There is a new report on police decryption capabilities: specifically, mobile device forensic tools (MDFTs). Short summary: it’s not just the FBI that can do it.
This report documents the widespread adoption of MDFTs by law enforcement in the United States. Based on 110 public records requests to state and local law enforcement agencies across the country, our research documents more than 2,000 agencies that have purchased these tools, in all 50 states and the District of Columbia. We found that state and local law enforcement agencies have performed hundreds of thousands of cellphone extractions since 2015, often without a warrant. To our knowledge, this is the first time that such records have been widely disclosed.
Lots of details in the report. And in this news article:
At least 49 of the 50 largest U.S. police departments have the tools, according to the records, as do the police and sheriffs in small towns and counties across the country, including Buckeye, Ariz.; Shaker Heights, Ohio; and Walla Walla, Wash. And local law enforcement agencies that don’t have such tools can often send a locked phone to a state or federal crime lab that does.
The tools mostly come from Grayshift, an Atlanta company co-founded by a former Apple engineer, and Cellebrite, an Israeli unit of Japan’s Sun Corporation. Their flagship tools cost roughly $9,000 to $18,000, plus $3,500 to $15,000 in annual licensing fees, according to invoices obtained by Upturn.
It’s complicated, but it’s basically a man-in-the-middle attack that involves two smartphones. The first phone reads the actual smartcard, and then forwards the required information to a second phone. That second phone actually conducts the transaction on the POS terminal. That second phone is able to convince the POS terminal to conduct the transaction without requiring the normally required PIN.
From a news article:
The researchers were able to demonstrate that it is possible to exploit the vulnerability in practice, although it is a fairly complex process. They first developed an Android app and installed it on two NFC-enabled mobile phones. This allowed the two devices to read data from the credit card chip and exchange information with payment terminals. Incidentally, the researchers did not have to bypass any special security features in the Android operating system to install the app.
To obtain unauthorized funds from a third-party credit card, the first mobile phone is used to scan the necessary data from the credit card and transfer it to the second phone. The second phone is then used to simultaneously debit the amount at the checkout, as many cardholders do nowadays. As the app declares that the customer is the authorized user of the credit card, the vendor does not realize that the transaction is fraudulent. The crucial factor is that the app outsmarts the card’s security system. Although the amount is over the limit and requires PIN verification, no code is requested.
The paper: “The EMV Standard: Break, Fix, Verify.”
Abstract: EMV is the international protocol standard for smartcard payment and is used in over 9 billion cards worldwide. Despite the standard’s advertised security, various issues have been previously uncovered, deriving from logical flaws that are hard to spot in EMV’s lengthy and complex specification, running over 2,000 pages.
We formalize a comprehensive symbolic model of EMV in Tamarin, a state-of-the-art protocol verifier. Our model is the first that supports a fine-grained analysis of all relevant security guarantees that EMV is intended to offer. We use our model to automatically identify flaws that lead to two critical attacks: one that defrauds the cardholder and another that defrauds the merchant. First, criminals can use a victim’s Visa contact-less card for high-value purchases, without knowledge of the card’s PIN. We built a proof-of-concept Android application and successfully demonstrated this attack on real-world payment terminals. Second, criminals can trick the terminal into accepting an unauthentic offline transaction, which the issuing bank should later decline, after the criminal has walked away with the goods. This attack is possible for implementations following the standard, although we did not test it on actual terminals for ethical reasons. Finally, we propose and verify improvements to the standard that prevent these attacks, as well as any other attacks that violate the considered security properties.The proposed improvements can be easily implemented in the terminals and do not affect the cards in circulation.
We’ve already seen indications that American consumers are holding onto their smartphones longer than before, posing challenges for companies like Apple and Samsung for whom mobile phone sales are important to the bottom line. A new NPD report reiterates that point but adds that fewer than 10 percent of American smartphone buyers spend more than $1,000, effectively ruling out flagship phones like the iPhone 11 Pro and the Samsung Galaxy Note10 that gather most of the marketer and media attention.
The main point of concern raised by the NPD report, though, is 5G adoption. 5G phones will likely be unaffordable for many consumers at first, with the first wave of mainstream 5G phones in 2020 likely to cost at least $1,000 in most cases. On the other hand, consumer awareness of the imminent rollout of 5G is high, and many consumers cited that coming change as a reason they’re holding out on spending big on new phones. It could be that some consumers who can afford $1,000 handsets but haven’t made the plunge will do so when 5G arrives, provided that it offers all the benefits marketers have claimed. (That will likely vary quite significantly by city and region, though.)
And speaking of cities and regions, the report also found notable differences in smartphone buying habits across different designated market areas (DMAs). For example, the NPD claims that Americans in major urban centers like New York City or Los Angeles are more likely to spend $1,000 or more on a smartphone. It’s unclear from the data whether this is a result of comparatively high average incomes in those areas or other factors.
In any case, the NPD therefore recommends to smartphone manufacturers that marketing budgets be focused on those DMAs for those types of phones, especially as the 5G era approaches.
Write what you know
This is speculation on my part, but that geographic disparity could partially explain why flagship phones get significantly more media coverage than other phones; most media professionals are in cities like that.
However, shortage of media coverage on these lower-market phones isn’t that surprising to begin with; there’s not much interesting for press or influencers to say about phones that use two- or three-year-old technologies and work just well enough for most people’s needs but don’t make any waves or innovations. And some companies, like Apple, offer phones at lower price points that used to be high-priced flagships, so they’ve already been covered extensively in their prime.
All of this reporting on the United States is to say nothing about developing countries, which remain the biggest potential growth markets for cell phones because the markets in developed economies are so saturated. Consumers in developing markets may be even more unlikely to spend $1,000 or more on a smartphone.
There are Android phones well below that price point that Ars can recommend, and Apple’s iPhone 8 lands at a still-pricy-but-cheaper $500 or so. There’s likely room for Apple to introduce a phone that pushes the price down even more to address markets outside of major cities in rich economies. But as we’ve noted in some of our reviews, the support infrastructure (that is, Apple Stores and the like) for iPhones is often comparatively inadequate in small towns or in many countries.
There has been much talk among economists and politicians lately about a gap in the US economy between affluent major cities and the rest of the country. This NPD report on gadgets, of all things, provides some evidence to back up that diagnosis, at least in part.