different things that I'm looking at. And I'm actually using this lecture to prepare
for another lecture that I'm gonna give in October for the Association of Inspectors General.
And in giving that presentation we're really gonna focus on investigations, but in this
lecture I'm gonna jump around a little bit because I want your opinion, we're gonna have
some questions and answers. I'm gonna jump around a little bit and we're gonna look at
law for a second then we're gonna go back to technology.
The law is critical when it comes to this stuff. The law is what we have to protect
us, to keep us safe, to punish criminals, to regulate our conduct. The problem is that
when it comes to the law, the law and the policies behind them haven't kept up with
the times. They're so far behind, the law does not protect us. Back in the days of the telephone
a law was passed, which we'll get to in a moment, and what the law said was that your
geographical location information can't be transmitted over a telephone. If you call
me from your home line I could see your caller ID, but it can't transmit your exact address
and location. And those were the rules that applied to the phone systems.
The Electronic Communications Privacy Act is one of the really important pieces of legislation
that control this stuff. It was passed in 1986 and it hasn't been substantially upgraded
since. We're about to, and we'll look at that. So one of the most important pieces of legislation
affecting both investigations and privacy comes from a time when before I even went
to high school. Think of what technology was like in 1986. Let me give you a really good
example of how the law hasn't kept up with the times.
The Electronic Communications Privacy Act when it comes to criminal investigations,
it places a presumption and the presumption is that if you leave your email on your servers
for more than 6 months, they're presumed to be abandoned. And once they're presumed to be
abandoned the government no longer needs a warrant to access them. They only need to
meet the standard of showing that it's a part of a criminal investigation. Who here in the
audience has emails on Gmail or Hotmail that are older than 6 months? You have abandoned
your emails. I mean how many people consider those emails truly abandoned? The federal
government does. If you're a law enforcement official that's a good thing. Because if you're
a law enforcement official it allows you to do investigations into people without them
knowing about it. You never have to go to court. And unless you arrest them you never
have to tell them you were looking at them. So from an investigation standpoint, what
a great thing. I can investigate you and I could have every email as soon as it turns
six months old, and I don't even have to go to court for a warrant. But from a privacy
standpoint that's pretty scary. It's those types of complications that we have right now and
that Congress really needs to address.
And it's not just the Electronic Communications Privacy Act that's complicating all this. There
are many other acts. The Stored Communications Act for example which allows government to
reach out to your cloud service providers. The USA Patriot Act, the Protect America Act,
and for any of you who know how they work, National Security Letters. These are all legal
mechanisms that are put into place to help with legitimate investigations. I'll tell
you about it in a second, but we're going to be looking at a lot of this from two sides,
legitimate investigations and privacy.
I also wanna talk really quick about a really old piece of law called Third Party Doctrine.
The third party doctrine really complicates this issue. It's old law, common law from long
ago. What the third party doctrine basically says if I dumb it down is that if you have
a secret and you tell somebody that secret it's no longer a secret. And since it's no longer
a secret the government has the right to access it for criminal investigations and for other
proceedings where they normally wouldn't have had the right to access it before.
So let me give you some real life examples of how this used to play out in the old days
before technology, before modern technology. If John and Lisa were getting a divorce and
John goes to his attorney to talk to his attorney about the case. So John and his attorney are
locked in a room away from the public having a private conversation, most of us understand
that it's covered by attorney-client privilege, correct? But, now if John tells anybody about
that conversation, if he goes home and tells his sister about the conversation or if John
was stupid enough to bring his sister to the meeting in the first place when she wasn't
needed, just the presence of the sister or the sister knowing about it afterwards could,
the third party, could break down that privilege to a point where it actually could no longer
exist. So even that attorney could be forced to testify about parts of the conversation.
If you have a secret you have to keep it to yourself. There are some exemptions, spouses,
attorney-client, some psychiatrist privileges, but for the most part under the third party
doctrine if you tell somebody your secret, it's no longer a secret.
I have an iPad mini I carry around. It contains my secrets. I don't have any major secrets
really, where I'm going, what I'm eating, where I'm doing my private communications.
If I'm backing my iPad up to a third party cloud storage solution such as iCloud, I
am taking all of my information and I'm giving it to iCloud, that third party.
The law today is starting to suggest that by me backing up my iPad to the Cloud, I am
giving it to a third party and therefore releasing all of my expectations of privacy. Now I don't
know about you, but just because I back up my iPad to the iCloud I still have an expectation
of privacy. But, the government doesn't recognize that right now. So your emails that go through
mail servers, your private Facebook messages, your journals and diaries that are kept online,
even if meant to be private there is a legitimate argument that they fall under the third party
doctrine and therefore are no longer private, you no longer have that expectation of privacy.
So it's one of the many pieces of legislation, or it's not a piece of legislation, it's one
of the many legal principles we really need to take a close look at because I don't wanna
give up all my privacy just by protecting myself with common sense backups.
Now Congress is trying to do something about this. The Geolocation Privacy and Surveillance
Act is an act currently before Congress. It's an act that wants to establish privacy guidelines
for people against the government and private corporations which is far more important these
days. Who knows what's gonna happen with this and we're not gonna talk about it more today,
but it's a really important piece of legislation that people need to take a close look at because
we need to fix what is going on right now. We need to fix it for our law enforcement
officials that work really hard and we need to fix it for our people that deserve some
sort of privacy.
Let's talk a little bit about technology. The days of the Zack Morris cellphone are over.
You know everyone knows Zack Morris from Saved by the Bell and if you don't I feel very old,
which I shouldn't. He had one of the early cellphones in the show and he would carry
it around. These cellphones were a real beast. They sucked up a lot of power. The reason
you can't use a cellphone in a hospital, most people don't know the background, but the
reason you can't use a cellphone in a hospital still today was because of this phone. These
phones were so powerful back then, their transmissions would mess up hospital frequencies. Not today,
today we have something new. Today we have things that are much more than a phone. I
don't know why we're still calling it a phone. How many people make phone calls on their
smartphones? A lot, a little, I mean are you really using it as a phone anymore? It's a
converged digital media device. Brings everything together. And it does it with a bunch of sensors
that are scary as hell. It has assisted GPS to know where you are, a digital compass to
know which direction you're facing. It has Wi-Fi to communicate over 802.11. It has cellular
antennas which could communicate over one of five or six different standards. It has
three-axis gyroscopes to know which direction it's turned and an accelerometer to know if
it's moving. A proximity sensor to know what's around it. An ambient light sensor to know
what the ambient light in the room is. Knows if you're sleeping, knows if you're awake, has
a high definition video camera and high definition audio. This is not a phone, it's a surveillance
device nice enough to carry around with you. And from the surveillance device we can calculate
your location almost anywhere within 50 feet. If you're out of Manhattan we can even get better
location. In Manhattan it's a little hard. We get angular velocity. I can turn those
sensors on in your phone and not only tell which way your phone is moving, but what angle
and how fast. We can look at pitch, roll and yaw. We can look at rotation around gravity.
Centrifugal force can be measured by your iPad or iPhone or your Android. And we have
six-axis motion sensing. Second by second analysis of everything this device is doing.
Which way it's turned, which way it's moving, what's around it, it's all capable.
Some people are already starting to make a profit on this. Exercise applications for
example. Some require an external sensor. This one doesn't. Simply put the phone in
your pocket and run. Activates its pedometer, it uses its gyroscope, it uses its accelerometer,
it uses its GPS, it uses its Wi-Fi and it tells you how far you're running down the block
and what you're exercising and how many calories you're burning. It's using those sensors for
good, help you lose weight, help you get into shape. Another application called Sleep Time.
Sleep Time uses the gyroscope, accelerometer, ambient light sensor, proximity sensor and
microphone. You put the phone under your pillow before you go to sleep. And it records your
sleep patterns and movements. It knows when you're moving in your sleep so it knows how deep
you're asleep. It knows when you wake up, it knows when you go to sleep, it knows when
you start snoring, stop moving, it looks at all of these and it measures your sleep and
it helps wake you up at the right times, when you're in the right rhythms. I have used this,
pretty accurate, it's interesting. But, they're using all of these sensors to obtain information
on you.
Matter of fact, today the world. All of the information in the world is in the palm of
your hand. And we're all connected, all of us at all times. So my question, and many
privacy advocates' questions are, could you take all of these sensors and devices and
do harm with them? Could I use these sensors and devices that you're carrying around without,
could I use them without your knowledge? Could we either take control of these sensors or
devices? Could we obtain intelligence and information from them? Could we use them for
law enforcement purposes? Those are questions we're gonna look at now.
Everything I go over there'll be two sides to it and I'm not taking a side here. On one
side we have cyber investigations enabling us to stop crime and terrorism. And on the
other side of this very closely balanced scale we have privacy. Now when I start one of my
classes, two of my classes at John Jay, the first thing I say is, welcome I'm Adam Wandt
and you no longer have any privacy. You no longer have any legitimate privacy and that's
not really a good thing necessarily. But, everything that we go over from here on, and
I'm gonna give you four big cases to discuss. We're gonna talk about four major incidents.
We could look at the privacy, we could look at the cyber investigations and we can balance
the two. And I think the purpose of government is to balance those two. To find a good balance
between giving the law enforcement officials, the powers that they need to investigate crime
while giving us at least privacy to keep our personal life personal if we want to do that.
Now unfortunately most of you broadcast your life over Facebook 24/7. Coming up here I
got 2 or 3 questions, could I record this, could I put it on Twitter. So even like pictures
right now are being taken and put online. We're recording this to put online for the
college. On the investigation side of it here are some names you should know. On the left
hand column we have federal agencies or police like the United States Secret Service, the
Federal Bureau of Investigation, the United States military and large police agencies.
Those four groups, I should've put banks in here too actually, but I didn't, those groups
along with banks and the financial industry do almost the huge majority of the cyber investigations
in this country. On the right we have companies that prepare devices for their use and prepare
software and mobile forensics. Cellebrite we'll look at in a moment, many of you have
heard of it, Guidance Software which makes EnCase, Kroll a consulting company and firm
that's very close to John Jay College, they put out software for this as well, AccessData
which makes Forensic Toolkit, KPMG the consulting company, Price Waterhouse,
all of these groups are on the investigation side working every single day to stop child
exploitation, to stop child ***, to stop terrorists from laundering money. These
people dedicate their lives to protecting us. So it's really important that they have
the legal tools necessary, that are constitutionally valid to protect us.
On the other side we have certain privacy groups and here are three of them that are
worth talking about. The American Civil Liberties Union, really big one really important. The
Electronic Frontier Foundation, the EFF and academics frankly, they provide a lot of your
privacy control. They call out the government when they overstep their bounds, they provide
amicus briefs to courts. They're all really interested in policy.
So I told you we're gonna talk about four situations and this is the heart of the lecture.
These are situations that I'm looking at very closely. Each one of these is designed to
provoke a response from you. All of you will probably fall into one of these categories.
All of you should understand how this really works in a moment. The first situation that
I wanna discuss is physical access to your smartphones. There are many ways to investigate
or to compromise the privacy of your smartphone. Nothing's better than getting physical access
to it. A smartphone in the right person's hands is an unlimited amount of information. Think
of the data you put over your smartphone, think of the information. I don't care if
you delete it, it's still there. The text messages, the phone calls, the pictures, the emails,
the apps, getting physical access to your phone is very close to getting physical access
to your mind for some of us. How many people think they fall into that category? I'm just
curious, by a show of hands how many people would say that getting physical access to
their phone is like getting physical access to their mind? Just curious, raise of hands.
I do consider that for me. I consider my phone and my computer an extension of my mind. It's
not a device for me, it's part of me, as ridiculous as that sounds.
I should've wrote what state this was, oops. Think Michigan, Michigan or Minnesota, this
is Michigan or Minnesota state police. Michigan, somebody knows for sure, good. Michigan state
police. Michigan state police had a program that some of you might find interesting. They
used a Cellebrite UFED device, this is a Cellebrite UFED Touch Ultimate. This is the best of the
best mobile digital device forensics. I would love to get one of these from John Jay and
when Cellebrite watches this maybe they can get us one. John Jay would love a Cellebrite
unit to teach our students with, they're extremely expensive. These could download your entire
iPhone in under 2 minutes, even if it's full. And what the state police, we said Michigan,
what Michigan state police were doing is driving around with their highway patrol, pulling
people over and getting them to voluntarily submit to a cellphone interrogation. So they
would pull you over, you've been speeding, you want a ticket or you wanna participate
in a program. We're tryna catch drug dealers trafficking drugs. I don't wanna write you
a ticket. Would you participate in a program and let me analyze your phone that will help
police build a data set that will help us solve crimes in the future? It sounds pretty
legitimate, right? You don't realize that the phone is being plugged into this unit which
in the matter of two minutes. This is the software. Downloads and recovers everything.
Anything that's been deleted it doesn't matter. It puts it into really nice categories to
look at. Application usage, calendar, call log, notes, SMS text messages including deleted
ones, web history, the wireless networks you've connected to. This is cool because I could
prove you have been somewhere off of the records that have been contained in the wireless network
profiles. Web history, user accounts, locations. The Cellebrite UFED device in two minutes
populates this data set and your phone is handed back to you and you're off on your way.
Now it's, this is a very expensive device. So expensive it's hard for us even to get one.
It's hard for us to justify spending that much money for a couple of training sessions. But,
you don't need to spend that much money. Linux, there's a free open source operating system
of Linux called BackTrack 5. How many people have heard of it? Those of you who are in
my 750 class use it in class. BackTrack 5 comes with an iPhone analyzer that's open source
and free. It's not gonna do what Cellebrite does, it's not gonna do what the UFED does.
This one analyzes backups made on a computer. So when you plug in your iPhones to the computer
to do a backup, it creates a backup file that this takes apart. Anyone can download
this, go home and play with it. Not that hard to figure out how to use. This is really important
for us to talk about. Because just by getting physical access to your device for two minutes,
anyone can make a complete image of your device and be able to take it apart years afterwards.
So it might not be so important to the person that was pulled over at the time, but when
that information goes into a data set that's analyzed days, months, or years later, when
their deleted text messages are brought back, when their deleted pictures are recovered.
I don't think that people don't know what they went in for, what they're in for, if that
makes any sense. At the same time, police departments all over the country are using
the UFED to automatically image and inventory smartphones that are in the possession of
people when arrested. So if you're arrested for something totally unrelated, drunken and
disorderly conduct, possession of a drug, disorderly conduct, assault, whatever you're arrested for.
In many parts of the country, if you're brought into jail, well in all parts of the country
if you're arrested and brought in they do an inventory of your property, a legal inventory.
Police departments are starting to inventory cellphones as well where they'll make an image
using a UFED device of the cellphone of everybody and then if they need it later on in their
criminal investigation they have it. And they don't even necessarily need a warrant to do
it because the inventory right is something that's recognized under the law. And the law
in all areas isn't clear enough yet to tell us whether or not that's right or wrong.
Is it the same going through your pockets or the trunk of your car as it is going through
your smartphone? Courts are undecided or split in all parts of the country on that. Situation
number one, the physical access. For an investigator, you want access to the person's device, you
want access to their smartphone, you want access to the computers. Even if you don't
use the information you get, just to obtain it could tell you so much. But from the privacy
standpoint, is that disturbing? Is it disturbing that if you're arrested for throwing a fit in
a bar that your cellphone could be inventoried and copied and put into a database that can
come back later on, years later? I'll tell you from an investigator's point of view it's
a great thing. But from a privacy standpoint it's not.
Situation two is far more dangerous. If you think that's dangerous wait until we go to
two. The service providers. AT&T, Verizon, Sprint, Boost, Cricket, T-Mobile, there're
a lot out there. Ultimately it boils down to Verizon, Sprint, and AT&T for the most
part. Most of everything goes over their networks. What do they know about you? What do they
know about you just by you carrying around their phones? And how does the law protect
that information, or even does it? Here are the types of things cellphone companies keep
as records. Pen registry, trap and trace information, who you call and who they call, cell site
information, where are you when you place that call, who else is making calls on the
same tower at the same time, part of the standard reports. So if I wanna know who John called
from the corners of 59th and Tenth at 3 o'clock in the morning, those records are easy. Even
if I don't know John's phone number. I can find out what phones made calls from that
area and as part of the report I get all the other calls. They record call content at times
and we'll talk about how that works at the end. They record text messages and MMS.
If you send somebody a text, yes they know you sent that text and yes there's a record
of that text and yes the actual content of that text is kept as well.
Email, URL, ISP DNS connections. Every website you visit, every connection you make, every
app that you launch that makes a connection, it all leaves a recording, it all leaves a mark.
And the most dangerous out of all of them, live or historical geolocation information.
Where you are, what you have done, well where you've been and the problem is that this information,
if a request is done, isn't only necessarily isolated to the suspect. First, second, and
third degree information comes back at times. So since we're all connected. If you happen
to call somebody who's being investigated and that investigation is large enough the
software could automatically make you part of the investigation. So now you're looked at
and all the people you called are analyzed. From a law enforcement standpoint this is
great and cops know exactly where to go to get the information when they want it. Verizon,
Sprint, AT&T, all of them have guides for law enforcement. Manuals to advise them how
to get information when they need it. And these manuals are online, you could find them.
This is the cover of the Verizon manual.
So the question is, what information are the cellphone providers keeping? Well, I'm gonna
go past AT&T and I'm gonna go to Sprint then Verizon because I know the answers for that.
Sprint received over 200,000 requests from law enforcement for geographical locations,
geolocation data subscribers. 200,000 requests. They had so many requests that Sprint launched
a self service portal for law enforcement to access. So if you're a law enforcement officer
with proper rights you can access the Sprint self service portal. And in that portal for
each Sprint Nextel customer, you can go back several years, at least 5 and get 5 years
of almost minute by minute information, 5 years. Definitely 3 probably 5 at this point
of minute by minute information on where every Sprint customer has been. Every phone call
they've made, every text message. It's in a permanent computer data set. And the best
part is law enforcement doesn't even need to go to Sprint to get it, there's a self
service portal now. This is great for investigators. If your an investigator and your investigating
somebody and you have the legal right to obtain their information through a warrant or other
process, you can sign right into the Sprint's self service portal and on a very large map
that looks just like google maps, be able to set the day and time to whatever you want
and see exactly where your suspect has been years back. Verizon doesn't keep as long records,
their records I think go back 2 to 3 years at this point we think. But we know Sprint
goes back many years.
Do you choose your cellphone based on the amount of time the carrier keeps your information?
Do you choose your cellphone based on best service, do you choose your cellphone based
on best pricing? Everyone has different priorities here. But for law enforcement it's critical
to know that during your investigations you just need to go to a computer and you have
absolute evidence, not absolute evidence that's not the right word, you have very good circumstantial
evidence as to where your suspect was. Most people are where their phones are. And most
juries buy that. That makes sense to everybody?
Situation three, spyware. This gets dangerous. There are a host of both commercially available
and private programs out on the market which are designed simply to spy on your phones.
49 dollars is all you need to get a hold of a good one. ePhone tracker for example is
being spouses who suspect their spouses are cheating. You grab your spouse's phone while
they're in the shower and in 5 minutes you secretly upload a program to it that they don't know
about where you could listen to their calls as they're talking. You can get their contacts,
their email forwarded to you, their text messages and their GPS. And you can even set
the interval that the GPS is sent to you. So if you wanna know where they are 10 minutes
by ten minutes or minute by minute or hour by hour ePhone tracker for 49 dollars a year
would give that to you. They'll ignore the fact that installing it on somebody else's
phone is a crime. They'll say if you own the phone you could install it legally. Most spouses
I assume would assume they own each other's phones.
The U.S. Senate, there's a bill in the U.S. Senate to outlaw this by the way. The government
doesn't want people doing this. This does not play out well when it comes to things
like domestic violence. This is not recommended people do. This doesn't end well. If you have
to spy on your spouse you shouldn't be with them. It works on Android or iOS. Android's
a problem in itself due to its open source operating system. It has become increasingly
easy to spy on Android users.
I was at Defcon last year in Vegas and I walked into a lecture where they were discussing
how easy it is to turn on the microphone on somebody's Android phone and listen to them
without them knowing or the webcam and see them. Matter of fact certain companies are
selling software that does it for you and it takes the magic out of it. Environmental
listening imagine a shady room in your child, I mean they're trying to sell this to parents
protecting their kids but we all know there are many other uses of this. So that if you
think your spouse or your coworker, or your colleague, or your worst enemy is doing something
wrong you can install this software in their phone and listen to them all the time and
they would have no clue. Software like this also supports taking pictures with the webcam
or video and uploading them so you could see where they are and what they're doing. It's
out there on the web. In my information security class later this semester we're going to be
downloading and configuring one of these softwares to see how they work. Setting it up, again
this is not something that you should be using on your spouse or your kids necessarily.
But it gets even worse. I don't know if anyone knows this disaster. FinFisher is a UK based
company that creates government spyware. They create the software that governments all around
the world are using to spy on their people. Two scandals have broken. One of the scandals
is that they're selling their software to governments that are less than reputable. Their software
was being used to crack down on human rights advocates for example and spy on them. The
real problem with FinFisher software is it could be installed remotely. So you no longer
need access to the phone to install the software. You could install it remotely by tricking
the user into clicking on a link, they won't even know what's going on. And then to access
the user's phone you simply send a text message with a special code. The text message doesn't
even necessarily go through to the user, but it commands the phone to take a picture, to
turn on its webcam, to turn on its audio, to forward SMS'. They created this really
powerful software for governments to spy on its people and from the best I could tell
they lost a copy, allegedly. There's a lot of research out there that shows that this
software has made its hands into the black market. I have been looking for a copy of
it and I found what were some bad links of it. But there is a very high chance that a
copy of their software got stolen and leaked out and that the code is online and it's being
used by hackers all over the world and remotely uploaded to their servers. Matter of fact
we even found a press release from FinFisher admitting that this is happening. It's hard
however, to tell if the press release is real. So whenever looking at these things online
you really need to look at them, you know with a skeptical eye. You can do your own
research on the FinFisher issue. Made Bloomberg news, so Bloomberg reported on it. The question
of whether they actually lost a piece of software is questionable. So you can go do your own
research and take a look. If they did lose a piece of this software that's very serious.
Because it makes it so that anyone without skill or massive amount of skill could remotely
upload spyware to anybody's phone without them ever knowing. And spy on them 24/7. We
could do it now, but this makes it 10 times easier.
Situation 4, third party apps. Our final situation for the evening. Now this is the part of the
research that's not all mine. Again when I was at Defcon last year I ran into a cybercrime
researcher who's doing this with the ACLU and we're trying to get him into the college
to come and speak. And what's really interesting about his research is he's concentrating on
privacy and he's concentrating on privacy issues I want to concentrate on investigation
issues having to do with the information that's collected when you use a third party application.
Pandora, everybody use Pandora. What information are you giving up by using Pandora? You wouldn't
think of you giving up information right? But what information are you giving up and
to who? And who has access to that information. The Wall Street Journal found this very interesting.
And they actually have a website you can go and visit after class, I'm gonna show it to
you now, because the best way I could show you all of this is to show you the Wall Street
Journal. This is a cool website. I will make the website available on my twitter account
at @Prof_Wandt for those of you who are interested in going to it. This'll be challenging. So
the way this website works is they actually went out and investigated like 100 apps or
something like that and they hired a security researcher and this is an experiment that
anybody in the digital forensics team, any of our digital forensics students here could
do this. This is easy to do. We could replicate this experiment real easily. What they did
was they took their cellphone, they connected it via wifi they used packet capturing to
capture the packets then they analyzed the packets. So what they did was they connected
the cellphone to the wifi and they ran each program for 5 minutes to simulate normal use.
And while simulating normal use they then analyzed all the packets coming out of the
phone to try to figure out what exactly each app was doing and who it was connecting to.
And they took the database and the dataset and they turned it into this really cool database
on the Wall Street Journal. Let me show you how it works. We pick an app, we could
pick any app. Let's use Pandora because I know it's here and we already discussed it, click
on Pandora. We could look at the iPhone version of it, sometimes you can click on the Android
version of it too. But it gives you this really cool graph. And this is an interactive graph
where the top is information it's taking from your phone and the bottom is information that
they're passing through to third party content providers or advertisers or marketing companies.
So we can see Pandora, the red is your phone ID, the UUID, the unique individual number
of your phone. You do not want people having that number. Once we get your unique ID it's
very easy to compromise your phone. So, and by the way Apple is putting a new procedure
into place now that prevents apps from transmitting the UUID. They don't want people, they understand
the problem. So it gives you the unique ID of your phone, your location, so it's seeing
where you are, your age and your gender, your contacts, your usernames and passwords. It's
accessing those, but it's not passing them through. The reason these lines aren't connected
is 'cause Pandora's accessing it, it's just not doing anything with that information.
So your phone ID, your location and your age and gender for Pandora. And it's passing them
through to these providers. It's giving Yahoo your location. So if you launch Pandora right
now, Yahoo knows who you are and where you are. So it's telling Yahoo somebody from John
Jay just launched Pandora. It's telling Weekly Plus your location, it's telling Google Analytics
your location, it's telling Google AdSense your age, gender and location. It's giving
Facebook your location, I don't know I can't read that backwards. Media lists, it's giving
them your phone ID. Google and DoubleClick, it's an ad campaigning, marketing research
company your age, gender, location and phone ID. And it's giving Apple and Quatro your phone
ID and location. So just by launching Pandora you are communicating unbeknownst to you without
your necessary permission with Yahoo, Google, Weekly Plus, Media lists, Google AdSense, Apple.
Do you recognize that? Is that something that sticks in your mind? Do you say let me listen
to some music and tell Yahoo where I am. Is it a big deal that you're telling Yahoo where
you are? I don't know. I use Pandora still. I don't seem to have a problem with it.
Law enforcement officials, investigators, attorneys with subpoena power, when are they
going to start going to Yahoo for this information? Yes they can go to Sprint and Verizon and
who knows maybe Verizon's only keeping the data your geolocation data for a year or two
at this point, but maybe Pandora's keeping it forever. So if I wanna find out if Sebastian,
if I wanna find out if Sebastian was at John Jay today and if I wanna find it out 10 years
from now, if he happened to have launched Pandora and created a record with his unique
ID and his location, I could subpoena Pandora I could subpoena Yahoo or Google and get that
information. And depending on whether it's a criminal or civil action or what jurisdiction
it's in Sebastian might never know that I'm looking into him. And I think that if there's
one lesson I've learned through all of this, and I mean this, the real problem is that
all of this, when investigators go to do investigations only the guilty people, I don't wanna say
it that way, only the people who are going to be arrested and indicted find out they've
been looked at. We've created a system where the good people could be spied on and the
law even if they're totally good, the law never requires them to be notified that they're being
looked at. So only the bad people find out that they're being looked at. And to me, I think
out of everything I've looked at, that's the most disturbing thing. Because if you are
Mother Teresa, the most Holy person on Earth, the government has the right to look into
you and investigate you and get all of your emails that are more than six months old and
get all your information that's with third party people and they never have to tell you
about it. It's only when you are found to have done something wrong and you're indicted, what
is it the sixth amendment, right to confront witnesses 6th amendment, I think it's sixth.
It's only then the sixth amendment comes into play and they have to tell you that they're
looking at you and what they have, it's only then discovery starts up, it's only then
disclosures happen. So the good people are investigated and they never know. And that's
something I have a problem with. As much as I think it's important for law enforcement
to have the tools that they need, I don't want them having all my information if I did
something not wrong, and never tell me about it. I think that if I'm being looked at I
should at least be, you know, told after the fact at least. And that's just Pandora. There
are lots of other apps on here and they have a little quick guide, who gives a username
and password. See this is dangerous. Passwords, how many of you use the same passwords for
almost everything, don't raise your hand. Keep your hands down for this one. How many
people use the same passwords for almost everything. If Pandora is passing it through to third
parties or if some of those apps like Angry Birds, anybody play Angry Birds. If they're
passing through your username and password to a database that I own, what happens when
I use that database to start logging into all of your accounts as you using your credentials.
When Facebook first came out I was an early adopter of Facebook. This was before I was
a faculty member, before I was a Professor. When Facebook first came out I immediately
jumped on the bandwagon and I hired somebody to write an app with me, we wrote an app,
an early Facebook app. It was an app that allowed people to take my photography and
post it on their wall. It was called a gift giving app, that makes sense to everybody.
But, at the time Facebook didn't have privacy standards, if they did they were horrible.
So by installing the app on your Facebook site it gave me, the app owner, almost complete
access to your Facebook profile. All of your contacts, all of their pictures, everything
that's private. Now this was when Facebook first came out, since then, and yes I have
discontinued the app, app no longer exists it's been taken down. When I went and did the
movement into academia, I can't do stuff like that anymore. So the app was destroyed and
it really was, it's not even on a server anymore, everything's gone. Facebook has tightened
their grip on app people like, that wanted your information. So Facebook has been restricting
the information that apps could gather on you and pass through. But, there are still
a lot of old apps out there that are still in use. And you need to realize that by using
one of these old apps, many of them were created just to violate your privacy, just to obtain
marketing information, just to obtain intelligence. So by using these old apps still today you
are putting yourself in a situation that you don't actually realize. You should be going
back to Facebook checking your privacy app settings, getting rid of old applications
that have been authorized. Something like Angry Birds, not so bad. They're only talking
to Google, Chill N' Go, but they're still giving that phone ID and username and password and
location.
Virtually our entire lives are being imported to these mobile devices. Today the point of
this lecture is to start you thinking about these issues. Congress is thinking about these
issues, the media is thinking about these issues, privacy advocates are thinking of
these issues, law enforcement are thinking of these issues, but so do you. You guys are
the future of law enforcement, of government. It's time we start really taking a close look
at investigations, privacy and policies and law having to do with mobile devices. The
law is so far behind when it comes to our computers and our technology. We shouldn't
accept the same anymore when it comes to mobile technology. We have too much at risk, too
much at stake, we invest too much of our knowledge into our mobile devices, too much of our personality.
So we need to always have the balancing.
Now I'm gonna leave you with some conjecture. I have no direct evidence for any of this
even though almost everyone who knows about it agrees that it's as clear as day. When we
talk about criminal investigations, the constitution protects us. The fourth amendment, the first
amendment, the fifth amendment, the sixth amendment are all really important amendments
protecting us digitally. And they definitely protect us when it comes to criminal investigations.
But post 9/11 there has been a split in this country. A split between national security
and criminal investigations. National security is being routed through the national security
agency and the military, while criminal investigations go more through law enforcement. What we are
seeing is that there doesn't seem to be rules when it comes to national security. The White
House and Congress seem to be taking the standpoint that the constitution does not lie. Don't
have to believe me, go look it up yourselves, both Bush and Obama. And that the National
Security Agency do whatever they want as long as it's just for National Security. We're fairly
sure with like 99 percent accuracy that the NSA is monitoring every cellular communication
we make, every word you say over the phone, every email, every text message is being permanently
recorded by the National Security Agency, is being analyzed by the computers and if
the right algorithms are met, it's bumped up to a real live analyst to see if it's a threat.
Now I can't tell you if what the NSA is doing is right or wrong and I can't tell you that
because I'm standing here in the largest city in the world, I guess this is the largest
city in the world, largest safe city in the world I'll tell you that much. I'm sitting
here in the middle of Manhattan at almost 8:30 at night and I'm completely safe. I'm
gonna walk home as soon as I leave here, I'm gonna walk home I'm not going to be worried
about being mugged. I live in a high-rise apartment 25 floors above ground level. I
don't worry about a plane flying into my building. I feel safe. And am I safe because of the
National Security Agency and their intrusiveness. Am I safe because of the NYPD and the way
they handle themselves? I don't know. But what I do know is me and my family feel safe. And
that's really important for us as Americans. But on the other side, the balancing side.
Do I really want every word I say on a phone being permanently recorded forever being analyzed
for national security risks? Even if I'm not a risk today, with my luck I'll *** somebody
off in the future who will deem me a risk in the future. These are all things that we
really need to start just thinking about. We really need to start analyzing.
Doctoral students, these are perfect subject for dissertations. Master students, masters
thesis on these topics. There is a plethora of peer review journal articles coming out
on these topics, one or two of them will be by me this year hopefully. We need to start
paying a really close look at this so that 3, 4, 5, 10, 20 years down the line we don't
regret it today because we need to provide that balance between investigations and privacy.
I don't have the answer to what that balance is, it's all within us. My balance is different
than your balance, it's different than everyone else's balance. So we need to have a conversation
as a society to see what we'll put up with and what we won't. Thank you for coming tonight.
We still have plenty of food leftover for those of you who want. Before we get up and
start a commotion let me just ask if there are any questions because this is just a small
chunk of the stuff that I have been looking at. I'm really interested in wireless security,
wi-fi security. I was going to do some experiments in here, but decided not to. We'll do them
in the future.
Question: How is the private sector trying to secure mobile communications?
Sure, yes and no. Yes in that there is a very large private sector move to be able to securely
communicate via portable devices. MobileIron for example, BlackBerry, they all put a lot
of effort into securing your communications. There are new programs out there, one of them
is called TigerText, you could write it down, another one is called Wickr. Wickr claims
to provide military grade point to point encryption for text messages and private communications.
They allow like self destructing messages that erase themselves off your phone. They
have a lot of options so people are taking this seriously. There's a lot of effort to
let you live privately. The problem with that is twofold. We don't want to exclude law
enforcement that has legitimate right. We could be the most dedicated privacy advocates
in the world. We still need law enforcement to have the right to get information when
they have the legal right. The other issue too is while all of these products exist,
you have a constant fight back on the other side of it to invade the sanctity of the security.
For example, I'll give you a great example, nobody know the app WhatsApp, there's an
app called WhatsApp, it's like a text messaging program, anybody hear of it? Cellebrite is
very, very happy that they now support that program in their software. So when you use
the Cellebrite unit if you've been using WhatsApp, the WhatsApp app, it will download
that data set and it will give it to you even though it's been erased. One of the programs
I showed you today, one of the like 49 dollar programs, also accesses WhatsApp. So even
though there's a move to secure, there's an equal if not a greater pushback from people
who want to invade. That answer your question? Yes.
Question: How safe is mobile banking? What is being shared?
Banking, mobile banking is a very difficult issue. I do not have enough information to
right now give you a good answer. But, I could tell you about a situation. When the first
iPhone came out and the first app store was launched, Citibank was very quick to launch
the first mobile banking application. Maybe they were the first or second, but they were
quick. I was a Citibank user at the time. I used the Citibank mobile app for a year
until the new iPhone came out. Then I took my old iPhone and I sold it to somebody in
Indonesia. So I took my old iPhone, I pressed reset, I did everything I could do to wipe
it, and then I sent it to Indonesia. A year later I get a letter from Citibank apologizing
for a security risk with their old software. Turns out everything I did with their software,
almost everything was being recorded to the local phone and it wasn't being erased as
part of the normal erasing processes. So the phone that I shipped to Indonesia had all
of my banking information on it. They didn't update to their software so their solution
was just install our new software. But my phone was in Indonesia. So that could give
you a really good idea. I'll tell you that I've seen a number of studies recently that
are starting to, they're starting to suggest that online banking is more secure than traditional
banking. There are less people interactions and causes for fraud in online banking. And
there's a lot of fraud in traditional banking. There's a lot of people, not me, other people
looking at whether mobile banking and online banking is actually more secure because you
take the teller and people out of the equation. It's nothing that we're gonna answer today
though.
Comment: Student subpoenaed Sprint and was able to retrieve several 6-month old text
messages for a civil case. They gave you the actual content of the messages,
correct? That was six months old. I enjoy working with law firms to the subpoenas by
the way. It's incredible the stuff that we can get. So what else do you get? You get
towers, you get locations, you got the actual text messages. By the way the e911 act, has
anyone ever heard of the e911 act? The e911 act requires the cell phone companies to obtain
and store geolocation information on every phone that's out there. So for geolocation
you don't need a smartphone. So there are two types of phones in this country, we have
GSM and CDMA for the most part. I don't remember which one's which. One of the systems, all
of the information comes from the phones. So all of the information, even a dumb phone,
all the geolocation information goes to the phone. The other system its through the tower,
so the tower records and then they triangulate so yeah you don't need a smartphone to know
where you are. All that geolocation information is available on those cheap disposable phones
and actually there was a case that came out just a couple of days ago where the courts
held that the government could track prepaid phones. And that's a very new case.
Are you one of my students? What class? Okay we should talk one day because I'm really
interested in your experience.
For people that know what they're doing your password's an irrelevancy. We don't even need
a Cellebrite unit, Cellebrite unit to invade your iPhone. The master password for the,
you can just Google and look up, it's not a password that you can put into the phone you
actually have to go in and enter it via terminal commands. But for anyone who knows what they're
doing your passwords on your phones or your computers are pretty much irrelevant. Whether
you have a password on your Mac or PC or your phone, passwords are never a good solution.
Now you should always use passwords, I'm not saying don't use passwords, you should always
have passwords on your phone, but they're not going to keep people out who know how to get
in and it's very simple to get in. That answer your question? We'll take two more.
Well you got to remember the conversation exists on both sides of the channel. So AT&T
and Verizon or Sprint, they're both recording everything. So if you're in a multi carrier
communication whoever keeps the data the longest will have it. They might both have it and
different carriers are recording different parts of information. So there are no clear
answers yet. The only clear answer is we need clear answers.
How long does data stay on a smartphone? Almost all electronic devices that we carry
on us will make close to permanent records of information that travels through it. Especially
an iPhone where it would be stored on their flash memory. Now sometimes that information's
overwritten. So if you fill it up sometimes it overwrites and erases the old stuff. But
in general, you have months if not years of data on your phone. It's not gonna be deleted
just by you hitting delete. You need to be really careful when you get rid of your mobile
devices, when you sell your cellphones. I have not spent time yet and maybe I should,
I have not spent time yet doing a good mobile forensic, doing a good digital forensic analysis
of a totally wiped phone. I don't know if anybody in the audience has had an experience
with it. I've looked at plenty of phones but nothing that's been wiped purposely and perhaps
we should do that to see what's recovered. That's a very good question. I know that it's
very easy to get almost everything back so who knows what you get back during a total
wipe. Abe, you know?
Comment: Retrieval seems to vary a lot from individual phone to individual phone.
Remember I told you about that Wickr program W-I-C-K-R? One of the things they claim, I
have never, again, tested it to see if it works. They actually have a file shredder
in the program and if you run the program it claims it wipes your phone completely of
all deleted information. And when I get access again to either cellebrite unit or I have
time to do an archive and do an analysis through BackTrack I'm curious what it's actually deleting
and what it's not deleting. One of these days hopefully I can get together with some forensics
people we can get a Cellebrite unit and we could really see what's being erased and what's
being obtained. But I think Abe, Abraham's point is really valid that, you know, different
devices, people are doing different things with them, people are clearing them, you know
so not everything is equal, who knows what we get back in the long run. That's a really
important distinction.
So some of these phones allow you to do encryption will that help you? Yes encryption's always
a good thing. There's an encryption to changing the data to a different format. Encrypted
format is always positive. I've never, I mean I'm sure it exists, but I've never heard of
anybody being hurt by encrypting. But, encryption is not the answer, the end answer. Encryption
can be broken. The research for the Wall Street Journal article, most of the information that
was coming out of the cellphones was encrypted. And they used an open source tool to break
the encryption. So yeah we need to encrypt and my tools, my web tools to much of the
websites I use, my students that use project gnosis for example, they all use digital certificates
you know. We have certificates to encrypt the information, provide secure connections.
But I think we'll be fooling ourselves if we think encryption's the overall protection
that will always keep us safe. We're seeing more and more that good encryption is being
defeated. Bank grade encryption, RSA encryption, AES encryption, I mean the reason that we
have so much encryption today is because old encryption keeps becoming obsolete. So even
stuff that's well encrypted today, 5 or 10 years from now will be as easy to de encrypt
like child's play. Some of the old DES encryption that was around in the 80s can be, and it
used to take decades to break can be broken now in seconds. Computers go faster we learn
more. So encryption is an answer but it's not an end solution. The real end solution comes
down to user practices, our behavior, and law. They actually sent me a sleeve to protect
me too.
One last question then we're done for the night.
Question: What is the best way to wipe data? I'm gonna answer it with a joke. I have heard
rumors that when the British government wants to destroy electronic media first they demagnetize
it, so they put it through massive magnetic fields, then they shred it, so they actually
take the entire disk or device and put it through a shredder and they turn it into little
pieces and then they lock it away in the safe forever. Now I've heard that several times
from people. So think about what the British government is doing to secure classified information.
Thank you for coming. Please enjoy some of this food that was paid for by the differential
tuition fund of the NPA program and have a good night.