Graphic images
Everyone knows the trope. The baddies smash their way in and gun down the guard standing in front of the vault. "Dammit," says the lead bad guy, "it's a biometric scanner, we'll never get in!" His most grizzled henchman turns round, holding up the dead guard's lifeless arm. "Oh yes we will…"
A Reg reader recreated this scene in real life (bits of it) using his Samsung Galaxy A20 phone – and the severed tip of his index finger, parted from his hand thanks to an industrial accident involving a crane.
Kieran Higgins, a semi-retired auditor living in Spain, showed El Reg that his phone's fingerprint sensor read his two-weeks-dead fingertip's print and happily unlocked the device.
"I devised a cunning plan to register the fingerprint on my brand new shiny whatsit," said Higgins, who assured us that no alcohol was consumed during the bizarre scheme thanks to the cocktail of post-amputation painkillers he was taking. "I extracted [the fingertip] from its grave of medicinal alcohol, dried it off and... eureka! ... managed to register my dead finger on my phone."
We expressed disbelief. So Higgins got on a video call with your correspondent, two weeks to the day after the crane accident, and the horrible shrivelled pale thing, with a hole down the centre where the bone used to run ("it was crushed," explained Higgins), unlocked the phone.
We didn't believe him. So he did it again and unlocked the phone again. And again. Then he showed us a closeup of the digit.
It might be incautious of us to state categorically that this is genuine but short of flying out to Higgins' rural Spanish abode we can't do more than watch him perform the awful act over Skype. We think it's credible.
Naturally, though, this extraordinary thing raises questions. First and foremost: why would you keep your severed fingertip? Why not bury it decently or simply toss it in the bin?
"So keeping evidence and stuff is always a good idea," said Higgins, who told us he spent most of his career dealing with insurance companies and PCI-DSS compliance. "You never know when it's gonna turn nasty. So I kept it in case anybody asked me first... because insurance companies never like to pay out."
How did he keep it? Surely the hospital tried to reattach it and then would have disposed of it for him? As Higgins explained, the accident happened in rural Spain, where he lives. The nearest medical facility was a pharmacy, to which he (perhaps unwisely) drove himself, in pain from the "bleeding stump".
Unprepared for medical emergencies, the pharmacy "wrapped it in paper" and told him to go to hospital; after a 20km drive our man was able to get proper treatment. Doctors treated the stump of his finger, bandaged it and dispensed painkillers and antibiotics.
"And then as I suppose sitting in the hospital waiting, I put my hand in my pocket and found a finger in my glove with the little finger piece in the tip," said Higgins, who is currently recuperating at home. "And they said it was too badly damaged because the cable had crushed it."
The fingertip currently resides in a jar of "medicinal" alcohol.
"I thought it was gone," Higgins admitted. "I thought it had been completely mashed by the hook because I wasn't too sure whether it was the hook of the crane or the cable that got it, I just wanted to deal with the injury."
We understand his wife wanted it buried ASAP.
Samsung, manufacturer of the Galaxy A20, which read a dead severed fingertip and unlocked accordingly, did not respond to a request for comment.
Liveness detection by machines
Lucas Francese, biometric devices manager at Thales, however, had no such qualms and told us: "In this instance there is no technical issue; the finger used for the identity enrolment for that specific phone is the same used for the authentication, so the system performed well."
That's alright then. Or is it? Surely biometric tech exists that can tell whether the appendage it's scanning is alive or dead?
Francese said: "The standard terminology in the market is 'Liveness Finger Detection', which stops fake fingers, such as those made by rubber or gelatine, but enables real fingers, dead or alive, to work. Currently there is no technology deployed in consumer devices that can detect if fingers are live or not; however, these do exist. Take our AI-based liveness detection solution for instance, it has been independently tested and verified, to ISO/IEC 30107-3 standard, and can detect a biometric presentation attack detection should the finger be real or fake."
We'll allow him that plug in exchange for the snippet that consumer-grade biometrics can indeed be fooled by the dead.
The Biometrics Institute agreed with Thales, showing The Register internal briefing papers for its members about "presentation attack detection" (spoofing biometrics, in other words). One of these said:
The use of PAD within a system provides a higher level of security but comes with increased complexity. Ultimately, the need for PAD is determined by the risk of an active attack against the system and the financial and reputational impact this attack would have. PAD is important, therefore, where security rather than just convenience is a priority.
It seems that the modestly priced Samsung Galaxy A20 series is unlikely to opt for this more complex (and expensive) tech. The handsets themselves are powered by 1.6GHz Exynos 7884 octa-core processors paired with 3GB of RAM and running Android v9 (Pie), while the fingerprint scanner in question is rear-mounted.
Third-party replacement scanners to fit the SM-A205 series of Samsung handsets are available through the usual online tat bazaars for between £2 and £5. The brand names linked to these are the typical here-today-gone-tomorrow Chinese stockists so it doesn't seem likely that such components would include top-end tech.
Consumer-grade fingerprint recognition tech doesn't tend to include signs-of-life detectors. Twenty years ago people were using gummy bear sweets to defeat fingerprint readers but as far as we on The Register's dead-flesh-triggering-biometric-sensors desk can tell, nobody's ever done this before and publicly admitted to it.
Unlocking phones with dead people's hands has been tried before, most notably in 2018 when two Florida police workers somehow got into a morgue and pulled a corpse out of a refrigerator to try and use it to unlock a mobile phone.
As for Kieran's ex-digit, we understand it was due to be committed to the hereafter (or possibly the gullets of rural Spanish wildlife) last weekend.
You've read about it and seen it in films countless times – but on the balance of probabilities, it seems to be possible. You can indeed unlock a Samsung Galaxy A20 using a dead finger. Enjoy your lunchtime sausage roll – and if anyone tries talking to you about World Password Day, don’t forget to mention that even biometrics aren’t infallible. ®