The six-week murder trial of South Carolina lawyer Alex Murdaugh mesmerized the nation earlier this year. Murdaugh, a member of a well-known legal family, was charged and later convicted of the June 2021 murders of his wife, Maggie, and his youngest son, Paul. The conviction was far from certain, as the evidence was circumstantial. The critical piece of evidence, according to the jury, was Paul’s cellphone video recovered by the U.S. Secret Service. This video had Alex’s voice yelling at one of their dogs just moments prior to the murders.

Murdaugh swore he was nowhere near the crime scene. During interviews the night of the murders and during all the legal proceedings leading up to the main trial, he stuck to that story. It was only in the days leading up to the main trial itself that the Secret Service was able to brute force its way into his deceased son’s phone and recover the video that blew apart Alex’s alibi. It was after this video revelation that Murdaugh had to admit that he was at the scene of the murders.

A brute force “attack” is a trial-and-error hacking method to gain unauthorized access to a device. There are several brute force methods. A simple attack is not using any special tools, but continually tries to log in using easily identified passwords such as ‘abc123’, ‘password123’ or birth dates.

Local law enforcement in South Carolina was unable to unlock Paul’s phone, but they reached out to the Secret Service for additional assistance. The agency then used a tool kit from an Israeli company, Cellebrite, which can unlock, decrypt and extract data on both iOS (software version 7 to 13.3) and Android devices.

The Cellebrite Premium kit comprises a laptop preloaded with specifically designed software, specialized adapters and licensing dongles that are required to allow the software to run. The capabilities include everything from accessing messages or photos, to full file systems access, which includes passwords stored on the devices themselves.

Cellebrite, founded in 1999, boasts a global presence, with more than 6,900 clients, many of which are public safety agencies. As the law-abiding citizen I know you are, you are probably thinking, this is interesting, but so what?

From what I’ve researched, the mobile device-cracking technology is limited to Cellebrite. One of the things you learn when it comes to cybersecurity, is that no matter how locked down a physical device or piece of software is, with enough time and resources, someone can figure their way around those safeguards.

Will anyone ever get their hands on this toolkit and reverse engineer how it all works? How long before it’s replicated and easily accessible to more nefarious individuals? Are your passwords appropriately configured on your phone so if someone gained access, they couldn’t immediately login to all of your other private applications, such as banking?

Here are a few steps to consider to better protect yourself:

Enable multifactor authentication where possible. This advice may sound like a broken record, but the annoyance of taking an extra few seconds to enter the second authentication can avoid a world of pain. If someone accesses your most sensitive information, you’ll wish you had enabled the extra log-in step.

Use longer passphrases. We have been accustomed to passwords between 8-12 characters. Most of those are not memorable and lead to reusing the same ones over and over. Consider using a longer passphrase that is much more difficult to crack, but significantly easier to remember. An example would be “In2023We’reGoingtotheBeach!”

Use a password manager such as 1Password or Bitwarden. A password manager can prevent reusing the same password on multiple websites, ensure the passwords are complex, and avoids using personal information as the password. Password managers also have the added ability to share with trusted family members that can access your accounts in the event of an emergency, such as a spouse.

Enable the longest PIN you can on your mobile device.

Ensure your mobile device screen is locked when you set it down.

If you manage a system where other people log in, make sure to limit the amount of failed login attempts and lengthen the character limit on what a password can be, and ensure old, unused accounts are disabled.