The law lags badly behind technology in a great many areas. One area where there is still huge uncertainty is whether the Fifth Amendment right against self-incrimination protects someone who refuses to disclose the passcode to their phone.
We’ve seen conflicting rulings in the past, and a Miami report shows that rulings may even vary between courts in the same state …
The Florida Court of Appeals has ruled that a suspect must tell police the passcode for his iPhone 5, overturning the original ruling that Fifth Amendment protections applied. This contradicts a Virginia court ruling in a separate case that a suspect can be forced to unlock a phone with their fingerprint, but cannot be forced to reveal their passcode as this would contravene the Fifth Amendment right against self-incrimination.
Something that has been bugging me for some time is that my iPhone, normally unlocked with Touch ID, asks for my passcode way more often than it ought to. That mystery has now been solved by a bullet-point that Apple added to its iOS Security Guide earlier this month – though the behavior has been there a lot longer.
Previous versions of the document said that iOS devices should only ask Touch ID users for their passcode in one of five circumstances. I found I was frequently asked for my passcode when none of these applied, but a sixth, recently-added bullet-point explains it …
Early this morning, we told you about a new iPhone 6s passcode bypass vulnerability that allowed handlers to access photos and contact details without needing to verify with a passcode or Touch ID. The Lock screen vulnerability was made possible by Siri, and let users bypass the security provided by the Lock screen passcode and/or Touch ID.
If there’s a positive spin to put on such a vulnerability, it’s that fixes can be implemented server side without the need for an iOS update. Apple today has fixed the passcode bypass method by forcing Siri to request your Lock screen passcode whenever a user tries to search Twitter via Siri while at a secured Lock screen Expand Expanding Close
There have been an increasing number of reports from iPhone users running iOS 9.1 that Touch ID is proving slow or unreliable. The issue was first spotted by Forbes earlier this week.
The complaints are similar: users running iOS 9.1 find Touch ID either refuses to recognise a user’s fingerprint, has become highly unreliable or doesn’t even register a fingerprint pressed against it. Users have tried hard resets (holding in the power and home button for 10 seconds) and complete factory resets without any success.
The issue appears to be affecting a small minority of users, but enough to suggest that it is more than coincidence … Expand Expanding Close
Backing up Apple Watch doesn’t work exactly like your iOS device, and some of the data on the watch— like Workout and Activity calibration data, for example— won’t be included in your backup. Head below to learn exactly how to back up your Apple Watch, what to expect when doing so, and how to access the data if need be. Expand Expanding Close
Security company MDSec has been testing a black box device that manages to gain access to iPhones running up to iOS 8.1 by brute-forcing the passcode over a USB connection to simulate keypad entry. Normally, trying every possible 4-digit PIN would be prevented by automated lockout or data wipe after ten incorrect attempts, but the IP Box manages to bypass this.
The IP Box is able to bypass this restriction by connecting directly to the iPhone’s power source and aggressively cutting the power after each failed PIN attempt, but before the attempt has been synchronized to flash memory.
After each attempt, it measures light levels on the screen to see whether it got access to the homescreen; if not, it restarts the phone fast enough that the PIN counter doesn’t get updated.
It’s not a very practical means of attack in the real world. Restarting the phone after every single attempt means that testing every single PIN would take around 111 hours, and thus take an average of around 55 hours to get access. You need physical access to the phone for those 55 hours, and need to have stopped it from gaining any kind of network access in that time to prevent the owner using Find My iPhone to remotely wipe it. But it’s an interesting proof of concept.
Apple appears to have fixed the vulnerability in iOS 8.1.1, as companies selling the kit note that it is not compatible with this version of iOS.
Although this isn’t something to worry about, it’s still good practice to use a complex passcode–not a great hardship on a recent iPhone, where you’ll be using Touch ID most of the time. Just go into Settings > Touch ID & Passcode and slide off the Simple Passcode switch.
[Ed. note: Jason Stern is a Criminal Defense Attorney in private practice in New York City]
8:34 am. A college professor receives a text message threatening to blow up the history building. The professor immediately contacts law enforcement, who trace the origin of the call to a student who lives off-campus.
When FBI agents arrive at the student’s residence, they arrest the student and seize his smartphone. In an attempt to search the device to recover evidence of the crime (and perhaps stop other related crimes), they find the smartphone is protected by fingerprint security measures.
With the suspect in handcuffs, the agent swipes the student’s finger across the phone to access his call history and messages. Once the FBI swipes the suspect’s finger and bypasses the biometric security, the phone asks for the student’s passcode. The FBI agent asks for his password but the student refuses to speak. How can the FBI agent access the phone? Whereas a fictional Federal Agent like Jack Bauer would simply pull out his gun, jam it in the suspect’s mouth and scream, “WHERE IS THE BOMB?”, in our example, the FBI agent would hit the proverbial brick wall.
Yes, the phone could be brought back to the lab for analysis and hacking by forensics personnel, but the suspect in this case could not be forced to disclose the password on the phone… Expand Expanding Close
Update 6/30: It appears iOS 7.1.2 has resolved the issue: A state management issue existed in the handling of the telephony state while in Airplane Mode. This issue was addressed through improved state management while in Airplane Mode.
A new lock screen bypass has been discovered in iOS 7 that allows anyone to skip the default authentication method. The shocking part about this bypass is that it can be done in under five seconds. This isn’t the first time that lock screen security on iOS has been compromised, but this does require very specific conditions in place in order to work.
Reeva Steenkamp, shot dead by Oscar Pistorius (photo: India Times)
The International Business Times reports that three detectives investigating the killing of Oscar Pistorius’s girlfriend Reeva Steenkamp have flown to Apple’s HQ in Cupertino to seek assistance in accessing the athlete’s iPhone.
Prosecutors want to access its SMS and WhatsApp messages as evidence for the trial.
South African police have been struggling to gain access to the phone for months, one of several handsets found in the double-amputee athlete’s Pretoria villa on the night he shot girlfriend Reeva Steenkamp.
Pistorius has claimed that he cannot remember the passcode … Expand Expanding Close
According to a report from German language blog iFun, Apple is preparing to release iOS 6.1.2 early next week to address the much talked about Microsoft Exchange bug and passcode vulnerability. Apple already confirmed that both issues would be fixed in an upcoming software update, but iFun confirmed the update would land sometime before Feb. 21 based on its checks with carriers.
iFun accurately predicted the launch of iOS 6.1.1 through the same sources earlier this month. In addition, the report appears to claim the enhancements to maps in Japan that Apple introduced in the recent 6.1.1 beta would reach consumers in the coming weeks as iOS 6.1.3.
Apple provided a statement to AllThingsD about the passcode vulnerability earlier this week:
Reached for comment, Apple said it is hard at work on a fix. “Apple takes user security very seriously” spokeswoman Trudy Muller told AllThingsD. “We are aware of this issue, and will deliver a fix in a future software update.”
Late last month, we reported Swedish security firm Micro Systemation claimed its “XRY” application was capable of cracking an iOS device’s passcode, logging keystrokes, and accessing data like GPS, call logs, contacts, and messages. The video showing the app in action is now removed, but the firm’s claims are coming under scrutiny by at least one fellow hacker. Will Strafach, better known in the jailbreaking community as “@chronic,” just posted his summary of what is really happening with the software to clarify the issue.
While explaining XRY does not use exploits similar to jailbreak programs, as claimed by many covering the story, Strafach clarified the tool is “simply loading a custom ramdisk by utilizing the publicly available ‘limera1n’ exploit by George Hotz. The ramdisk is not even very special, because anyone could put together their own using open source tools.” He continued by explaining the “two-minute” claim of Micro Systemation is only true if a passcode is “0000.” The time increases when a more complex passcode is set.
Chronic also noted XRY cannot be used on iPhone 4S, iPad 2, and third-gen iPads, something most publications are not reporting. Here is his explanation: