How police could get your data without unlocking your phone
Apple once again is finding itself at the center of a debate around law enforcement and encryption.
On Thursday, Deputy Attorney General Rod Rosenstein cited the recent Texas mass shooting as an example of why encryption backdoors — or ways to circumvent security and privacy protocols — are necessary.
The tech company said it offered to help the FBI after the agency said it could not unlock the phone of Texas shooter Devin Kelley. He is accused of killing 26 people and then himself at the First Baptist Church in Sutherland Springs, Texas on Sunday.
“Our team immediately reached out to the FBI after learning from their press conference on Tuesday that investigators were trying to access a mobile phone,” Apple said in a statement. “We offered assistance and said we would expedite our response to any legal process they send us.”
A source familiar with the matter confirmed the phone was an iPhone. The FBI declined to comment.
The source told CNN that law enforcement agencies did not contact Apple for help within 48 hours after the shooting. Consequently, investigators may have lost crucial time that could have helped them investigate the shooter’s phone.
The 48-hour window
In theory, law enforcement could have used the shooter’s fingerprint, even if deceased, to unlock the device in the hours following the incident. Researchers have previously shown it’s possible to easily spoof the fingerprint sensor if you have a clay replica of the person’s finger.
The FBI would not need Apple’s assistance to unlock the phone in this manner. If the the agency had called Apple, the company may have suggested this method. However, it’s unclear whether the shooter had Touch ID enabled.
But the fingerprint scanner no longer works if the iPhone hasn’t been unlocked for 48 hours — Apple then requires users to input a passcode. Some Android phones have similar time limits before requiring a passcode to unlock.
Apple has featured the 48-hour time limit since rolling out Touch ID in 2013. Its decision to frequently require the passcode helps people remember the security key. iPhone users must also enter the passcode to do things like update their software.
Some security experts have speculated the Texas incident could further the debate on encryption backdoors. California Senator Dianne Feinstein reportedly wants to revisit proposed legislation to require tech firms to share encrypted messages if given a warrant, according to a Politico report.
The encryption issue came to a head in 2015 following the San Bernardino terror attack. Apple CEO Tim Cook very publicly pushed back on the FBI’s order to create software that could unlock one of the shooter’s iPhones.
“In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession,” Cook wrote in a letter.
Ultimately, the FBI found an alternative solution to get the information needed: it paid around $1 million to hack that iPhone. Anyone, including law enforcement, can buy hacking tools to break into phones and computers. But, as witnessed in the case of the iPhone hack, these tools can be expensive.
Security experts believe the Texas shooting case is different. There is no suggestion of co-conspirators and it won’t end up in court, said Nicholas Weaver, lecturer in the computer science department at UC Berkeley.
Weaver said there are other ways for law enforcement to get similar data to what you would get unlocking an iPhone.
For example, law enforcement can compel Apple to provide iCloud backups of information stored on the phone and disable the remote wipe feature. Tech companies such as Facebook and Twitter can also provide chat logs or other information when compelled by law enforcement.
Further, cell phone providers can hand over data related to location and with whom a criminal is exchanging texts. Law enforcement can also get information from message recipients.
Another workaround: If someone backs up a phone to a computer, it’s possible to get the data from the computer instead. Weaver said computers tend to be weaker in terms of preventing analysis without a password.
Apple said the company works with law enforcement every day. Its latest transparency report said law enforcement requests range from asking for information about stolen credit cards to account purchase history.
The report also revealed law enforcement submitted 4,479 device-based requests and 1,692 account requests from Apple during the first half of 2017. The company provided data 80% of the time for device requests and and 84% for account inquiries.
During the same time frame, Twitter received 2,111 account information requests from the U.S. government and turned over at least some information 77% of the time.
“We offer training to thousands of agents so they understand our devices and how they can quickly request information from Apple,” the company said in a statement.