When authorities confiscate your electronics: The fate of David Miranda's computer and phone

Summary: Top security researchers and hackers on device spyhacks explain how UK police are hacking David Miranda's computer and phone, and what to do if it happens to you.

What if you are traveling through an airport, and authorities confiscate your laptop and phone?

In some countries, modifying confiscated devices in any way is either illegal or requires suspicion of serious crime. But in the UK, hacking random suspects and inserting malware on their computers became routine protocol as early as 2011.

Electronics confiscation is exactly what happened to David Miranda, husband of Guardian newspaper journalist Glenn Greenwald, last Sunday August 18.

Under UK law, Mr. Miranda - who was not charged for any crime - is supposed to get his devices back seven days after confiscation. Update Friday, August 23, 5:47 PST: UK High Court has ruled UK authorities can keep Mr. Miranda's property for continued access to his electronics until Tuesday, August 27 - a total of ten days.

In the meantime, UK authorities have received judicial permission to hack Miranda's laptop, phone, and all of his electronic devices to their heart's content - as evidenced in yesterday's UK High Court order allowing British authorities to "continue investigating the materials" they seized from him on Sunday.

The Court ruled that British police don't have official permission to share or 'use' anything they find on his electronic devices.

But with what ZDNet has now learned about police hacking, the ruling is little more than lip service for privacy advocates.

Miranda's devices have most certainly been copied and all personal information extracted, and the Court did not prevent authorities from modifying the devices.

Security researcher Felix "FX" Lindner runs Berlin-based security consultancy Recurity Labs, and is well-known for exposing grave vulnerabilities in Huawei routers, as well as the famous default password list.

Lindner explained that the general classes of what authorities can do when a device is confiscated include:

  • Hardware modification
  • Firmware modification
  • Certificate material addition
  • Software changes (think apps)
  • Data dump (this is usually through the charger connection)

According to top security researchers on the topic of device spyhacks - interviewed for this article - typical targets of confiscation and remote police hacking include political activists, freedom fighters, terrorists, journalists connected to political topics, hackers and security researchers, political documentarians, academics (especially those in political science, or connected to or researching political activism or situations) and corporate personnel connected to interesting technology or large-scale business decisions.

Finland-based F-Secure Senior Researcher Jarno Niemelä stated, "If you fall into one of the above groups you can expect pretty much anything."

At the very least, he elaborated, victims of confiscation can expect that a full copy of their computer and phone will be made.

If the government officials decide to modify the device all bets are off.

There is a wide range of software that they could install on the device which provides full access to everything that the phone or PC is capable of doing.

This means that they can observe any phone calls or messages being sent from the device, see the device's physical location and manipulate whatever information they want in the device.

Authorities modify confiscated devices in a number of ways, and can do so with commercially available tools and software.

Niemelä added,

A typical example of consumer-grade spying tools would be Flexispy for mobile devices, and Realtime-Spy for PCs.

The government-grade software has a similar feature set, but it is provided only for limited distribution, which means that antivirus and other security products are much less likely to detect it.

Anti-virus and other security software provide good detection against consumer-level spying tools, because researchers can obtain samples of them.

But real spy stuff is hard because we almost never receive a copy of them.

And what can authorities make your confiscated computer or phone do after it's returned to you? F-Secure's Niemelä detailed,

Everything.

Phone calls, call records, SMS messages and SMS records, email messages, physical location, ability to use device as a listening bug, websites visited (and visit duration), screenshots of user activity, all windows interacted with, all internet connections made, all app usage (and use duration), all files used and deleted, all documents opened, all chatroom conversations, all computer usage sessions, etc.

Lindner explained in more direct terms, "However, just imagine I get your phone and computer and put every data point I can find in Maltego. The secondary and following layers reveal everything, especially if the authority doing it also has the power to go to the central service providers you use (Facebook, Twitter, Google)."

How can you tell if authorities hacked your laptop or phone?

If a computer or phone has been hacked by authorities, only in rare cases will there be any visible evidence that might reveal tampering.

Finland-based F-Secure Senior Researcher Jarno Niemelä tells ZDNet that also with phones,

There is an alternative way of doing espionage operations over a modified SIM card, which means that an operative replaces the phone's SIM with a cloned version that contains additional SIM Toolkit software which allows quite a wide range of access to device information - all without modifying the phone at all.

I have a feeling that the SIM card attack is used more often than we think. Mostly due to the fact that almost no-one knows how powerful they are and how easy it is for someone to make a SIM clone with government-level resources.

One thing I would recommend is to mark the SIM card so that I can see if it has been replaced with a modified version.

SIM Piggyback


In terms of visual evidence for phone tampering, a SIM-card "man in the middle" technique has been around for over five years. F-Secure's Security Advisor Sean Sullivan explained that "SIM piggybacks" are now much smaller and slimmer than the one in the photo at right, which F-Secure provided as an example.

Another phone hardware spy technique is swapping out a modified battery; in this instance, authorities replace the suspect's phone battery with a visually identical duplicate that houses a smaller battery and a range of possible surveillance tools (able to track physical location, intercept phone calls, activate software to record video, among other functions).

Still, the battery looks identical - and there is no visual reason for the person having their phone taken by authorities to suspect that anything has changed.

So-called 'piggyback SIM' card man-in-the-middle attacks, stealth battery swaps, and more were confirmed by San Francisco-based Rift Recon. Researchers interviewed for this article (such as Lindner) sent me to Rift's team for expert answers about physical tampering: evidence, methods of attack, and detection.

Rift Recon's team explained that computers and phones don't even need to be confiscated and kept in order for authorities to modify devices and insert silently running surveillance malware.

All authorities need to do, Rift explained, is to have your phone or laptop out of your sight for anywhere between a few seconds to a few minutes to insert a thumb drive that spoofs the device, copies the data, and inserts an undetectable piece of surveillance software.

Rift Recon Founder and CEO Eric Michaud confirmed that aside from a piggyback SIM, visual evidence of phone tampering is rare.

There will be no visual evidence if they utilized restricted law enforcement kits like the Cellebrite UFED - and there are many such restricted kits.

Most phones have a debug mode that is trivial to access and/or bypass, and then authorities can download the contents of the phone. This affects even modern devices like the iPhone 5 or Nexus devices from Google sold in the consumer market.

Miranda also had his hard drives confiscated. External drives are also targeted, and these prove difficult when trying to determine if they have been accessed.

A few vendors sell ones that require a password or fingerprint to activate, but most drives don’t offer much to go on in the way of tamper-evidencing. The problem here lies with the fact that there are open ports, and most commercial devices just power on and are ready for Read/Write almost immediately, and do not log access.

This is an especially acute issue with law enforcement data acquisition devices that do not write to the drives (which is required for logging).

If David Miranda's laptop and phone don't appear to be modified, they may display behaviors during normal operation that reveal ways in which the devices have been hacked - although, again, government malware typically evades anti-virus software and operates invisibly.

All of the researchers agreed that for both computers and phones, a good bet would be to monitor and document all network traffic. Niemelä, the Senior Researcher at F-Secure suggested,

The best way to detect tampering is to look for unexplained network connections.

Switch off all software that uses a network; Twitter, Facebook, Gmail, etc. and monitor if the device makes any sort of network connections, and if they do, to where. Best way to do this is to set up a WiFi router with which you can observe all traffic, either from logs or by using Wireshark, or another network sniffing tool.

Another option is a full forensic examination of the device. But this is very expensive. So traffic analysis is a sensible starting point.
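The traffic check Niemelä describes can be scripted once the monitoring router's flow log has been exported. The following is an added example, not code from the article or from the researchers quoted: the CSV layout, the device and router addresses and the baseline of expected idle traffic are assumptions, and the sample log is constructed. It goes one step beyond the text by also flagging destinations contacted at regular intervals.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: flows logged at the monitoring router while every
# networked app on the device under test was switched off.
# Assumed columns: epoch seconds, source IP, destination IP, protocol, dest port.
SAMPLE_LOG = """\
1000,192.168.8.20,192.168.8.1,udp,67
1002,192.168.8.20,192.168.8.1,udp,53
1060,192.168.8.20,203.0.113.45,tcp,443
1100,192.168.8.30,198.51.100.99,tcp,443
1360,192.168.8.20,203.0.113.45,tcp,443
1500,192.168.8.20,198.51.100.7,tcp,80
# capture restarted
1661,192.168.8.20,203.0.113.45,tcp,443
1800,192.168.8.20,192.168.8.1,udp,123
1960,192.168.8.20,203.0.113.45,tcp,443
2259,192.168.8.20,203.0.113.45,tcp,443
"""

DEVICE = "192.168.8.20"  # assumed address of the returned device
# Assumed baseline: DHCP, DNS and NTP to the router itself are expected when idle.
EXPECTED = {("192.168.8.1", "udp", 67), ("192.168.8.1", "udp", 53),
            ("192.168.8.1", "udp", 123)}


def parse_flows(text, device):
    """Return (time, dst, proto, port) for well-formed rows sent by `device`."""
    flows = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue  # comments, blank lines, truncated records
        ts, src, dst, proto, port = (field.strip() for field in row)
        try:
            ipaddress.ip_address(dst)
            record = (float(ts), dst, proto.lower(), int(port))
        except ValueError:
            continue
        if src == device:
            flows.append(record)
    return flows


def unexplained(flows, expected):
    """Group flows outside the baseline by destination and flag regular check-ins."""
    by_dest = defaultdict(list)
    for ts, dst, proto, port in flows:
        if (dst, proto, port) not in expected:
            by_dest[(dst, proto, port)].append(ts)
    report = []
    for (dst, proto, port), times in sorted(by_dest.items()):
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Periodic: at least three gaps whose standard deviation is within 10% of their mean.
        periodic = len(gaps) >= 3 and pstdev(gaps) <= 0.1 * mean(gaps)
        report.append({"dest": dst, "proto": proto, "port": port,
                       "count": len(times), "periodic": periodic,
                       "interval_s": round(mean(gaps)) if periodic else None})
    return report


if __name__ == "__main__":
    for entry in unexplained(parse_flows(SAMPLE_LOG, DEVICE), EXPECTED):
        print(entry)
```

A destination that shows up here while every app is closed is a lead for closer inspection, not proof of tampering; operating system update and push services also connect on their own.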

At Berlin's Recurity Labs, Mr. Lindner provided a tip for people who have had their phones confiscated, or otherwise suspect phone modifications:

With cell phones, the key is battery life.

Review how the Etisalat BlackBerry trojan was found: The server died under load and everyone's BB drained its battery while trying to reach it. In similar modifications, the battery drain of a 5 minute call to person A is double or triple of that to person B.

Having surveillance done on a phone itself is hard, batteries are b*tches. The advanced version for phones is knowing someone with a faraday cage (or having access to a shipping container) and an IMSI-catcher. This will allow you to monitor communication over the GSM/3G interface. You can make calls and see how many channels are opened for voice etc.

Your computer and phone have been hacked and modified by British authorities. Now what?

All researchers agreed that device replacement is the safest option, as long as, with phones, the SIM card is also replaced.

Most hackers told me that once your phone or laptop has been confiscated by authorities or modified by authorities on the fly, you should just think of them as pricey paperweights.

Not all of the researchers were quite so cynical, but across the board all were skeptical about being able to effectively clean any authority-tainted devices. Because, as Lindner put it, "Defense is >10 years behind attack research. Detection of compromise is only very slowly getting attention. Recovery from compromise is absolutely blank in terms of research."

F-Secure's Niemelä reminded me that there's a difference between what low-level (and low-budget) authorities will use to modify your devices and what budgeted police will use. "Of course if anti-virus detects the spying tool then running AV cleanup could be enough, but that is more effective against tools used by private investigators than government spies."

How can we keep our private property, private?

The researchers interviewed for this article described a few ways - in some cases, their own personal precautions - in which travelers can take precautions to keep the private lives and sensitive information stored on laptops and phones, private.

The Electronic Frontier Foundation has an excellent and detailed post, Defending Privacy at the U.S. Border: A Guide for Travelers Carrying Digital Devices.

While focused on American borders (specifically digital travelers and U.S. law), it suggests a lot of techniques with which you can decide how you want to try and protect your data from authorities. The EFF's list of basic precautions in that post is invaluable.

F-Secure's Niemelä recommended, "If the device is encrypted and switched off when entering a checkpoint, the officials would have to be able to crack the encryption first before being able to tamper with the device. Which means that unless a SIM card attack is used, the user can feel quite safe even if the device is taken from their possession."

Recurity's Lindner also had great advice, more along the lines of having an OPSEC (operations security) philosophy. "Computers are cheap, stop using one for everything. If you are disciplined about that (OPSEC again), you always have a clear mental picture of what you lost when it's taken from you. Much like a wallet, basically. F*ck the Cloud - be one."

File encryption is a commonly prescribed precaution - but one hacker interviewed for this article who has worked in the infiltration and penetration field for two decades was adamant that file encryption was worthless in the face of some government tools. The EFF agrees that file encryption is not a complete solution. Even with file encryption there are attacks which can still access a device's operating system. The source exclaimed, "Once they access your OS, you're done."

According to this anonymous source, full disk encryption is the surest option because it prevents access to the operating system; suggested products included PointSec and Sophos.

Contents: unknown, and under pressure

Brazilian citizen Miranda was held for nine hours and all his electronic equipment including mobile phone, laptop, memory sticks and smart watch were taken and kept by British police.

Miranda, a 28-year-old university student, was traveling home to Brazil after visiting Germany, where he met with Emmy-nominated documentarian (and Freedom of the Press Foundation Board Member) Laura Poitras, who has worked with Greenwald and Edward Snowden while involved with her current docu about Wikileaks and whistleblowers. Greenwald said Miranda was carrying materials, but it is unknown what he was carrying.

I don't in any way intend to minimize the obviously deep bond between Mr. Greenwald and his husband with the following statement.

But I think that what is happening to David Miranda at the hands of British authorities should give every ordinary citizen of the world ice in their veins - especially those traveling through London Heathrow - when we're wondering if all we do to get detained, interrogated and have our lives violated in ways we're only starting to understand - is simply to fall in love with a journalist.

Hopefully Mr. Miranda will have all of his possessions returned to him this weekend.

Photo credit for "piggyback SIM" card - used with full permission and shot by Sean Sullivan, F-Secure. All other images: CNET. Hardware hacker in CNET photo: Limor Fried. Full disclosure: the author of this article is in a personal relationship with Rift Recon's Eric Michaud. On the basis of this disclosure, no conflict with the material was posed in regard to the subject's inclusion in the article.

Talkback

30 comments
  • tech is disposable

    A sound advice for traveling to "dangerous" places like China, or the USA has always been: use disposable tech. Buy a new laptop and mobile phone/tablet before you go and destroy them when you are back.

    Now, one has to add the UK to the list...
    danbi
    • It's back to carrying microfilm..

      and using morse code encrypted by old enigma tech, using simple circuits that change encryption constantly on the fly. For people in relatively free countries, they could get away with this; you could build the components from Radio Shack parts. Micro-dot microfilm is almost impossible to detect on a person and could even be swallowed in pill form to "recover" later. Of course I am just joking.

      Dissidents world wide already found a way to communicate by VPN using the bot net, so as not to be found out. The software/firmware for bot herding already circulates under ground. I suppose determined governments could decrypt the VPN using PRISM also, but it would be too late for actionable intelligence, and the end points constantly change anyway. Messages would be carefully crafted to be inane and indecipherable where only insiders could make sense of the message as well. Much of this depends on hand delivered messages to set up, or a trusted courier system; after that operations would only be interrupted by upgrading by regular courier service. Advance individuals in countries where such things aren't watched too closely, could deliver these important upgrades by very small computer directed UAV. These stealthy birds would be as small as a large RC toy, and self directed; a single burst GPS alarm sent out in 3G anytime flight is interrupted or completed to assure destination.

      Well now! My imagination is really going out of control here! :D
      JCitizen
  • by the way

    It's interesting that one of the products, Flexispy, does not work on non-jailbroken iPhones. One more reason to not jailbreak your devices.

    It does happily work on any BlackBerry and Nokia phone... so much about those devices' security.
    danbi
    • Yeah, don't jailbreak your iOS device...

      ...except every iOS device that is not jailbroken has the same root password.
      jcjrsmith
  • Re: Danbi

    Flexispy is consumer grade tech, it is very unlikely to be used by anything else than an abusive/suspicious spouse or private investigator.
    Jarno.niemela
    • Re: Flexispy is consumer grade tech

      Sure.

      But why can it install on some phones and not on others? Android is not even mentioned, yet it's the vast majority of phones. Your cheating spouse is more likely to own one of these.
      danbi
      • Android?

        Android is not even mentioned because it's irrelevant to the context of this article. Any advantage you see in one device over another is simply overwhelmed when government intelligence resources are applied.
        SlimSam
  • If your device is confiscated, assume it's been compromised.

    Sad state of affairs. Encrypt your data, wipe your device and put it on the cloud when traveling. Send your device by a different method and carry a dummy one loaded with honey pot data with you.
    TheSaint777
    • Can not wipe solid state memory

      Just to let you know. So you can not wipe your phone or tablet. Your data is there forever.
      TheSaint777
      • Not true

        You wipe digital memory by overwriting it. Unlike a magnetic disk drive, this leaves no "residue" for reading using sophisticated snooping tools.
        brendthess
  • Fortunately...

    the courts in the US have become less and less tolerant of the overreach of the NSA programs. I've quit calling it a "privacy" issue. That is a term for media chumps! These issues impact the 4th, 5th, and 10th Amendment issues. Those are RIGHTS, by the way! Privacy? PHHSSsh!!!
    JCitizen
    • So?

      What makes them admit to having taken it anyway?
      jessepollard
      • This abuse can't go on forever...

        here in the US - we won't tolerate it for much longer - believe me.
        JCitizen
        • i want my protection right

          my laptop's been confiscated during a search warrant along with 2 other laptops. they're gonna search through and do some kind of crime investigation that can lead them to a crime that doesn't even involve me!! and now the police wants to put or install some kind of tracking or spying device, but the judge says they have no right to do that. so now they have a guy working on it or something. working on what? installing spyware to my laptop? trying to convince the judge and get his approval? even if they get the judge's disapproval will they still try to secretly install spyware or whatever to my laptop without me knowing? or will they give me a notice if they install some kind of spying device onto my laptop? what should i expect when they return my laptop back? should i be worried? now i'm scared for my life and privacy!! what the heck is a police database anyway!? i'm just an innocent student!! who happened to be there at the wrong time!! P.S. i live in the U.S.
          mattiehernandez
          • This is simple, but not easy....

            You have multiple options. You can shred it, and buy a new one. Obviously if you wanted to do that, you would not even bother posting that comment.

            So, the second option. Take the laptop to someone who is competent with electronics, not just IT, and have them open it, and look for evidence of tampering. Look for small added circuit boards and soldered jumper wires, replace the battery, the hard drive and perhaps even the RAM and Wifi daughter boards, depending how paranoid or careful you want to be.

            Military grade malware can reside in any flash ROM chip in the system, not only the BIOS. Any flash memory (EPROM chip) for the modem, the UART chips, and the DVD ROM drive, and of course also the BIOS, and even some PCI controller chips. Extremely advanced hardware level tracking may actually replace some of the system chips themselves, you would have to verify all the serial numbers and look for solder rework evidence.

            Unless you are a secret agent, or your family is known to be plotting treasonous events, I doubt you would have to fear that level of spying. The most simple method is wipe it, give it to someone else! ... and buy a new one ... LOL
            Kieron Seymour-Howell
    • Rights?

      The UK (and the rest of the world) aren't bound to honor US constitutional rights.
      SlimSam
      • True..

        when was the UK really free anyway? They even gave up their guns! Or at least all of them save a few for the occasional farmer and sporting club. You can bet the fat cats still have them.
        JCitizen
      • That may soon change, in an indirect manner:

        Global laws are trying to align. That means that what is illegal somewhere, may become automatically illegal everywhere else. It is simply a matter of time before the UN and other groups try to enforce or persuade countries and governments to all fall under a greater global legal system that gives them veto powers and other rights anywhere globally they wish. In fact the US only recently entered into an agreement that gives foreign troops legal rights to enforce martial law on US soil. Look these things up. Ignorance of the law is NOT a valid defence.
        Kieron Seymour-Howell
    • GovReply222h

      Your rights are what we say they are.



      We are the Government, we are here to help.
      NSAagent666
      • Seriously?

        Either you are:

        1) "trying" to be funny, which is only slightly working.
        2) Being a douche and looking for attention
        3) telling the truth and seriously need to mind your own business

        Pick one, write it down and swallow it. Don't bother replying to this, no one really cares.
        Kieron Seymour-Howell