Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Feds Force Suspect to Unlock iPhone With His Face

October 8, 2018

As reported by Forbes on September 30th, a child abuse investigation is the first known case, anywhere in the world, in which law enforcement used Apple's Face ID facial recognition technology to open a suspect's iPhone.

On August 10, the FBI searched the house of 28-year-old Grant Michalski, a Columbus, Ohio, resident who would later that month be charged with receiving and possessing child pornography. A federal investigator with a warrant told Michalski to put his face in front of the phone, which he did. That allowed the agent to look through the suspect's online chats, photos and whatever else he deemed worthy of investigation.

There have been multiple cases in which suspects have been told to unlock iPhones with their fingerprints, via Apple's Touch ID biometric login. The same technique was used on dead subjects. Earlier this year, Forbes disclosed the use of GrayKey, a $15,000-$30,000 tool that can break through the passcodes of the latest iOS models, including the iPhone X. Another contractor, Israel's Cellebrite, announced similar services.

Now Face ID is being used. While the investigator here had a warrant, and appeared to have done everything legally, there are serious concerns about the use of such tactics.

"Traditionally, using a person's face as evidence or to obtain evidence would be considered lawful," said Jerome Greco, staff attorney at the Legal Aid Society. "But never before have we had so many people's own faces be the key to unlock so much of their private information."

On the phone, there were conversations over chat app Kik Messenger in which users discussed abuse of minors, according to the affidavit's narrative. It was later discovered that Michalski had used Kik previously to talk with an undercover officer posing as a father interested in sex with children. Kik has had to deal with a vast number of child exploitation cases involving its platform, and promised to spend millions of dollars on fixing the problem.

Leading up to the seizure of the device, FBI special investigator David Knight had learned that Michalski had posted an ad on Craigslist titled "taboo," the investigator wrote. Emails were later shared between Michalski and another defendant William Weekley in which they discussed, amongst other things, incest and sex with minors, according to Knight's telling. That included sexual acts with a Jane Doe, whom Weekley referred to as his daughter. Both defendants await trial. No date has been set yet.

Though Knight may have found some evidence of criminal activity when he manually searched the device, in one respect the forced Face ID unlock of the iPhone X was a failure. It wasn't possible to siphon off all the data within using forensic technologies. That was because the passcode was unknown.

In modern iPhones, to hook the cellphone up to a computer and transfer files or data between the two, the passcode is required if the device has been locked for an hour or more. And forensic technologies, which can draw out far more information more quickly than can be done manually, need the iPhone to connect to a computer.

It appears Knight didn't keep the device open long enough and so couldn't start pulling out data with forensic kits. He admitted he wasn't able to get all the information he wanted, including app use and deleted files. What Knight did get he documented by taking pictures.

But he wasn't to be frustrated entirely. In another revelation in the court filings, Knight noted he'd learned both the Columbus Police Department and the Ohio Bureau of Investigation had access to "technological devices that are capable of obtaining forensic extractions from locked iPhones without the passcode." The only two companies known to have provided such services this year are Cellebrite and Grayshift.

Both those companies have been doing big business with the U.S. government of late. Grayshift scored its biggest order to date earlier this month, a $484,000 deal with the Secret Service. That followed a $384,000 contract with Immigration and Customs Enforcement (ICE). The Secret Service spent $780,000 on Cellebrite in September too.

Michalski's lawyer Steven Nolder told Forbes the FBI wanted to use Cellebrite tools to extract data from the device, but hadn't been successful despite the Face ID unlock. "Consequently, at this moment, they've not found any contraband on the cellphone," Nolder said over email. "That's a Pyrrhic victory as there was contraband found on other devices but there would be no need to challenge the warrant's facial recognition feature as my client was not harmed by its use."

But Nolder said that the cops were now using boilerplate language in warrants to allow them to access iPhones via Face ID. "Law seems to be developing to permit this tactic," Nolder added.

To date, there has been no challenge to the use of Face ID in this case or others. But Fred Jennings, a senior associate at Tor Ekeland Law, said they could come via the Fifth Amendment, which protects individuals from incriminating themselves in cases.

In previous rulings, suspects have been allowed to decline to hand over passcodes, because the forfeiture of such knowledge would amount to self-incrimination. But because the body hasn't been deemed a piece of knowledge, the same rulings haven't been applied to biometric information, like fingerprints or face scans. That's despite the fact that the use of passcodes, fingerprints and faces on an iPhone has the same effect in each case – unlocking the device.

Jennings thinks that as long as there's no specific legislation dealing with this apparent conflict, courts will continue to hear arguments over whether forced unlocks via facial recognition are a breach of the Fifth Amendment.

There are various ways in which the latest iPhones can evade federal investigations, even if Apple didn't design features for that specific purpose. Beyond the passcode, thanks to a feature called SOS mode, it's possible to shut down Face ID and Touch ID with five quick clicks of the power button in older iPhones. In the iPhone 8 and X, the same is achieved by holding the side button and one of the volume buttons. And if the device hasn't been opened within 48 hours, a passcode is required to open it again.

"Additionally, a long and unique alphanumeric passcode will prevent any forensic imaging attempts from decrypting your phone's data," said Ryan Stortz, a security researcher at Trail of Bits. "However, SOS won't save you if the feds distract you and seize your phone out of your hand."

Apple's Face ID also requires a person's eyes to be open. Not only that, Apple's tech has "liveness detection" that attempts to determine if the visage looking at the device is alive.

So, unlike Touch ID, Face ID doesn't work with the dead. According to one source in the forensics community who asked to remain anonymous, New York narcotics cops have even tried on multiple occasions to open iPhone X devices of heroin overdose victims but without success.

Sorry for some of the slightly ghoulish and unpleasant content in this post, but we receive a ton of questions about this topic, and the Forbes article did a really good job of detailing what is and isn't possible – and the current legal status of law enforcement's attempts to get access to smartphone data.

Thanks to Dave Ries.

Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson