UK police turn to stealing in-use iPhones from suspects on the street, bypassing encryption

Posted:
in iPhone edited December 2016
U.K. law enforcement has turned to legalized "street robbery" to avail themselves of suspected criminals' iPhones, snatching them after the owner unlocks them to prevent contents from being irretrievable by forensics teams.




Metropolitan Police specializing in major fraud and organized crime online came up with the tactic, according to BBC News. A covert team obtained a warrant and trailed one suspect, Gabriel Yew, in June.

A team of officers grabbed the iPhone -- and Yew -- while he was actively using the device, and swiped through screens to prevent the phone from locking while processing the arrest.

"Officers had to seize Yew's phone from him in the street," said the leader of the operation, Detective Chief Inspector Andrew Gould. "This evidence was crucial to the prosecution."

As a result of the seizure, the phone gave up information on how Yew conducted his fake credit card business, as well as evidence leading to four convictions. Also gleaned from the phone were another 100 suspects in the ring.

The law, and compelling decryption

Presumably the U.K. investigators assumed that the Regulation of Investigatory Powers Act of 2000 (RIPA) would fail to induce Yew to give up the password or biometric information for Apple's Touch ID. Failure to comply with RIPA allows for a sentence of up to two years in jail -- Yew was given a five-year sentence as a result of his conviction earlier in December.

In the U.S., suspects' rights are potentially protected against mandatory password sharing by the Fifth Amendment to the Constitution, but a recent court order in Virginia allowed compulsion of a fingerprint or other information for biometric identification, such as Touch ID.

Law enforcement's persistent needs

iOS 8, 9, and 10 all offer full-disk encryption, making it nearly impossible for anyone --including Apple --to access data on a device without its owner supplying the passcode. On products with Touch ID the situation is even more complex --while a person can potentially be compelled to supply their fingerprint, there's a limited time window in which to do so, and physical hacks may run into problems with the Secure Enclave.

Bringing law enforcement's encryption problem to light, the FBI was unable to penetrate the data on the San Bernardino shooters' county-owned iPhone 5c, and lacked the tools to perform the task itself. It attempted to force Apple to develop software to break into the phone.

After a lengthy battle mostly in the court of public opinion, the FBI dropped its legal pursuit of Apple, and hired "grey-hat hackers," rumored to be Israeli firm Cellebrite, to break into the phone. No actionable data was found.

In November, Manhattan district attorney Cyrus Vance claimed that his office held 423 uncrackable Apple devices in evidence, with the iPhone 6 being the most prevalent. As recently as Sept. 2015, the office had around 100.
«1

Comments

  • Reply 1 of 37
    plovellplovell Posts: 826member
    I think the description should be "seize" rather than "steal". The police did have a warrant.
    randominternetpersonSoli[Deleted User]gatorguynetmagemobiusdysamoriabaconstangwatto_cobrajony0
  • Reply 2 of 37
    Rayz2016Rayz2016 Posts: 6,957member
    Oh no! Apple have screwed up again! 

    #RunOverToSuspectAndCoshHimBeforeHeCanLockHisPhoneGate
  • Reply 3 of 37
    SoliSoli Posts: 10,038member
    1a) We need a "poison finger" option to protect against thieves and unscrupulous governments* compelling us to use our fingerprints.
    1b) This is now doable with the new MacBook Pros by creating another account that will launch an app you make with Automator that will call the shell script:
    shutdown -h now
    2) With the number of snatch-and-grab videos of iPhones being stolen that I've seen over the years, I wish that that Apple had an option that will automatically lock your iPhone if it gets disconnected from your Watch. To wit, out of Bluetooth range.


    * Redundant statement.
    edited December 2016 netmageSpamSandwichlostkiwijony0
  • Reply 4 of 37
    macxpressmacxpress Posts: 5,940member
    Whats to stop someone from going into iCloud and remotely wiping the phone? The police cannot disable iCloud without the AppleID. I realize it may be seized and off any network, but if you're quick enough perhaps it could work. 

    This is also why you should password protect Notes. Even if they had the unlocked phone they couldn't access the secured notes without a password or fingerprint. 
    SpamSandwich
  • Reply 5 of 37
    clemynxclemynx Posts: 1,552member
    Here it is, a very simple and effective way of circumventing phone protection. There is no need to make encryption weaker.
    dysamoria
  • Reply 6 of 37
    macxpressmacxpress Posts: 5,940member
    Soli said:
    1a) We need a "poison finger" option to protect against thieves and unscrupulous governments* compelling us to use our fingerprints.
    1b) This is now doable with the new MacBook Pros by creating another account that will launch an app you make with Automator that will call the shell script:
    shutdown -h now
    2) With the number of snatch-and-grab videos of iPhones being stolen that I've seen over the years, I wish that that Apple had an option that will automatically lock your iPhone if it gets disconnected from your Watch. To wit, out of Bluetooth range.


    * Redundant statement.
    I'll start a shit storm here...

    If Trump gets his way...there will be no security on anything. Because...well thats more convenient to government and law enforcement rather than doing it by the book. 
    Solidysamoriajony0
  • Reply 7 of 37
    SoliSoli Posts: 10,038member
    clemynx said:
    Here it is, a very simple and effective way of circumventing phone protection. There is no need to make encryption weaker.
    I wouldn't exactly call it simple. It's primitive, but it's what's been possible since even before the iPhone existed and it requires a live person to actively use the device before it locks again.

    I know you can't change the password without entering the current one, but I do think you can change the duration between when it will auto-lock again. Personally, I've been wanting a passcode lock option on the Settings apps from the state (and now a passcode or Touch ID lock option).
  • Reply 8 of 37
    Could just hold the suspects finger, like while rolling his fingers on the ink pad for fingerprinting, and force him to unlock his phone. Home button, ink pad, fingerprint card. Done.
  • Reply 9 of 37
    macxpress said:
    Whats to stop someone from going into iCloud and remotely wiping the phone? The police cannot disable iCloud without the AppleID. I realize it may be seized and off any network, but if you're quick enough perhaps it could work. 

    This is also why you should password protect Notes. Even if they had the unlocked phone they couldn't access the secured notes without a password or fingerprint. 
    erm... being held in custody maybe? Unless an accomplice saw the whole thing, was unknown to police and also knew the suspects' iCloud log-in then they could do that if they were quick enough yes. I wouldn't be surprised if one of the first things they do upon seizure is activate Airplane Mode.
  • Reply 10 of 37
    calicali Posts: 3,494member
    "Legal robbery"
     Police are going to have fun with this one. 

    Soli said:
    1a) We need a "poison finger" option to protect against thieves and unscrupulous governments* compelling us to use our fingerprints.
    1b) This is now doable with the new MacBook Pros by creating another account that will launch an app you make with Automator that will call the shell script:
    shutdown -h now
    2) With the number of snatch-and-grab videos of iPhones being stolen that I've seen over the years, I wish that that Apple had an option that will automatically lock your iPhone if it gets disconnected from your Watch. To wit, out of Bluetooth range.


    * Redundant statement.
     I was thinking an option to lock the phone if an unregistered finger touches the home button. 



    netmagedysamoria
  • Reply 11 of 37
    crowleycrowley Posts: 10,453member
    adm1 said:
    macxpress said:
    Whats to stop someone from going into iCloud and remotely wiping the phone? The police cannot disable iCloud without the AppleID. I realize it may be seized and off any network, but if you're quick enough perhaps it could work. 

    This is also why you should password protect Notes. Even if they had the unlocked phone they couldn't access the secured notes without a password or fingerprint. 
    erm... being held in custody maybe? Unless an accomplice saw the whole thing, was unknown to police and also knew the suspects' iCloud log-in then they could do that if they were quick enough yes. I wouldn't be surprised if one of the first things they do upon seizure is activate Airplane Mode.
    Opening the camera app would prevent the phone from auto locking. Need to watch the battery though.
    lostkiwi
  • Reply 12 of 37
    Um ... convictions ... credit card fraud ... who're the good guys here? Perhaps the first thing to say should be 'well done' to the Metropolitan Police for smart thinking as they made a lawful arrest of a villain.

    Could be our credit cards next.
    edited December 2016 dysamoriabaconstanggatorguy
  • Reply 13 of 37
    MacProMacPro Posts: 19,851member
    Could just hold the suspects finger, like while rolling his fingers on the ink pad for fingerprinting, and force him to unlock his phone. Home button, ink pad, fingerprint card. Done.
    Or just remove the finger? (I'm kidding)
    macxpressbaconstang
  • Reply 14 of 37
    SoliSoli Posts: 10,038member
    cali said:
    Soli said:
    1a) We need a "poison finger" option to protect against thieves and unscrupulous governments* compelling us to use our fingerprints.
    1b) This is now doable with the new MacBook Pros by creating another account that will launch an app you make with Automator that will call the shell script:
    shutdown -h now
    2) With the number of snatch-and-grab videos of iPhones being stolen that I've seen over the years, I wish that that Apple had an option that will automatically lock your iPhone if it gets disconnected from your Watch. To wit, out of Bluetooth range.


    * Redundant statement.
     I was thinking an option to lock the phone if an unregistered finger touches the home button. 
    To be clear, that is what I mean by "poison finger."
  • Reply 15 of 37
    avon b7avon b7 Posts: 8,034member
    Could just hold the suspects finger, like while rolling his fingers on the ink pad for fingerprinting, and force him to unlock his phone. Home button, ink pad, fingerprint card. Done.
    This is why I see fingerprint sensors more as convenience technology than security technology. If you use it, it's like having one password that you never change. Using it in conjunction  with a typed password is better.

    My Honor 7 with Android 6 allows me to use different fingerprints to unlock the device and I can set a print to give 'guest' access to the unit, limiting access to certain areas but not the entire phone. The fingerprint sensor also supports gestures and is situated on the rear of the phone, making one handed use very simple.

    It would be simple for criminals with this setup to avoid these police tactics by making calls in guest mode and reserving full access to when they are in 'safe' environments

    Apple could take these ideas further.
  • Reply 16 of 37
    SoliSoli Posts: 10,038member
    avon b7 said:
    Could just hold the suspects finger, like while rolling his fingers on the ink pad for fingerprinting, and force him to unlock his phone. Home button, ink pad, fingerprint card. Done.
    This is why I see fingerprint sensors more as convenience technology than security technology. If you use it, it's like having one password that you never change.
    Touch ID is and always has been a convenience feature, not a security one. It only bridges security because without it most people didn't use any PIN and those that did were unlikely to have the device lock immediately.
    Using it in conjunction  with a typed password is better.
    :sigh: The passcode is a requirement for Touch ID. If you don't use it within a certain timeframe the passcode is required. If you have too many failed attempts with Touch ID the passcode is required.  If the device is restarted the passcode is required.
    My Honor 7 with Android 6 allows me to use different fingerprints to unlock the device and I can set a print to give 'guest' access to the unit, limiting access to certain areas but not the entire phone. The fingerprint sensor also supports gestures and is situated on the rear of the phone, making one handed use very simple.
    No.


    StrangeDayswatto_cobrawlym
  • Reply 17 of 37
    Could just hold the suspects finger, like while rolling his fingers on the ink pad for fingerprinting, and force him to unlock his phone. Home button, ink pad, fingerprint card. Done.
    Or just remove the finger? (I'm kidding)
    It's well-known that won't work.
  • Reply 18 of 37
    avon b7avon b7 Posts: 8,034member
    Soli said:
    avon b7 said:
    Could just hold the suspects finger, like while rolling his fingers on the ink pad for fingerprinting, and force him to unlock his phone. Home button, ink pad, fingerprint card. Done.
    This is why I see fingerprint sensors more as convenience technology than security technology. If you use it, it's like having one password that you never change.
    Touch ID is and always has been a convenience feature, not a security one. It only bridges security because without it most people didn't use any PIN and those that did were unlikely to have the device lock immediately.
    Using it in conjunction  with a typed password is better.
    :sigh: The passcode is a requirement for Touch ID. If you don't use it within a certain timeframe the passcode is required. If you have too many failed attempts with Touch ID the passcode is required.  If the device is restarted the passcode is required.
    My Honor 7 with Android 6 allows me to use different fingerprints to unlock the device and I can set a print to give 'guest' access to the unit, limiting access to certain areas but not the entire phone. The fingerprint sensor also supports gestures and is situated on the rear of the phone, making one handed use very simple.
    No.


    'No'

    Ha. Having used both systems, I can assure you that for phone use, the Huawei implementation is far more useful than Apple's. Not just a little. It is miles ahead.

    I fully expect Apple to take 'hints' from it in the future. 

    'Sigh'

    Ha again. Finger print for convenience in conjunction with a passcode for security.

    Example: online banking

    My online banking app gives me  the option to access my account using a passcode or directly if I have used the fingerprint sensor. 
  • Reply 19 of 37
    boredumbboredumb Posts: 1,418member
    I can't decide whether I'm increasingly surprised our U.S. legal system is based on Britain's...or not.
  • Reply 20 of 37
    macxpress said:
    Soli said:
    1a) We need a "poison finger" option to protect against thieves and unscrupulous governments* compelling us to use our fingerprints.
    1b) This is now doable with the new MacBook Pros by creating another account that will launch an app you make with Automator that will call the shell script:
    shutdown -h now
    2) With the number of snatch-and-grab videos of iPhones being stolen that I've seen over the years, I wish that that Apple had an option that will automatically lock your iPhone if it gets disconnected from your Watch. To wit, out of Bluetooth range.


    * Redundant statement.
    I'll start a shit storm here...

    If Trump gets his way...there will be no security on anything. Because...well thats more convenient to government and law enforcement rather than doing it by the book. 
    Congress creates the laws and the Supreme Court checks them for constitutional violations when cases are presented. It's no more possible for Trump to be a dictator than it was for Obama... and Obama has come closer than almost any president to acting completely outside the restraints of the office. 

    Trump has had conversations with Paul Ryan expressing that the office of the presidency has unbalanced the balance of power, so I find it less likely Trump will engage in the type of stuff you imagine.
    chris_ca
Sign In or Register to comment.