Naked Security

Police use dead man’s fingers to try to unlock his iPhone

In the first known instance of this technique, police tried using a dead man's fingerprints to get past the protection of Apple's Touch ID.

The dead have no privacy rights.
Corpses can’t assert privacy rights in courts. But they can unlock their iPhones with fingerprint authentication, and that comes in mighty handy when police need to investigate who killed them or who convinced them to go on a stabbing spree with a butcher’s knife.
Forbes has published a report of what it says is the first known case of police using a dead man’s fingerprints in their efforts to get past the protection of Apple’s Touch ID authentication technology.
Note that a previous case from July 2016 involved police making a cast from a dead man’s prints, but not from his actual fingers. They asked for 3D prints to be made from fingerprints they already had on file from having previously booked him.
The landmark case involving actual dead fingers is that of Abdul Razak Ali Artan, an 18-year-old Somali immigrant who plowed his car into a group of people on the Ohio State University campus, attacked victims with a butcher’s knife, and was shot dead by police in November 2016.


FBI forensics specialist Bob Moledor told Forbes that about seven hours after the attacker was killed, an FBI agent pressed Artan’s index finger to the iPhone they found on his dead body. Law enforcement hoped that it would give them access to the phone so they could learn more about the attacker and his motives: namely, had he been radicalized by Islamic State?
It didn’t work. Too much time had elapsed, and the iPhone, an iPhone 5 model, had gone into sleep mode. They’d need a passcode to unlock it.
So Moledor sent the phone to a forensics lab. The lab succeeded in retrieving information from the device, which helped them determine that the failed murders may indeed have been inspired by Islamic State’s radicalization campaign.
Of course, it’s no surprise that the lab succeeded. There are now multiple outfits promising that they can hack iPhones. The most prominent name is that of Cellebrite, widely believed to be the firm that broke into the iPhone 5C belonging to dead San Bernardino terrorist and mass murderer Syed Rizwan Farook.
As Forbes reported last month, Cellebrite recently updated its marketing to claim that it can break the security of…

Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11.

A source in police forensics also told Forbes that Cellebrite told him it could unlock the iPhone 8. The source also said that he believed the company could crack the iPhone X, given that security across Apple’s newest devices worked in much the same way. Then too, there’s US startup GrayShift selling a $15,000 device called GrayKey that promises to unlock the iPhone 8 and X.
That’s pricey. Cellebrite is pricier. As The Intercept has reported, a US Drug Enforcement Administration procurement record shows that as of September 2016, a premium unlocking subscription service cost $250,000 a year in the US. One-off hacks were selling for about $1,500 per phone.
Dead people’s fingerprints are a steal.
Marina Medvin, owner of Medvin Law, told Forbes that it’s “entirely legal” for police to try out fingerprints of corpses, if not entirely ethical. Once somebody’s dead, they lose privacy interest in their own body, she said, which takes away their standing in court to assert privacy rights.
Survivors are also likely out of luck trying to stop the police from using the deceased’s fingerprint or other biometrics, Medvin said:

Once you share information with someone, you lose control over how that information is protected and used. You cannot assert your privacy rights when your friend’s phone is searched and the police see the messages that you sent to your friend. Same goes for sharing information with the deceased – after you released information to the deceased, you have lost control of privacy.

Besides the failed attempt to use Artan’s fingerprints to unlock his iPhone, separate sources have told Forbes that it’s now a “relatively common” procedure to press dead people’s fingers to their phones. It’s been used in overdose cases, for example, as police have sought drug dealers.
What’s next up? Likely hacking Face ID with dead people’s faces.
In theory, Apple’s Face ID authentication is supposed to require eye movement to work. But Marc Rogers, researcher and head of information security at Cloudflare, told Forbes that he’s recently discovered that photos of open eyes work just fine.
A few months ago, Vietnamese researchers did the same thing. With a mask.
So much for liveness checks!


5 Comments

Still kind of curious about whether they are brute-forcing passcodes and bypassing the normal restrictions on guesses, or exploiting some other unpublished vulnerability in iOS.
Brute forcing passcodes would be exponentially more difficult if the phone owner used an arbitrarily long passphrase (which is supported in iOS).

It’s very likely not brute-forcing given the exponentially increasing delay on incorrect attempts (up to hours of lockout) and/or the erase on 10 incorrect attempts option potentially being on.

1: Unlock your phone!
2: No
Bang
1: and we slide the finger here….
(not liking this biometrics thing myself)

Jokes aside, it’s well known that your fingerprint can be compelled upon arrest whereas a passcode cannot. The convenience certainly comes at a price. If you don’t want people unlocking your phone without your intervention, create a long passcode and disable TouchID (at least for unlocking the phone). Oh, and per recent articles also disable that leaky little voice assistant…
