Is Smartphone Security Good Enough?

Michigan State Police are alleged to be using forensic phone cloning devices in minor offense investigations.

Would you object if a police officer stopped you for speeding, then took your phone and cloned all its data--including photos, videos, e-mails, and recent GPS locations?

If you get pulled over by the Michigan State Police, this might be a reality, courtesy of handheld phone cloners that are designed for forensics use but which the American Civil Liberties Union (ACLU) claims are being used by patrol officers.

The ACLU has asked to see logs for any devices used this way, and the Michigan State Police responded by demanding half a million dollars to pay for retrieving the information. The ACLU has replied with a public letter mentioning constitutional rights and litigation, and that's where the matter rests at the moment.

It's alleged that the police force is using Cellebrite UFED devices out in the field. The handheld tool can quickly clone the data stored on more than 3000 different phone models, even if that data is protected by a PIN. It can even access deleted data no longer accessible by the owner of the phone.

It should be noted that, in a comment on the Popular Mechanics reporting of the issue, somebody claiming to be a former Michigan State Police officer says the ACLU has got it wrong, and that the police have only five of the units, used in the forensic labs only after an arrest has taken place.

Whatever the case, the advice is simple: If you're stopped by the police and they ask if they can search your phone, simply refuse. The ACLU implies that state police in Michigan are cloning phones not by forcing people to hand them over, but simply by asking. Remember that they might phrase the request obscurely--such as, "Do you mind if we take a quick look at your phone?"--so be on your guard. However, whether cell phones are protected by the Fourth Amendment against searches is still being hashed out in the courts.

Bigger questions are raised closer to home: Are cell phone manufacturers enacting enough technical barriers to protect the data on handsets from snoops, whether that's law enforcement or anybody else?

A lot of work has gone into protecting transmissions, but it's wrongly assumed that if a person or agency has physical access to the phone, then they can be trusted. This simply isn't the case.

Modern smartphones contain extremely personal records of our lives. If Near Field Communications (NFC) takes off, then phones may literally become our wallets when we use them to pay for purchases.

It's not just about handsets. Are app creators doing enough to protect confidential data they generate? For example, geolocation apps are all the rage right now, but are they protecting the GPS data we willingly record?

I decided to do a few tests. I attached my iPhone to a fresh Windows install and, after installing iTunes and iPhone Explorer, a piece of software that makes accessible the iPhone's file system, I tried to see what I could find.

It was a shocking experience. I use the Navfree satellite navigation app, for example, and was able to easily uncover my "home" address--street name as well as latitude and longitude coordinates--as well as recently visited destinations. All of that was contained within simple text files on the iPhone. With similar ease, I was able to uncover my recent Yahoo Messenger conversations.

Remember: I was able to do all this by doing little more than plugging my iPhone into a computer via USB and installing easily available, entirely legal software. I could do the same with your iPhone, provided I have access to it for a moment or two.

In my cursory explorations I wasn't able to view e-mails, and this is probably because the iPhone incorporates Data Protection, which encrypts e-mails and any attachments. Indeed, the iPhone has encryption built into the hardware, along with an application programming interface (API) that gives programmers access to this feature, so in theory it is easy for apps to use. However, it appears few make use of it.
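An app developer can run the same check against a copy of their own app's data directory before shipping. The following is an added example, not code from the article or from any app it names: it walks a directory tree and reports files that are readable as plain text and contain latitude/longitude pairs. The function names, file names and sample values are constructed for illustration.

```python
import os
import re
import tempfile

# Decimal pair such as "42.7325,-84.5555"; 3+ decimals avoids matching version strings.
COORD_RE = re.compile(r"(-?\d{1,3}\.\d{3,})\s*[,;\s]\s*(-?\d{1,3}\.\d{3,})")


def find_plaintext_coordinates(root):
    """Return {relative_path: [(lat, lon), ...]} for readable text files under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                raw = fh.read(1_000_000)  # cap the per-file read
            if b"\x00" in raw:
                continue  # binary or encrypted blob, not plain text
            try:
                text = raw.decode("utf-8")
            except UnicodeDecodeError:
                continue
            hits = []
            for m in COORD_RE.finditer(text):
                lat, lon = float(m.group(1)), float(m.group(2))
                if -90 <= lat <= 90 and -180 <= lon <= 180:
                    hits.append((lat, lon))
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def build_sample_tree(root):
    """Constructed sample data: one plaintext favourites file, one opaque blob."""
    os.makedirs(os.path.join(root, "Documents"))
    with open(os.path.join(root, "Documents", "favourites.txt"), "w") as fh:
        fh.write("name=Home\nstreet=1 Example Street\npos=42.7325,-84.5555\n")
    with open(os.path.join(root, "Documents", "cache.bin"), "wb") as fh:
        fh.write(bytes(range(256)) * 4)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, coords in find_plaintext_coordinates(build_sample_tree(tmp)).items():
            print(f"PLAINTEXT LOCATION DATA: {rel} -> {coords}")
```

Any file this reports is one that a USB file browser would show in the clear; storing it through the platform's data protection facilities is the fix.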

My iPhone isn't jailbroken but I understand that even more data is freely accessible on such phones. I doubt many people consider this when choosing to jailbreak.

To be fair, iPhones set with a passcode are inaccessible to iTunes (and therefore iPhone Explorer) unless someone first enters the passcode on the device. But how many people use this feature, which can make activating the phone for use each time a slightly annoying experience?

Google Android phones are no better. Android 3.0 will bring with it some powerful encryption features, and there's talk of a new open-source project called Guardian that will add fundamental encryption to Android and could be integrated into Android devices by handset manufacturers. But right now Android phones and tablets have almost no data protection.

RIM BlackBerry phones offer a much higher standard of protection, perhaps because they're aimed at enterprise users, and there's the rub. Data encryption on phones tends to be seen as an enterprise-level feature, where it's employed to protect employer data--and often in response to legislation.

However, every level of user can reasonably demand the same level of data protection.

Modern ARM processors used in most phones have encryption routines built into them, making data protection operations very simple to integrate without requiring huge amounts of battery power. So there really is very little reason not to encrypt data.

Systems need to change, and handset manufacturers need to start taking the issue of data security far more seriously. Ultimately, it should be impossible for anybody--including law enforcement officers--to access our data without our express permission.


Keir Thomas

PC World (US online)