How The FBI Could Hack An iPhone With A Corpse’s Fingerprint
All it takes is a dead body (and a little science) for law enforcement to hack into a deceased suspect's iPhone
There’s more than one way to hack an iPhone. Although Apple has refused to help the FBI break into a San Bernardino suspect’s old iPhone, that doesn’t mean law enforcement is out of options. They can let John McAfee do it for them (in his typical grandiose style, he claims it would take him three weeks, tops, or he’ll eat his shoe)—or they could just use a corpse’s fingerprint or some old prints on file to bypass the Lock screen. Hey, it could work.
The FBI would likely encounter little opposition to subpoenaing a deceased criminal’s fingers to unlock an iPhone’s biometric TouchID, according to Marina Medvin, lawyer and owner of Medvin Law. “Once you are dead, you don’t have legal standing to assert a 4th Amendment privacy violation,” she told Forbes. “Stated more simply: Your privacy wasn’t violated, because you are dead.”
Now, to be fair, the outdated iPhone implicated in San Bernardino doesn’t feature TouchID, so this strategy wouldn’t work for the FBI in this particular case. But scientists and white hat hackers have previously demonstrated that it isn’t terribly tricky to get past the iPhone 6’s biometric Lock screen—whether or not the owner’s fingers are readily available. All it takes is an old set of fingerprints, a laser printer and very, very steady hands.
“Hacking TouchID relies upon a combination of skills, existing academic research and the patience of a Crime Scene Technician,” writes Marc Rogers, the white hat hacker who first found a way past the iPhone 5S and iPhone 6’s TouchID. “Exploiting them was anything but trivial.”
Rogers didn’t go the corpse route, but instead mimicked CSI techniques to lift fingerprints from an iPhone screen and then expertly reconstruct those prints into fingertip “gloves”. The process involved using fingerprint powder and the fumes from super glue to capture the print on specialized fingerprint tape. “It is not easy,” he writes “Even with a well-defined print, it is easy to smudge the result, and you only get one shot at this: lifting the print destroys the original.”
Then, Rogers took a photograph of the print with a high resolution camera, edited out the unavoidable smudges and laser printed it onto transparency film. Finally, he smeared glue and glycerol onto the ink side of the print, which created a thin layer of glue that dried in the exact shape of the original fingerprint. After that, it was simply matter of placing the fake print onto the TouchID pad.
For the FBI, it doesn’t even need to be that complicated. First of all, many fingerprints are on file and easily accessible to the FBI, so they could skip most of those steps and simply print out a copy of the fingerprint. And even if they don’t have fingerprints on hand, it is much easier to get a court to order fingerprints than it is to compel someone to divulge his or her password as part of an investigation.
“Fingerprint evidence—unlike a password—is physical evidence that can be compelled with a court order, overriding the objections of an accused or the next of kin of an accused,” Andrea Matwyshyn, Northeastern University professor of law and visiting professor at Princeton, told Forbes. “Additionally, fingerprint data is frequently available through other government sources such as immigration registration databases or other government databases. Forensic examiners may also be able to lift fingerprints from the body of a phone itself for purposes of unlocking a device protected with a biometric password.”
In other words, TouchID lock screens are not all that secure, and the FBI probably can get into your new iPhone. In fact, the FBI can probably also get into your old iPhone using some other creative hack, even without Apple handing over the keys to the palace. But that’s a different subject altogether.