Trump shooter used Android phone from Samsung; cracked by Cellebrite in 40 min(9to5mac.com)
9to5mac.com
Trump shooter used Android phone from Samsung; cracked by Cellebrite in 40 min
https://9to5mac.com/2024/07/18/trump-shooter-android-phone-cellebrite/
70 comments
In addition to the problems you mentioned, biometric systems are basically designed to cause hash collisions. And probably to a higher degree than most people realize.
After all, it would be annoying if FaceID failed just because I haven’t shaved today. So the algorithm has to account for that. As such, the entropy of the input is reduced.
After all, it would be annoying if FaceID failed just because I haven’t shaved today. So the algorithm has to account for that. As such, the entropy of the input is reduced.
> Also, do not enable the biometrics such as FaceID
I'd really like to see the ability to set a specific fingerprint to lock down the phone, requiring a different, more secure credential from the regular lockscreen to unlock. A long passphrase would probably be the right credential for most people.
I'd really like to see the ability to set a specific fingerprint to lock down the phone, requiring a different, more secure credential from the regular lockscreen to unlock. A long passphrase would probably be the right credential for most people.
I'd like to have different fingers do different things, including one that prevents fingers from working
And have a short extra custom gesture to face to unlock
Or a dozen of other simple things we could get with a little more competition in a more open space
If you hold power and a volume key on an iPhone will disable biometrics and require your password.
That's almost as good, but maybe harder under duress. As far as I can tell, Android requires interaction with the touchscreen.
I'm not sure FaceID would have helped them as much in this instance going by pictures of the aftermath.
Numeric pin? Seems like fingerprints on the glass alone would make a shorter numeric pin trivial to crack.
I'm just thinking of all the other weak security systems like garage door keypads where the code is derived from the more worn buttons. Or cleaning/dusting an ATM keypad before someone enters their code and then carefully examining the buttons afterwards.
But who knows — perhaps people have completely munged up their displays making fingerprinting useless.
I'm just thinking of all the other weak security systems like garage door keypads where the code is derived from the more worn buttons. Or cleaning/dusting an ATM keypad before someone enters their code and then carefully examining the buttons afterwards.
But who knows — perhaps people have completely munged up their displays making fingerprinting useless.
There are some touchscreen input systems that will randomize the configuration of the numbers displayed to mitigate the "finger smudge" attack.
Man that would suck. I rely on muscle memory to recall passwords in everyday usage. Of course I could open a PWD manager elsewhere but it becomes cumbersome.
You would be surprised. After a couple days only, my brain adapted to the random layout well enough that it's the regular layout (on my iPhone, which doesn't seem to have the randomization ability) that throws me for a loop.
Would the ATM thing actually work though? Afaik most European ATM banks issue 4 digit pin codes and will block and eat the card at 3 invalid tries. Not sure how many tries you have total, but I figure it's not that easy to guess it right.
Update: ChatGPT says 12 tries total to get it right, so that makes it ~10% success ratio?
Update: ChatGPT says 12 tries total to get it right, so that makes it ~10% success ratio?
I probably read about this technique in Phrack or something similar .... so that kind of dates it.
Yeah it could be very well possible that it wasn't limited to just 3 tries back then, or at the very least the ATM would not block and eat the card then, allowing you to try again or at a different machine.
> As much as it makes folks reel, this is working as intended. If you don't want them to crack your phones, consider setting a 10+ digit alphanumeric passcode instead of a numeric PIN.
Can't emphasize this enough. If you're going to use a phone, set a long strong password. Nothing else will do. Yes, it's a bit more inconvenient. There is no workaround.
Can't emphasize this enough. If you're going to use a phone, set a long strong password. Nothing else will do. Yes, it's a bit more inconvenient. There is no workaround.
And turn your phone power off before committing a crime…
The first thing the police will do is connect it to power battery packs
The first thing the police will do is connect it to power battery packs
Don't even bring your phone with you. You need to use old school methods to avoid tracking.
But if you leave your phone at home only on the days you commit crimes, it's a problem too. This was used in the past to identify people.
ALPR is the other big one. Your daily habits are in many databases and it’s easier than ever to sort out the outliers
I read this story many years ago where researchers were able to re-identify people using open travel datasets.
https://www.unimelb.edu.au/newsroom/news/2019/august/myki-pr...
https://www.unimelb.edu.au/newsroom/news/2019/august/myki-pr...
azinman2(4)
Some basic phone security practices:
1. Set a sufficiently strong alphanumeric password for your lock screen.
2. Remember to reboot your phone weekly to reset any non-root malware.
3. Disable multimedia in the SMS messaging app as it's a vector for Pegasus style malware.
4. If using Signal, go to Settings, Privacy, Phone number, and set everything to Nobody. This again blocks messages from unknown users that could be a vector for Pegasus style malware.
I wish there was a system-wide permission to audit and/or disable screenshots, but there isn't.
1. Set a sufficiently strong alphanumeric password for your lock screen.
2. Remember to reboot your phone weekly to reset any non-root malware.
3. Disable multimedia in the SMS messaging app as it's a vector for Pegasus style malware.
4. If using Signal, go to Settings, Privacy, Phone number, and set everything to Nobody. This again blocks messages from unknown users that could be a vector for Pegasus style malware.
I wish there was a system-wide permission to audit and/or disable screenshots, but there isn't.
talldayo(1)
That's interesting. Back when I used Android a decade ago I thought you had to enter a passcode for LUKS or something, to decrypt all the user data. Maybe I am misremembering?
This is a company whose entire business model is derived from hoarding vulnerabilities.
I'm guessing this was a brute force attack or side channel attack of some kind, in concert with a packaged zero-day.
I'm guessing this was a brute force attack or side channel attack of some kind, in concert with a packaged zero-day.
From a tour I got in a forensics lab a while back, injecting a bootloader to bruteforce PINs was one of the options available at least. Had rows of phones punching numbers just waiting for the screen to turn green
The actual injection of this program is what would generally require a high-value exploit on most devices.
So the TLDR is that a beta version of Cellbrite unlocked the phone, and it can't yet unlock iOS 17.x or later.
But we don't know what version of Android his phone had, or what "newer Samsung model" means.
There's nothing surprising about state actors being able to quickly unlock the phone of a [failed] presidential assassin.
But we don't know what version of Android his phone had, or what "newer Samsung model" means.
There's nothing surprising about state actors being able to quickly unlock the phone of a [failed] presidential assassin.
No, we expect phone locking to work, even against state actors. The news here is that some Samsung model has an otherwise unknown exploit.
If they can crack his phone they can crack your phone.
If they can crack his phone they can crack your phone.
It’s a bit of a futile strategy though, kind of like trying to build a wall thick enough that a state actor can’t bust through. That is impossible because the state has access to nuclear weapons, gigantic drills, thousands of intelligent people whose sole mission in life is to break down that wall, nearly infinite budget, etc.
The only strategy that might work is to make it expensive or unviable to crack every single device. But in the case of something like this, an assassination attempt, then it’s a given that all stops are going to be pulled to crack it.
The only strategy that might work is to make it expensive or unviable to crack every single device. But in the case of something like this, an assassination attempt, then it’s a given that all stops are going to be pulled to crack it.
> That is impossible because the state has access to nuclear weapons, gigantic drills, thousands of intelligent people whose sole mission in life is to break down that wall, nearly infinite budget, etc.
Those generic statements are great and all until you realise that every year, dozens (hundreds, thousands???) people disappear without a hint of a trace and the government is powerless to do anything about it and can't find them.
Or when a large, wealthy company commits crimes (or just government officials sometimes), all they have to say is "we lost the data" and suddenly, there is nothing that can be done about it, it's lost to the ether for ever without any possibility to find out anything about it.
Those generic statements are great and all until you realise that every year, dozens (hundreds, thousands???) people disappear without a hint of a trace and the government is powerless to do anything about it and can't find them.
Or when a large, wealthy company commits crimes (or just government officials sometimes), all they have to say is "we lost the data" and suddenly, there is nothing that can be done about it, it's lost to the ether for ever without any possibility to find out anything about it.
But that is my point - you can make it unviable to go after _everybody_. But if the state is targeting one person in particular, and has a super strong motivation to break the wall, like specifically in this case of domestic terrorism/attempted political assassination, there is no technology that is gonna stop them.
In those cases that people get way with crimes, it is much more likely that there is no political motivation to go after them for whatever reason du jour. I don't think it's because the technology is so strong that they can't.
In those cases that people get way with crimes, it is much more likely that there is no political motivation to go after them for whatever reason du jour. I don't think it's because the technology is so strong that they can't.
When enough budget is allocated, the person is always found.
Saddam/Osama
Saddam/Osama
> If they can crack his phone they can crack your phone.
And not just them, anyone with access (legal or otherwise) to these tools can.
And not just them, anyone with access (legal or otherwise) to these tools can.
> No, we expect phone locking to work, even against state actors
But that's an unreasonable expectation because software is universally such garbage. Some is just less garbage than others.
State actors have the resources to find the holes in anything that isn't utterly perfect.
But that's an unreasonable expectation because software is universally such garbage. Some is just less garbage than others.
State actors have the resources to find the holes in anything that isn't utterly perfect.
Maybe a morbid question but could they theoretically unlock the phone with the fingerprint of his corpse or do those sensors require current (like a touchscreen does)? I'm asking because I heard in the US law enforcement can force you to unlock your device with biometrics but I wonder if that only works if the subject is alive.
Seems the answer is yes, but only if you do the unlock very quickly after death. The reason seems to be what you suspected, that the fingerprint sensors require capacitance which is only maintained while we're alive.
https://www.livescience.com/62393-dead-fingerprint-unlock-ph...
https://www.livescience.com/62393-dead-fingerprint-unlock-ph...
Surely we can juice up a dead thumb to make it work, though, right?
> Surely we can juice up a dead thumb to make it work, though, right?
At that point, it's probably easier to just clone the fingerprint and drape it over a purpose built prosthetic.
At that point, it's probably easier to just clone the fingerprint and drape it over a purpose built prosthetic.
Is that easy? Sounds not too difficult
> Is that easy?
Looks pretty easy to me
https://www.youtube.com/watch?v=tj2Ty7WkGqk
Looks pretty easy to me
https://www.youtube.com/watch?v=tj2Ty7WkGqk
It depends on the sensor and probably the state of the subject. This is called "liveness detection" and there is an article I found explianing the basics at: https://www.thalesgroup.com/en/markets/digital-identity-and-...
Yes they can unlock android with a deceased owners finger if the login is setup for it and phone isn't restarted.
I can't find who's the source on this. The best I can find is "people familiar with the investigation", but both the FBI and Cellebrite refused to comment on the story. This article quotes Bloomberg, which seems to be a copy of the Washington Post's article without all of the fluff.
I'm not surprised, there was a recent report that showed that Cellebrite can unlock any phone except for recent iOS and GrapheneOS. I'm just confused who "the people" that are being quoted everywhere are supposed to be.
I'm not surprised, there was a recent report that showed that Cellebrite can unlock any phone except for recent iOS and GrapheneOS. I'm just confused who "the people" that are being quoted everywhere are supposed to be.
https://www.404media.co/leaked-docs-show-what-phones-cellebr...
They have a few charts listed. There’s still the several other companies with support documents that haven’t leaked.
They have a few charts listed. There’s still the several other companies with support documents that haven’t leaked.
It's an anonymous source. Someone who knows something and isn't supposed to say it, so figure someone at the FBI or Cellebrite most likely. Anonymous sourcing is a fraught practice, but often a necessary one if a journalist doesn't want to be restricted by what an organization will officially allow. You have to evaluate the publication, the journalist, and whatever details are available to decide if you want to trust them.
The better publications will have policies on when anonymous sources can be used and may have those policies or an explainer of same available to readers. Eg here's Wapo's write-up on it: https://www.washingtonpost.com/policies-and-standards/#sourc...
The better publications will have policies on when anonymous sources can be used and may have those policies or an explainer of same available to readers. Eg here's Wapo's write-up on it: https://www.washingtonpost.com/policies-and-standards/#sourc...
Its a claim that won't be confirmed and even if verified might be a lie to hide some better tech or just inane CYA. As an example, there is still nonpublic Kennedy material. Why would this event be any different?
[deleted]
https://x.com/SEJeff/status/1813079033430876433
As much as it makes folks reel, this is working as intended. If you don't want them to crack your phones, consider setting a 10+ digit alphanumeric passcode instead of a numeric PIN.
Also, do not enable the biometrics such as FaceID. I'm very much of this opinion[1] that biometrics are usernames, not passwords.
[1] https://blog.dustinkirkland.com/2013/10/fingerprints-are-use...