Using Bluetooth & NFC as a Smartphone Backdoor

Guest Blogger: Chief Todd A. Faulkner, Hinsdale Police Department

One of the biggest barriers for every investigator is locked devices. We hear countless suggestions that are about tools, but what about adjustments in seizure techniques that can work with any tool? For example, Android version 5.0 Lollipop included “Smart Lock,” and the issues with unlocking these devices start there. However, it did not lock out devices paired with the smartphone.

This pairing link can give us just the backdoor we are looking for: we can use that connection as a method to get into the locked device. Both Bluetooth and NFC can work for this pairing backdoor, which can help with processing the device. It is important to note that you would want to have the acquisition method on scene with you so you can use this option whenever possible.

The process works like this: when an Android device is initially connected to a Bluetooth device, it will ask the owner if they want to allow the device to remain unlocked when connected to the “trusted” device. It will warn the user that by doing so they are at risk of other people having access to their phone if it is connected to the trusted device. While that connection is active, it typically allows the device to remain unlocked, and you can connect to it through a cable connection and process it with any of the tools out there. The device being with the “trusted” Bluetooth device tells Android that it is safe to unlock and remain unlocked. The trusted device can be anything from a smartwatch, headphones, or car Bluetooth to a computer system. One of the main devices that we have seen “trusted” more regularly is the headphone. The user often does not want to have to unlock their phone every time they change songs during their workout, etc. So, before you leave the scene, don’t forget to grab those Beats or iFrogz. It is important to note that unless Bluetooth is already activated on the target device, the device will require the passcode (gesture, PIN, biometric, etc.) before Bluetooth can be activated and it can connect to another device.

This can also be true for a device with an NFC tag. The difference here is that an NFC tag must be touched to the device to unlock it, and the device will re-lock when the set lock time elapses. Please note that if you use this device, you will need to change the timeout settings to ensure the device does not keep relocking on you while it is being processed.

The other item to note is that you won’t know if a device is a trusted device until you try it, so grabbing all of the devices that are Bluetooth can be very beneficial. You will also want to include the suspect’s vehicle in your quest for Bluetooth and include wording that allows you to do a live connection and unlock of the device with the vehicle should you need to. Understand that this will require a live image, on scene, as you won’t be able to disable the passcode with the Bluetooth unlock and will merely be able to process the device while it feels it is still in a trusted environment. I do not worry about vehicle year anymore, as there are so many aftermarket radios and devices for car hands-free capabilities that the argument of “it’s not a new enough car to support Bluetooth” goes right out the window.

There are some special considerations that allow this process to work: you will need to maintain power to the unit and possibly the Bluetooth device (watch, etc.) so that you don’t lose the connection. It is recommended that you work on scene if possible to guarantee you can exploit this pairing option for the unlock.

My department has validated this on several devices and it really can be helpful and save some serious headaches, but ultimately getting the suspect to give up the password is the most ideal option. Sometimes it can be just as simple as the adjustment to the seizure and making sure you gather accessories and know that those accessories can work to help you get around some locks.

[Images: User Setup of Trusted Device; Add Trusted; Smart Lock]