Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Government Iphone Privacy Technology

Cops Are Now Opening iPhones With Dead People's Fingerprints (forbes.com) 212

An anonymous reader shares a report: In November 2016, around seven hours after Abdul Razak Ali Artan had mowed down a group of people in his car, gone on a stabbing spree with a butcher's knife and been shot dead by a police officer on the grounds of Ohio State University, an FBI agent applied the bloodied body's index finger to the iPhone found on the deceased. The cops hoped it would help them access the Apple device to learn more about the assailant's motives and Artan himself.

This is according to FBI forensics specialist Bob Moledor, who detailed for Forbes the first known case of police using a deceased person's fingerprints in an attempt to get past the protections of Apple's Touch ID technology. Unfortunately for the FBI, Artan's lifeless fingerprint didn't unlock the device. In the hours between his death and the attempt to unlock, when the feds had to go through legal processes regarding access to the smartphone, the iPhone had gone to sleep and when reopened required a passcode, Moledor said. He sent the device to a forensics lab which managed to retrieve information from the iPhone, the FBI phone expert and a Columbus officer who worked the case confirmed. That data helped the authorities determine that Artan's failed attempt to murder innocents may have been a result of ISIS-inspired radicalization.

Where Moledor's attempt failed, others have succeeded. Separate sources close to local and federal police investigations in New York and Ohio, who asked to remain anonymous as they weren't authorized to speak on record, said it was now relatively common for fingerprints of the deceased to be depressed on the scanner of Apple iPhones, devices which have been wrapped up in increasingly powerful encryption over recent years. For instance, the technique has been used in overdose cases, said one source. In such instances, the victim's phone could contain information leading directly to the dealer.

This discussion has been archived. No new comments can be posted.

Cops Are Now Opening iPhones With Dead People's Fingerprints

Comments Filter:
  • Is this a problem? (Score:5, Interesting)

    by XxtraLarGe ( 551297 ) on Monday March 26, 2018 @12:34PM (#56328753) Journal
    I'm not sure there is a 4th amendment issue here if the suspect is dead, as they would no longer have an expectation of privacy, and the item was found after the commission of a crime. I'm open to the possibility that I'm wrong on this, looking forward to hear arguments.
    • by TWX ( 665546 )

      Pathologists already would, depending on the degradation of the corpse, basically take the skin of the fingers off of the body and either put it on a mandrel or else would put it over their own gloved hands as a human-glove to get fingerprints.

      I am not surprised in the slightest that investigators would attempt to unlock biometric locks with the biometrics of the deceased. I would be more surprised if they didn't try it. I also wouldn't be surprised if they have to develop techniques to duplicate someone'

    • by AmiMoJo ( 196126 )

      In the EU it would fall under privacy rules. Even dead people have privacy rights, and of course their surviving family members do.

      It depends on the circumstances but there could be issues there.

      • Agreed in that it's all about circumstances. If a person was randomly found dead and was unidentifiable, I think it's perfectly reasonable to do this to try and identify who they were, reach out to next of kin. Same with a murder victim in that the fingerprint could help lead to their killer. However, if this is someone gunned down by police, or they find a victim who they can identify, unless there is an immediate threat as defined by the law (e.g. a bomb is planted and about to go off), I don't think t
      • In the EU it would fall under privacy rules. Even dead people have privacy rights, and of course their surviving family members do.

        That's the issue for me here as well - when a person dies the police can't legally start confiscating their former property, so why would it be any different with personal effects?

    • I'm not sure there is a 4th amendment issue here if the suspect is dead, as they would no longer have an expectation of privacy

      That sounds to me like a rationale for looting the property of the deceased; I think next-of-kin would argue the point.

  • It would be nice if these devices automatically unlocked after some time limit, like 1 year. At least we could get into a device after someone died or after the police confiscated a device long enough, without having to hand over some backdoor keys that compromises the security of all our devices.

    There really is no perfect solution that protects our rights and provides security and allows law enforcement to do their job. Some reasonable compromise has to be found. I'm of the mind that our rights has the hig

    • You must be kidding. Why should anyone have access to anything you own after some arbitrary time limit? The mind boggles at the stupidity.
    • by mysidia ( 191772 ) on Monday March 26, 2018 @01:00PM (#56328941)

      It would be nice if these devices automatically unlocked after some time limit, like 1 year.

      That would imply an application Logic-based lock, but instead, these phones use cryptography so the passcode is required to decrypt the data; "Fingerprint" access only works while the key derived from the passcode is still in volatile memory, and once the phone sleeps or reboots or something, that memory is purged, and the decryption key needs to be supplied again.

      If they didn't encrypt the data ---- then everything on your phone could potentially be stolen by a criminal attacking either Apple's servers or the phone itself and finding a flaw in the Logic-based lock.

      • by OrangeTide ( 124937 ) on Monday March 26, 2018 @01:12PM (#56329033) Homepage Journal

        I used to do TPM drivers for embedded systems, it's not that far fetched of a feature to time out when your TPM already has an NVRAM. From NVRAM it's simple to embed an RTC (simple but not free, increases costs by several cents and creates supply chain disruption by introduction of a new variant). There are other ways to deal with this problems as well, and I'm not married to this idea.

        My main point is the solution that most of the people on slashdot demand is not really feasible. That solution being to do nothing to disrupt the status quo and lock devices down so that nobody, not even law enforcement, can get into the device. If you can't trust your police and legal system to not violate your rights on your cellphone, how can you trust them in any other aspect of your life? Fix the real problem of corruption and public distrust.

      • "It would be nice if these devices automatically unlocked after some time limit, like 1 year."

        This gives you an easy attack vector: just reset the clock.

        • by mysidia ( 191772 )

          I think you want to reply to the parent, as I have not suggested the time-based unlock is feasible in a secure smart phone.
          However, the issue of resetting the clock can be mitigated by requiring the phone to be unlocked to access those settings. Alternatively the "mechanism to unlock after 1 year" could require a digitally signed request that is also countersigned by multiple secure timestamping authorities possessiong X509 security certificates from trusted Root CAs holding the timestamping r

      • by Kjella ( 173770 )

        It would be nice if these devices automatically unlocked after some time limit, like 1 year.

        That would imply an application Logic-based lock, but instead, these phones use cryptography so the passcode is required to decrypt the data;

        Not really, the PIN is not the key and would not be needed if you could use brute force. And it enforces the timeouts somehow so it has a clock. If it doesn't work to have a one-year clock you have one "decrease unlock clock attempt" per day that always succeeds and if you do that 365 times it unlocks, technically it's not a problem to build it into the system But practically one year later is not a problem for somebody looking for celeb nudes on a stolen phone, the information is still valuable. All the pr

    • It would be nice if these devices automatically unlocked after some time limit, like 1 year. At least we could get into a device after someone died or after the police confiscated a device long enough, without having to hand over some backdoor keys that compromises the security of all our devices.

      The problem with that is that if someone wants to get your super-secret data, all they have to do is steal your phone, lock it in a safe for a year, and take it out and poof, it's unlocked. That doesn't sound very secure to me.

    • Include your passwords and PINs in a document that resides somewhere safe, like a safety deposit box. Your will confers access to it, and then your loved ones can unlock everything.

  • That's why I never use finger print scanners, albeit Apple wants to shove those down everyone's throat by asking for a fingerprint every time you download an app, if you happened to register 1 finger print at least once.
  • by Dallas May ( 4891515 ) on Monday March 26, 2018 @12:39PM (#56328787)
    Tell you what. If I'm murdered and the cops think there might be something on my phone that would tell them who murdered me, I'm cool with them using my finger to unlock it.
    • by Okian Warrior ( 537106 ) on Monday March 26, 2018 @12:43PM (#56328807) Homepage Journal

      Tell you what. If I'm murdered and the cops think there might be something on my phone that would tell them who murdered me, I'm cool with them using my finger to unlock it.

      Apropos of nothing, are you cool with them having an incentive for shooting you rather than taking you in, in order to get at your information?

      • While an extreme interrogation technique no doubt it would be used in some cases.
      • No. But that's a really, really, really low view of cops that I don't share. I'm cynical on a lot of things, and I understand that cops have a history of being a bit trigger happy, especially with minorities, but I'm not at a place where I think a typical cop would intentionally murder a person just to get evidence for a case. That's a significant step further.
        • But we aren't talking about a typical cop here, nor about a typical scenario of phones being unlocked, are we?

      • Why do you think they won't just order you to use your finger to unlock the phone when alive? Police are already adept at physically forcing you to do things.

      • by qbast ( 1265706 )
        They can just grab your finger and forcibly push it to the phone. Less mess and paperwork to clean up. And what are you going to do when cops testify that the phone was already unlocked when they took it?
      • Apropos of nothing, are you cool with them having an incentive for shooting you rather than taking you in, in order to get at your information?

        They can already use your fingerprint to unlock a phone while you are alive. They don't need to kill you to gain access.

    • by mysidia ( 191772 )

      Not only that.... but I would be happy to supply my passcode to an agent that would release it to only trusted individuals upon my death.
      If only such an agent could exist, and if only there were a place I could trust highly enough to secure my passcode with a strong assurance that the passcode could never be used against me or released prematurely, or against my wishes, or to anyone but highly-trustworthy individuals.....

      • AND would be resistant to court orders or warrants?

        Good luck finding a way to do that.

        • Court orders, warrants, and the informal "we can't compel you, but it would be such a shame if you were to be arrested for something" warrant.

        • Give it to your wife or husband.
          • by mysidia ( 191772 )

            Lots of people are single, including me. I have no wife or husband.

            And if I had one... I'm not sure it would be wise to entrust them with the passcode, since they would already be inherently trusted with almost everything else or soooo many other things, and there are things that exist called divorces and related risks of being betrayed; that there should be at least a FEW personal resources protected from a spouse... "just in case".

        • by Holi ( 250190 )
          Too bad there isn't a system in place, where you have someone trained in the law, who has a duty to their client, and very powerful protections of their communications built into our legal system.

          I mean if we did we should call them Law-ers or something.
          • by mysidia ( 191772 )

            and very powerful protections of their communications built into our legal system.

            It sounds great.... I don't know of any lawyers advertising an information filing/retention/release-on-event service that would make this possible though.

            Would you know of a service, where I could file documents with release instructions --
            and obtain said legal protections in addition to strong technical and physical access controls that would require 2 or 3 employees to be able to verify the authentic

    • Tell you what. If I'm murdered [...] I'm cool

      Yes. Yes you are.

  • by WindBourne ( 631190 ) on Monday March 26, 2018 @12:47PM (#56328831) Journal
    when I said that we should NOT do the fingerprint lock on the phone. I have to say that it will actually encourage somebody killing you, and taking your hand, or such as the police using it.
    HOWEVER, where it DOES make sense, is for app access. IOW, once you have unlocked the phone, but an app, say credit card needs to be unlocked again, the finger print makes sense. Kind of wish that we could do say 1-3 prints for the key. That would truly limit the likelihood of somebody being able to use it.
    • by jwhyche ( 6192 )

      Well, my first question would be. Has there ever been a documented case of any one being killed so someone can use their finger to unlock their phone?

      I believe in being secure. My phone is locked most of the time, unlocked with a pin and a finger print. I also have nova launcher set so that I can lock it and disable the finger print scanner. It also unlocks at my home and if my wireless headphones are attached.

      None of these will keep a dedicated police search out of my phone. But they will keep so

      • not sure about the first, however, in the Aurora, Co Mall, somebody had bought an iphone and another person running by grabbed it. Apparently, they tore a finger off the owner, and yet, the crook continued to run with it.
        Add to that, the fact that ppl DO have apps on the phones where they can access 100's of 1000s of $. Ppl kill for 100s of $, so, I would guess that if they know, or at least you look it, that you have 100,000+ accessible via your phone and all it takes is your finger to access it, it wil
      • by vux984 ( 928602 )

        "None of these will keep a dedicated police search out of my phone."

        Given that it unlocks itself at your home, I'd tend to agree.

        " But they will keep someone from wandering by and just going through my phone."

        Some of the people most likely to wander by and go through your phone are in your house (where its unlocked): family members, guests, roommates, your guests or THEIR guests.

        I'm not saying you should have any reason not to trust your wife, but your 16 your old's best friends' boyfriend my be less reliab

    • by mysidia ( 191772 )

      This is where careful selection of hardware comes.... For instance in the Android ZTE Axon7's fingerprint sensor they reportedly chose to use Goodix's solution that uses Infrared imaging of the print on tissue beneath the surface of the finger which verifies liveness of the finger, and that the print presented is not a simple cosmetic mockup or disembodied finger.

      The only concern then is forced access..... Wouldn't TWO-Factor make sense?
      Option A quick access: FINGER + 4-digit PIN

      Option B on

  • by SeaFox ( 739806 ) on Monday March 26, 2018 @01:09PM (#56329007)

    ...when you unlock it with my cold, dead hands.

  • by HeckRuler ( 1369601 ) on Monday March 26, 2018 @01:12PM (#56329031)

    I don't want my dead fingers to be more useful to the cops than my living fingers. That's a bad-mojo sort of incentive brewing right there.

    • by cogeek ( 2425448 )
      It wouldn't be more useful. Arrested criminals can already be forced to give up passwords despite the 5th amendment and it's been upheld by the Supreme Court. A living finger works a lot easier than a dead one. Cops might have to break a few of the unnecessary fingers to get compliance, but they'll get it unlocked whether the hand is alive or not.
    • I don't want my dead fingers to be more useful to the cops than my living fingers. That's a bad-mojo sort of incentive brewing right there.

      They can make you put your living finger on the scanner, so your dead fingers would be equally useful, not more useful.

      As for theories that they might shoot you because they don't have probable cause to arrest you, it's much easier to manufacture probable cause than it is to justify shooting. Even if their probable cause gets tossed later, they can still use whatever evidence they got from the device, just not against you. And of course if they kill you they can't use the evidence against you, because you

    • A lot of people seem to have forgotten that parallel construction [techdirt.com] is a thing.

  • Heh, this certainly gives new meaning to that expression!

  • Get a warrant (Score:5, Informative)

    by some old guy ( 674482 ) on Monday March 26, 2018 @01:21PM (#56329117)

    Body dead too long? Too bad. Get a warrant.

    Druggie too stoned to give consent? Get a warrant.

    Want to access my phone FOR ANY REASON? Get a fucking WARRANT.

  • You can't steal a password off someone's body, dead or alive.

  • Abdul Razak Ali Artan had mowed down a group of people in his car, gone on a stabbing spree with a butcher's knife and been shot dead by a police officer on the grounds of Ohio State University,

    Attention, you millennial ornate hexagonal crystals of dihydrogen monoxide! For how much longer are we going to let people ride around in these personal weapons of mass destruction, wielding kitchen utensils that can kill silently at any time? The UK is taking knives away from people now, and so can we. #CarsKillKnivesKillBusesForAll

  • Am I the only one who noticed?

    an FBI agent applied the bloodied body's index finger

    Uh... Perhaps using the thumbprint instead would have been better since that is what the iPhone uses?

    • Well, it can use any finger you register. I use a thumb and an index finger.

      Of course, you only get so many attempts (fewer than 10) so you can't go through all fingers without getting a lockdown.

  • What would happen if, say, during the commission of a crime, the suspects finger was lost (got ripped off ... something gross)? If the cops recovered it, could they use it to attempt an unlock? If that's the case, we are one step from suspects "accidentally" losing a finger, conveniently.
  • I don't care. If you're dead, you should have absolutely zero rights.

    • So, when you die, I should be able to just walk into your house and take your stuff? Claim your bank account?

  • High time too; thieves have been using Hands of Glory [wikipedia.org] for hundreds of years now, it's nice to see the police finally catching up with modern necromantic technology...

  • My phone is unlocked with no password required. If I had anything to hide it would be in plain sight.

Enzymes are things invented by biologists that explain things which otherwise require harder thinking. -- Jerome Lettvin

Working...