HackerTrans
TopNewTrendsCommentsPastAskShowJobs

Trump shooter used Android phone from Samsung; cracked by Cellebrite in 40 min(9to5mac.com)

86 points·by miles·vor 2 Jahren·66 comments
9to5mac.com
Trump shooter used Android phone from Samsung; cracked by Cellebrite in 40 min

https://9to5mac.com/2024/07/18/trump-shooter-android-phone-cellebrite/

70 comments

SEJeff·vor 2 Jahren
I suspected that they used Cellebrite for this three days ago:

https://x.com/SEJeff/status/1813079033430876433

As much as it makes folks reel, this is working as intended. If you don't want them to crack your phones, consider setting a 10+ digit alphanumeric passcode instead of a numeric PIN.

Also, do not enable the biometrics such as FaceID. I'm very much of this opinion[1] that biometrics are usernames, not passwords.

[1] https://blog.dustinkirkland.com/2013/10/fingerprints-are-use...
sholladay·vor 2 Jahren
In addition to the problems you mentioned, biometric systems are basically designed to cause hash collisions. And probably to a higher degree than most people realize.

After all, it would be annoying if FaceID failed just because I haven’t shaved today. So the algorithm has to account for that. As such, the entropy of the input is reduced.
Zak·vor 2 Jahren
> Also, do not enable the biometrics such as FaceID

I'd really like to see the ability to set a specific fingerprint to lock down the phone, requiring a different, more secure credential from the regular lockscreen to unlock. A long passphrase would probably be the right credential for most people.
eviks·vor 2 Jahren
I'd like to have different fingers do different things, including one that prevents fingers from working And have a short extra custom gesture to face to unlock Or a dozen of other simple things we could get with a little more competition in a more open space
doublepg23·vor 2 Jahren
If you hold power and a volume key on an iPhone will disable biometrics and require your password.
Zak·vor 2 Jahren
That's almost as good, but maybe harder under duress. As far as I can tell, Android requires interaction with the touchscreen.
officeplant·vor 2 Jahren
I'm not sure FaceID would have helped them as much in this instance going by pictures of the aftermath.
JKCalhoun·vor 2 Jahren
Numeric pin? Seems like fingerprints on the glass alone would make a shorter numeric pin trivial to crack.

I'm just thinking of all the other weak security systems like garage door keypads where the code is derived from the more worn buttons. Or cleaning/dusting an ATM keypad before someone enters their code and then carefully examining the buttons afterwards.

But who knows — perhaps people have completely munged up their displays making fingerprinting useless.
byproxy·vor 2 Jahren
There are some touchscreen input systems that will randomize the configuration of the numbers displayed to mitigate the "finger smudge" attack.
mc32·vor 2 Jahren
Man that would suck. I rely on muscle memory to recall passwords in everyday usage. Of course I could open a PWD manager elsewhere but it becomes cumbersome.
sebastiennight·vor 2 Jahren
You would be surprised. After a couple days only, my brain adapted to the random layout well enough that it's the regular layout (on my iPhone, which doesn't seem to have the randomization ability) that throws me for a loop.
askonomm·vor 2 Jahren
Would the ATM thing actually work though? Afaik most European ATM banks issue 4 digit pin codes and will block and eat the card at 3 invalid tries. Not sure how many tries you have total, but I figure it's not that easy to guess it right.

Update: ChatGPT says 12 tries total to get it right, so that makes it ~10% success ratio?
JKCalhoun·vor 2 Jahren
I probably read about this technique in Phrack or something similar .... so that kind of dates it.
askonomm·vor 2 Jahren
Yeah it could be very well possible that it wasn't limited to just 3 tries back then, or at the very least the ATM would not block and eat the card then, allowing you to try again or at a different machine.
jjav·vor 2 Jahren
> As much as it makes folks reel, this is working as intended. If you don't want them to crack your phones, consider setting a 10+ digit alphanumeric passcode instead of a numeric PIN.

Can't emphasize this enough. If you're going to use a phone, set a long strong password. Nothing else will do. Yes, it's a bit more inconvenient. There is no workaround.
dmix·vor 2 Jahren
And turn your phone power off before committing a crime…

The first thing the police will do is connect it to power battery packs
millzlane·vor 2 Jahren
Don't even bring your phone with you. You need to use old school methods to avoid tracking.
dist-epoch·vor 2 Jahren
But if you leave your phone at home only on the days you commit crimes, it's a problem too. This was used in the past to identify people.
mingus88·vor 2 Jahren
ALPR is the other big one. Your daily habits are in many databases and it’s easier than ever to sort out the outliers
lysp·vor 2 Jahren
I read this story many years ago where researchers were able to re-identify people using open travel datasets.

https://www.unimelb.edu.au/newsroom/news/2019/august/myki-pr...
azinman2·vor 2 Jahren
(4)
OutOfHere·vor 2 Jahren
Some basic phone security practices:

1. Set a sufficiently strong alphanumeric password for your lock screen.

2. Remember to reboot your phone weekly to reset any non-root malware.

3. Disable multimedia in the SMS messaging app as it's a vector for Pegasus style malware.

4. If using Signal, go to Settings, Privacy, Phone number, and set everything to Nobody. This again blocks messages from unknown users that could be a vector for Pegasus style malware.

I wish there was a system-wide permission to audit and/or disable screenshots, but there isn't.
rc_mob·vor 2 Jahren
Am I the only one who has nothing important on my phone and also don't lock it at all.

Can't even get emails on my phone. I can however post comments on hacker news. FBI can have this comment for its data.
trallnag·vor 2 Jahren
Then why do you have a phone?
talldayo·vor 2 Jahren
(1)
jrockway·vor 2 Jahren
That's interesting. Back when I used Android a decade ago I thought you had to enter a passcode for LUKS or something, to decrypt all the user data. Maybe I am misremembering?
15155·vor 2 Jahren
This is a company whose entire business model is derived from hoarding vulnerabilities.

I'm guessing this was a brute force attack or side channel attack of some kind, in concert with a packaged zero-day.
throwawayokwud·vor 2 Jahren
From a tour I got in a forensics lab a while back, injecting a bootloader to bruteforce PINs was one of the options available at least. Had rows of phones punching numbers just waiting for the screen to turn green
15155·vor 2 Jahren
The actual injection of this program is what would generally require a high-value exploit on most devices.
hereme888·vor 2 Jahren
So the TLDR is that a beta version of Cellbrite unlocked the phone, and it can't yet unlock iOS 17.x or later.

But we don't know what version of Android his phone had, or what "newer Samsung model" means.

There's nothing surprising about state actors being able to quickly unlock the phone of a [failed] presidential assassin.
tantalor·vor 2 Jahren
No, we expect phone locking to work, even against state actors. The news here is that some Samsung model has an otherwise unknown exploit.

If they can crack his phone they can crack your phone.
np-·vor 2 Jahren
It’s a bit of a futile strategy though, kind of like trying to build a wall thick enough that a state actor can’t bust through. That is impossible because the state has access to nuclear weapons, gigantic drills, thousands of intelligent people whose sole mission in life is to break down that wall, nearly infinite budget, etc.

The only strategy that might work is to make it expensive or unviable to crack every single device. But in the case of something like this, an assassination attempt, then it’s a given that all stops are going to be pulled to crack it.
a0123·vor 2 Jahren
> That is impossible because the state has access to nuclear weapons, gigantic drills, thousands of intelligent people whose sole mission in life is to break down that wall, nearly infinite budget, etc.

Those generic statements are great and all until you realise that every year, dozens (hundreds, thousands???) people disappear without a hint of a trace and the government is powerless to do anything about it and can't find them.

Or when a large, wealthy company commits crimes (or just government officials sometimes), all they have to say is "we lost the data" and suddenly, there is nothing that can be done about it, it's lost to the ether for ever without any possibility to find out anything about it.
np-·vor 2 Jahren
But that is my point - you can make it unviable to go after _everybody_. But if the state is targeting one person in particular, and has a super strong motivation to break the wall, like specifically in this case of domestic terrorism/attempted political assassination, there is no technology that is gonna stop them.

In those cases that people get way with crimes, it is much more likely that there is no political motivation to go after them for whatever reason du jour. I don't think it's because the technology is so strong that they can't.
bloqs·vor 2 Jahren
When enough budget is allocated, the person is always found.

Saddam/Osama
jeroenhd·vor 2 Jahren
> If they can crack his phone they can crack your phone.

And not just them, anyone with access (legal or otherwise) to these tools can.
tivert·vor 2 Jahren
> No, we expect phone locking to work, even against state actors

But that's an unreasonable expectation because software is universally such garbage. Some is just less garbage than others.

State actors have the resources to find the holes in anything that isn't utterly perfect.
nope1000·vor 2 Jahren
Maybe a morbid question but could they theoretically unlock the phone with the fingerprint of his corpse or do those sensors require current (like a touchscreen does)? I'm asking because I heard in the US law enforcement can force you to unlock your device with biometrics but I wonder if that only works if the subject is alive.
delecti·vor 2 Jahren
Seems the answer is yes, but only if you do the unlock very quickly after death. The reason seems to be what you suspected, that the fingerprint sensors require capacitance which is only maintained while we're alive.

https://www.livescience.com/62393-dead-fingerprint-unlock-ph...
spywaregorilla·vor 2 Jahren
Surely we can juice up a dead thumb to make it work, though, right?
nordsieck·vor 2 Jahren
> Surely we can juice up a dead thumb to make it work, though, right?

At that point, it's probably easier to just clone the fingerprint and drape it over a purpose built prosthetic.
spywaregorilla·vor 2 Jahren
Is that easy? Sounds not too difficult
nordsieck·vor 2 Jahren
> Is that easy?

Looks pretty easy to me

https://www.youtube.com/watch?v=tj2Ty7WkGqk
neutered_knot·vor 2 Jahren
It depends on the sensor and probably the state of the subject. This is called "liveness detection" and there is an article I found explianing the basics at: https://www.thalesgroup.com/en/markets/digital-identity-and-...
swader999·vor 2 Jahren
Yes they can unlock android with a deceased owners finger if the login is setup for it and phone isn't restarted.
jeroenhd·vor 2 Jahren
I can't find who's the source on this. The best I can find is "people familiar with the investigation", but both the FBI and Cellebrite refused to comment on the story. This article quotes Bloomberg, which seems to be a copy of the Washington Post's article without all of the fluff.

I'm not surprised, there was a recent report that showed that Cellebrite can unlock any phone except for recent iOS and GrapheneOS. I'm just confused who "the people" that are being quoted everywhere are supposed to be.
instagib·vor 2 Jahren
https://www.404media.co/leaked-docs-show-what-phones-cellebr...

They have a few charts listed. There’s still the several other companies with support documents that haven’t leaked.
kevinmchugh·vor 2 Jahren
It's an anonymous source. Someone who knows something and isn't supposed to say it, so figure someone at the FBI or Cellebrite most likely. Anonymous sourcing is a fraught practice, but often a necessary one if a journalist doesn't want to be restricted by what an organization will officially allow. You have to evaluate the publication, the journalist, and whatever details are available to decide if you want to trust them.

The better publications will have policies on when anonymous sources can be used and may have those policies or an explainer of same available to readers. Eg here's Wapo's write-up on it: https://www.washingtonpost.com/policies-and-standards/#sourc...
adolph·vor 2 Jahren
Its a claim that won't be confirmed and even if verified might be a lie to hide some better tech or just inane CYA. As an example, there is still nonpublic Kennedy material. Why would this event be any different?
[deleted]·vor 2 Jahren