These days, if you’re arrested and charged with a crime, the first thing cops will probably try to do is look at the contents of your phone. Digital forensics is increasingly a favourite way to secure a conviction, or at least gain a broader understanding of a crime.
However, these tools aren’t perfect — and ongoing research suggests that the evidence they provide could be tampered with under the right circumstances.
To draw attention to these issues, a security researcher recently created an app designed to thwart exactly this kind of data extraction. Specifically, the program is meant to obstruct the use of Cellebrite, the digital forensics firm popular with U.S. law enforcement, which recently came under fire for egregious vulnerabilities in its signature UFED data-extraction product.
Called “LockUp,” the app is the work of Matt Bergin, a senior researcher with security firm KoreLogic, who has spent the last couple of years studying Cellebrite’s products. Bergin debuted his creation at last week’s Black Hat Asia (the annual cybersecurity conference that takes place in multiple cities around the world), where he presented it alongside his security research into the company.
The idea with LockUp isn’t so much to create a safe haven for criminals as it is to demonstrate potential technical problems with some of law enforcement’s most cherished data extraction devices, said Bergin, in a phone call with Gizmodo.
“Really, I wrote LockUp to support the research that I was doing and to prove a point that forensic software isn’t immune to issues,” said Bergin. “I wanted to demonstrate that not only can the Cellebrite software itself have issues, but there are ways to trick forensic software to do something that you might not expect it to be able to do.”
Bergin’s ongoing analysis of Cellebrite probably looks quite similar to a recent, viral blog post written by Moxie Marlinspike, CEO of encrypted chat app Signal. In the post, Marlinspike showed how data being extracted via the company’s devices could easily be manipulated, potentially spoiling evidence. Since court cases around the world have relied on this technology, the idea that data could so easily be tampered with stirs up a lot of legal issues.
LockUp is pretty interesting. Essentially, the app’s ears perk up whenever a new program is installed on a user’s phone. “That’s when the interrogation of the application begins,” Bergin said. “We look at things like the hashes, the files themselves, the certificate metadata associated with the application. And if LockUp finds anything that it knows, it will programmatically factory reset the target device.”
In layman’s terms, the app is designed to scan any new programs that are downloaded and if it recognises any of the code associated with Cellebrite, it hits the self-destruct button and automatically initiates a full-blown data wipeout.
If you think this sounds appealing, know that you can’t actually download it from the Google Play Store or any other third-party market — because LockUp is just code. After Black Hat, Bergin dropped his “app” onto GitHub, and, hypothetically, if someone had the time and resources they could take the code and re-package it into a functional, marketable app. But that wasn’t the point of the exercise.
“The end result that I’d like to see out of all of my research is adoption of new testing procedures that have to be undertaken before forensic tools like these can be used in our courts,” said Bergin, implying there aren’t currently any regulations that meet a high enough security standard.
It’s not that tools sold by companies like Cellebrite shouldn’t be used. Rather, as long as their products are in circulation, the results they produce need to be accurate and secure, he said.