Erase Data Passcode

Originator:ben
Number:rdar://30553231 Date Originated:16-Feb-2017
Status:Open Resolved:
Product:iOS Product Version:
Classification:Security Reproducible:
 
Summary:
With recent developments in the United States surrounding the seizing of Sidd Bikkannavar’s phone and the pressure to give up his PIN, it has become clear that the advanced iOS protections of TouchID and longer passcodes are not sufficient if you can be pressured into divulging your passcode: https://xkcd.com/538/

I propose that an optional feature within the Touch ID & Passcode settings in iOS be introduced named “Erase Data Passcode”. This would be a user created passcode that, when entered, would securely wipe the device in the same fashion as the existing “Erase Data” option that wipes the device on 10 failed passcode attempts. It may also be prudent to be able to add an “Erase Data Fingerprint” which would perform the same operation (i.e. I might always use my right thumb to unlock my iPhone but if I use my left thumb it could trigger the erase feature).

Such an option would allow for device security as you can divulge the Erase Data Passcode safe in the knowledge the phone will be securely erased. It would be expected that the device would disable power-off options during the secure wipe so that the only way to stop it would be to remove the battery (which in most circumstances would take considerable time at which point the data would be erased).

Steps to Reproduce:
1. Travel to the US
2. Get detained by Customs and Border Patrol agents
3. Explain your phone has sensitive material belong to NASA and you are within your rights
4. Experience “pressure” from Customs and Border Patrol agents
5. Divulge passcode and have phone, containing your personal data, cloned by Customs and Border Patrol agents to do with what they please

Expected Results:
1. Travel to the US
2. Get detained by Customs and Border Patrol agents
3. Explain your phone has sensitive material belong to NASA and you are within your rights
4. Experience “pressure” from Customs and Border Patrol agents
5. Divulge erase data passcode at which point the phone wipes itself. Your personal data is secured.

Notes:
Apple goes to extraordinary lengths to protect user data and fight for the privacy of its customers. As it stands, the weakest point in the chain is the user and the fact that they can be pressured into giving up a passcode or fingerprint to give access to an entire life’s worth of data. Whilst I’ve used the real world example of Customs and Border Patrol agents going outside of their remit to gain access to a device, this could easily happen in other situations such as theft where there are already some protections such as Erase iPhone via Find my iPhone on iCloud.com (although if you have 2FA this is difficult to access quickly if your primary device has been stolen).

Related Links:
- http://www.theverge.com/2017/2/12/14583124/nasa-sidd-bikkannavar-detained-cbp-phone-search-trump-travel-ban
- https://sixcolors.com/link/2017/02/the-consequences-of-refusing-to-unlock-your-phone-at-the-us-border/
- https://medium.freecodecamp.com/ill-never-bring-my-phone-on-an-international-flight-again-neither-should-you-e9289cde0e5f#.q3vugqvt1
- https://bendodson.com/weblog/2017/02/16/erase-data-passcode-proposal

Comments


Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!