To break terrorist encryption, pay off Apple and Google, expert urges

17.12.2015
To break encrypted smartphone messages used by terrorists, tech companies such as Apple and Google need to be paid by law enforcement, an expert urged Thursday.

"If there were a financial incentive for Google and Apple to assist law enforcement, then they would be more willing to change their encryption technology to facilitate law enforcement in possession of a warrant," said Professor Darren Hayes, director of cybersecurity at Pace University, in an interview.

Tech companies and wireless carriers currently get reimbursed "quite nicely," he said, for their time and help when faced with a court warrant under the 1994 Communications Assistance for Law Enforcement Act (CALEA), a wiretap law that allows the FBI and others access to some communications, but not encrypted data.

Apple and others "are in the business to make money, so you have to make a business case for them to cooperate," Hayes added.

In the latest versions of their operating systems -- after Apple iOS 4 and Google Android 5.0 (Lollipop) -- decryption keys are kept only on the devices themselves, with disk-level encryption. In both cases, the companies would likely need to re-work their operating systems to allow access to the decryption keys.

Hayes believes updating CALEA to apply to encrypted data or some other standard is needed, but he also believes added financial incentives to cooperate with authorities will persuade tech companies.

"Something needs to be done, if there's a warrant, to intercept encrypted communications," he said. 'Until a year ago [under older iOS versions], Apple held the decryption keys, so it's not a challenge to go back to what they were doing a year ago."

Neither Apple nor Google would comment when asked about Hayes' proposal. But the Information Technology Industry Council, which represents both companies as well as others, has opposed attempts to break encryption.

Hayes admitted that gaining access to encrypted terrorist communications is a "massive undertaking" given the wide variety of encryption tools, including hundreds of free or low-cost smartphone apps for voice, text, files and more, as well as privately developed apps.

Members of ISIS, which has been linked to deadly attacks in Paris and San Bernardino, are widely reported to be using an encryption tool called Mujahedeen Secrets 2, written by anonymous developers.

CNN reported on Thursday that investigators in the Paris attacks have found evidence that indicates some of the terrorists used encrypted apps, including WhatsApp and Telegram, for plotting the attacks.

Previously, investigators said there were encrypted apps on the cell phones recovered from the crime scenes in the Paris attacks, but at the time they weren't sure the apps were used to plot the attacks.

Hayes said having an update to CALEA or some other standard as well as financial incentives to break encryption would especially help investigators in ongoing investigations once they have recovered devices. While a U.S. law probably wouldn't apply to other countries or to many encryption app makers outside of the country, it could serve as a starting point for addressing a difficult problem, Hayes and others said.

The chairman of the Senate Intelligence Committee, Sen. Richard Burr (R-N.C.) is working on encryption legislation, which has not yet been introduced, according to Hill staffers on Thursday. Details were not available.

Burr and U.S. Sen. Dianne Feinstein (D-Calif.) introduced separate legislation on Dec. 8 to require tech companies to report online terrorist activity to law enforcement. That legislation does not currently mandate tech companies decrypt communications and pertains primarily to social media activities by potential terrorists.

Sen. Mark Warner, D-Va., is also studying ways to deal with encryption used by terrorists, a spokeswoman said.

Tracking encrypted communications prior to an attack poses greater difficulties than trying to break encryption on a recovered terrorist's phone, since intelligence officials need to know which terrorist and which phone to pinpoint beforehand. It's a daunting task, considering the billions of phones in use, and the limitations of tracking technology.

"You won't listen [to] or track someone's encrypted communications unless [you] know they are a target," said Gartner analyst Avivah Litan. "You first have to narrow down who you are listening to and then start eavesdropping."

Litan said of FBI director James Comey and others: "They have a point about how they would like to read these encrypted communications and that tech companies are stopping them, but they don't recognize encryption is a moving target and that the bad guys will find their own private encryption."

Comey has repeatedly said he doesn't want to force tech companies to turn over encryption keys or provide back doors to encrypted data, and has urged companies to comply voluntarily.

In fact, FBI spokesman Christopher Allen said on Thursday in an email to Computerworld, "Just to be clear, the FBI supports strong encryption." He didn't elaborate.

Litan said the focus by Comey and lawmakers should be on better coordination between intelligence agencies inside the U.S. and in other countries, instead of primarily on breaking encryption.

"If intelligence groups can't decrypt messages, there are still others electronic signs to follow," Litan said. "Good intelligence people tell me that there is always other information available to correlate information for attacks. Sure, it's better to listen in, but not having that ability is not a showstopper."

One technique Litan said has been valuable in narrowing down past terrorist activity is to compare communications from a potential terrorist's personal handset, which is usually operating without encryption, with that person's second encrypted phone, a dedicated handset for communicating with superiors. If both handsets are used in the same location, as tracked by triangulation from cell towers, the information can potentially offer clues about location and timing for a planned attack.

Litan said that even if Apple gave up encryption keys to its smartphones, there still might be encrypted data inside apps running on the phone. Encrypted apps sometimes work by recording encrypted keystrokes used in text, email and files, which would mean that breaking into an encrypted phone might yield only a string of encrypted text. "That encryption can't be broken in a timely fashion. It would take weeks," she said.

By studying a suspicious person's handset behaviors, credit card purchases and other electronic footprints -- and even voice calls -- investigators can glean a lot about a suspicious person without access to encrypted files. "Why not go after bigger-picture problems like integrating intelligence silos and stop terrorizing the tech companies" Litan asked.

(www.computerworld.com)

Matt Hamblen