FBI Can’t Crack Android Pattern-Screen Lock

Pattern-screen locks on Android phones are secure, apparently so much so that they have stumped the Federal Bureau of Investigation.

The bureau claims in federal court documents that forensics experts performed “multiple attempts” to access the contents of a Samsung Exhibit II handset, but failed to unlock the phone.

An Android device requires the handset’s Google e-mail address and its accompanying password to unlock the handset once too many wrong swipes are made. The bureau is seeking that information via a court-approved warrant to Google in order to unlock a suspected San Diego-area prostitution pimp’s mobile phone. (For details on the pimp investigation, check out Ars Technica‘s story on the case.)

Locking down a phone is even more important today than ever because smart phones store so much personal information. What’s more,  many states, including California, grant authorities the right to access a suspect’s mobile phone, without a warrant, upon arrest for any crime.

Forensic experts and companies in the phone-cracking space agreed that the Android passcode locks can defeat unauthorized intrusions.

“It’s not unreasonable they don’t have the capability to bypass that on a live device,” said Dan Rosenberg, a consultant at Boston-based Virtual Security Research.

A San Diego federal judge days ago approved the warrant upon a request by FBI Special Agent Jonathan Cupina. The warrant was disclosed Wednesday by security researcher Christopher Soghoian,

In a court filing, Cupina wrote: (.pdf)

Failure to gain access to the cellular telephone’s memory was caused by an electronic ‘pattern lock’ programmed into the cellular telephone. A pattern lock is a modern type of password installed on electronic devices, typically cellular telephones. To unlock the device, a user must move a finger or stylus over the keypad touch screen in a precise pattern so as to trigger the previously coded un-locking mechanism. Entering repeated incorrect patterns will cause a lock-out, requiring a Google e-mail login and password to override. Without the Google e-mail login and password, the cellular telephone’s memory can not be accessed. Obtaining this information from Google, per the issuance of this search warrant, will allow law enforcement to gain access to the contents of the memory of the cellular telephone in question.

Rosenberg, in a telephone interview, suggested the authorities could “dismantle a phone and extract data from the physical components inside if you’re looking to get access.”

However, that runs the risk of damaging the phone’s innards, and preventing any data recovery.

Linda Davis, a spokeswoman for forensics-solutions company Logicube of suburban Los Angeles, said law enforcement is a customer of its CellXtract technology, which it advertises as a means to “fast and thorough forensic data extraction from mobile devices.”

But that software, she said in a telephone interview, “is not going to work” on a locked device.

All of which is another way of saying those Android screen locks are a lot stronger than one might suspect.

It was not immediately clear whether the iPhone’s locking system is as powerful as its Android counterpart. But the iPhone’s passcode has been defeated with simple hacks, the latest of which was revealed in October 2010.

Clearly, the bureau is none too happy about having to call in Google for help. The warrant requires Google to turn over Samsung’s “default code” in “verbal” or “written instructions for overriding the ‘pattern lock’ installed on the Samsung model SGH-T679.”

Google spokesman Chris Gaither would not say if Google would challenge any aspect of the warrant. Google, he said, does not comment on “specific cases.”

“Like all law-abiding companies, we comply with valid legal process. Whenever we receive a request we make sure it meets both the letter and spirit of the law before complying,” he said in an e-mail. “If we believe a request is overly broad, we will seek to narrow it.”

Photo: Mike Dent/Flickr