By Adam Rouse
Apple recently announced that, starting with the release of iOS 8, device encryption would be enabled by default. On the heels of Apple’s announcement, Google also announced that it would be turning on whole device encryption by default with the release of its Android 5 operating system. Previously, on both Apple and Android devices, a consumer would have to go into the settings of the device and enable encryption. Apple and Google added that neither company would hold the keys to the kingdom by maintaining cryptographic keys capable of decrypting secured devices. Apple states that there is no longer a way for the company to decrypt a locked device, even if presented with a valid warrant from law enforcement personnel. Google also reiterated that Android devices have never stored cryptographic keys anywhere other than the encrypted device. Thus, Google also claims that it cannot decrypt an encrypted device for law enforcement, even when presented with a valid warrant.
Even though device encryption by default provides additional protection, a lock is only as strong as the key required to unlock it. Apple and Android devices (which make up 96.4% of the world cellular device market), as part of the device encryption, will ask the user to create some sort of passcode the first time the device is powered on. This passcode should be a strong password. All of the device encryption in the world can’t help you if all it takes to unlock your device is typing “1234” into the PIN field. On average, a 4-digit PIN on an Android device can be broken in just under 17 hours using a commonly available phone hacking tool. Interestingly, increasing the PIN to a 10-digit number ups the time required to brute force unlock the device to just less than 2 centuries. Apple iOS devices fare a bit better because they lock devices out for successively longer times after repeated incorrect PIN entries. Both Android and Apple iOS devices can also be set up to use an alphanumeric password to access the device. While an alphanumeric password offers better security for the device, it is much less convenient to type a full password than to enter a PIN code.
Smartphones suffer from the same security dilemma that all computing devices do: securing the device and data within often makes for an inconvenient end user experience. On average, people check their smartphone or other mobile device 150 times a day. While Apple and Google could require complex passwords for lock screens to greatly improve security, the consumer backlash could very well be crippling. It’s doubtful that the average consumer would want to type “dR#41nfE” on a smartphone keyboard 150 times a day just to check email or retrieve a text. There is a middle-of-the-road solution that could bridge the gap between effortless convenience and good security practice.
Apple and Google could require a unique, strong password to decrypt the device when it powers on, but allow for a more convenient PIN or password to be used for a screen lock. Another feature could be added to the devices that would automatically power them down if an incorrect password or PIN was entered 10 times in a row. This feature would make it much less likely that someone could guess or brute force the screen lock password or PIN, thus forcing even complex forensic programs to brute force attack the more complex and secure power-on password. Incidentally, it would take about 14 years to brute force guess “dR#41nfE” on a computer capable of trying 2.6 million passwords per second. Any 4-digit PIN would take less than a second on the same computer. Thus, while the transition to encryption by default is a wonderful leap in the right direction for privacy-minded consumers, the addition of the ability to have complex power-on passwords separate from the lock screen credentials would help protect privacy while not being so inconvenient that people will do nothing but disable the security feature.
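A small model of the two-credential scheme proposed above, added here as an illustration and not code from Apple, Google, or the author. The class and function names, the sample PIN, and the PBKDF2 parameters are assumptions; the 10-failure power-down limit is the one the proposal names.

```python
import hashlib
import hmac
import os

MAX_SCREEN_FAILURES = 10  # proposed limit before the device powers down

def _derive(secret: str, salt: bytes) -> bytes:
    # Salted, iterated hash; the count is kept low so the example runs fast.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 1000)

class TwoTierDevice:
    """Strong password decrypts at power-on; a short PIN unlocks the screen."""
    def __init__(self, boot_password: str, screen_pin: str):
        self._salt = os.urandom(16)
        self._boot = _derive(boot_password, self._salt)
        self._pin = _derive(screen_pin, self._salt)
        self.state = "off"  # off -> locked -> unlocked
        self.failures = 0

    def power_on(self, boot_password: str) -> bool:
        # Only the strong power-on password takes the device out of "off".
        if self.state == "off" and hmac.compare_digest(
                _derive(boot_password, self._salt), self._boot):
            self.state, self.failures = "locked", 0
            return True
        return False

    def unlock_screen(self, pin: str) -> bool:
        if self.state != "locked":
            return False  # a powered-down device does not accept the PIN
        if hmac.compare_digest(_derive(pin, self._salt), self._pin):
            self.state, self.failures = "unlocked", 0
            return True
        self.failures += 1
        if self.failures >= MAX_SCREEN_FAILURES:
            self.state = "off"  # fall back to the power-on password
        return False

def pin_guesses_evaluated(device: TwoTierDevice) -> int:
    """Walk the 4-digit PIN space in order; count guesses the device checked."""
    evaluated = 0
    for n in range(10_000):
        if device.state != "locked":
            break
        evaluated += 1
        if device.unlock_screen(f"{n:04d}"):
            break
    return evaluated
```

With the cap in place, ten guesses cover at most 0.1% of the four-digit PIN space before the device falls back to the power-on password.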
While moving to whole device encryption is commendable for Apple and Google, there are two security features that should be avoided in their current state. These features are little more than security theater; you may feel secure by using them but there are fatal flaws with each that could leave you exposed to the snooping eyes of the government.
The first security feature to avoid is the option on Apple iOS devices (as well as some upcoming Android devices) to use a biometric lock with a thumb or fingerprint. Besides the problem of the sensor technology being defeated by gummy bears, there is a legal issue with a fingerprint lock on your device. Recently, a court in Virginia issued an opinion that stated that because fingerprints are non-testimonial in nature, police can legally require a detainee to provide their fingerprint to unlock a device.
A federal judge in the Eastern District of Michigan held that a password is testimonial in nature and thus protected from forced disclosure to the government by the Fifth Amendment (which applies to the states via the 14th Amendment). Justice Stevens in U.S. v. Hubbell distinguished between someone being forced to provide a key to a lockbox and being forced to reveal the combination to a safe. Providing a key to the government is a physical act; the key exists independently of the mental processes of the person who possesses it. Conversely, a password exists exclusively in the realm of a person’s mind and thus becomes testimonial in nature and protected under the 5th and 14th Amendments. Justice Stevens also stated in Hubbell that the act of providing physical evidence such as forcing someone “to put on a shirt, to provide a blood sample or handwriting exemplar, or to make a recording of his voice” was wholly separate from compelling someone to provide testimonial knowledge.
Thus, passwords and PINs appear to be protected by the 5th and 14th Amendments as being testimonial in nature because they exist as the exclusive result of your own mental process. You may, however, be required to provide your physical attributes such as fingerprints, voice sample, or photograph to the police, who could then use the sample like a key on a biometric lock as suggested by the court in Virginia.
The second security feature to avoid is Android’s pattern unlock feature. This option displays 9 dots on the screen and allows you to draw a pattern connecting between 4 and 9 of the dots. This pattern serves as the method to unlock the phone in place of a typed PIN or password. The pattern lock appears to cause the government problems when trying to access data on a pattern locked phone. The issue is that Google can simply reset the lock pattern on the phone when presented with a court order requiring them to do so. Thus, while the pattern may initially stifle prying government eyes from peering into the locked device, the protection is lost when a warrant is issued with an order for Google to reset the pattern so the device can be unlocked. Google cannot reset a PIN or password the same way.
Of course, all of the device security in the world can’t protect your data in the cloud from snooping eyes. Most cell phones today store various amounts of data in the cloud automatically without any user intervention. For example, when creating contacts on Android phones you have the option to associate them with the Google account on the phone. This option is great if you switch phones or otherwise lose access to your original phone. This also means that the government doesn’t need to take or unlock your phone to see your contact information. They can simply show up to Google with a warrant and you may never know that they were there. In fact, Apple and Google are perfectly able and willing to hand over cloud stored data to law enforcement, sometimes proactively.
You can disable the cloud storage features of your Apple or Android device entirely, or simply choose what you are willing to store in the cloud for convenience and what information you wish to remain truly private. Overall, the decision of both Apple and Google to enable device encryption by default in the new operating systems is a great step forward in the struggle for privacy in the digital age, but the consumer also needs to do their part and use smart, strong passwords to help protect their privacy.