UK Police Circumventing Cellphone Encryption By 'Mugging' Suspects While Their Phones Are Unlocked

from the snatch-and-grab dept

UK police are experimenting with a new brute force technique to defeat cellphone encryption:

Undercover surveillance officers trailed Yew and waited for him to unlock his phone to make a call - thereby disabling the encryption.

One officer then rushed in to seize the phone from Yew's hand - just as would happen in a criminal mugging. As his colleagues restrained the suspect, the officer continually "swiped" through the phone's screens to prevent it from locking before they had downloaded its data.

So, it's come to this: lawful mugging. Still, it's not a terrible solution to the problem. Sometimes the best methods are lo-tech, as anyone swinging a $5 Password Acquisition Tool can tell you.

This method will work in the UK. It may not in the US. UK law enforcement would likely find compelling a suspect to unlock a device a long and possibly fruitless endeavor, but there's no Riley decision standing in the way of seizing/searching phones on the hoof (as it were).

Courts here in the US have interpreted the Supreme Court's Riley decision in diverse ways, but a motion to suppress evidence might succeed if US law enforcement began engaging in this novel form of encryption circumvention. In one case, a judge found that simply opening a flip phone constituted a search under Riley. Keeping a phone "alive" until evidence can be retrieved from it might run afoul of the Fourth Amendment, even if the seizure itself is completely lawful.

It's still a better idea than making encryption backdoors mandatory or requiring device manufacturers to make a second set of keys for the government. The solution isn't elegant but it works. And it will only work in certain circumstances, so there's not much potential for abuse. It might encourage rougher arrests than usual, if only to separate the cellphone from the suspect, but the small number of arrests where this process would work shouldn't result in a sharp uptick in excessive force deployment.

This is a technique US law enforcement should definitely look into. While I'm sure most agencies would prefer a precedential court decision compelling decryption or a legislative mandate, this alternative would allow police officers to end up with fewer inaccessible phones.

There are other benefits as well -- some that could positively affect community relations. The arrest of a suspect in conjunction with the seizure of potential evidence could make related searches far less destructive. With the suspect out of the way, searches of homes/places of business wouldn't necessitate a barrage of flashbang grenades and the tearing of new entryholes by predawn raiding parties in SWAT gear. Sure, this less violent approach to serving search warrants won't appeal to officers who find the real military too restrictive but still harbor a desire to carry a gun and pretend they're participants in a war. But that's actually a good thing.

In addition, arrests of suspects out in the open should lower the chance of violent resistance. People tend to expect the arrival of police officers at their residence -- not so much when they're going about their daily, noncriminal business.

If efforts to keep seized phones alive until a search warrant arrives (or: novel idea -- get one first!) adhere to the Riley decision, the "going dark" problem isn't quite as all-encompassing as it's frequently been portrayed. (Even without this method, the "threat" of phone encryption has been greatly overstated.) It's tough to believe "mugging" might be the lesser of law enforcement's desired anti-encryption evils, but that's the reality of the situation.

Filed Under: encryption, mugging, police, uk


Reader Comments

  • John Cressman, 5 Dec 2016 @ 6:44am

    GREAT IDEA!

    This is GREAT idea!

    I want to be the first person to patent (I know, evil word here) a bluetooth device that locks the phone automatically when the phone is moved more than X feet from the device.

    Problem solved. Police come... grab your phone, it locks automatically as you are moved away!

    Also, a new feature on the phone - the phone can no longer be unlocked by a fingerprint, but the finger must remain on the phone for it to remain unlocked.

    Inconvenient, but enough of those measures start appearing and the legal mugging becomes moot.

    • zm, 5 Dec 2016 @ 6:53am

      Re: GREAT IDEA!

      And I will patent an app that locks the phone when a sudden acceleration is detected.

      • Anonymous Coward, 5 Dec 2016 @ 8:14am

        Re: Re: GREAT IDEA!

        too late, there is prior art

        https://play.google.com/store/apps/details?id=net.syntaxblitz.plucklock

        "The application will run in the background, constantly monitoring the accelerometer to determine if the phone has been taken from your hand."

        • Anonymous Coward, 5 Dec 2016 @ 11:37am

          Re: Re: Re: GREAT IDEA!

          Well I now have PluckLock on my phone. Thanks!

      • Anonymous Coward, 5 Dec 2016 @ 9:50am

        Re: Re: GREAT IDEA!

        That's a good idea; it works for locking the phone when you drive away too, so can be touted as a vehicle safety feature.

      • Anon, 5 Dec 2016 @ 2:11pm

        Re: Re: GREAT IDEA!

        Or, a basic "opposite of lift to talk" setting - if the phone departs from vertical by more than 45 degrees sideways or backward, it locks.

        • ANON, 5 Dec 2016 @ 2:12pm

          Re: Re: Re: GREAT IDEA!

          Or locks after 10 seconds during phone calls after connected, so when you finish the call and want to use an app, you must unlock it.

    • Rekrul, 5 Dec 2016 @ 6:57am

      Re: GREAT IDEA!

      Also, a new feature on the phone - the phone can no longer be unlocked by a fingerprint, but the finger must remain on the phone for it to remain unlocked.

      No need for that. Just make a button/pressure switch on the side of the phone, in a place where the user's fingers would normally be while holding the phone. This button needs to be depressed to unlock the phone, and needs to remain pressed to use it. Take your finger off the button and the phone instantly locks itself.

    • Machin Shin, 5 Dec 2016 @ 8:14am

      Re: GREAT IDEA!

      There are actually already apps to handle this situation. Solution I like was one that watched the sensors on the phone to detect a sudden acceleration, like when phone is snatched from you, and it locks the phone.

      Pretty sure the idea was to stop those annoying friends that snatch your phone to read your latest text, but it would work just as well in this case.

      • ANON, 5 Dec 2016 @ 2:14pm

        Re: Re: GREAT IDEA!

        >Re: GREAT IDEA!
        >There are actually already apps to handle this situation. Solution I like was one that watched the sensors on the phone to detect a sudden acceleration, like when phone is snatched from you, and it locks the phone.
        >Pretty sure the idea was to stop those annoying friends that snatch your phone to read your latest text, but it would work just as well in this case.

        Or to foil snatch and grab thieves, no matter what colour they are wearing.

  • Anonymous Coward, 5 Dec 2016 @ 6:49am

    We've come to that point in that old adage where you live long enough to see yourself become the villain. The line has been crossed.

  • Anonymous Coward, 5 Dec 2016 @ 7:07am

    So this conversation is now reality:

    - Heeey friend from another country. Did you hear? A police man just took someone's phone while his friends held the guy back.
    - Oh.... what has the world come to? That is pretty terrib...
    - Terrific? Yes! Now they don't have to destroy everyone's digital security and our whole online infrastructure.


    This is indeed a sad day when we find positive things in so-called "lawful mugging". That silver lining is starting to look very thin.

    • Anonymous Coward, 5 Dec 2016 @ 7:11am

      Re: So this conversation is now reality:

      Why is this activity lawful?

      None of this will stop until the police are treated as what they are - a criminal conspiracy.

    • Roger Strong, 5 Dec 2016 @ 9:20am

      Re: So this conversation is now reality:

      Oh.... what has the world come to?

      This.

      Yes! Now they don't have to destroy everyone's digital security and our whole online infrastructure.

      Good point. Still disturbing, but a good point.

      • orbitalinsertion, 5 Dec 2016 @ 9:38am

        Re: Re: So this conversation is now reality:

        What I imagine is that cops will feel yet another need to unload a firearm at you if they think you are depressing the power button.

  • Bilateralrope, 5 Dec 2016 @ 7:20am

    Let's look at what software alterations could do:

    The phone automatically locks itself at the end of any phone call. Police snatch my phone while I'm on a call. The person I'm talking to thinks it's a mugging and hangs up to call the police. Since the call ended, the phone is now locked.

    Maybe a voice command to lock the phone. Call it an anti-mugging feature and have the voice command also dial 911 (or whatever your country's emergency services number is).

    Or the phone has multiple levels of how locked it is. For example, there is very little data on the phone that I need to start a call. Once the call is connected, that data isn't useful so can be locked away.

  • DB, 5 Dec 2016 @ 7:23am

    I don't see a problem with this, with a warrant

    I don't see any problem with this, when the police have an arrest warrant and a search warrant.

    It could even be a regular part of an arrest warrant, if the investigators have probable cause that specific evidence related to the activity for which the warrant is issued is on the phone.

    But this sounds as if the police are arresting someone in order to do a fishing expedition on everything the phone can access. They want not just the phone and text history, but unfettered access to all online accounts.

    • Anonymous Howard II, 5 Dec 2016 @ 8:05am

      Re: I don't see a problem with this, with a warrant

      But this sounds as if the police are arresting someone in order to do a fishing expedition on everything the phone can access. They want not just the phone and text history, but unfettered access to all online accounts.

      The guy was already under investigation, likely they would have got a warrant. That seems wholly reasonable to me.

      • Anonymous Coward, 5 Dec 2016 @ 9:44am

        Re: Re: I don't see a problem with this, with a warrant

        The guy was already under investigation, likely they would have got a warrant. That seems wholly reasonable to me.

        But is it necessary? This is the UK. If you unlock your phone in a public space, don't they already have your password on several cameras?

        • Techanon, 5 Dec 2016 @ 5:46pm

          Re: Re: Re: I don't see a problem with this, with a warrant

          You're assuming that security cameras have enough resolution to be able to record someone typing a password on a tiny screen.

    • Anonymous Coward, 5 Dec 2016 @ 8:24am

      Re: I don't see a problem with this, with a warrant

      I think it's a bad idea. Don't the cops have to ID themselves? Screaming "we're the cops" as they attack you will lead to a cop being killed. I would consider that as self defense for the perp.

      • Richard, 5 Dec 2016 @ 9:45am

        Re: Re: I don't see a problem with this, with a warrant

        Don't the cops have to ID themselves? Screaming "we're the cops" as they attack you will lead to a cop being killed. I would consider that as self defense for the perp.

        Probably not a problem in the (unarmed - even the police) UK where this happened.

        Perhaps a big issue in the (armed to the teeth) US.

    • DannyB, 5 Dec 2016 @ 8:55am

      Re: I don't see a problem with this, with a warrant

      > If efforts to keep seized phones alive until a search
      > warrant arrives (or: novel idea -- get one first!)

      That sounds to me like they don't have a search warrant first.

      So the police will mug someone, steal their phone, and search through it to "keep it alive" until the presumed warrant arrives. But what if the warrant doesn't arrive? Is this assault and battery by the police?

      What happens if the victim of the mugging, or one of their friends, uses deadly force against one of these muggers only later to discover they are the police?

      One other observation: The police seem to wonder why they have a problem with the public not trusting them.

  • Rob, 5 Dec 2016 @ 7:25am

    This has already happened before; it's how they got Ross Ulbricht, aka Dread Pirate Roberts. He was in a library with his laptop, a couple of federal agents made a huge racket that distracted him, and while he wasn't looking another agent grabbed his laptop out of his hands.

  • Anonymous Coward, 5 Dec 2016 @ 7:27am

    Maybe...

    "So, it's come to this: lawful mugging. Still, it's not a terrible solution to the problem."

    I don't know about UK law, but what is up with the rhetoric?

    Without exception, any seizure of property by government authority IS ALWAYS lawful mugging. But since it is lawful, we usually like to call it something else.

    Here in America this is constitutional, so long as said officer has a warrant to do so. Any attempt to seize property outside of a warrant will remain unconstitutional regardless of how creative they try to get with fuzzy logic.

    • Lexi, 6 Dec 2016 @ 2:34am

      Re: Maybe...

      It is lawful by definition only. It is still mugging, when you take into account, how many of those warrants are being obtained: Be a cop, go to the judge of your liking and the judge will just sign it without even reading. That's probably not what the lawmaker intended.

  • Anonymous Coward, 5 Dec 2016 @ 7:29am

    So, instead of telling the police to do their legwork and to do their job properly, we are celebrating that now they are "legally mugging" people instead of wanting to break our encryption?

    Shame on you.

    Sorry, but I find nothing to celebrate in this. The "but they are going to break our encryption if they don't do that", doesn't work on me.

    In the end, it's the same excuse as "if we don't break your encryption, terrorists are going to break our country", just that applied in a different way.


    Btw, I guess that people will come up with solutions to that fast enough.

    And it just would be an anti-theft measure, btw. I guess that criminals do that already (stealing your phone while you're using it, then keeping it live so that it can't get locked).

    And if they don't do it, they will learn from this to do the same, particularly now that phones are being used to pay shit and that.


    Btw, this puts you at risk of being accused of resistance to authority. If I get caught by surprise by someone I think is mugging me, first thing I will do is resist with any means I have at hand, because I don't fucking know who was the one who attacked me.

    Until they identify themselves, at least.


    And I guess that they are going to use this technique by default, whether they have a warrant or not.

    And yet, you're celebrating this...

    • Anonymous Howard II, 5 Dec 2016 @ 7:53am

      Re:

      Conceptually, it's not that different from how UK police would conduct a drugs bust; gather evidence that gives reasonable suspicion, get a warrant on said evidence, rock up at 5am when everyone's in bed, loudly declare yourself to be police as you break the door down, then detain everyone before they have a chance to flush the gear down the toilet.

    • Richard, 5 Dec 2016 @ 9:47am

      Re:

      Until they identify themselves, at least.

      No

      "Until they identify themselves to your satisfaction"

      which is a much higher hurdle to get over.

  • Anonymous Coward, 5 Dec 2016 @ 8:12am

    Nothing wrong with this

    As long as they get a warrant this is no different than other forms of raids and defeats encryption without backdoors.

    Win win.

  • Ninja, 5 Dec 2016 @ 9:04am

    This is better than most tactics but I can easily see this being abused against the regular citizen. Mug first under 'reasonable suspicion', ask afterwards. I'm installing those motion apps for sure.

  • Anonymous Coward, 5 Dec 2016 @ 9:44am

    Well, it has the benefit of the suspect knowing that their device has been searched, anyway. And it can't be used to decrypt phones en masse - the police have to carefully plan the operation and it takes actual manpower. And it's probably safer for the cops to not try to arrest someone in his own home - when he's distracted by his own phone would seem like a good time.

    Riley wouldn't be a problem if the police got a warrant for the phone beforehand, right? They should be doing that anyway, if they have actual reason to believe the phone is evidence. (As opposed to just taking the phone because it *might* have evidence.)

    On the other hand, it's probably a little more dangerous for the general public if the guy resists. And I'm not sure we should train the public that a bunch of plainclothes people mobbing a guy and taking his phone is typical police behavior, unless you want a sudden rash of violent phone-theft.

  • Ryunosuke, 5 Dec 2016 @ 11:32am

    Aren't Law Enforcement (at the very least) borderline organized crime as it is? Why should we expect petty theft to be exempt?

  • Anonymous Coward, 5 Dec 2016 @ 11:36am

    Better yet...

    Someone make an app that wipes the phone when a certain finger's fingerprint is used to "unlock" it instead of the normal one - say the left ring finger or pinky. If you want to try to avoid charges of destruction of evidence, make it only wipe certain records/contacts/logs instead of all of them.

    Or you could make an app that geo-locates the phone itself and auto wipes when it is taken into certain locations like police stations.

    Or make one that unlocks into a shell UI loaded with fake information - call logs to elected officials with their contact information, contacts for local VIPs and prostitutes, location tracking information for Topeka Kansas instead of locally, fun stuff like that.

    Maybe one that executes on verbal command - "Siri - wipe!" :D

    Personally, I'll just try to avoid breaking the law, but since that's pretty impossible in the current surveillance/selective prosecution culture we have, it would be nice to have some level of privacy protection.

  • Dukrugger, 5 Dec 2016 @ 12:39pm

    Use siri without unlocking to make the call.

    • Roger Strong, 5 Dec 2016 @ 12:54pm

      Re:

      If you're describing how to maintain your privacy, the instruction "Use Siri" should play no part in it.

      • Anonymous Coward, 5 Dec 2016 @ 1:56pm

        Re: Re: Siri

        Eh. I don't use Siri. Or Cortana. Or the cloud. Or Facebook or Twitter. Location services off.

        Doesn't mean jack as long as I keep carrying around my own personal tracking device, but I try to minimize my exposure while realizing that it's ultimately pointless.

      • Dukrugger, 5 Dec 2016 @ 3:40pm

        Re: Re:

        If you want absolute privacy you should have no phone at all, but the idea is not to let whoever is taking you to have easy access to your data, to access siri's data surely a warrant or a subpoena will be needed. Also you'll be using it to make a single call whose number can easily be obtained even if you used a nokia.

  • That One Guy, 5 Dec 2016 @ 1:04pm

    How about 'NO'?

    It's tough to believe "mugging" might be the lesser of law enforcement's desired anti-encryption evils, but that's the reality of the situation.

    Which is kinda like saying "Sure they could have shot you dead, but instead they only broke your leg, so progress!"

    If they can't force someone to unlock a device through legal means, then the correct response is not 'Well have you tried mugging them?', it's 'Too bad, guess you don't get everything you want, now back to actually doing your job rather than expecting everyone else to do it for you.'

    Their actions here are wrong, that it's slightly better to have the cops mugging people rather than breaking encryption wholesale doesn't make it any better.

  • killthelawyers, 5 Dec 2016 @ 2:02pm

    At least in the United States, I think people arguing that physically taking a temporarily unprotected device = mugging misunderstand what rights they have and don't have. You have a right to be free of unreasonable searches not supported by probable cause. In many, if not most circumstances, that will also require a search warrant. Once a search warrant is obtained, you lose the right to withhold physical access. The point of encryption is that it often implicates another right: the right against self-incrimination. Yes, you know the passcode and, arguably, compelling you to give it up is a requirement that you incriminate yourself. Whether that is true or not is an argument well worth having, but that is not the issue here. The issue here is whether steps you have taken to assure that you will have the ability to invoke that right have to be scrupulously honored, even when you have voluntarily, albeit unwittingly, surrendered them. Unfortunately, I do not think this is a battle that the "mugging" advocates are going to win. You're really arguing about whether search warrants should be allowed and, if so, should even relatively minor levels of force be allowed in their execution. That's not a strong position to start from and it's worse when you consider the level of force routinely authorized for the execution of search warrants.

  • Padpaw, 5 Dec 2016 @ 3:25pm

    Again with putting an emphasis on when police/government does it calling it lawful or routine in these types of articles.

    Even if it is meant as satire just feels wrong to call it that.

    Why not just call it a criminal act instead of putting the word "lawful" in front of it.

    Been bothering me to see this lately. Almost legitimizes the act by not calling it for what it is. A crime.

  • Anonymous Coward, 5 Dec 2016 @ 4:27pm

    This method will work in the UK. It may not in the US.

    Why not?

    If it does happen in the US, do you realistically expect the cops involved to be punished for it?

  • Anonymous Coward, 6 Dec 2016 @ 5:30pm

    UK police committing crimes. Water is wet.

  • Anonymous Coward, 6 Dec 2016 @ 6:49pm

    This is already legal in the US

    They already did this when they arrested Ross Ulbricht (Dread Pirate Roberts)

    http://arstechnica.com/tech-policy/2015/05/sunk-how-ross-ulbricht-ended-up-in-prison-for-life/

  • Freemor, 7 Dec 2016 @ 5:52am

    Already solved..

    Plucklock:

    https://f-droid.org/repository/browse/?fdfilter=plucklock&fdid=net.syntaxblitz.plucklock

    has been around for years.. So this problem is solved already.. People just need to protect themselves.
