This article is reposted from FORBES in the same manner as it appears on their site.
FEB 18, 2016 @ 09:40 AM
FBI Can Use Dead Suspects’ Fingerprints To Open iPhones — It Might Be Cops’ Best Bet
By: Thomas Fox-Brewster, FORBES STAFF
“I cover crime, privacy and security in digital and physical forms.”
As Apple makes iPhones increasingly secure, the FBI has found it more difficult to get at data within suspects’ iOS devices. Hence the All Writs Act 1789 order that landed earlier this week asking Apple to write a special version of iOS that could be installed on the iPhone of San Bernardino shooter Syed Farook. That unique operating system would allow the FBI to make unlimited guesses at his passcode, without any of the purposeful delays and data wiping normal users get as security measures.
But Apple CEO Tim Cook bit back, claiming the creation of such a hacking tool would threaten the security of all iPhone owners. It is, as Edward Snowden said, one of the most important privacy and security cases currently being fought between government and the technology industry.
Such is the level of security on iPhones that the government has been compelled to take legal steps to co-opt Apple. Indeed, the security is seemingly so tight that federal agencies will likely have to explore other avenues if Apple wins its appeal, whether that’s through hacking in or by biological means, using fingerprint copies or the real fingerprint from a suspect’s corpse. The latter might just be the key to future investigations.
Hacking into iPhones is expensive and hard
Before we get morbid, it’s important to note there are other, admittedly more challenging and costly ways the FBI can try to access iPhone data without having to co-opt Apple or rely on fingerprints. Former NSA staffer and now head of research at Synack, Patrick Wardle, told me the FBI could research its own attacks on iPhones.
They would need to develop a low-level exploit that can be triggered without the device being unlocked, and they would have to bypass Apple’s checks on firmware updates, namely the check for a valid signature on downloads from the Cupertino company. Wardle suggested law enforcement could exploit a USB driver, as there are some communications between the phone and computer that occur even when the phone is locked.
This would all require zero-day vulnerabilities – previously unknown, unpatched weaknesses in the operating system. As with jailbreaking, these would have to be “chained”, where an attack abuses a number of vulnerabilities in a row to take control of the device.
Cheaper and easier to force Apple to cooperate
But, said Wardle, it’s easy to see why the FBI wants to get Apple to play ball: it’d be far more reliable to have the manufacturer provide the police with a capability. The government is, like any good hacker, looking for the easiest and quickest way into a device.
It’s also much cheaper to force Apple to collaborate. Italian outfit Hacking Team sold its mobile spy kit to federal police for $775,000; that didn’t include anything that would get close to exploiting an iPhone prior to it being unlocked. A jailbreak like the one described above sells for around $1 million; again, that’s with the device unlocked and with some user interaction.
So the cost of contracting out the work the government wants Apple to do would be well over $1 million. All this extra work and cost is why the government is using a 225-year-old statute to order the firm to do it for free.
And despite suggestions Apple can’t facilitate this on iPhones, security experts say it can, even on the latest hardware. “Apple can provide a signed custom firmware image that can allow the FBI to bruteforce the PIN without having to worry about the phone wiping after 10 failed attempts,” Wardle noted, pointing towards an excellent blog at Trail of Bits.
That blog initially suggested newer iPhones than the iPhone 5C used by Farook would not be susceptible to the same kinds of “brute force” techniques the government wants to try. That was because later devices have what’s known as a “Secure Enclave”. The SE acts as a separate security mechanism that works on all devices with TouchID (i.e. not the 5C, but anything above and including the iPhone 5S).
Trail of Bits has a great explanation of what the enclave does: “When you enter a passcode on your iOS device, this passcode is ‘tangled’ with a key embedded in the SE to unlock the phone. Think of this like the 2-key system used to launch a nuclear weapon: the passcode alone gets you nowhere. Therefore, you must cooperate with the SE to break the encryption. The SE keeps its own counter of incorrect passcode attempts and gets slower and slower at responding with each failed attempt, all the way up to 1 hour between requests.”
The Enclave would slow the FBI’s brute force attacks, which would be carried out with the aid of a powerful processor, to such a degree that it wouldn’t be worth the cops’ time. Just nine attempts would result in a delay of an hour. If the San Bernardino shooter had a long, complex passcode using letters and numbers, it would take an extraordinarily long time. By Apple’s estimates, even on devices without SE, it would take more than five and a half years to try all combinations of a six-character alphanumeric passcode with lowercase letters and numbers.
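The passcode arithmetic in the paragraph above, worked through as an added example that is not part of the Forbes article or of anything Apple or Trail of Bits published: it models the size of a passcode search space, the worst-case time to exhaust it at a fixed per-guess cost, and how the Secure Enclave's escalating delays and the 10-attempt auto-erase change that cost. The 80 ms per-guess cost and the exact delay schedule (1 minute after the 5th failure, 5 minutes after the 6th, 15 minutes after the 7th and 8th, 1 hour from the 9th onward) are assumptions taken from Apple's published iOS security documentation; the article itself only states the one-hour ceiling and the "nine attempts" and "five and a half years" figures, which the model reproduces.

```python
"""Passcode brute-force cost model (added example, not from the article).

Assumptions, labelled here and in the lead-in:
  * PER_ATTEMPT_SECONDS: ~80 ms per guess, Apple's figure for the key
    derivation tied to the device key; not stated in the article.
  * DELAY_AFTER_ATTEMPT: the Secure Enclave's escalating delay schedule
    (attempt number -> seconds of delay imposed after that failure);
    the article only gives the 1-hour ceiling.
"""

PER_ATTEMPT_SECONDS = 0.08
DELAY_AFTER_ATTEMPT = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Alphabet sizes for the passcode policies discussed in the article.
DIGITS = 10                 # numeric PIN
LOWER_ALNUM = 26 + 10       # lowercase letters and digits


def search_space(length, alphabet_size):
    """Number of candidate passcodes for a given length and alphabet."""
    return alphabet_size ** length


def cumulative_seconds(attempts, schedule=None):
    """Worst-case wall-clock seconds to make `attempts` guesses.

    Each guess costs PER_ATTEMPT_SECONDS; with a delay schedule, the
    scheduled delay is added after each failed attempt, and once past the
    last scheduled step every further attempt pays the maximum delay.
    Computed in closed form so that billion-guess spaces stay cheap.
    """
    if not schedule:
        return attempts * PER_ATTEMPT_SECONDS
    last = max(schedule)
    head = min(attempts, last)
    total = sum(PER_ATTEMPT_SECONDS + schedule.get(i, 0)
                for i in range(1, head + 1))
    tail = attempts - head
    return total + tail * (PER_ATTEMPT_SECONDS + schedule[last])


def exhaustive_time_seconds(length, alphabet_size, schedule=None):
    """Worst case: every candidate in the space is tried."""
    return cumulative_seconds(search_space(length, alphabet_size), schedule)


def years(seconds):
    return seconds / SECONDS_PER_YEAR


def fraction_covered_before_erase(length, alphabet_size, max_attempts=10):
    """Share of the space a guesser can cover before auto-erase wipes the
    device (the article's '10 failed attempts' setting)."""
    return min(max_attempts, search_space(length, alphabet_size)) / \
        search_space(length, alphabet_size)


if __name__ == "__main__":
    policies = [
        ("4-digit PIN", 4, DIGITS),
        ("6-digit PIN", 6, DIGITS),
        ("6-char lowercase alnum", 6, LOWER_ALNUM),
    ]
    print(f"{'policy':24} {'space':>14} {'no delay':>14} {'SE delays':>14} {'seen before erase':>18}")
    for name, length, alphabet in policies:
        plain = exhaustive_time_seconds(length, alphabet)
        delayed = exhaustive_time_seconds(length, alphabet, DELAY_AFTER_ATTEMPT)
        covered = fraction_covered_before_erase(length, alphabet)
        print(f"{name:24} {search_space(length, alphabet):>14,} "
              f"{years(plain):>12.3f} y {years(delayed):>12.1f} y "
              f"{covered:>17.2e}")
    # Nine failed attempts already carry over an hour and a half of imposed delay.
    print(f"delay accumulated by attempt 9: {cumulative_seconds(9, DELAY_AFTER_ATTEMPT) / 3600:.2f} h")
```

The table shows what the article argues in prose: without delays a four-digit PIN falls in minutes and the six-character lowercase alphanumeric space takes a little over five and a half years at 80 ms a guess, which is the figure Apple quotes; with the Secure Enclave's schedule even the four-digit space takes more than a year, and with auto-erase enabled a guesser sees only ten candidates, whatever the space size.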
It was thought that if one attempted to rewrite the firmware for SE, it would wipe all existing keys stored within it and effectively make the device inaccessible to anyone. That would have meant any special version of iOS created by Apple for the FBI would not have helped on later models protected by SE.
But, according to the updated Trail of Bits post, Apple can modify the secure enclave with a firmware upgrade (the assumption is that Apple would also use a firmware upgrade if it had to include the brute force bypass).
“Apple can update the SE firmware, it does not require the phone passcode, and it does not wipe user data on update. Apple can disable the passcode delay and disable auto erase with a firmware update to the SE. After all, Apple has updated the SE with increased delays between passcode attempts and no phones were wiped,” the blog read.
Apple should therefore be able to provide the same hacker tool for all phones.
Using the finger of a cadaver
But, whether or not newer iPhones do offer more security from brute force attempts, they are less secure from government hacks in one crucial way: Apple’s TouchID fingerprint authentication can be bypassed with copies of people’s fingers. Researchers have repeatedly proven this is possible on the iPhone 6 and the 5S, using methods involving high-res images, glue and glycerol.
Of course, in the case of the San Bernardino shooter, the iPhone 5C did not have TouchID. But for future cases, where TouchID is in use, the federal police could take advantage of that prior research. Not only could they use the fingerprints of a living suspect, or create fake fingers using print marks, they’d have more chance of being able to legally use the print of a cadaver.
“Fingerprint evidence – unlike a password – is physical evidence that can be compelled with a court order, overriding the objections of an accused or the next of kin of an accused,” said Andrea Matwyshyn, Northeastern University professor of law and a visiting research collaborator at the Center for Information Technology Policy at Princeton University.
“Additionally, fingerprint data is frequently available through other government sources such as immigration registration databases or other government databases. Forensic examiners may also be able to lift fingerprints from the body of a phone itself for purposes of unlocking a device protected with a biometric password.” Lifting fingerprints is exactly what whitehat hackers did when creating their own fake fingers to bypass TouchID.
Marina Medvin, owner of Medvin Law, told me that though 4th Amendment privacy protections could cause an issue for a living person, “once you are dead, you don’t have legal standing to assert a 4th Amendment privacy violation”.
“Stated more simply: Your privacy wasn’t violated, because you are dead. And you can’t stand before the court to assert such a concept, because you are dead. And your family can’t assert it on your behalf because the 4th Amendment cannot be invoked on behalf of someone else; it’s a personal privacy protection,” Medvin added.
The FBI would have to move fast to unlock the device, however. Any iPhone that hasn’t been opened with a fingerprint within 48 hours requires that a passcode be entered. But as Medvin noted, it would be hard for anyone to contest a search of someone’s device when they’re deceased, so police could act swiftly without fear of a legal challenge.
If the FBI loses, it’ll have to use novel techniques like this to crack open Apple devices. Or it could benefit from employing better technical staff, says Matwyshyn. “Providing law enforcement with the resources needed to build up in-house expertise will result in more efficient and cost-effective investigations,” she added.
If Apple loses, however, and is forced to comply with the government’s request, any folk concerned about government snooping on their iPhones will want to disable TouchID and opt for as strong a passcode as possible.
UPDATE: As Snowden noted, it’s worth pointing out that the FBI claimed in a court filing that it could not determine any other way into the iPhone 5C in question without Apple’s help. See the screenshot below, which contains a claim from FBI computer forensics expert Christopher Pluhar that he was unable to determine how else to get into the device.