Your shiny new smartphone may unlock with only your thumbprint, eye or face. But it turns out you don't need to be alive to get past this unique security barrier, opening new frontiers for individual privacy and law enforcement.
The FBI is struggling to gain access to the iPhone of Texas church gunman Devin Kelley, who killed 25 people in a shooting rampage.
The devastating tragedy has unearthed a gruesome idiosyncrasy of modern biometric technology: a living person isn't necessary to unlock many devices.
It turns out the agency likely could have unlocked Kelley's phone with his thumbprint, if he had enabled Touch ID to unlock it and officials had done so within 48 hours of Kelley's death by his own hand.
That time limit passed and the phone remains locked, but it raises a question few buyers of the latest iPhone or Samsung typically consider – does someone need to be alive for today's increasingly common biometric recognition systems to work?
In many situations they don't, said Anil Jain, a professor of computer science at Michigan State University and expert on biometric technology.
Biometrics has to do with body measurements. In computer circles it’s about using specific individual body measurements as a way to confirm identity.
These include fingerprints to open phones and computers and facial recognition software that can now open PCs and Macs. Beyond computers, some very sophisticated secure entryway systems make use of iris recognition, hand geometry and voice recognition.
In the case of the iPhone that belonged to Kelley, the limiting factor was the 48-hour clock on how long a fingerprint can be used to unlock the phone.
This presumes Kelley had Touch ID enabled on his phone, which the FBI has not confirmed. However about 80% of iPhone users do, according to Apple. Touch ID has existed on all iPhone since the 5S was released in 2013 until the iPhone X, which replaces the Touch ID fingerprint with facial recognition.
Forty-eight hours after the last time an iPhone is unlocked with a fingerprint, the fingerprint function stops working and the user is required to tap in their passcode. If the FBI had tried in that 48-hour period, would it have worked?
Decomposition and fingerprints
Probably, said Jain, depending on how decomposed Kelley's body was. A rotting body changes shape, including the digits, which distorts the fingerprints.
How fast the body rots depends on where it was found or stored. “Body parts under water and in very hot climate will decompose much faster,” Jain said.
A study done in 2016 at Oak Ridge National Laboratory found that both iris and fingerprint biometric data could be obtained from bodies up to four days after death in warmer seasons and for as many as 50 days in winter.
The other hurdle is having something that the fingerprint scanner can read. Some older systems used optical scanners, which were relatively easy to spoof.
Most systems today use capacitive systems which use the electrical properties of the human skin to build up a highly specific digital map of the ridges and valleys of the finger. Despite that, there have been reports of people making simple dental mold models of fingers to reproduce exact print pattern and using them to open smart phones. So it might have been possible for the FBI to simply make a cast of Kelley's finger to attempt to open his phone.
More sophisticated systems are harder to spoof and generally require a living digit, as after death the conductive property of the skin is quickly lost.
But it can be accomplished by making a conductive copy of the deceased's finger, said Jain.
In his lab, researchers have accomplished this by first making an impression of a finger using the same material dentists used to make molds of teeth. In their case, it's the finger of a living student. Next they put conductive silicone or gelatin inside the mold to make a cast.
Once the fake finger is extracted from the mold, it can be used to spoof a conductive fingerprint scanner. Jain said the lab has unlocked multiple devices using this technology.
The eyes are the windows of the soul
The Samsung Galaxy 8 smart phone incorporates iris scanning as one identification option for users. This, too, can be thwarted, though it's more difficult.
The same decomposition issues that face those trying to copy a finger are also true for the iris, so time is of the essence. It’s also not possible to make a cast of the iris as it’s encased within the eyeball.
However a good picture of the iris, which presumably could be taken soon after death, could be used to spoof a system.
A security researcher in Berlin reported being able to engage the Galaxy 8's iris-recognition ID system simply by making a life-size print of an image of an eye and then gluing a contact lens to the picture to give it depth.
Others have been able to spoof iris-recognition systems with photos alone. So as long as a photo of the iris in question was taken before it began to decompose, it might be possible to get into some systems.
Show me your face
The new iPhone X replaces fingerprint recognition with Face ID. Modern facial recognition systems are harder to spoof in part because they build 3D rather than flat digital models of the face. This is why when iPhone X users start facial recognition, they have to move their head around so the system can get multiple images from which to build its digital model of their face.
A dead body makes this difficult. “It would be hard to turn the head around because of rigor mortis, which can occur as soon as four hours post mortem,” said Jain.
One way to get around that might be to move the camera around the stationary head, he suggested.
Using a cast of the entire head to scam Face ID is something Apple's already thought of. On its Face ID Security page, the company explains that the Face ID system is specifically trained to spot and resist spoofing attempts to unlock phones with photos or masks.
Apple also allows users to engage an additional level of security that requires the user to look at the phone to unlock it, to make it impossible to unlock a phone simply by pointing at the face of its sleeping user.