
> if you use a strong alphanumeric password to unlock your phone, there is nothing Apple has been able to do for many years to unlock your phone

Is this true even if you use Touch ID?




Probably not. If you're dead, they probably have your fingers. If you're alive, they can compel you to unlock the device with your fingerprint.

The only point I'm making is that Apple already designed a cryptosystem that resists court-ordered coercion: as long as your passcode is strong (and Apple has allowed it to be strong for a long time), the phone is prohibitively difficult to unlock even if Apple cuts a special release of the phone software.


Using a strong pin is pretty annoying, and a relatively visible signal when using the phone on the street etc., so it can be a good filter (maybe via street cams) to filter suspicious people - which isn't a bad goal for law enforcement.


That sounds good until you remember the Bayesian Base Rate Fallacy: there are very few terrorists (the base rate of terrorism is very low), so filtering on "people with strong passphrases" is going to produce an overwhelming feed of false positives.


Be careful not to take the base rate fallacy too far: with enough difference in likelihood, even a small base rate won't prevent an effect from being significant, and regardless of the base rate you'll still get some information out of it; it might just not be as much as you wanted.


Nobody cares that you're using an alphanumeric passcode on your iPhone.

Some corps require or strongly encourage it. My employer does.

And most parents I know use alphanumeric to keep their kids from wiping their phones and iPads just by tapping the numbers. (A four digit number code auto-submits on the 4th tap, so all it takes is 40 toddler taps. An alphanumeric code can be any length and won't submit unless the actual submit button is tapped.)


Corporate email profiles on BYOD phones often enforce a long passcode requirement, so you've got a lot of Fortune 500 sales guys to screen out if you're stopping and searching anybody with a suspiciously long password.


I'm at a loss as to how alphabet agency can determine a weak passcode vs strong passcode was used. How does a pin get stored on the phone? Surely not plain text of a 4 digit pin. If they do any encryption to the 4 digit pin, how would it appear any different than a significantly stronger passcode?


The grandparent post was about determining the complexity of a PIN/Passcode by watching it being entered - more screen interaction = more complex.


It uses a different screen. If you have a 4 digit pin, the entry screen looks a lot like the phone dialer, with the numbers 0-9.

If you have a stronger passcode, you see a full keyboard instead.


The prompt is different based on the type of code you use.


Except that with Touch ID, you only have to enter it when you reboot the phone, or if you've mis-swiped 5 times. I've had a strong pin for a couple of years, and really don't find it even a slight inconvenience (in the way that I use a super-weak password for Netflix, as entering passwords on an Apple TV is a real pain)


People who desire to be secure in their electronic papers and effects are not and should not be considered "suspicious people".


If they have access to a live finger for the TouchID, sure they can bypass - but they could do that with the $5 guaranteed coercion method as well [1].

Copying a good fingerprint from a dead finger or a randomly placed print is not easy [2]. It's hard, doable but you get 5 tries so if you screw up, you have thrown away all the hard work of the print transfer.

All bets are off if the iPhone is power-cycled. Best bet if you're pulled over by authorities or at a security checkpoint is to turn off your iPhone (and have a strong alphanumeric passcode).

[1] https://xkcd.com/538/

[2] https://blog.lookout.com/blog/2013/09/23/why-i-hacked-apples...


> All bets are off if the iPhone is power-cycled. Best bet if you're pulled over by authorities or at a security checkpoint is to turn off your iPhone (and have a strong alphanumeric passcode).

Excellent advice. Even better, if you're about to pass through US customs and border patrol, back up the phone first, wipe, and restore on the other side. Of course, this depends on your level of paranoia. I am paranoid.


If you're paranoid, making a complete copy of all your secrets on some remote Apple or Google "cloud" where the government can get at it trivially is the exact opposite of what you want to be doing.


If you're paranoid, you don't have a cell phone.


Or you have several, and send them on trips without you, etc.


Well, yeah, if you back it up with a 3rd party backup tool, you are trusting the 3rd party.

I recommend you make a backup to your laptop, which you then encrypt manually. That way the trust model is: you trust yourself. Then you can do whatever you want with the encrypted file. Apple's iCloud is perfectly fine at this point.

The real challenge is to find a way to restore that backup, because you have to be on a computer you trust. If you decrypt the backup on a "loaner" laptop, your security is broken.

If you decrypt the backup on your personal laptop but the laptop has a hidden keylogger installed by the TSA or TAO, your security is broken.

It would be necessary to back up the phone on the _phone_ _itself_. Then manually encrypt the file (easy to do). Then upload to iCloud. At this time, no such app exists for iOS.

Since you plan to restore the backup to the phone anyway, it's no problem to decrypt a file on the phone before using it for the restore.


> I recommend you make a backup to your laptop, which you then encrypt manually.

You mean your laptop that was manufactured by a 3rd party, with a network card that was manufactured by a 3rd party? And you're using encryption software that, even if it's open source, you probably aren't qualified to code review. I'm not downplaying the benefit of being careful, but unfortunately you can keep doing that pretty much forever.


All laptops and cameras entering the US are subject to search and seizure.


Well you can make an encrypted Backup via iTunes (that would involve firing up iTunes though shudders)


There's a reason Google decided to encrypt all communication between machines inside their datacenters.


Are you sure it's not just communication between data centres?


Probably not. FB is doing the same thing. In most cases your app or service does not actually know if the remote service it is talking to is local or in another DC. Yes, you can find out if you need to, but that requires contacting another service and introduces some delay and latency. Use a service router to try to keep the calls local to a rack or a DC, but you know that if there are problems with local cells you might get routed across the country so start with the assumption that _all_ connections get encrypted even if the connection is to localhost.


backup => zip/rar => encrypt with pgp or whatever => split => upload various parts to different cloud storage providers => wipe device => pass checkpoint => download => combine => decrypt => uncompress => restore.

It's not trivial, but it's sure easy to do in this day and age.


What data is likely on someone's phone that is not also in the cloud one way or another?


I wonder this too. The only personal data on my phone are my text and email messages. I'm not sure how other data would get onto the phone.


Wiping the phone doesn't help you. Using the strong password renders the information inaccessible, at least as inaccessible as your phone backup is. Touch ID isn't re-enabled until the phone's passcode is used. Presumably if the authorities have access to your phone's memory they also have access to your laptops, and neither will do them any damn good.

And it's paranoia if there's a legitimate threat, that's just called due diligence. ;)


> Touch ID isn't re-enabled until the phone's passcode is used.

Do the docs confirm that there is no way around this? I'd guess generating the encryption key requires the passcode, which is discarded immediately, and Touch ID can only "unlock" a temporarily re-encrypted version which never leaves ephemeral storage?


From the iOS Security Guide - How Touch ID unlocks an iOS device;

  If Touch ID is turned off, when a device locks, the keys for Data Protection class
  Complete, which are held in the Secure Enclave, are discarded. The files and keychain
  items in that class are inaccessible until the user unlocks the device by entering his
  or her passcode.

  With Touch ID turned on, the keys are not discarded when the device locks; instead,
  they’re wrapped with a key that is given to the Touch ID subsystem inside the Secure
  Enclave. When a user attempts to unlock the device, if Touch ID recognizes the user’s
  fingerprint, it provides the key for unwrapping the Data Protection keys, and the
  device is unlocked. This process provides additional protection by requiring the
  Data Protection and Touch ID subsystems to cooperate in order to unlock the device.
  The keys needed for Touch ID to unlock the device are lost if the device reboots
  and are discarded by the Secure Enclave after 48 hours or five failed Touch ID
  recognition attempts.
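
The key handling in the quoted guide passage, modelled as an added example (not part of the thread and not Apple's code). The class name, the PBKDF2 passcode derivation, the XOR "wrap", the string fingerprint match and counting the 48 hours from the last unlock are all assumptions standing in for hardware behaviour.

```python
import hashlib
import hmac
import secrets

MAX_FAILED_MATCHES = 5          # "five failed Touch ID recognition attempts"
MAX_IDLE_SECONDS = 48 * 3600    # "discarded ... after 48 hours"


def _xor(a: bytes, b: bytes) -> bytes:
    # Stand-in for real key wrapping: one-time pad with a fresh 32-byte key.
    return bytes(x ^ y for x, y in zip(a, b))


class EnclaveModel:
    """Toy model of the quoted key lifecycle; hypothetical, not Apple's design."""

    def __init__(self, passcode: str, enrolled_finger: str, touch_id_on: bool = True):
        self._salt = secrets.token_bytes(16)      # stand-in for a device-bound secret
        self._check = hashlib.sha256(self._derive(passcode)).digest()
        self._enrolled = enrolled_finger          # string match stands in for the sensor
        self.touch_id_on = touch_id_on
        self.class_key = None                     # in the clear only while unlocked
        self._wrapped = self._touch_key = None    # exist only while locked, Touch ID on
        self._fails = 0
        self._last_unlock = 0

    def _derive(self, passcode: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 10_000)

    def _discard_touch_key(self) -> None:
        # Without the unwrapping key the wrapped blob is useless, so drop both.
        self._wrapped = self._touch_key = None
        self._fails = 0

    def unlock_with_passcode(self, passcode: str, now: int) -> bool:
        key = self._derive(passcode)
        if not hmac.compare_digest(hashlib.sha256(key).digest(), self._check):
            return False
        self.class_key, self._last_unlock = key, now
        self._discard_touch_key()
        return True

    def lock(self) -> None:
        if self.class_key is not None and self.touch_id_on:
            self._touch_key = secrets.token_bytes(32)   # handed to the Touch ID subsystem
            self._wrapped = _xor(self.class_key, self._touch_key)
        self.class_key = None                     # the clear key never survives a lock

    def reboot(self) -> None:
        self.class_key = None
        self._discard_touch_key()                 # volatile state is lost on reboot

    def unlock_with_finger(self, finger: str, now: int) -> bool:
        if self._touch_key is None:
            return False                          # only the passcode can unlock now
        if now - self._last_unlock > MAX_IDLE_SECONDS:
            self._discard_touch_key()
            return False
        if finger != self._enrolled:
            self._fails += 1
            if self._fails >= MAX_FAILED_MATCHES:
                self._discard_touch_key()
            return False
        self.class_key, self._last_unlock = _xor(self._wrapped, self._touch_key), now
        self._discard_touch_key()
        return True
```

In this model a correct fingerprint is useless after a reboot, 48 idle hours or five bad matches, because the only thing it could release has already been thrown away.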


TouchID I believe unlocks the passcode so the phone can use it to login, but TouchID itself is not enabled until you enter it once, presumably because it isn't actually stored on the device in a readable way.


OK, I guess the effect is the same (as long as the passcode isn't recoverable until after startup). Thanks.


Could the "code equivalent" of your fingerprint be stolen by a rogue app if it's allowed to read it? I don't have a touchId phone but have wondered what would happen if your "print" is stolen -- passwords can at least be changed.


Speaking as an App Developer, we cannot touch stuff like that. We're allowed to ask Touch ID to verify things and process the results, but we don't actually get to use the Touch ID system. It's similar to how the shared keychain is used: We can ask iOS to do things, but then must handle any one of many possible answers. We don't actually see your fingerprint in any way.

Now Cydia and 3rd party stuff? I have no clue.


iOS itself does not see fingerprints, it refers to SE.


Wouldn't surprise me if true, iOS as a whole is built in a very modular fashion when it comes to the different components of the OS and developers only get access to what Apple deems us worthy of, hehe. Not that I want access to Touch ID, I much prefer to not have access to that...


Can non-US citizens be coerced into giving up their passcode?


Depends on if they're at a border crossing or in the interior of the country. Laws apply to citizens and non-citizens alike. If you haven't been admitted to the country, about the most they can do is turn you away at the border checkpoint and put you on the next flight back to your home country.


and if you're a citizen of the country you're trying to enter...


Then the TSA drops a paper clip while you bend over and pick it up


No, at least, not by the DOJ, and not for any use in a court of law.


We wrote about this in our border search guide and concluded that there is a risk of being refused admission to the U.S. in this case (in the border search context) because the CBP agents performing the inspection have extremely broad discretion on "admissibility" of non-citizens and non-permanent residents, and refusing to cooperate with what they see as a part of the inspection could be something that would lead them to turn someone away. (However, this is still not quite the same as forcing someone to answer in the sense that they don't obviously get to impose penal sanctions on people for saying no.)


One reason I'll never visit the states.

If I absolutely had to I just wouldn't take a phone/laptop with me.


"they don't obviously get to impose penal sanctions on people for saying no"

I wonder if there are any negative effects associated with being refused entry by a CBP? Could it be the case that if you are refused entry once, that in the future they will be more likely to refuse you entry? If so, that's a fairly significant penalty/power that the CBP person has.


> I wonder if there are any negative effects associated with being refused entry by a CBP? Could it be the case that if you are refused entry once, that in the future they will be more likely to refuse you entry? If so, that's a fairly significant penalty/power that the CBP person has.

Yes, some categories of non-citizen visitors (I don't remember which) are asked on the form if they have ever been refused entry to the U.S. (and are required to answer yes or no). If they're using the same passport number as before, CBP likely also has access to a computerized record of the previous interaction.


Plenty of countries will ask if you've ever been refused entry to any country. And you're also generally automatically excluded from any Visa Waiver Programme from then on too. So it's a major issue.


> If they're using the same passport number as before, CBP likely also has access to a computerized record of the previous interaction.

(They might also be able to search their database by biographical details such as date of birth, so getting a different passport may not prevent them from guessing that you're the same person.)


It is not a good bet if you're pulled over by the authorities to be doing something with your hands that they can't reliably identify as different from preparing a weapon. Particularly if not white.


This would prevent people from recording police abuse ...


Power-cycling can be done relatively quickly - in 10sec with two fingers (no swipe), or 5 sec + swipe if you only have one hand available.


> "Copying a good fingerprint from a dead finger or a randomly placed print is not easy [2]. It's hard, doable but you get 5 tries so if you screw up, you have thrown away all the hard work of the print transfer."

You get plenty of tries to perfect the technique, before using it on the actual device.

You acquire identical hardware and "dead finger countermeasures" (does the iphone employ any? Some readers look for pulses and whatnot, I don't know if the iphone does). You then practice reading the fingerprint on that hardware until you are able to reliably get a clean print and bypass any countermeasures. Only then do you try using the finger on the target phone.

You might still fuck it up, and you only get 5 chances on the target hardware. But with practice on the right hardware, I see no reason why you couldn't get it.


There's also a 48 hour window and touch ID doesn't work initially after booting.

https://support.apple.com/en-us/HT204587

Great design.


Not only the amount of work, technology and thought that have gone into this, but also how well this has been implemented is mind-blowing.


It really shows the staggering difference between having a Samsung phone with fingerprint security versus an iPhone.


Is it only five fails on TouchID to delete data? I don't have the option to delete the data enabled on my iPhone... but it often takes more than five tries to just get it to work on my finger that is legitimately registered in touchID.


After five failures you cannot use Touch ID to unlock and will instead need the passcode to access the phone again. This means that any approach to fooling the fingerprint reader will need to be done within five tries.


No, it's five fails before Touch ID stops working until after a passcode is entered again.



Given the 6 tries, is there any benefit to a strong password?


It's my understanding that the current battle is about the request to bypass the retry cap.


> All bets are off if the iPhone is power-cycled.

Except, you don't have explicit control over the iPhone's battery, so how do you know if the power is actually cycled?


If the phone has been switched off or if >48h passed since the last unlock.

Also remember that rubber-hose cryptanalysis is always an option.


Can you be convicted in the US based on evidence obtained with physical torture?

Edit: Looks like the answer is it depends and not a resounding no

http://www.nolo.com/legal-encyclopedia/evidence-obtained-thr...


Of course you can. As long as the courts can be persuaded that there is no causal nexus between the torture and the evidence, or if the torture actually isn't legally torture. That assumes that the defendant can show (or is even aware) the torture actually took place.

Examples:

* prolonged solitary confinement: not legally torture

* fellow prisoner violence: not legally torture, no nexus

* prolonged pre-trial confinement: not really torture, but we may as well include it

* waterboarding/drowning: not legally torture? (Supreme Court declined to rule)

* stress positions: cannot show it took place

* parallel construction: cannot show / not aware


No, you cannot. Evidence derived from facts learned from torture is also excludable.


Sure, you can. It all depends on who gets to define "torture."

If they can find a judge who believes the iron maiden isn't torture while the anal pear is, then guess what... the government will use the iron maiden.

Even if they can't find such a pliable jurist, they'll have no problem getting a John Yoo to write an executive memo that justifies whatever they want to do to you, and let the courts sort it out later. There's no downside from their point of view.


> getting a John Yoo to write an executive memo

The memos didn't provide de iure indemnity. There is no constitutional basis, in fact the proposition that a memo can supersede the Constitution is idiotic on its face.

The failure is the de facto doctrine of absolute executive immunity. It has two prongs: 1. "When the president does it, that means that it is not illegal." 2. When the perpetrator follows president's orders, also not illegal.

Nevertheless, since there is no legal basis, there is nothing preventing the next government from prosecuting them.


> The memos didn't provide de iure indemnity. There is no constitutional basis, in fact the proposition that a memo can supersede the Constitution is idiotic on its face.

Yes, and that's what I meant by "let the courts sort it out later." The Constitution's not much help either way, being full of imprecise, hand-waving language and vague terms like "cruel and unusual." It was anticipated by the Constitution's authors that it would be of use only to a moral government.

> Nevertheless, since there is no legal basis, there is nothing preventing the next government from prosecuting them.

I wonder if that's ever happened in the US? Does anyone know?


I would disagree. The Constitution is a bulwark against tyranny. The US have successfully prosecuted waterboarding in the past.

It usually only happens when the rule of law is suspended and then resumed. You're a young country, so maybe it hasn't happened before. Robert H. Jackson was an American, though ;-)


Torture to get detailed info, use details to establish plausible parallel construction.

Enter parallel-constructed information as court-sanitized evidence.


TouchID disables itself after 48 hours and requires the password again.


Also after 5 failed attempts - you can test with an unregistered finger


Or if the phone runs out of batteries and restarts.


Does TouchID have any protections against your finger unlocking your phone post-mortem?


No, although I'd love to see a HealthKit app that uses your Apple Watch as a dead man's switch, and disables Touch ID or powers the phone off in the event the watch is removed or your pulse is no longer detected.


That wouldn't work well with loose wrists and other similar edge cases.


Then those people could turn it off. But it would be a nice option.


Without a wristprint for the watch to read, what prevents somebody else from wearing it?

The pulse and skin conductivity might change, but are either of those reliable enough metrics for such an application?


If you take the watch off, it automatically locks. I wouldn't mind it also automatically locking my phone and requiring a passcode instead of TouchID.

There is a VERY limited amount of time in which you can take the watch off and switch to another wrist (like milliseconds, you have to practically be a magician to switch wrists (which I do throughout the day)).

Apple has the watch, they could use it to beef up security for those that want it.



