From fingerprints, to facescans, to possibly even sweat analysis, biometrics have become the default way many of us secure our data and unlock our smart devices. But with that ubiquity also comes risk, as security researchers have demonstrated time and time again that many of these supposed safeguards are susceptible to multiple-step hacks.
But what about, you know, single step hacks? Like, for example, hacking off someone's thumb? The question of whether or not a dead body or missing limb could be used to unlock a phone is not a new one, and has been asked since at least the release of Apple's Touch ID. And yet, despite the years of coverage, no one has been able to agree on an answer.
SEE ALSO:So how worried should we be about Apple's Face ID?The rather morbid debate popped back into the public consciousness this month after the tragic November 5 mass shooting at a Texas church. USA Today subsequently reported that the FBI was attempting to gain access to the shooter's iPhone, and that, if Touch ID was enabled, a specialized reproduction of his dead finger would likely have sufficed to unlock it — assuming it was used within a 48-hour window of the last time the phone was unlocked.
This claim, based on the expertise of Anil Jain, a professor of computer science at Michigan State University, adds a confusing layer to the reporting of numerous outlets — including this one — that a dead hand itself would notbe sufficient to bypass Touch ID. That's because the Apple-developed biometric uses radio frequency waves to check the skin underneath a finger's outer layer, a trick that supposedly prevents a dead one from being used. What's more, the tech also relies on a capacitive sensor which is activated by an electrical charge in living skin. No living skin, no luck.
So can smartphones make a distinction between the living and the dead, or not? The answer matters. If the fingers, eyes, or face of a deceased victim be used either by law enforcement or criminals to unlock a smartphone, then biometric locks have a brutally defined shelf-life. This, of course, would stand in contrast to a strong alphanumeric password which can't (at least yet) be pried from your ever-so-quickly decaying body, and would suggest yet another reason that the security conscious should avoid biometrics like a privacy-violating plague.
Credit: BRITTANY HERBERT/MASHABLEMashable repeatedly asked Apple, Google, and Samsung for comment on the matter, but received not a single response to our numerous inquiries. We also reached out to a host of biometric security experts, hackers, digital law experts, and forensic pathologists in an attempt to get to the bottom of what has passed from the realm of dark thought experiment to serious inquiry, but the responses (or lack thereof) only further muddied the waters.
It's almost as if, when it comes down to it, there's no agreement on whether or not a dead body could pass the biometric test.
There are, of course, many different forms of biometric security. Different devices rely on varying hardware and software solutions for purposes of authentication, and some of those have shown to be substantially less robust than others.
Daniel Edlund of Precise Biometrics, a company that makes and sells software for fingerprint authentication, told Mashable that the dead-body question comes down to a feature known as "liveness detection."
"If the fingerprint technology is equipped with what is called liveness detection, or in professional terms 'Presentation Attack Detection,' it will with a high security reject false fingerprints," he explained over email. "It doesn't matter if it is a copy of a fingerprint, such as a rubber, silicon or plastic replication, or a dead finger."
Touch ID, which relies on the aforementioned capacitive sensor and RF waves, would seem to fall in that category. It's less clear with Face ID, which Apple claims is "attention-aware." However, according to the company, that simply means the phone "recognizes if your eyes are open and looking towards the device." As the 1993 modern American classic Demolition Manmakes clear, an eye doesn't necessarily need to be attached to a living head to fulfill that requirement.
Nate Cardozo, Senior Staff Attorney on the Electronic Frontier Foundation's digital civil liberties team, had a different take based upon his technical knowledge of the systems in question.
"It's my understanding that while Touch ID does work [with a deceased individual], Face ID won't because it detects 'attention' from the user."
Face ID doing its thing.Credit: appleThis sentiment was partially echoed by Phobos Group security researcher Dan Tentler, who likewise gave a conditional response when asked about using the dead to unlock a smartphone.
"Touch ID, definitely," he observed over email. "Face ID? Hard to say, you could probably get it done if you had the body, and were able to open the person's eyes. But then again, there was that one guy who shaved his beard and Face ID quit working, so it's hard to say."
Yet another expert, UnifyID co-founder and CEO John Whaley, went even further. His company specializes in behavioral biometrics — a way to "authenticate you based on unique factors like the way you walk, type, and sit" — and his assessment of dead bodies and biometrics suggests that your digital secrets won't die with you.
"It is certainly possible to authenticate with biometrics even without user consent, or the person even being alive," he explained. "This is especially true if the factor they use is static, like a fingerprint or a face. One attempt to combat this is to use a liveness check, but even those are often easily spoofable."
In other words, in Whaley's mind, even the latest and supposed greatest in biometric security —Face ID — is likely capable of being unlocked with the face of a deceased individual.
Manufacturers around the world love to brag about the biometric locks built into their smartphones, claiming to have found that sweet spot between security and convenience. However, short of someone conducting an extremely unethical experiment, the "severed finger test" is one that companies like Apple and Google may never have to take — let alone prove they can pass.
That won't matter for most consumers, who, if presented with the possibility of having their hand lobbed off by a criminal trying to break into their phone, will likely be more concerned about their digits than their documents. However, as time passes and biometric sensors are added to more and more of the devices that surround us, a new question is presented: who has access to our identity — and our data — after we die?
Much like whether or not a corpse can be used to unlock an iPhone, that question still remains very much unanswered.
TopicsAppleCybersecurityGoogleiPhoneSamsung
(责任编辑:熱點)