Last week Apple hosted one of its grand launch events at their newly opened Steve Jobs Theatre in Cupertino. Along with the expected announcement of the new iPhone 8 and the assorted musings on Apple TV and Apple’s retail outlets (or “Town Squares” as we’re apparently supposed to call them now), came the unveiling of the new “iPhone X” and the “Apple Watch Series 3”. These two devices have some features which piqued the interest of the analysts here at CCL, as we watched the livestream huddled around the warm glow of our iMac. The Apple Watch Series 3’s embedded SIM, which gives it access to the cellular phone network, and the iPhone X’s “Face ID” unlock feature, are particularly interesting.

Apple Watch Series 3

The Apple Watch Series 3 is for all intents and purposes a 4G-enabled smart phone shrunk down to the size of a watch, meaning that you can finally live out your Dick Tracy fantasies and make phone calls by talking to your wrist. One of the decisions that Apple has made in order to avoid bloating the watch to an uncomfortable arm-breaking size is to eschew the traditional replaceable SIM card in favour of an embedded SIM.

Apple Watch Series 3
Source: Apple

Since its introduction in 1991 in the credit card sized format (ISO/IEC 7810 ID-1), the SIM card has seen its size reduce a few times. The iPhone 4 and the iPhone 5 introduced the micro-SIM and nano-SIM form factors which are common today. The next step in the evolution of the SIM card is the eSIM (embedded SIM) or eUICC, which is a small integrated circuit soldered directly on to the circuit board. In recent years, these non-removable eSIMs have showed up in some IoT devices, such as the Samsung Gear S2 smartwatch. At CCL, we have also encountered eSIMs installed in vehicle telematics modules, such as the ones used in the BMW X Series.

SIM Cards
Source: GSMA

Whereas switching carriers might have previously been as simple as replacing a physical SIM card, now a software eSIM profile has to be downloaded and installed on the device. This service isn’t yet offered by any of the main UK mobile networks, so devices (such as the Gear S2 and S3) tend to be locked to a single provider. This “Remote SIM Provisioning” does have some interesting implications which we’ll discuss in a future article.

One of the features highlighted by Apple is that the LTE version of the Watch Series 3 can use the same phone number as the owner’s iPhone to make and receive phone calls. This capability relies on the cellular network provider supporting this feature, and whereas in the United States AT&T, Sprint, T-Mobile and Verizon all offer this feature already, here in the UK, EE is the only network to offer the LTE version of the new Apple Watch at launch. That being said, the pressure that Apple can apply to service providers isn’t to be underestimated: there are clear precedents already for service providers implementing or supporting features on their networks in response, at least in part, to the requirements of Apple products.

When this feature becomes available in the UK, there will be clear implications for investigations which revolve around linking a phone number to a person at any one time. Will the billing records provided by network providers distinguish events forwarded to a secondary device? The analysis of billing records will require extra care to note that the phone number may be associated with two devices which need not be in the same location.

Even identifying the identity of the subscriber (bill payer) from the Apple Watch may prove to be a challenge. The traditional route to do so is to remove the SIM from the device and obtain identification numbers from it. This is going to be difficult when the SIM is both tiny and soldered directly to the circuit board (unless you plan to be very invasive and do not mind damaging the device!). We may need to explore developing new methods to capture subscriber information in a lab environment.


With the “iPhone X”, Apple is not only jettisoning the “home button,” which has for so long been one of the defining hardware features of the iPhone family, it has also removed “Touch ID”, the fingerprint-based locking system that has been present on most new iPhone and iPad models since 2013’s iPhone 5S. To replace it, Apple has created a new mechanism to streamline the locking and unlocking of the device called “FaceID”. Apple’s new facial recognition system utilises the iPhone X’s high-tech camera and sensor array at the top of its screen in conjunction with neural networks to detect the face and unlock the phone when the owner looks at the screen.

Source: Apple

The fingerprint-based Touch ID system did create an opportunity for investigators when it came to gaining access to iPhones. In the USA for example, fingerprints are not considered to be protected by 5th amendment rights. Unlike a passcode which is regarded as testimony, a fingerprint in this context is considered as physical evidence, more akin to a conventional key. Fingerprints are also less likely to be conveniently forgotten by the device’s owner. Besides it has also been shown in practice that the system can be fooled with copies of fingerprints lifted from other evidence.

Apple has apparently put a lot of effort into securing the Face ID system, including working with masks and models of faces to ensure that only a real human face will be able to unlock the device. Because the face is scanned in 3D and various other sensors are used, a photograph of a face should not fool the system – a weakness exhibited by facial recognition systems on some other devices. We’ll have to wait and see if Apple’s implementation is as good as they claim it is.

It is worth noting that Face ID is treated much like how Touch ID is on older devices, and is subject to similar restrictions. The biometric information is stored in a special secure coprocessor. Enabling “SOS mode” by pressing the buttons on both sides of the iPhone X will disable Face ID temporarily. Tapping the power button 5 times has the same effect on devices which have Touch ID. Touch ID is also disabled if that feature has not been used for 48 hours, so it’ll be interesting to see if Face ID works the same way.

Nevertheless, gaining access to a phone just by the owner looking at it seems like another step along the same road that Touch ID started out on. It remains to be seen quite what the law says about legally compelling someone to look at a phone. Furthermore, the owner does have to actually open their eyes and look at the device for the feature to work. Could someone stubborn enough keep their eyes shut for long enough that device falls back to requiring a passcode to unlock? Also (with apologies in advance for the morbid thought) one factor that Apple was unlikely to have tested directly, but that could be an issue during some investigations, is whether the system requires a living person to unlock! Another interesting angle to consider is the possibility to use this feature to positively identify the owner of the device at the point of seizure.

As with every major technology release, we will be ordering the new hardware as soon as they become available and testing the new features thoroughly. Make sure to keep an eye on our website for more updates.

New product announcements portend both challenges and opportunities for investigators. If we can help you to obtain or explain digital evidence, please get in touch.

Arun Prasannan

Principal Analyst (Research & Development)