Local police execute a search warrant and seize a suspected drug dealer's phone, only to find that he has called his mother, the local pizza delivery and nobody else. Or a journalist's phone is confiscated by airport security after a reporting trip, but when the officers look at what is on it they find only calls to her home and her editor's office. They let her go, and minutes later, once she is safely on her way, the real data reappears with all her sources' names and numbers. Or a thief steals your phone and hooks it up to a device built to reveal your passwords, photos and personal information, and finds nothing.
These James Bond-like scenarios are no longer fiction. What if your phone could "lie" to prying eyes? That is the idea behind a technique presented by Karl-Johan Karlsson, a computer scientist formerly at the University of Glasgow in Scotland, at the 47th Annual Hawaii International Conference on System Sciences in January.
People who want to conceal data from so-called spying software have traditionally used one of several methods. One is encryption. Another is a "self-destruct" option, which obliterates the data if a program asks for it in a certain way. A third is to hide the information somewhere the spying software will not look, or to tag the file so that it is "invisible." Sometimes these methods are combined. All have their limitations: encryption keys and passwords can be discovered. Self-destruct programs, of course, destroy the data. "Invisible" files can be found. And the apps that mask information with these techniques are themselves detectable by forensics software, because they show up in the list of installed software.
Karlsson's innovation was that, instead of writing an application, he altered the operating system itself. The doctored system presents false information to any forensics tool that asks for data; the concealment is part of the system architecture rather than a program sitting on top of it. An analyst looking for suspicious software with conventional data-searching programs will see nothing out of the ordinary, because there is no separate app to find.
Karlsson built his prototype on an HTC Desire phone running CyanogenMod, one of a number of community-built modifications of Android. Because Android's source code is open, he said, anyone can rework the code on such a device. (An iPhone would be a much more daunting target, because Apple's system does not allow this kind of tinkering as readily as Android does.) A working prototype took him about three weeks.
Karlsson tested his hack against CelleBrite and XRY, two forensics tools that police departments commonly use to check phone data in the field. CelleBrite makes a device that connects to the phone over a USB cable, whereas XRY runs from a laptop or PC. Both can retrieve contact lists, call logs and even passwords. When Karlsson plugged in the phone running his modified system, however, the forensics programs picked up only the "decoy" data: false information, such as fake phone numbers in the contact list, that he had programmed into the phone in place of the real entries.
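The article does not show how Karlsson's modified system is wired internally, so the following is an added model of the idea, not his code or CyanogenMod's. It assumes that the modified OS answers the contacts query an extraction tool reaches over USB from a decoy table, and serves the real table only while an in-memory unlock flag is set, so that a phone handed over locked, or freshly booted, shows decoys to any caller that can only use the normal query interface. The contacts, the unlock secret and the "stock image" bytes are constructed sample data.

```python
"""Model of an OS-level provider that returns decoy contacts to untrusted callers.

Added illustration for the technique described in the article; it is not
Karlsson's code. The query path, the in-memory unlock flag and the sample
data are all assumptions made for the model.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Contact:
    name: str
    number: str


# Constructed sample data (not from the article).
REAL_CONTACTS = [
    Contact("Editor desk", "+44 20 7946 0000"),
    Contact("Source A", "+44 7700 900123"),
]
DECOY_CONTACTS = [
    Contact("Mom", "+44 20 7946 0011"),
    Contact("Pizza place", "+44 20 7946 0022"),
]


class DecoyContactsProvider:
    """Stands in for the contacts provider inside the modified OS.

    Every caller, including a USB extraction tool, goes through query().
    Until the owner unlocks the real store for the current session, query()
    answers from the decoy table. The flag lives only in memory, so a reboot
    or a seizure while locked leaves the phone in decoy mode.
    """

    def __init__(self, unlock_secret: str) -> None:
        # Store only a digest of the secret, compared in constant time below.
        self._unlock_hash = hashlib.sha256(unlock_secret.encode()).digest()
        self._unlocked = False

    def unlock(self, secret: str) -> bool:
        candidate = hashlib.sha256(secret.encode()).digest()
        self._unlocked = hmac.compare_digest(candidate, self._unlock_hash)
        return self._unlocked

    def lock(self) -> None:
        self._unlocked = False

    def query(self) -> list[Contact]:
        # The only interface an extraction tool has is this same call.
        return list(REAL_CONTACTS if self._unlocked else DECOY_CONTACTS)


def extraction_tool_view(provider: DecoyContactsProvider) -> list[tuple[str, str]]:
    """What a field forensics tool obtains: it can only ask the OS for contacts."""
    return [(c.name, c.number) for c in provider.query()]


def provider_image_is_stock(installed_image: bytes, known_good_sha256: str) -> bool:
    """The lab-level check the article alludes to: compare the installed
    provider binary against a known-good build instead of trusting its answers.
    (Hypothetical check; the article does not say which tools do this.)"""
    return hmac.compare_digest(hashlib.sha256(installed_image).hexdigest(), known_good_sha256)


if __name__ == "__main__":
    phone = DecoyContactsProvider("correct horse battery staple")
    print("seized while locked:", extraction_tool_view(phone))
    phone.unlock("correct horse battery staple")
    print("owner unlocked:", extraction_tool_view(phone))
```

The point of the model is the second function: a tool that only calls `query()` has no way to tell decoys from real entries, which is exactly why the field tools in the article were fooled, while `provider_image_is_stock` shows the kind of comparison against a reference build that a deeper analysis would use to notice the system had been altered.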
The technique would be ineffective on a PC or laptop, because an examiner can remove the hard drive entirely, attach it to another machine and read it without ever running the computer's own operating system. A phone, however, stores its data on a SIM card or on chips soldered to the board. The software used to read that data differs among handsets, so there is no standard way to query a phone's storage directly as there is with Windows- or Mac-based hard drives. In addition, it is simply harder to remove those parts from a phone without destroying it and possibly losing the valuable information in the process. The modified OS therefore sits in the only path the field tools have to the data.
Karlsson's hack is not going to stop a really sophisticated analysis, he said. If a phone were sent to the FBI or the National Security Agency, their analysts could dig into the operating system itself and determine that it had been modified. It is even possible that some field-level forensics tools have that capability, although CelleBrite and Micro Systemation, the maker of XRY, declined to respond to queries.
If masking data were to become commonplace, it could make some criminal cases harder to try. Guidelines from the National Institute of Standards and Technology say that investigators should take care not to change any data on a device when the evidence might be used in court, because extraction methods that alter the device can cast doubt on the authenticity of what was recovered. A phone that hands the field tool one set of data and a lab another raises the same kind of doubt.
Mikko Hypponen, chief research officer at F-Secure, a maker of computer security tools, said that Karlsson's modification represents another stage in the arms race among spies, law enforcement and users: whenever one of them makes a technological advance, the others work to counter it. The research also highlights the problem of protecting legitimate needs for privacy. "This kind of tool can be used for good or bad," Hypponen said.