30 comments

[ 3.1 ms ] story [ 47.2 ms ] thread
Something that could come in handy: You can put iPhones into passcode mode by holding down a volume button + the lock button (the poweroff/emergency mode sequence), and then cancelling.
dont just turn it off, physically disable it so the hardware aspect is unusable.
GrapheneOS has a nice feature where you can use both the fingerprint and a short passcode to avoid having to type out your longer/more valuable password all the time. Seems like a good solution to the problem.

Also, iirc iphones have this feature where if you appear to be under duress, it will refuse to unlock and disable face id. Is this true?

How does that protect you from rubber hose decryption like in this case? You get beat enough, you’ll unlock your phone
Cannot you then be charged for interfering with the investigation or deleting evidences? It’s not like law enforcement will be “damn, we’ve been outsmarted, let’s move on”

(To be clear I’m not in support of anything close to the current state of affairs and wish we had way stronger privacy rights even in the case of police investigations)

My fingerprints regularly fail to get recognized, across multiple scanners. If you can be charged for doing it "accidentally on purpose", then I can be charged for doing it even if I were innocent.
Not a lawyer, but I wouldn’t be surprised if that’s actually the case :(
The iPhone has never had such a feature _exactly_.

However on iPhones that have the Emergency SOS feature biometry is disabled until you enter your passphrase/code when that feature is invoked.

Biometry is also disabled until re-authentication if you invoke the shutdown menu by holding the power/power+volume up button.

Neither of those will get you to the Before First Unlock state, however. That is the ideal if you are attempting to protect access to your phone’s data in any adversarial scenario. You must restart/shut down the phone to get back to that.

Same applies to iPads.

There may be vulnerabilities, of course. In Before First Unlock there is not enough cryptographic material available in memory to decrypt application data. The full set of keying material is both user and device specific.

The iPhone Lockdown feature- press power button 5 time to activate.
These phones need a kill expression or finger. If you touch a sensor with your left pinky or wink at the camera it nukes the phone.
People say this on every thread where this comes up.

If the phone is in your pocket and somebody puts a gun to your head and tells you not to move, you are not pressing anything on your phone.

Anyone in journalism should know not to be using biometrics. I use it, but know how to quickly disable it. If using fingerprint, you can always offer up the wrong digit, a few fails should make it fallback to pin.
So all an adversary/the police need to do is watch you unlock your phone once to know which finger to use? Trivial considering how often we unlock our phones and how many cameras exist.
How is this different, legally speaking, from forcing someone to reveal their password? or at least to type it in?
Orig title was fine: Washington Post Raid Is a Frightening Reminder: Turn Off Your Phone's Biometrics
That's the title I gave it when I submitted it, I thought you or dang changed it o_O
I've been genuinely depressed about how fast the country is descending into strong man rule while half the country cheers it on. Which I think is their point, they want their political opponents to suffer at all costs.
(comment deleted)
Could you get charged with destroying evidence if you provided the duress password wiping the device when asked for a password ? You technically followed orders and didn't even touch the device.
Don't use biometrics a pin has been shown to have more 5th amendment protections. Have your phone automatically reboot at a regular time every day. When your phone reboots a lot of the exploits that can get into your phone are locked out because they rely on reading the active memory.
I have always thought biometrics on phones is just another way so-called "tech" companies perform data collection ultimately to be used for commercial purposes or any purposes deemed appropriate by the companies or their business partners

The companies are secretive so who knows what they are up to that we dont know about. What we do know is that these companies do not tell the whole truth when explaining their publicly visible conduct, including their data collection practices

For example, a so-called "tech" company might claim they need a user's phone number for "security" purposes while the data actually serves other purposes for the company that the user might find objectionable if they knew about them (This actually happened)

The mobile phone has become a computer that the user cannot truly control. Companies can remotely install and run code on these computers at any time for any reason.^1 If the user stores data on the phone, the company tries to get the user to sync it to the company's computers

If there are promises, e.g., about "privacy", made by the companies, then these promises are unlikely to be enforceable. It's rather difficult if not impossible to verify such promises are kept, or to discover they have been breached. Unfortunately, when the promises are broken then there is no adequate remedy. It's too late

1. This unfettered access can be blocked but there's been a culture that has emerged around actively doing the opposite. That the so-called "tech" companies are the primary beneficiaries is surely a fortuitous coincidence

> biometrics on phones is just another way so-called "tech" companies perform data collection ultimately to be used for commercial purposes

No, sorry, that's just silly. Routine biometrics have made personal devices near-unhackable and almost un-stealable. They have turned automated password attacks into a historical memory. They are a huge boon to consumers. Yuge, even.

Can they be abused? Yeah, sure. I guess everything can. But to cynically claim they have no value, or negative value, is just detached from reality.

(comment deleted)
Face ID doesn't work with eyes closed, the warrant wasn't clear whether or not A Clockwork Orange-style setup would be allowed.
Samsung phones have the Secure Folder where you can use a different, more secure password. If you have the data encrypted it is very secure as the actual encryption key is stored in a secure element.
This is a reason to always use passwords instead of biometrics (fingers, face, palm, etc). A corrupt court cannot force a password to be revealed by the citizen.

Never speak with or offer any assistance to the police or government. It will come back to hurt you.

I have heard for years that this is a common tactic used by TSA when you get selected for special screening. Basically, they couldn't force you to divulge your unlock code. However, if you left your phone in a vulnerable state w/r/t biometrics, they could unlock your phone on your behalf without permission.

Mine gets a quick reboot for going into a checkpoint. This disables biometrics until I enter a passcode.