How to Arrest Someone with an iPhone

FBI Director Comey appears to think that an iPhone is a brick to law enforcement. This is not the case. I’ve been looking into iOS security, in order to develop techniques and protocols useful for activists in hostile countries. It is possible to configure an iPhone or iPad so that it is very hard to crack, but most people do not.

So here’s how to take advantage of these usability weaknesses:

How To Arrest Someone with an iPhone

iPhone encryption is very solid: it needs to be. If it were weaker, every mugger or foreign intelligence service could happily have “mug someone day”, take those shiny phones, and use the resulting trove of information. But this does result in problems for an arresting officer, as a properly password-protected iPhone is effectively a brick. But all is not lost.

Here’s the protocol I’d recommend:

Step 0: Have a warrant in place already for any electronic devices on or about the target (if possible). Don’t bring Riley (the Supreme Court decision requiring warrants to access cellphones) into it if you don’t have to.

Step 1: Wait to see if you can arrest when he’s looking at his phone. Dropped phones crack screens, but they still work and they don’t destroy data when it happens. If the phone is unlocked, great. However, if the suspect also has a computer during this process, it is more important that the computer is unlocked rather than the phone: the phone is almost certainly backed up on the computer.

Step 2: After arresting, see if the phone is locked by tapping on the bottom button quickly (and ideally with a pen, you don’t want to trigger the fingerprint reader). If it’s unlocked, great! Keep it that way: about every 30 seconds, swipe back and forth until you can hook it up to whatever forensic reader you have, or simply a laptop running iTunes. Don’t go digging through the data if you don’t have a warrant, just a left/right swipe (the absolute minimum activity needed to keep the phone live).

Step 3: If it’s locked, swipe right to see the passcode entry screen. Is it a number pad or a keyboard? If it is a number pad, is there a fixed number of digits?

Step 4: Make sure the suspect’s hands are clean and dry (the fingerprint reader doesn’t work when dirty and locks out after 24 hours, so this needs to be done when you arrest someone, not sometime later). First press the right thumb, then the left thumb, then the dominant hand’s index finger on the button at the bottom to see if it unlocks (the fingerprint reader on iPhone starting with the 5S is located on the home button, but locks out after three failures). If it unlocks, great! Again, keep it that way.

Step 5: Hook it up to whatever reader you have to read out the contents of an unlocked phone. If you don’t have a warrant yet, call up the judge but do the download immediately! If it had a number pad on the lock screen and 4 digits, hook it up anyway: the forensics reader MAY be able to brute-force the PIN (depending on OS/version).

This IS exigent circumstances under Riley: The phone will otherwise autolock in a minute or two of inactivity, the fingerprint reader self-disables after 24 hours, and while the phone is connected to a network, someone authorized can send a remote wipe command.

You MUST NOT LOOK at any of the data that is being recovered until you have a warrant in hand: once the forensics download starts you no longer have exigent circumstances, but this is how you reliably disable the locking mechanism and ensure you have a copy so that once you do have a warrant, you can search away.

Finally, if using iTunes to read out the phone’s contents, create an “encrypted” backup with a known password. Encrypted backups on a computer read out information from the phone which is otherwise not backed up.

But what if things are still locked?

If you don’t have the phone unlocked by now, things are harder, but it’s not game over yet:

Step 6: Put the phone in a mylar sack with an extended battery. Ask the suspect for the password; if you are lucky, he’ll tell you anyway. Be polite. If not, you want to keep the phone powered on but NOT connected to the network, so it can’t be remote wiped.

Step 7: If the phone is still locked at this point, all is not lost. Get a search warrant and call Apple to see if there is a backup, and if so get it. I will have an upcoming analysis later, but iCloud backup is particularly weak.

Step 8: Get the suspect’s computer. If it’s unlocked, it too might have a backup of the phone.

This should work on most suspects because although the encryption on the iPhone is solid and then some, there are usability tradeoffs which someone needs to make to actually take advantage of these protections.

Thus people use short crackable PINs, use the fingerprint reader, and/or have a backup. Any of these can potentially be used to recover the information on the phone: actually using a strong password without the fingerprint reader is a usability nightmare, while a no-backups policy means any accident with the phone involves the potential for a massive data loss.

As a consequence, the iPhone, properly used, may be a “brick”, but, in practice, most suspects will not be using it in such a hard mode and there are straightforward ways to capture the data after you arrest someone.

About the author: Nicholas Weaver, Ph.D. is a researcher focusing on Computer Security at the International Computer Science Institute in Berkeley. He is not a lawyer and this should not be interpreted as legal advice.

Note: This is released under Creative Commons/Attribution/No Derivatives.
