Dead man’s touch can unlock iPhones
When seeking clues to a killer’s plans, time is of the essence
Texas shooter’s locked phone raises questions about corpses, biometrics
SAN FRANCISCO – Your shiny new smartphone may unlock with only your thumbprint, eye or face. But it turns out you don’t need to be alive to get past this unique security barrier, opening new frontiers for individual privacy and law enforcement.
The FBI is struggling to gain access to the iPhone of Texas church gunman Devin Kelley, who killed 25 people, including a pregnant woman whose unborn baby also died. The devastating tragedy has unearthed a gruesome idiosyncrasy of modern biometric technology: A living person isn’t necessary to unlock many devices.
It turns out the agency likely could have unlocked Kelley’s phone with his thumbprint, if he had enabled Touch ID to unlock it and officials had done so within 48 hours of Kelley’s death by his own hand. That time limit passed, and the phone remains locked, but it raises a question few buyers of the latest iPhone or Samsung typically consider — does someone need to be alive for today’s increasingly common biometric recognition systems to work?
In many situations they don’t, said Anil Jain, a professor of computer science at Michigan State University and expert on biometric technology.
Biometrics has to do with body measurements. In computer circles it’s about using specific individual body measurements as a way to confirm identity. These include fingerprints and facial recognition software. Beyond computers, some very sophisticated secure entryway systems make use of iris recognition, hand geometry and voice recognition.
In the case of Kelley’s iPhone, the limiting factor was the 48-hour clock on how long a fingerprint can be used to unlock the phone. This presumes Kelley had Touch ID enabled on his phone, which the FBI has not confirmed. However, about
80% of iPhone users do, according to Apple. Touch
ID has existed on all iPhones since the 5S was released in 2013 until the iPhone X, which replaces Touch ID with facial recognition.
Forty-eight hours after the last time an iPhone is unlocked with a fingerprint, the fingerprint function stops working and the user is required to tap in their passcode. If the FBI had tried in that 48hour period, would it have worked?
Decomposition and fingerprints
Probably, Jain said, depending on how decomposed Kelley’s body was. A rotting body changes shape, including the digits, which distorts fingerprints. How fast it rots depends on where it was found or stored. “Body parts under water and in very hot climate will decompose much faster,” Jain said.
A study done in 2016 at Oak Ridge National Laboratory found that both iris and fingerprint biometric data could be obtained from bodies up to four days after death in warmer seasons and for as many as 50 days in winter.
Optical or capacitive?
The other hurdle is what kind of fingerprint reader is being used: optical or capacitive. Optical systems, such as those used on iPhones, use images to build up specific digital maps of the ridges and whorls of the finger. There have been multiple reports of people using simple dental mold models of fingers to reproduce exact finger patterns and open smartphones. So it might have been possible for the FBI to simply make a cast of Kelley’s finger to attempt to open his phone.
More sophisticated systems use capacitive scanners that use the electrical properties of the human skin as part of the measurement. These are harder to spoof and generally require a living digit, as after death the conductive property of the skin is quickly lost. But it can be accomplished by making a conductive copy of the deceased’s finger, Jain said.
In his lab, researchers accomplished this by first making an impression of a
A 2016 study found that both iris and fingerprint biometric data could be obtained from bodies up to four days after death in warmer seasons and for as many as 50 days in winter.
finger using the same material dentists used to make molds of teeth. In their case, it’s the finger of a living student. Next, they put conductive silicone or gelatin inside the mold to make a cast. Once the fake finger is extracted from the mold, it can be used to spoof a conductive fingerprint scanner.
Eyes are the windows of the soul
The Samsung Galaxy 8 incorporates iris scanning as one identification option for users. This, too, can be thwarted, though it’s more difficult.
The same decomposition issues that face those trying to copy a finger are true for the iris, so time is of the essence. It’s also not possible to make a cast of the iris as it’s encased within the eyeball. But a good picture of the iris, which presumably could be taken soon after death, could be used to spoof.
A security researcher in Berlin reported being able to engage the Galaxy 8’s iris-recognition ID system simply by making a lifesize print of an image of an eye and then gluing a contact lens to the picture to give it depth. Others have been able to spoof iris-recognition systems with photos alone. So as long as a photo of the iris in question was taken before it began to decompose, it might be possible to get into some systems.
Show me your face
The new iPhone X replaces fingerprint recognition with Face ID. Modern facial recognition systems are harder to spoof in part because they build 3-D rather than flat digital models of the face. This is why when iPhone X users start facial recognition, they have to move their head around so the system can get multiple images from which to build its digital model of their face. A dead body makes this difficult.
“It would be hard to turn the head around because rigor mortis can occur as soon as four hours post mortem,” Jain said. One way to get around that might be to move the camera around the stationary head, he suggested.
Using a cast of the entire head to scam Face ID is something Apple has already thought of. On its Face ID Security page, the company explains that the Face ID system is specifically trained to spot and resist spoofing attempts to unlock phones with photos or masks.
Apple also allows users to engage an additional level of security that requires the user to look at the phone to unlock it to make it impossible to unlock a phone simply by pointing at the face of its sleeping user.