Slashdot Mirror


Cops Told 'Don't Look' at New iPhones To Avoid Face ID Lock-Out (vice.com)

As Apple continues to update its iPhones with new security features, law enforcement and other investigators are constantly playing catch-up, trying to find the best way to circumvent the protections or to grab evidence. From a report: Last month, Forbes reported the first known instance of a search warrant being used to unlock a suspect's iPhone X with their own face, leveraging the iPhone X's Face ID feature. But Face ID can of course also work against law enforcement -- too many failed attempts with the 'wrong' face can force the iPhone to request a potentially harder to obtain passcode instead. Taking advantage of legal differences in how passcodes are protected, US law enforcement have forced people to unlock their devices with not just their face but their fingerprints too. But still, in a set of presentation slides obtained by Motherboard this week, one company specialising in mobile forensics is telling investigators not to even look at phones with Face ID, because they might accidentally trigger this mechanism.

"iPhone X: don't look at the screen, or else... The same thing will occur as happened on Apple's event," the slide, from forensics company Elcomsoft, reads. Motherboard obtained the presentation from a non-Elcomsoft source, and the company subsequently confirmed its veracity. The slide is referring to Apple's 2017 presentation of Face ID, in which Craig Federighi, Apple's senior vice president of software engineering, tried, and failed, to unlock an iPhone X with his own face. The phone then asked for a passcode instead. "This is quite simple. Passcode is required after five unsuccessful attempts to match a face," Vladimir Katalov, CEO of Elcomsoft, told Motherboard in an online chat, pointing to Apple's own documentation on Face ID. "So by looking into suspect's phone, [the] investigator immediately lose one of [the] attempts."


  1. This is why the US needs laws like AU by Anonymous Coward · · Score: 1, Funny

    Simply outlaw personal use of cryptography, and require manufacturers to provide a backdoor code. Then we won't need police officers jumping through a lot of hoops trying to get around privacy laws.

    1. Re:This is why the US needs laws like AU by mark-t · · Score: 1

      That's true... instead, all of that police effort and then some will have to be focused on protecting the millions of innocent people who have been made more vulnerable by the weakening of such encryption.

    2. Re:This is why the US needs laws like AU by cmarkn · · Score: 1

      Criminals and spies would just love for all devices to have backdoors.

      --
      People should not fear their government. Governments should fear their people.
  2. Re:Is this a joke? by renegade600 · · Score: 1

    No, it is not. The courts have ruled that a search warrant is needed to get PIN numbers and passwords but one is not needed for fingerprints. The authorities believe the justification for not needing one for fingerprints is the same for face scans.

  3. If you gaze ... by PPH · · Score: 2

    ... into the abyss, the abyss will gaze into you.

    --
    Have gnu, will travel.
    1. Re:If you gaze ... by ole_timer · · Score: 1

      ah, but what does gnu stand for?

      --
      nothing to see here - move along
    2. Re:If you gaze ... by PPH · · Score: 1
      --
      Have gnu, will travel.
  4. cover the camera by redback · · Score: 1

    How long before LEOs are issued with devices to cover iphone front cameras

    1. Re:cover the camera by ole_timer · · Score: 1

      it's called masking tape...see what i did?

      --
      nothing to see here - move along
  5. "They" being the NSA maybe... by SuperKendall · · Score: 1

    ...but not local LE who have not quite that level of gear or skill.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  6. Just do what I do... by Locke2005 · · Score: 2

    I use my dog's face to unlock my phone.

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
    1. Re:Just do what I do... by 93+Escort+Wagon · · Score: 2

      I use my dog's face to unlock my phone.

      Sounds good - can I borrow your dog?

      --
      #DeleteChrome
  7. Re:No iPhone in prison for Trump. by Locke2005 · · Score: 2

    Trump can't use the iPhone... every time he stares into a digital camera, the CCD breaks!

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  8. Re:Is this a joke? by Anonymous Coward · · Score: 1

    If you're going to call people out as stupid, you really ought to work on your spelling.

  9. Re:Is this a joke? by AHuxley · · Score: 1

    AC think back to pre PRISM. People still trusted big US brands not to be totally wide open to governments.
    To ensure people still communicate and trust their big brand device after PRISM the big brand junk crypto has to be seen to work again.

    --
    Domestic spying is now "Benign Information Gathering"
  10. Re:Is this a joke? by CaptainDork · · Score: 4, Insightful

    Yep.

    There are two classes of information involved in searches: Things you have and things you know.

    Bio-metrics are things you have. Pass codes are things you know.

    The things you have are subject to search. The things you know are protected by the 5th Amendment.

    --
    It little behooves the best of us to comment on the rest of us.
  11. Re:Is this a joke? by Rick+Zeman · · Score: 1

    Yeah, these types of cases are why I wish Apple would offer two factor authentication: Either fingerprint and PIN or facial and PIN.
    Fingerprint-only you might be able to game til the phone locks because the po-po don't know what fingers are registered...but you only have one face.

  12. Re:Is this a joke? by willy_me · · Score: 2

    How about "Hey Siri, lock the phone."

    No idea if this works but it would make for a reasonably simple, non-intrusive solution.

  13. Re:Is this a joke? by ShanghaiBill · · Score: 4, Informative

    the justification for not needing one for fingerprints is the same for face scans.

    Correct. In Maryland v King the Supreme Court put DNA scans in the same category. No warrant or probable cause is needed.

    From the ruling: "taking and analyzing a cheek swab of the arrestee's DNA is, like fingerprinting and photographing, a legitimate police booking procedure that is reasonable under the Fourth Amendment."

  14. I'd like a distance lock by alispguru · · Score: 1

    Where my phone would lock if it got more than 5 feet away from my Apple Watch.

    Apple already has a system for detecting your Apple Watch for logging into Mac desktop/laptops, so this isn't much of a stretch.

    --

    To a Lisp hacker, XML is S-expressions in drag.
  15. Re:Is this a joke? by CaptainDork · · Score: 1

    What I'd like to see is a double login: one for access, the other for self-destruct (or at least a wipe until iCloud restore).

    So, for FaceID, blink three times and for touch, pinky and for PIN, an alternate.

    When those are detected, it's brick time.

    --
    It little behooves the best of us to comment on the rest of us.
  16. So does my laser pointer by The+Grim+Reefer · · Score: 1

    It states right on the sticker, "Do not look at with remaining eye"

  17. Narcissist by jabberw0k · · Score: 1

    Wait, these cameras point at the user? Seriously? What kind of narcissist would want a camera that points at THEMSELVES? Would that not be some kind of mental disorder?

    1. Re:Narcissist by PPH · · Score: 1

      Video conferencing.

      --
      Have gnu, will travel.
  18. Re: Is this a joke? by saloomy · · Score: 1

    The iPhone requires that you look at it or give it attention. Can the police demand through a warrant that you look at the phone? Can a warrant even demand that?

    "Sir, you are hereby ordered by a court of law to look at the camera". - I don't know if this is legal. A warrant allows the search and seizure, not compelling action.

    I think if the police tried to make me look at my phone by force, I'd just shut my eyelids. If they try and force my eyelids open, their hands would just disqualify the read, and even then, I'd look as far away as possible.

  19. I wonder which is easier to teach by nehumanuscrede · · Score: 1

    Police: Don't look into the subject's phone so it doesn't lock you out.

    or

    Non-Police: Don't use biometrics ( face-id or fingerprints ) to unlock your phone in the first place.

    If you just stick to a decent password, not only will it help those forgetful law enforcement types ( because it won't matter if they look at your phone or not ) but you also cannot be forced to give up a password ( in the US at least . . . . for now ) so it's a win-win for everybody :D

    Personally, I think the phones should have an emergency user-configurable duress code. Key it in even once and the phone encrypts the entire phone ( just to be sure ) to some random key ( plausible deniability. . . . you truly won't know the passcode to unlock it at that point ) or just runs an embedded version of Bleach-Bit ( or similar ) that kills any hope of pulling any data from the device at all.

    On that thought, I wonder if the App Store would even allow such an app to begin with.

    Let's put their ' privacy for the consumer ' speeches to the test shall we ?

     

    1. Re:I wonder which is easier to teach by tlhIngan · · Score: 1

      If you just stick to a decent password, not only will it help those forgetful law enforcement types ( because it won't matter if they look at your phone or not ) but you also cannot be forced to give up a password ( in the US at least . . . . for now ) so it's a win-win for everybody :D

      Personally, I think the phones should have an emergency user-configurable duress code. Key it in even once and the phone encrypts the entire phone ( just to be sure ) to some random key ( plausible deniability. . . . you truly won't know the passcode to unlock it at that point ) or just runs an embedded version of Bleach-Bit ( or similar ) that kills any hope of pulling any data from the device at all.

      It was tried. Before we used fingerprints, the vast majority of phones did not even have a simple 4-digit PIN on them. Why? Because it was discovered that entering a 4-digit PIN was too much effort, when done about 1,000 times a day. Or more correctly, if you're only going to glance at your phone for under 30 seconds, spending 5 to unlock it was a huge deterrent.

      And yes, that's the usage pattern of a lot of phones - the phone is unlocked to check status and everything which takes a few seconds, but happens hundreds of times a day. So even if they had a PIN set up, it quickly got disabled just out of annoyance.

      Biometrics boosted the number of locked phones since you're not entering your password thousands of times a day.

      Of course, because of the police thing a number of phones have a "disable biometric" mode. For iOS, press the side button and either volume up or down button for a second and it'll enter "SOS" mode. This requires the password to be entered in order to unlock the phone.

  20. Re: Is this a joke? by Cmdln+Daco · · Score: 1

    Can't the police come up with a trivial opaque 'evidence' sticker to immediately place over the front facing camera on iPhones? They could just make certain to all carry said stickers and be ready to use them.

  21. Alter your expression by aquabat · · Score: 2

    Not sure how finicky the facial recognition is on these things, but couldn't you just stick out your tongue or something when registering your face ID? Whenever you wanted to unlock the phone, you would stick out your tongue again. If someone pointed your phone at you in an attempt to unlock it, you could just sit there and do nothing, and the phone would register a failed attempt, right?

    --
    A republic cannot succeed till it contains a certain body of men imbued with the principles of justice and honour.
  22. Re: Idiot cops go fishing in a dry well - a dumb p by Seven+Spirals · · Score: 1

    Smart enough to figure out how to login, at least, Coward.

  23. Re: Idiot cops go fishing in a dry well - a dumb p by Cmdln+Daco · · Score: 1

    Clash song. Not D.K.

  24. Re:Is this a joke? by Anonymous Coward · · Score: 2, Informative

    "Hey Siri, whose phone is this?" will require a passcode as long as the phone is locked when you ask the question.

  25. self destruct on first failure by yes-but-no · · Score: 1

    Why wait for 5 attempts? Just one failure and lock-out; even send some SOS for help. You know there is no reason someone should be looking into your phone [maybe provide an exception set like for family]

  26. Re:Is this a joke? by GrandCow · · Score: 1

    I waffled between modding you up and replying saying that you are 100% correct. Hopefully someone else mods you up.

    This is currently built into the phone and I just tried it on my personal 6S+ running iOS 12.0.1.

    "Hey Siri, whose phone is this?" immediately prevents the phone from using TouchID. It gives contact info about the owner (the phone number), but also immediately prevented me from using my fingerprint. The only way back into my phone was the passcode.

    I tried this 5 different times just to make sure my finger wasn't in a bad spot, every single time after asking Siri whose phone it was. My fingerprint was immediately disabled and I needed the passcode every time. I've never had my phone mistake my fingerprint more than once before unlocking, and each time after unlocking after asking Siri, I did lock the phone again and confirm my fingerprint was working.

    --
    "Well kids, you tried your best, and you failed. The lesson is, never try." -Homer Simpson
  27. Re: Is this a joke? by cmarkn · · Score: 1

    There is no evidence destroyed. It is still there on the phone, it just requires a warrant to get it instead of ignoring the Constitutionally-protected right to remain silent by breaking into the phone without a warrant. This story illustrates yet another way cops routinely violate the rights of citizens.

    --
    People should not fear their government. Governments should fear their people.
  28. Re: Idiot cops go fishing in a dry well - a dumb p by LocalH · · Score: 2

    The Dead Kennedys released the version that the OP was quoting. The Clash version said "I fought the law and the law won"

    --
    FC Closer
  29. Re:Idiot cops go fishing in a dry well - a dumb ph by LocalH · · Score: 1

    Then you didn't listen to the Dead Kennedys song the OP was quoting, you listened to a different version.

    --
    FC Closer
  30. Re: Idiot cops go fishing in a dry well - a dumb p by Cmdln+Daco · · Score: 1

    Dozens of groups have covered the Clash's song.

  31. Re:Is this a joke? by AmiMoJo · · Score: 1

    On Android just discreetly hold down the power button for a few seconds and it will shut down, disabling fingerprint/face unlock until the passcode is entered.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  32. Re:Is this a joke? by CaptainDork · · Score: 1

    Have to be careful.

    It is a crime to toss evidence in a car chase.

    Many times, the discards are guns and drugs.

    Because there is probable cause, the actor knows that she is evading.

    My iPhone will brick on the 11th failed passcode.

    I could change that to 3, if I'm pretty sure I'll be stopped.

    However, punching numbers to induce lock-out in the presence of LEO, under some circumstances, can be illegal.

    An example is the immediate presence of danger to self or police or to the public.

    --
    It little behooves the best of us to comment on the rest of us.
  33. SOS mode by andymadigan · · Score: 2

    I'm amazed nobody has mentioned this yet.

    - Go to Settings->Emergency SOS

    Make sure "Call with Side Button" is on (that's the default) and turn off Auto-Call.

    On any iPhone with Face ID, pressing the side button 5 times will now activate Emergency SOS mode, which immediately disables Face ID. There's a similar mode on Touch ID devices.

    So, any time you're going through TSA, a border crossing, or see a cop heading towards you, press the side button 5 times. The phone will vibrate twice to indicate it's working. You don't even need to take it out of your pocket.

    I'm sure Android has something similar, but the process would be device/skin-specific.

    --
    The right to protest the State is more sacred than the State.
  34. Re:Fingerprint unlock by Audguy · · Score: 1

    There is, just click the wake button 5 times

  35. Re: Idiot cops go fishing in a dry well - a dumb p by Seven+Spirals · · Score: 1

    Yeah, but the Dead Kennedys did their version specifically to highlight the murder of Harvey Milk by a cop who said he ate too many Twinkies. The chorus "I Fought the Law and I won." is much different (as a previous poster pointed out) than The Clash version because DK wanted to highlight the injustice and ridiculous nature of the case. They also say "I AM the law so.... I won." that lyric points to the fact that the murderer was a local cop. Not to say I don't like The Clash's version, it's pretty great, it just didn't fit the occasion I was acting out in.