The Touch ID lock on your iPhone isn’t cop-proof

“The FBI’s feud with Apple over access to Syed Farook’s iPhone might never have happened if the San Bernardino, Calif., shooter had been carrying a 5S or newer,” Kartikay Mehrotra reports for Bloomberg Businessweek. “For the 250 million phones sold around the world with fingerprint authentication since 2013, law enforcement may be able to compel suspects to press their fingers to the devices and unlock them.”

“With minimal litigation on the books in the U.S., police and prosecutors require only a judge’s blessing on a warrant for a suspect’s fingerprints. So far they’ve used the power sparingly,” Mehrotra reports. “But as the number of fingerprint scanners in hip pockets grows, district attorneys across the country say the technology is poised to become a major engine of evidence-gathering.”

Mehrotra reports, “Fingerprint-scanning phones will become the majority within about two years, estimates researcher IDC. As the pile of warrant requests grows, the pressure will be on magistrate judges to draw a line between genuine seizures and fishing expeditions…”

Read more in the full article here.

MacDailyNews Take: Power down your iPhone at night. That would force a passcode if the phone is taken before you use it next.

You carry forever the fingerprint that comes from being under someone’s thumb. — Nancy Banks-Smith

To set a stronger alphanumeric passcode on your iOS device that cannot be easily brute-forced:
1. Settings > Touch ID & Passcode. On devices without Touch ID, go to Settings > Passcode
2. Tap Change Passcode
3. Tap Passcode Options to switch to a custom alphanumeric code
4. Enter your new, stronger passcode again to confirm it and activate it

SEE ALSO:
Should you disable Touch ID for your own security? – May 9, 2016
Apple supplier LG Innotek embeds fingerprint sensor into display – May 4, 2016
U.S. government wants your fingerprints to unlock your phone – May 1, 2016
Android fingerprint scanners fooled by inkjet printer – March 8, 2016
Android fingerprint sensors aren’t as secure as iPhone’s Touch ID – August 10, 2015
Apple files for patent to move Touch ID fingerprint scanner from home button to display – February 9, 2015

33 Comments

  1. Do not program in your dominate-hand thumb. That is the most obvious fingerprint to use when opening the phone. That way, if you are forced to offer up your fingerprint they will need to guess which finger you used. The odds are much better this way that you will be able to put the wrong fingerprint in and force a password request.

    1. More importantly, own an iPhone 5S or newer device as they have Security Enclave; the hack that FBI has paid for has only worked because it was an older device.

      1. The secure enclave won’t help if they force your finger to the phone. As he says, use a non-dominant finger. Your pinky finger if you are real paranoid, it’s the last one they’d try, by then you would exceed your max attempts.

    2. Aw, so what! This is how it should be. This is a compromise that I can live with. Bad guys have to give up their fingerprints to unlock their phones, good guys are susceptible to forced fingerprints (but unlikely to be troubled as they aren’t doing anything wrong.) I can live with this. I can’t live with government having back doors. Back doors have the potential to be activated remotely by any bad actor. Fingerprints require your physical presence, thus much, much safer. (at least not on the iPhone, I hear Android fingerprint readers can be compromised remotely.)

      Apple should leave things this way, it will keep the government off of their backs.

    3. “But, your honor, I gave them my fingerprints when they booked me into holding! All ten of them! Now you’re asking me to give my fingerprints again. Why? Can’t the cops unlock the phone with the fingerprints they have on file? If not, then why are you requiring me to REMEMBER which finger I use to unlock my phone, just like I must REMEMBER my passcode? Aren’t both mental processes?

    1. Typing in the password means someone could potentially spy on you and watch what you type. Touch ID avoids that security vulnerability, but has its own weaknesses (like being forced to unlock your phone, for example).
      I wish Apple gave us an option to require BOTH: you have to type in the passcode, and THEN also a fingerprint (or vice versa).

    2. Please tell us how TouchID can be “easily hacked?” You probably can’t because the article says no such thing.

      What it does say it can be opened by the owner in situations where they may have no choice in the matter, such as a court ordering them to do so.

      TouchID and the Secure Enclave that holds the data–as far as I have heard–is still remarkably secure because there’s no one else with the same fingerprint as you.

      1. I think that if they have a fingerprint, a mockup casting could be made to emulate it. I’ve thought of that and don’t use my “expected” fingers for it. Of course all that means is that someone(s) would have to do more work, but if I see a situation coming (not always possible) a quick Home+Power and that’s OK as I use a long, complex PW.

        1. Mocking up someone’s fingerprints is relatively exotic, and not nearly as easy to do as most movies make it seem.

          In other words, it’s not something most people will ever encounter in the real world.

          I don’t think that lifting a print–relatively easy to do with a little transparent tape–would work, though I wonder what would happen if you used an adhesive to make a copy of a print, and put in on your finger, then use TouchID.

          Though in the latter instance, there’s few ways that someone could do that without your knowledge, which defeats the purpose somewhat.

          As I understand it, TouchID and it’s Secure Enclave are one of the safest methods to block access to your device after all, if someone is able to force you to use your finger to open your phone, then they could do the same with your password.

  2. Has there been any success in unlocking a phone using a reproduced latent or law-enforcement-recorded fingerprint?

    Powering off your device at night is a silly idea that defeats one purpose of having a phone at all, and useful at protecting data from search only if the device is seized at night.

    Sad that privacy tech should be so task-focused on thwarting law enforcement, though, isn’t it? “backdoor” solutions are impractical for sure, but I do hope someone’s working hard to find the right compromise.

    1. Hey PC Apologist, good questions and observations.

      Has there been any success in unlocking a phone using a reproduced latent or law-enforcement-recorded fingerprint?
      – I’ve read a few articles that say hackers have done it and it doesn’t seem too unrealistic a possibility these days, especially for an organization that can toss a million bucks around.

      Sad that privacy tech should be so task-focused on thwarting law enforcement, though, isn’t it?
      – I believe that’s a misconception. Privacy tech is task-focused on thwarting everybody except the user. That’s what privacy is all about. I think you hear a lot about law enforcement because they are the ones trying to circumvent it, along with (other) criminals. Civilized, ethical, moral folks and organizations know understand and appreciate the value of privacy.

      There is no need to work hard for a compromise, just a need to work hard. There is a plethora of forensic and investigative possibilities out there available for use. You start listening and bending over for these compellers they’ll start demanding the moon, time travel so that they can go back and check out the details of the crime scene at the time, raising people from the dead so that they can compel them to confess, special resorts so that they can use torture to extract information….oh wait some of the compellers have already done that, with such success there might be a sequel.

      Tongue in cheek aside, i did enjoy your post.

      1. Right, I don’t mean the key focus of privacy tech is to stop law-enforcement, but circumstances pit the two against each other.

        The US Constitution has strong privacy protections baked in. The framers also permitted for a court to override that privacy with cause. If their intent was to make law enforcement’s job as difficult as possible and protect privacy at all costs, the courts would not have been granted that power to begin with.

        Broadly used data encryption thwarts more and more the power of the court to issue effective warrants. I agree there is an overreach of law/government into privacy, but the response seems to be what many consider an overreach of encryption.

        Got to find a middle ground that protects privacy and permits legal search.

  3. Gee when I hear “law enforcement may be able to compel suspects to press their fingers to the devices and unlock them.” coming from that nation I get the feeling that it’s an advertisement for the Guantanamo on the Bay Resort but of course they don’t send their own citizens there…. yet.

    MDN has a good suggestion, as long as the compellers invade your dwelling first thing in the morning. Otherwise, it’s a bit moot.

    The Touch ID fortunately could be programed do other things than unlock a phone. I think I’ve read someone comment that one finger print could be used to lock the phone thus requiring a pass code to open it. That would certainly make the compellers think twice, that is, if they can count that far and/or think.

    Of course another finger print followed by a pass code could cause all the information on the iphone to be totally erased. Give a whole new meaning to giving the finger.

  4. Please don’t put your iPhone in your hip pocket!
    A) You’ll sit on it and … *crunch*
    B) Anything in a hip pocket is asking to be stolen by pick pockets.

    I still see naive people putting wallets in hip pockets. Naughty!

    1. I quit carrying a wallet initially because my chiropractor told me to. Sitting on that thing is bad for your spine and overall health.

      Then I trimmed it down to a money clip. I *have* to keep it cleaned out and trimmed down now, and it is *so* much better than the old billfold was.

      And I have truly never understood those who put a phone in their hip pocket. More than a bit off topic here, but there it is. 🙂

  5. I had a very good friend who went in to hospital with a stroke and subsequently died . His wife desperately needed access to his iPhone 6 but did not know his access code and we managed to open the phone using his finger .
    So there are times when this function although not entirely voluntary , are beneficial .
    There are times when an individual can be compelled to open a phone by law enforcement without a search warrant . I am thinking specifically of when one crosses a border .

  6. The opening sentence of this article is completely wrong:

    “The FBI’s feud with Apple […] might never have happened if the San Bernardino, Calif., shooter had been carrying a 5S or newer”

    The writer implies that, had the phone been protected by the TouchID fingerprint, the FBI would have somehow been able to compel the shooter to unlock it with the fingerprint.

    There are two reasons why this is simply incorrect. First, unless FBI obtained that phone within 24 hours of its owner’s last access, TouchID would have been disabled and passcode would have been the only way to unlock. And second, the perpetrator was long dead by the time FBI found the phone. Dead fingers cannot unlock the TouchID (according to Apple).

    So, the opening paragraph was meant to attract readers to continue, because it referred to a well-publicised case, even though it was not really relevant.

    1. If dead guy was taken to the hospital and put on life support after failed resuscitation efforts, they could have used his “mostly dead” fingers to unlock the phone.

  7. They can make you unlock it with your finger print, but they can’t make you input a passcode, as that may become self incrimination, so you’re protected by the 5th Amendment.

  8. You don’t have to power down, just hold down the power button and the home button at the same time until the apple icon appears, this forces the next login to use the password instead of Touch ID.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.