The recent federal raid on the home of Washington Post reporter Hannah Natanson isn’t merely an attack by the Trump administration on the free press. It’s also a warning to anyone with a smartphone.

Included in the search and seizure warrant for the raid on Natanson’s home is a section titled “Biometric Unlock,” which explicitly authorized law enforcement personnel to obtain Natanson’s phone and both hold the device in front of her face and to forcibly use her fingers to unlock it. In other words, a judge gave the FBI permission to attempt to bypass biometrics: the convenient shortcuts that let you unlock your phone by scanning your fingerprint or face.

It is not clear if Natanson used biometric authentication on her devices, or if the law enforcement personnel attempted to use her face or fingers to unlock her devices. Natanson and the Washington Post did not respond to multiple requests for comment. The FBI declined to comment.

    • this@sh.itjust.works
      1 hour ago

      Even better, set it to 1234567890 or 00000000 or a similar easy-to-guess PIN, and change it to the length of your actual PIN. Now if someone tries to brute-force your phone it will instantly wipe, and you can make a case that it was law enforcement who destroyed any “evidence” by their own actions if it comes up in court.

      • spizzat2@lemmy.zip
        21 minutes ago

        Don’t they make a copy of the phone before they go about trying to unlock it?

        This kind of security is only going to work against a careless or incompetent atta-- oh. I see…

  • pineapple@lemmy.ml
    2 hours ago

    I use biometrics to access some of the apps on my phone. But my home screen requires a password to unlock.

  • HiddenLayer555@lemmy.ml
    4 hours ago

    > hold the device in front of her face and to forcibly use her fingers to unlock it. In other words, a judge gave the FBI permission to attempt to bypass biometrics

    This isn’t bypassing biometrics. This is using biometrics as intended. Bypassing implies this was an unexpected side effect when every security researcher ever has warned that biometrics is intrinsically vulnerable and a terrible password substitute for this exact reason.

  • Darkassassin07@lemmy.ca
    5 hours ago

    Or at the very least, turn your phone entirely off (shut down) whenever you expect or encounter police contact.

    Biometrics only work when the device is already running. Mobile devices are in their most locked-down/secure state when ‘at rest’, i.e. shut down.

    In Android, there is also a ‘lockdown’ mode you can quickly activate from the power-off screen, which disables biometrics until the next unlock with a PIN/pattern, but doesn’t fully shut down, so you can still quickly access things like the camera. This has to be explicitly enabled in settings first and will not offer much protection from various lockscreen bypass software available to law enforcement.

    • myserverisdown@lemmy.world
      33 minutes ago

      > In Android, there is also a ‘lockdown’ mode you can quickly activate from the power-off screen, which disables biometrics until the next unlock with a PIN/pattern, but doesn’t fully shut down, so you can still quickly access things like the camera. This has to be explicitly enabled in settings first and will not offer much protection from various lockscreen bypass software available to law enforcement.

      2 things. Unless I accidentally enabled this setting, it’s on by default. And what do you mean by lockscreen bypass software? What would be the point of lockdown if it’s not effective against law enforcement trying to brute force your privacy?

      • Darkassassin07@lemmy.ca
        3 minutes ago

        > it’s on by default

        It may well be on by default now. I just know I had to enable it the last time I looked at this.

        > what do you mean by lockscreen bypass software

        Tools such as those provided by Cellebrite and similar.

        Lockdown mode is mainly to disable biometrics, to prevent someone on the street forcibly using them to unlock your device. It’s not going to stop an entire agency with more sophisticated tools.

    • birdwing@lemmy.blahaj.zone
      4 hours ago

      Also, don’t take your phone to protests. ACAB.

      Wear clothing that can’t identify you. Hide tattoos and anything that might make you stand out. Get clothes from a free giveaway place, without cameras.

      • Hideakikarate@sh.itjust.works
        2 hours ago

        I’ve been debating buying a burner phone for protests, leaving my main phone elsewhere, and only powering on the burner when it’s needed. Probably the only way to bring a phone to a protest.

        • domdanial@reddthat.com
          2 hours ago

          You can also buy Faraday bags, if you want a phone available but not online. But it’s still there physically, so a burner would still be a good choice.

    • GhostlyPixel@lemmy.world
      5 hours ago

      > In Android, there is also a ‘lockdown’ mode you can quickly activate from the power-off screen, which disables biometrics until the next unlock with a PIN/pattern

      On iOS, with a locked device, quickly press the lock button five times to do the same. It should bring up the power off/SOS screen, which you can dismiss.

  • JackBinimbul@lemmy.blahaj.zone
    5 hours ago

    Jesus fucking christ.

    I don’t use my phone for anything other than directions, phone calls, and texting my wife. Partially because I’m not going to carry around something with tons of shit that can be used against me.

    This is fucking insane.

      • ToTheGraveMyLove@sh.itjust.works
        3 hours ago

        Just know that SMS and regular phone services are inherently insecure, and don’t use them for any conversations you wouldn’t want broadcast to the whole world.

          • ToTheGraveMyLove@sh.itjust.works
            2 hours ago

            I don’t think there’s necessarily a safest; that’s a moving target and everyone’s threat level is different. There are a number of open source E2EE encrypted messaging apps though, and lots of resources comparing their pros and cons. I can try to find you a link a bit later when I have more time if you’d like.

          • pineapple@lemmy.ml
            2 hours ago

            Simplex is probably the safest.

            But I would say Signal is very safe while being more convenient.

  • TheLeadenSea@sh.itjust.works
    5 hours ago

    On iPhone say “Hey Siri, whose phone is this?” to disable biometric unlock temporarily.

    On Android press the power and volume up buttons to open the power off screen, then press “lock down”.

    • birdwing@lemmy.blahaj.zone
      4 hours ago

      On the iPhone you can also press both the upper left and right button. This makes it so that you can only log in with a password, even if you have Face ID/Touch ID.

      You can also establish that if there are too many false attempts to log in, the phone will delete all data. I could imagine that if you kept most phone data on the phone itself, rather than in the cloud, this can be useful. E.g. insert the password wrongly multiple times.

      And if you’re feeling really concerned, you can make a Faraday cage (preventing it from sending data altogether). Wrap a plastic bag around, then aluminium foil tightly without gaps, then plastic… repeat three times.

      Alternatively, put it in a microwave. Or a stainless trash can with a tight lid, lining the inside with (optional: cardboard first, then…) plastic wrap, maybe more foil. Phone also foiled.

  • HumanPerson@sh.itjust.works
    5 hours ago

    I prefer GrapheneOS’s numeric PIN+fingerprint or alphanumeric password. Plus I get to brag that I have MFA on my phone login (even if you can use only the password).

  • TrackinDaKraken@lemmy.world
    5 hours ago

    I only use a 10-digit PIN I’m guaranteed to never forget. I type it in every time. But I don’t spend much time on my phone; sometimes I even forget it when I leave the house.

  • DarkSideOfTheMoon@lemmy.world
    4 hours ago

    iOS biometrics is on the phone on an encrypted chip, and Face ID does not work if your eyes are closed… also if you press power 5 times it disables the Face ID unlock.