Experts split on whether police can use dead bodies to unlock an iPhone
Security and biometrics experts are said to be divided on the question of whether police -- or the FBI -- could have used the body of Sutherland Springs shooter Devin Kelley to unlock his rumored iPhone.
Nominally, the "liveness detection" features of Apple's Touch ID would have prevented that, Mashable noted on Wednesday. The company's fingerprint sensors use RF waves to test the skin underneath the outer layer, and are also capacitive, relying on an electrical charge living people generate.
"If the fingerprint technology is equipped with what is called liveness detection, or in professional terms 'Presentation Attack Detection,' it will with a high security reject false fingerprints," said Daniel Edlund of Precise Biometrics, a company making fingerprint authentication software. "It doesn't matter if it is a copy of a fingerprint, such as a rubber, silicon or plastic replication, or a dead finger."
A senior staff attorney for the Electronic Frontier Foundation's digital civil liberties group, Nate Cardozo, said that he understood Touch ID will work with a dead body, but that Face ID on the iPhone X won't because of attention detection.
"Touch ID, definitely," added Phobos Group researcher Dan Tentler. "Face ID? Hard to say, you could probably get it done if you had the body, and were able to open the person's eyes. But then again, there was that one guy who shaved his beard and Face ID quit working, so it's hard to say."
UnifyID CEO John Whaley suggested that both Touch ID and Face ID could be bypassed with enough effort.
"It is certainly possible to authenticate with biometrics even without user consent, or the person even being alive," he remarked. "This is especially true if the factor they use is static, like a fingerprint or a face. One attempt to combat this is to use a liveness check, but even those are often easily spoofable."
A week ago, a report claimed that investigators failed to talk to Apple during a crucial 48-hour window before Touch ID demands a passcode to reinitialize. Instead, Apple ended up reaching out after a press conference, by which time it was already too late. It's not yet known if the FBI has secured a warrant for Kelley's possible iCloud account.
Comments
These articles always present biometric security as the one and only way to get into a phone once it is set.
Stupid FaceID has caused so many problems since release. /s
Apple hasn't advertised retinal blood flow as being required.
Our discussion here is all academic/entertainment, though, isn't it? Isn't it?
Don't think blood flow in the eye is needed for FaceID, since it's hard to measure from a distance. Body temperature might, which could be hard to fake, depending on how long they've been dead, and whether you have access to a big enough oven. Blood flow, at least in a general sense, under the skin is easier to do, just by mapping the fluctuation in temperature and subtle movement of vessels near the surface, but I don't know if FaceID does that. TouchID is supposed to require blood flow in the finger, but I don't know how well that's been tested.
As has been said before, if you're worried that someone might unlock your phone when you're not paying attention, or use your corpse, use a passcode. At least then they have to do some actual work to get at it. And if they didn't shoot you already, they have a reason to keep you alive, at least for now.
Cpsro is right regarding the eyes. Whether FaceID has any mechanism to sense life is up for debate. I haven't seen any specs indicating such capabilities, but I can't rule it out. I've seen descriptions of iris scanners that detect the pulsations caused by blood flow, but I doubt FaceID has the resolution to do so. As far as warmth, Touch ID works when my fingers are ice-cold (assuming they're not shriveled up, too), and FaceID needs to work whether you're in Arizona in the summer or in Minnesota in the winter, so I doubt that's a factor either.
Where Face ID fails is intent. Does the user have the intent to unlock by their desire to do so? I.e., free will.
So whatever security you have set up is pretty much bypassed as soon as they pull a gun.