The dead can unlock iPhones
When seeking clues to a killer’s plans, time is of the essence
SAN FRANCISCO – Your shiny new smartphone may unlock with only your thumbprint, eye or face. But it turns out you don’t need to be alive to get past this unique security barrier, opening new frontiers for individual privacy and law enforcement.
The FBI is struggling to gain access to the iPhone of Texas church gunman Devin Kelley, who killed 25 people, including a pregnant woman whose unborn baby also died. The tragedy has unearthed a gruesome idiosyncrasy of modern biometric technology: A living person isn’t necessary to unlock many devices.
It turns out the agency likely could have unlocked Kelley’s phone with his thumbprint, if he had enabled Touch ID to unlock it and officials had done so within 48 hours of Kelley’s death by his own hand. That time limit passed, and the phone remains locked, but it raises a question — does someone need to be alive for today’s increasingly common biometric recognition systems to work?
In many situations they don’t, said Anil Jain, a professor of computer science at Michigan State University and expert on biometric technology.
Biometrics has to do with body measurements. In computer circles it’s about using specific individual body measurements as a way to confirm identity. These include fingerprints and facial recognition software. Beyond computers, some sophisticated secure entryway systems make use of iris recognition, hand geometry and voice recognition.
In the case of Kelley’s iPhone, the limiting factor was the 48- hour clock on how long a fingerprint can be used to unlock the phone. This presumes Kelley had Touch ID enabled on his phone, which the FBI has not confirmed. However, about 80% of iPhone users do, according to Apple. Touch ID has been on iPhones since the 5S was released in 2013 until the iPhone X, which replaces the Touch ID fingerprint with facial recognition.
If the FBI had tried in that 48- hour period, would it have worked?
Probably, Jain said, depending on how decomposed Kelley’s body was. A rotting body changes shape which distorts fingerprints.
A 2016 study at Oak Ridge National Laboratory found that both iris and fingerprint biometric data could be obtained from bodies up to four days after death in warmer seasons and for as many as 50 days in winter.
The other hurdle is what kind of fingerprint reader is being used: optical or capacitive. Optical systems, such as those used on iPhones, use images to build up highly specific digital maps of the ridges and whorls of the finger. There have been multiple reports of people using simple dental mold models of fingers to reproduce exact finger pattern and open smartphones. So it might have been possible for the FBI to simply make a cast of Kelley’s finger to attempt to open his phone.
More sophisticated systems use scanners that use the electrical properties of the human skin as part of the measurement. These are harder to spoof, as after death the conductive property of the skin is quickly lost.
Anil Jain, a professor of computer science at Michigan State University, created a conductive model of a finger, used to spoof a fingerprint ID system.