FBI agents forced a suspect to unlock their Apple iPhone using their face. While forcing you to provide an image of your face is akin to forcing you to provide a fingerprint, the end result is that law enforcement has an easy way to get into Apple devices. There is still something you can do about it though.
How to Keep the Police out of Your iPhone
Keeping the police from using your face or fingerprint to access your phone is a straight-forward process with your iPhone. Just turn your device off and back on again, but do not unlock it. You can turn off the newest iPhone models by pressing and holding the Volume Up Button and the Side Button at the same time.
Once the phone powers back on, the phone can only be accessed by entering your passcode. (Keep reading, we will tell you how to set a password that’s even stronger than the standard 6-digit code, and why you might want to do that.)
While that is a straight-forward concept, putting it into practice is a bit more difficult than you might imagine. For example, you may carry your insurance card on your phone. While that’s convenient, it will make it a lot harder to force the phone to require a passcode as the officer walks up to your vehicle. Similarly, do you know the number to your emergency contact if you are arrested? If you ask to use your phone to look up a number, you need to know that the police are not going to let you power off your device and reboot it. My advice? Carry a paper copy of your insurance card. Don’t rely on an image on your phone or your insurance providers app. Memorize a couple of numbers that you might need to call if you are arrested.
The Constitution, Cell Phones, and Cracking Passcodes
The Fourth Amendment protects individuals against unreasonable search and seizure by the government. Remember that in 2014, in Riley v. California, the Supreme Court ruled that law enforcement needs to get a warrant to search a cell phone in most cases.
The question becomes how do the police get into phones after they have a valid warrant. Assuming you’ve followed the advice in this article, the police should not be able to hold the phone up to your face or force you to provide your fingerprint to open your iPhone. Even with a warrant, the police cannot force you to testify against yourself, so they can’t force you to tell them your password.
Law enforcement officials can try a brute force attack, but that can be a time-consuming and expensive process. Modern iPhones have 256-bit encryption, support four-digit, six-digit, and arbitrary length alphanumeric passcodes.
By way of example, a computer could crack:
- a 4-digit passcode in 6 minutes and 34 seconds
- a 6-digit passcode in 10 hours 57 seconds, and
- a 12 character alphanumeric password with special characters: more than a trillion years.
While just under 11 hours may not seem long, remember how difficult it was to unlock the San Bernardino shooter’s phone? That is because Apple automatically disables the passcode after five attempts to enter a passcode incorrectly. If you have a six-digit passcode, it would take 22 hours to try all the possible combinations including the time-outs. A six-letter passcode made up of numbers and letters would take 5.5 years to crack with the time-outs. The difficulty in cracking a password by brute force goes up exponentially with the length of the passcode.
With the volume of cases that come in and limited resources, state and local agencies reserve brute force attacks for the most serious of cases. You should anticipate law enforcement will ask for a court to order that a defendant provide a fingerprint or a facial scan because doing so would not implicate the Fifth Amendment, and there is little intrusion into the person’s privacy that would prevent such an order under the Fourth Amendment. A judge faced with the decision of signing such an order would balance the intrusiveness of the request with the purposes of law enforcement. For example, a blood draw during a DWI investigation is considered highly invasive and requires a warrant. However, taking a buccal (cheek) DNA swab from someone who was arrested for a serious crime is considered a minimal intrusion and does not require a warrant.
Steps You Can Take to Keep the Police Out of Your iPhone
First, remember not to give consent to search your phone or any other electronic device, even if the agent says “we will get into it anyway.”
Second, if at all possible, turn your phone off and then back on if you are stopped by the police and have an iPhone. This will force the device to require a passcode to access the device instead of Face ID or Touch ID. (This has been our advice since 2014.)
AppleInsider reports that pressing the buttons on both sides will “will temporarily disable Face ID.” This might slow things down, but turning off your iPhone (for now) ensures that a passcode will be necessary no matter how long law enforcement waits to try accessing your phone again.
Third, use a secure passcode. A long alphanumeric password will make it extremely difficult for law enforcement to crack using brute force.
How to enable alphanumeric passcode in iPhone
1. Go to Settings
2. Go to Touch ID & Passcode
3. Click Change Passcode
4. Re-Enter Your Existing Passcode
5. Click Custom Alphanumeric Code
6. Enter your new passcode.
Also published on Medium.