When authorities confiscate your electronics: The fate of David Miranda's computer and phone

What if you are traveling through an airport, and authorities confiscate your laptop and phone?

In some countries, modifying confiscated devices in any way is either illegal or requires suspicion of serious crime. But in the UK hacking of random suspects and inserting malware on their computers became routine protocol as early as 2011.

Electronics confiscation is exactly what happened to David Miranda, husband of Guardian newspaper journalist Glenn Greenwald, last Sunday August 18.

Under UK law, Mr. Miranda - who was not charged for any crime - is supposed to get his devices back seven days after confiscation. Update Friday, August 23, 5:47 PST: UK High Court has ruled UK authorities can keep Mr. Miranda's property for continued access to his electronics until Tuesday, August 27 - a total of ten days.

In the meantime, UK authorities have received judicial permission to hack Miranda's laptop, phone, and all of his electronic devices to their heart's content - as evidenced in yesterday's UK High Court order allowing British authorities to "continue investigating the materials" they seized from him on Sunday.

The Court ruled that British police don't have official permission to share or 'use' anything they find on his electronic devices.

But with what ZDNet has now learned about police hacking, the ruling is little more than lip service for privacy advocates.

Miranda's devices have most certainly been copied and all personal information extracted, and the Court did not prevent authorities from modifying the devices.

Security researcher Felix "FX" Lindner runs Berlin-based security consultancy Recurity Labs, and is well-known for exposing grave vulnerabilities in Huawei routers, as well as the famous default password list.

Lindner explained that the general classes of what authorities can do when a device is confiscated include:

• Hardware modification
• Firmware modification
• Certificate material addition
• Software changes (think apps)
• Data dump (this is usually through the charger connection)

According to top security researchers on the topic of device spyhacks - interviewed for this article - typical targets of confiscation and remote police hacking include political activists, freedom fighters, terrorists, journalists connected to political topics, hackers and security researchers, political documentarians, academics (especially on political science connected or researching political activism or situations) and corporate personnel connected to interesting technology or large scale business decisions.

Finland-based F-Secure Senior Researcher Jarno Niemelä stated, "If you fall into one of the above groups you can expect pretty much anything.

At the very least, he elaborated, victims of confiscation can expect that a full copy of their computer and phone will be made.

If the government officials decide to modify the device all bets are off.

There is a wide range of software that they could install to the device which provide full access to everything that the phone or PC is capable of doing.

This means that they can observe any phone calls or messages being sent from the device, see the devices physical location and manipulate whatever information they want in the device.

Authorities modify confiscated devices in a number of ways, and can do so with commercially available tools and software.

Niemelä added,

Typical example of consumer-grade spying tools would be Flexispy for mobile devices, and Realtime-Spy for PC's.

The government grade-software have a similar feature set, but they are provided only for limited distribution, which means that Antivirus and other security products are much less likely to detect them.

Anti-virus and other security software provide good detection against consumer-level spying tools, because researchers can obtain samples of them.

But real spy stuff is hard because we almost never receive a copy of them.

And what can authorities make your confiscated computer or phone do after it's returned to you? F-Secure's Niemelä detailed,

Everything.

Phone calls, call records, SMS messages and SMS records, email messages, physical location, ability to use device as a listening bug, websites visited (and visit duration), screenshots of user activity, all windows interacted with, all internet connections made, all app usage (and use duration), all files used and deleted, all documents opened, all chatroom conversations, all computer usage sessions, etc.

Lindner explained in more direct terms, "However, just imagine I get your phone and computer and put every data point I can find in Maltego. The secondary and following layers reveal everything, especially if the authority doing it also has the power to go to the central service providers you use (Facebook, Twitter, Google)."

How can you tell if authorities hacked your laptop or phone?

If a computer or phone has been hacked by authorities, only in rare cases will there be any visible evidence that might reveal tampering.

Finland-based F-Secure Senior Researcher Jarno Niemelä tells ZDNet that also with phones,

There is an alternative way of doing espionage operations over a modified SIM card, which means that an operative replaces the phone's SIM with a cloned version that contains additional SIM Toolkit software which allows quite wide range of access to device information - all without modifying the phone at all.

I have feeling that the SIM card attack is used more often than we think. Mostly due to the fact that almost no-one knows how powerful they are and how easy it is for someone to make a SIM clone with government-level resources.

One thing I would recommend is mark the SIM card so that I can see if it has been replaced with modified version.

In terms of visual evidence for phone tampering, a SIM-card "man in the middle" technique has been around for over five years. F-Secure's Security Advisor Sean Sullivan explained that "SIM piggybacks" are now much smaller and slimmer than the one in the photo at right, which F-Secure provided as an example.

Another phone hardware spy technique is swapping out a modified battery; in this instance, authorities replace the suspect's phone battery with a visually identical duplicate that houses a smaller battery and a range of possible surveillance tools (able to track physical location, intercept phone calls, activate software to record video, among other functions).

Still, the battery looks identical - and there is no visual reason for the person having their phone taken by authorities to suspect that anything has changed.

So-called 'piggyback SIM' card man-in-the-middle attacks, stealth battery swap, and more was confirmed by San Francisco based Rift Recon. Researchers interviewed for this article (such as Lindner) sent me to Rift's team for expert answers about physical tampering; evidence, methods of attack, and detection.

Rift Recon's team explained that computers and phones don't even need to be confiscated and kept in order for authorities to modify devices and insert silently running surveillance malware.

All authorities need to do, Rift explained, is to have your phone or laptop out of your sight for anywhere between a few seconds to a few minutes to insert a thumb drive that spoofs the device, copies the data, and inserts an undetectable piece of surveillance software.

Rift Recon Founder and CEO Eric Michaud confirmed that aside from a piggyback SIM, visual evidence of phone tampering is rare.

There will be no visual evidence if they utilized restricted law enforcement kits like the Cellebrite UFED- and there are many such restricted kits.

Most phones have a debug mode that is trivial to access and/or bypass, and then authorities can download the contents of the phone. This affects even modern devices like the iPhone 5 or Nexus devices from Google sold in the consumer market.

Miranda also had his hard drives confiscated. External drives are also targeted, and these prove difficult when trying to determine if they have been accessed.

A few vendors sell ones that require a password or fingerprint to activate, but most drives don’t offer much to go on in the way of tamper-evidencing. The problem here lies with the fact that there are open ports, and most commercial devices just power on and are ready for Read/Write almost immediately, and do not log access.

This is an especially acute issue with law enforcement data acquisition devices that do not write to the drives (which is required for logging).

If David Miranda's laptop and phone don't appear to be modified, it may display behaviors during normal operation that reveal ways in which the devices have been hacked - although, again, government malware typically evades anti-virus software and operates invisibly.

All of the researchers agreed that for both computers and phones, a good bet would be to monitor and document all network traffic. Niemelä, the Senior Researcher at F-Secure suggested,

The best way to detect tampering is to look for unexplained network connections.

Switch off all software that uses a network; Twitter, Facebook, Gmail, etc. and monitor if the device makes any sort of network connections, and if they do, to where. Best way to do this is to set up a WiFi router with which you can observe all traffic, either from logs or by using Wireshark, or another network sniffing tool.

Another option is a full forensic examination of the device. But this is very expensive. So traffic analysis is a sensible starting point.

At Berlin's Recurity Labs, Mr. Lindner provided a tip for people who have had their phones confiscated, or otherwise suspect phone modifications:

With cell phones, the key is battery life.

Review how the Etisalat BlackBerry trojan was found: The server died under load and everyone's BB drained its battery while trying to reach it. In similar modifications, the battery drain of a 5 minute call to person A is double or triple of that to person B.

Having surveillance done on a phone itself is hard, batteries are b*tches. The advanced version for phones is knowing someone with a faraday cage (or having access to a shipping container) and an IMSI-catcher. This will allow you to monitor communication over the GSM/3G interface. You can make calls and see how many channels are opened for voice etc.

Your computer and phone have been hacked and modified by British authorities. Now what?

All researchers agreed that device replacement is safest option, as long as with phones the SIM card is also replaced.

Most hackers told me that once your phone or laptop has been confiscated by authorities or modified by authorities on the fly, you should just think of them as pricey paperweights.

Not all of the researchers were quite so cynical, but across the board all were skeptical about being able to effectively clean any authority-tainted devices. Because, as Lindner put it, "Defense is >10 years behind attack research. Detection of compromise is only very slowly getting attention. Recovery from compromise is absolutely blank in terms of research."

F-Secure's Niemelä reminded me that there's a difference between what low-level (and low-budget) authorities will use to modify your devices and what budgeted police will use. "Of course if anti-virus detects the spying tool then running AV cleanup could be enough, but that is more effective against tools used by private investigators than government spies."

How can we keep our private property, private?

The researchers interviewed for this article described a few ways - in some cases, their own personal precautions - in which travelers can take precautions to keep the private lives and sensitive information stored on laptops and phones, private.

The Electronic Frontier Foundation has an excellent and detailed post, Defending Privacy at the U.S. Border: A Guide for Travelers Carrying Digital Devices.

While focused on American borders (specifically digital travelers and U.S. law), it suggests a lot of techniques with which you can decide how you want to try and protect your data from authorities. The EFF's list of basic precautions in that post are invaluable.

F-Secure's Niemelä recommended, "If the device is encrypted and switched off when entering a checkpoint, the officials would have to be able to crack the encryption first before being able to tamper with the device. Which means that unless a SIM card attack is used, the user can feel quite safe even if the device is taken from their possession."

Recurity's Lindner also had great advice, more along the lines of having an OPSEC (operations security) philosophy. "Computers are cheap, stop using one for everything. If you are disciplined about that (OPSEC again), you always have a clear mental picture of what you lost when it's taken from you. Much like a wallet, basically. F*ck the Cloud - be one."

File encryption is a commonly prescribed precaution - but one hacker interviewed for this article who has worked in the infiltration and penetration field for two decades was adamant that file encryption was worthless in the face of some government tools. The EFF agrees that file encryption is not a complete solution. Even with file encryption there are attacks which can still access a device's operating system. The source exclaimed, "Once they access your OS, you're done."

According to this anonymous source, full disk encryption is the surest option because it prevents access to the operating system and suggestions included PointSec and Sophos.

Contents: unknown, and under pressure

Brazilian citizen Miranda was held for nine hours and all his electronic equipment including mobile phone, laptop, memory sticks and smart watch were taken and kept by British police.

Miranda, a 28-year-old university student, was traveling home to Brazil after visiting Germany, where he met with Emmy-nominated documentarian (and Freedom of the Press Foundation Board Member) Laura Poitras, who has worked with Greenwald and Edward Snowden while involved with her current docu about Wikileaks and whistleblowers. Greenwald said Miranda was carrying materials, but it is unknown what he was carrying.

I don't in any way intend to minimize the obviously deep bond between Mr. Greenwald and his husband with the following statement.

But I think that what is happening to David Miranda at the hands of British authorities should give every ordinary citizen of the world ice in their veins - especially those traveling through London Heathrow - when we're wondering if all we do to get detained, interrogated and have our lives violated in ways we're only starting to understand - is simply to fall in love with a journalist.

Hopefully Mr. Miranda will have all of his possessions returned to him this weekend.

Photo credit for "piggyback SIM" card - used with full permission and shot by Sean Sullivan, F-Secure. All other images: CNET. Hardware hacker in CNET photo: Limor Fried. Full disclosure: the author of this article is in a personal relationship with Rift Recon's Eric Michaud. On the basis of this disclosure, no conflict with the material was posed in regard to the subject's inclusion in the article.