Police can't force you to unlock your phone with face, finger or any biometrics

A judge in California ruled that law enforcement officials can’t force people to unlock their smartphones with a finger or thumbprint, facial recognition, or even an iris.

Hey, hey, there’s actually some good news for privacy! A judge in California ruled that feds can’t force people to unlock their smartphones with a finger or thumbprint, facial recognition, or even an iris. Although the government had shown probable cause to search a property in Oakland, California, U.S. Magistrate Judge Kandis Westmore said the government’s expectation to seize all devices and force people at the house to unlock them with their biometrics “runs afoul of the Fourth and Fifth Amendments.”

“The challenge facing the courts is that technology is outpacing the law,” Judge Westmore wrote. The government’s request to force the unlocking of all biometrically-locked devices at the property was “overbroad.” She added, “The Government cannot be permitted to search and seize a mobile phone or other device that is on a non-suspect's person simply because they are present during an otherwise lawful search.”

Westmore ruled:

“If a person cannot be compelled to provide a passcode because it is a testimonial communication, a person cannot be compelled to provide one’s finger, thumb, iris, face, or other biometric feature to unlock that same device.”

“The undersigned finds that a biometric feature is analogous to the 20 nonverbal, physiological responses elicited during a polygraph test, which are used to determine guilt or innocence, and are considered testimonial.”

Other cybersecurity news

Hackers can exploit flaws to remotely take control of industrial machinery

Trend Micro discovered that flaws and vulnerabilities in radio frequency (RF) remote controllers “can be (easily) taken advantage of to move full-sized machines such as cranes used in construction sites and factories.” The company confirmed that attackers can remotely manipulate connected industrial equipment deployed at construction sites, factories, and transportation businesses.

Last year for DerbyCon

It’s sad to see this happening, but DerbyCon is throwing in the towel; its final security conference will be held in September 2019. Press F to pay respects.

Tesla Model 3 open for hacking at Pwn2Own

Pwn2Own will have a Tesla Model 3 on hand this year as part of an automotive category. Successfully hacking it could pay out between $35,000 and $250,000. In addition, ZDI said, “Along with the prize money, the first-round winner in this category will win a Tesla Model 3 mid-range rear-wheel drive vehicle.”

PoC for zero-day disclosed after Microsoft fails to patch

After Microsoft failed to issue a patch as it promised to do in October, ZDI and researcher John Page released advisory details and proof-of-concept code for a zero-day flaw in Windows processing of vCard files. As noted by ZDNet’s Catalin Cimpanu, “The good news is that this vulnerability can lead to remote code execution, but is not remotely exploitable, as it requires user interaction first.”

Flaws made web-hosting platforms Bluehost, Dreamhost, HostGator, OVH, and iPage easy to hack

Host any websites on Bluehost, Dreamhost, HostGator, OVH, or iPage? If so, security researcher Paulos Yibelo has bad news for you, as he discovered “all can be easily hacked.” There was “at least one client-side vulnerability in all the platforms we tested, allowing account takeover when the victim clicks a link or visits a malicious website.”

TechCrunch reported, “In all, the bugs could have been used to target any number of the collective two million domains under Endurance-owned Bluehost, Hostgator and iPage, DreamHost’s one million domains and OVH’s four million domains — totaling some seven million domains.” All web host providers except OVH confirmed to TechCrunch that the bugs were fixed.

Other roundup tidbits

 Starting on April 11, new amendments to a Massachusetts law go into effect to better protect consumers from security breaches.

 CyberArk Labs explained how it hacked Play-with-Docker and remotely ran code on the host.

 Researcher Avinash Jain has a good writeup about an exposed NASA server leaking employee and project data.

 The Intercept warned Amazon Ring security camera owners that strangers might also be watching. Ring denied ever giving engineers or employees access to any live feeds.

Copyright © 2019 IDG Communications, Inc.