It is quite common to hear about smartphone compromises today: these intrusions allow access to data stored on the phone, or the installation of spyware. Today, it is in fact the complexity of smartphones that makes them so vulnerable to intrusions (architecture, operation) and so difficult to completely secure from a technical point of view.

The Pegasus scandal revealed to the general public in 2021 that telephone intrusions or attacks can be carried out remotely, when they have been used against journalists (from Mediapart in particular) on behalf of foreign governments. Even Jeff Besos , the CEO of Amazon, would have been hacked remotely by a simple video sent via WhatsApp messaging.

Conversely, the exploitation of vulnerabilities in secure telephones intended for criminals also allows law enforcement to dismantle major criminal networks – this is the case, for example, in the EncroChat affair , the trials of which are currently underway. course.

These examples illustrate the ongoing tension between the need to access protected data for investigations carried out to protect citizens, and the need to protect citizens against abuse of this access. So, should we make phones as secure as possible from a technical point of view, or on the contrary create “back doors” for the police and intelligence services?

Who has – and will – have the right to penetrate smartphones?

In France, the criminal procedure code and the internal security code respectively authorize the judicial police services and the intelligence services to capture computer data, that is to say to recover information as it appears on a person’s screen (or on external devices), without them being informed.

Since the law of March 23, 2019 on programming for 2018-2022 and reform for justice , it is even possible to use State means subject to national defense secrecy in order to record, preserve or transmit the data as stored in a computer system. Added to this is the possibility for the State to commission experts – in this case specialized private companies – in order to penetrate said systems.

In 2023, the Government once again attempted to increase the resources available to the police forces by inserting into the draft orientation and programming law of the Ministry of Justice 2023-2027 a provision relating to the activation remotely electronic devices without the knowledge of their owner or possessor in order to locate them in real time, activate the microphone or camera and recover recordings.

This very controversial provision was partly censored by the Constitutional Council on November 16, 2023. It considered that the remote activation of the microphone or camera of an electronic device constitutes a disproportionate attack on the right to respect for privacy, in particular because it allows third parties to be listened to or filmed who have no connection with the current case .

Only the possibility of geolocating a person in real time through the remote activation of their telephone or any other computer device such as vehicle dashboards has been declared to be in conformity with the Constitution.

How are intrusions technically possible?

Regardless of the legality of such an action, one can technically penetrate a smartphone by exploiting its “vulnerabilities”, that is, by using existing flaws at the hardware or software level .

The exploitation of vulnerabilities is today protean, as the intrusions are multiple and concern several levels. Attacks can be carried out remotely, across the network, or directly on the phone if it is physically accessible, for example a phone seized during a search. In this case, attackers use, for example, a “side channel attack” (the power consumption of a phone can in particular reveal information); create artificial errors (by “fault injection” ), or physically attack smart cards or microprocessors. These attacks make it possible to recover the encryption keys which allow access to the user’s data stored on the phone. This was the subject, for example, of the European project EXFILES .

If we progress through the layers of the phone , it is possible to exploit the flaws in the phone’s operating systems (their bugs, in other words). The more complex and functional a system is, the more difficult it is to secure it, or even to define the expected security properties .

Furthermore, in most cases, an attack alone is not enough to break into the target phone, which is why a modern exploit combines many vulnerabilities and techniques to circumvent the present countermeasures .

Finally, intrusions can target applications installed on the smartphone or communication protocols. In this case, critical phases of application use are targeted: such as key negotiation, device pairing or even over-the-air firmware updates . For example, in 2019, Google’s “Project Zero” team discovered remotely exploitable vulnerabilities on iPhones (even though they are known for their good level of security), which made it possible to take control of the phone with a simple SMS.

Like this team, many researchers and manufacturers discover and report vulnerabilities simply to have them fixed. On the other hand, other companies profit by creating “exploits” – sets of complex vulnerabilities and techniques, which allow phones to be exploited against their users and are sold to the highest bidder – including States – for sums of up to several million Euros .

Should we provide more security or, on the contrary, create “back doors”?

In 10 years, the level of security has evolved considerably. Private operators are increasing technical measures to ensure an increasingly high level of security, with new programming languages ​​for example, or high-level security modes, such as the “lockdown” mode on iPhones. , which disable many features, and therefore reduce the “attack surface” .

However, it is impossible to offer complex and 100% secure systems, particularly because the human factor will always exist. In some cases, the phone can be compromised in a way that is completely transparent to the user, this is a “zero click” attack. In others, user intervention is still required: clicking on a link or opening an attachment is considered a “one-click” attack. In any case, trickery , physical, psychological or legal coercion often remains an effective and rapid means of accessing data.

Human weaknesses sometimes represent the weakest link that is easiest to exploit in a cyberattack. xkcd , CC BY-NC

The increasing difficulties in penetrating smartphones are pushing the police services, notably through the voice of their minister in October 2023, to regularly request the establishment of “backdoors” which allow privileged access to telephones.

Thus, in the 1990s, the NSA wanted to impose on telecommunications manufacturers and operators an encryption chip, the “Clipper Chip” , which included such a back door allowing intelligence services to decrypt communications.

In the same vein, police forces sometimes contact manufacturers to give them access to equipment, which causes tensions with private operators. In 2019, Apple denied such access to the FBI , which ended up using a hardware attack on the phone in question.

More recently, in November 2023, many researchers opposed an article in the European eIDAS regulation that would force browsers to include certificates imposed by European governments. Such certificates would make it possible to intercept secure communications (HTTPS) of citizens, without browser publishers being able to revoke these certificates if they were used improperly.

We believe that reducing system security by introducing backdoors harms everyone’s security. On the contrary, increasing smartphone security protects citizens, especially in countries where individual freedoms are contested.

If mass surveillance and the insertion of backdoors into products are a danger to democracy, would exploiting existing vulnerabilities be a more “democratic” way of collecting information for judicial purposes? Indeed, these techniques are necessarily more targeted, their cost high… and if these flaws are massively exploited they are quickly detected and corrected. With the constant increase in phone security, how long will this be economically feasible for police and judicial services?

Indeed, although the elimination of all vulnerabilities is undoubtedly illusory, is the cost of their discovery and exploitation becoming exorbitant or will the evolution of vulnerability discovery techniques make it possible to reduce their cost  ?

Author Bios: Aurélien Francillon is Professor of IT security at EURECOM, Institut Mines-Télécom (IMT) and Noémie Véron is a Lecturer in Public Law at the University of Lille