What cops need to know about Apple’s iOS 8 lockout
Examining Apple’s claim that iOS 8 prevents investigators from getting subscriber data, the reality is that there’s more to it than that
In mid-September, Apple rolled out iOS 8 for users of the more recent models of the iPhone, iPad, and Mac computers. Among many changes was a statement from Apple CEO Tim Cook that Apple would no longer assist law enforcement agencies in unlocking iPhones and iPads.
Actually, Apple’s claim is that they cannot assist law enforcement in this way, because iOS 8 encrypts the data on the device with a key linked to the user’s passcode, and that passcode is not transmitted to Apple. This saves Apple from being in the middle of a subpoena/search warrant war, as they can’t give the police what they do not have. Privacy advocates lauded Apple for taking this position.
Analysis by iOS forensics experts indicates that Apple is speaking the truth. Apple doesn’t have the key to unlock a device running iOS 8. However, that doesn’t always mean that the cops can’t get access.
Different Levels of Security
All Apple devices can be set to require a passcode to unlock. The default “simple” passcode is four digits, but there is an option to enter a longer passcode of up to 90 characters, which can include letters, numbers, and special characters. The iPhone 5c, 5s, and 6 have a fingerprint sensor on the ‘home’ button that can also be used to unlock the phone.
Most people don’t set a passcode for convenience’s sake. If their phone is stolen, anyone capable of pushing the ‘home’ or power buttons can see everything stored there. People who are concerned about security will set at least the simple passcode to protect their phone and its data. Brute force attempts to crack the device using all possible passcodes will fail because the device will wipe all its data after ten unsuccessful attempts.
The device lock protects only the data stored in most of the native iOS applications, such as email and text messaging. Stored photos, podcasts, books, iTunes media, and most data stored in third-party applications can still be recovered with forensics tools like those from Cellebrite, Oxygen, AccessData, and Elcomsoft.
Forensics researcher Jonathan Zdziarski revealed the weaknesses in iOS’ security. Under most conditions, a locked iPhone running IOS 8 can still be unlocked without the cooperation of the owner. The key is to get control of the computer the phone was last synced with. Most people set up and back up their phones to a desktop or laptop computer. When this is done, a trusted pairing record is created on the backup computer. With this record and the appropriate computer forensics tools, the phone can be unlocked. This requires physical possession and a hardwired connection between the computer and phone, but most of the time, it can still be done.
Why “most of the time?” This is because the user can still take some measures to make accessing information more difficult for the police. If the user turns off the device before it is seized, the trusted pairing record method won’t work. Turning off the device means powering it down completely — requiring a reboot when power is restored.
The device must have been used at least once since it was rebooted. If your suspect is smart enough — and has enough time — to hold down the power button for a few seconds and slide his finger over the confirming power down prompt on the screen, the phone is really, really locked.
The other block is to encrypt the hard drive of the backup computer, and fully shut it down before it is seized. There are a variety of free encryption tools for this, including Microsoft’s BitLocker, which comes with some versions of Windows. If the computer is only in “sleep” or “hibernation” mode (which happens if a laptop user just closes the display and stuffs the computer in a bag, as many of us do), the drive might be accessible without the encryption key.
If it’s been fully powered down and it’s encrypted, you’re going to have a lot more difficulty getting in.
Leave “Dumb” to the Crooks
Of course, if your suspect hasn’t set a passcode for his device, all you have to do is turn it on and you’ll have the keys to the kingdom. Also, if you’re going to seize an iPhone or iPad for evidence, you’ll also want to try to seize any other computers or electronic devices in the suspect’s possession or at his home or business — before anyone else can get to them.
If the device is locked with a fingerprint and the Touch ID application, you can get in if you have access to the user’s fingerprints. This requires several steps to create a replica fingerprint to apply on the ’home’ button. Most people will enroll the index finger of their dominant hand to key the sensor, but keep in mind there is nothing to keep a user from using another finger.
There is a free application from Apple called Find My iPhone that allows you to see the phone’s location in real time, sound the ringer, lock the phone, or wipe it of all data. You can do this from any computer that allows you to log in to your online Apple account.