Is Smartphone Security Good Enough?

Michigan State Police are alleged to be using forensic phone cloning devices in minor offense investigations.

Would you object if a police officer stopped you for speeding, then took your phone and cloned all its data--including photos, videos, e-mails, and recent GPS locations?

If you get pulled over by the Michigan State Police, this might be a reality, courtesy of handheld phone cloners that are designed for forensics use but which the American Civil Liberties Union (ACLU) claims are being used by patrol officers.

The ACLU has asked to see logs for any devices used this way, and the Michigan State Police responded by demanding half a million dollars to pay for retrieving the information. The ACLU has replied with a public letter (PDF link) mentioning constitutional rights and litigation, and that's where the matter rests at the moment.

It's alleged that the police force is using CelleBrite UFED devices out in the field. The handheld tool can quickly clone the data stored on more than 3000 different phone models, even if that data is protected by a PIN. It can even access deleted data no longer accessible by the owner of the phone.

It should be noted that, in a comment on the Popular Mechanics reporting of the issue, somebody claiming to be a former Michigan State Police officer says the ACLU has got it wrong, and that the police gave only five of the units, used in the forensic labs only after an arrest has taken place.

Whatever the case, the advice is simple: If you're stopped by the police and they ask if they can search your phone, simply refuse. The ACLU implies that state police in Michigan are cloning phones not by forcing people to hand them over, but simply by asking. Remember that they might phrase the request obscurely--such as, "Do you mind if we take a quick look at your phone?"-- so be on your guard. However, the whether cell phones are protected by the Fourth Amendment against searches is still being hashed out in the courts.

Bigger questions are raised closer to home: Are cell phone manufacturers enacting enough technical barriers to protect the data on handsets from snoops, whether that's law enforcement or anybody else?

A lot of work has gone into protecting transmissions, but it's wrongly assumed that if a person or agency has physical access to the phone, then they can be trusted. This simply isn't the case.

Modern smartphones contain extremely personal records of our lives. If Near Field Communications (NFC) take-off then phones may literally become our wallets when we use them to pay for purchases.

It's not just about handsets. Are app creators doing enough to protect confidential data they generate? For example, geolocation apps are all the rage right now, but are they protecting the GPS data we willingly record?

I decided to do a few tests. I attached my iPhone to a fresh Windows install and, after installing iTunes and iPhone Explorer, a piece of software that makes accessible the iPhone's file system, I tried to see what I could find.

It was a shocking experience. I use the Navfree satellite navigation app, for example, and was able to easily uncover my "home" address--street name as well as latitude and longitude coordinates--as well as recently visited destinations. All of that was contained within simple text files on the iPhone. With similar ease, I was able to uncover my recent Yahoo Messenger conversations.

Remember: I was able to do all this by doing little more than plugging my iPhone into a computer via USB and installing easily available, entirely legal software. I could do the same with your iPhone, provided I have access to it for a moment or two.

In my cursory explorations I wasn't able to view e-mails, and this is probably because the iPhone incorporates Data Protection, which encrypts e-mails and any attachments. Indeed, the iPhone has encryption built into the hardware along with an application programmer interface (API) allowing programmer access to this feature, allowing theoretically easy access for apps. However, it appears few make use of it.

My iPhone isn't jailbroken but I understand that even more data is freely accessible on such phones. I doubt many people consider this when choosing to jailbreak.

To be fair, iPhones set with a passcode are inaccessible to iTunes (and therefore iPhone Explorer) unless some first enters the passcode on the device. But how many people use this feature, which can make activating the phone for use each time a slightly annoying experience?

Google Android phones are no better. Android 3.0 will bring with it some powerful encryption features, and there's talk of a new open-source project called Guardian that will add fundamental encryption to Android and could be integrated into Android devices by handset manufacturers. But right now Android phones and tablets have almost no data protection.

RIM BlackBerry phones offer a much higher standard of protection, perhaps because they're aimed at enterprise users, and there's the rub. Data encryption on phones tends to be seen as an enterprise-level feature, where it's employed to protect employer data--and often in response to legislation.

However, every level of user can reasonably demand the same level of data protection.

Modern ARM processors used in most phones have encryption routines built into them, making data protection operations very simple to integrate without requiring huge amounts of battery power. So there's really is very little reason not to encrypt data.

Systems need to change, and handset manufacturers need to start taking the issue of data security far more seriously. Ultimately, it should be impossible for anybody--including law enforcement officers--to access our data without our express permission.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags American Civil Liberties Unionconsumer electronicsapplicationsCell PhonesPhonessoftwaredata protection

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Keir Thomas

PC World (US online)
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?