Hey Siri: How iOS 10 Improves Encrypted Phone Forensic Capabilities
The battle earlier this year between the FBI and Apple brought encryption issues to the forefront. With the introduction of iOS 8, phones became encrypted and Apple could no longer unlock them when law enforcement requested. While cracking a locked phone may now be impossible, another consideration is the data collected by Apple to make the device users’ life more convenient. iOS 9 allowed the iPhone to become proactive, and iOS 10 furthered these enhancements. If this data can’t be obtained from the device, could Apple still have access to the data?
Phones running iOS 9 and higher collect a lot of user data in order to make Siri more proactive. For example, an eye opening feature in iOS 9 was maps suggestion. Utilizing the various sensors within the iPhone, the device learned the users driving behavior. When an individual would leave for work every weekday at 6am, the phone would provide the estimated driving time and the best route. iOS 10 has taken this a step further and provides users with parked car location. This Proactive feature is turned on by default and many users do not know that it is an optional feature.
Some other Proactive features include; call suggestions based on time and frequency, using a connected email account to provide contact info for an unknown incoming phone call, and listening to the song or podcast from the part you left off while driving. This analytical data is being sent to Apple’s servers in order to make our lives more convenient. In addition to improving Siri and other features, Apple has admitted selling the behavior information to third parties and back in 2013 told Wired magazine, that they store Siri data for two years. However, this data is stripped of identifying information and given an ID number which Apple considers to be secure.
The issues with ID numbers is they are not as anonymous as one would think. For example, over the past few days I have asked Siri to call my wife, play Jonathan’s playlist, directions to get home, provide directions to my friend’s house based on his address in my contacts list, and dictate an email with my home address and phone number in the content. In addition, Siri has provided proactive responses such as directions to my child’s school when leaving the house, directions home after dropping him off, connecting to the podcast I was last listening to, and directions to my gym at lunchtime. If one were to analyze this data, it would not be difficult to obtain various pieces of information from this to identify who the user is behind the "anonymous" user ID. From my example, my name, home address,
email address, phone number, associates name and address, and behavior patterns are all stored by Apple. I do not consider myself to be a heavy Siri user, so I imagine more individuals would have even more personal data available behind a user ID.
So how does law enforcement obtain access to this data? That is the very difficult question. The relationship between Apple and law enforcement is strained. In addition, one cannot subpoena Apple with the user ID the company assigns to anonymize the Siri data. However, a lot of this information can be found on an individual’s computer or iCloud account. When a user backups their iPhone to iTunes, this data is stored on the computer hard drive. Unless the user encrypts the backup, not a default option, this data is available to extract from the hard drive with various software’s available. This information is also available in a user’s iCloud account. Although the data is encrypted, when the user stores data or backs up their phone to the iCloud, the keys are maintained by Apple. This means they can decrypt the data and provide it to law enforcement. For example, the FBI attempted this during the investigation of the San Bernardino terrorist attack. By connecting the iPhone to a known Wi-Fi network and triggering an iCloud backup, the FBI could have subpoenaed Apple to provide this iCloud data. However, a technical error of resetting the password on the account disabled this ability.
Despite the encryption phones have today, a locked apple and android phone should not dissuade law enforcement from trying to obtain the data the phone contains. While individuals are notorious for failing to back up their data to a separate device, it does occur and could enable an investigator to receive some of the data stored on the phone. This data could also include proactive Siri data. As obtaining phone records in most cases have become the norm, the move to a data based communication in all aspect of our lives require a shift to conduct forensics on all phones. Education begins with what data is available, shortcuts the phone may have to provide some user information, and how to protect the phones from being maliciously destroyed remotely. Contact us today for all your cell phone device training needs.