Crane horror Reg reader uses his severed finger to unlock Samsung Galaxy phone

On the other hand he was fine


Graphic images: Everyone knows the trope. The baddies smash their way in and gun down the guard standing in front of the vault. "Dammit," says the lead bad guy, "it's a biometric scanner, we'll never get in!" His most grizzled henchman turns round, holding up the dead guard's lifeless arm. "Oh yes we will…"

A Reg reader recreated this scene in real life (bits of it) using his Samsung Galaxy A20 phone – and the severed tip of his index finger, parted from his hand thanks to an industrial accident involving a crane.

Kieran Higgins, a semi-retired auditor living in Spain, showed El Reg that his phone's fingerprint sensor read his two-weeks-dead fingertip's print and happily unlocked the device.

"I devised a cunning plan to register the fingerprint on my brand new shiny whatsit," said Higgins, who assured us that no alcohol was consumed during the bizarre scheme thanks to the cocktail of post-amputation painkillers he was taking. "I extracted [the fingertip] from its grave of medicinal alcohol, dried it off and... eureka! ... managed to register my dead finger on my phone."

Kieran captured just before his phone unlocked. We watched this in realtime so you don't have to


We expressed disbelief. So Higgins got on a video call with your correspondent, two weeks to the day after the crane accident, and the horrible shrivelled pale thing, with a hole down the centre where the bone used to run ("it was crushed," explained Higgins), unlocked the phone.

We didn't believe him. So he did it again and unlocked the phone again. And again. Then he showed us a closeup of the digit.

The offending digit, with proprietor Kieran Higgins


It might be incautious of us to state categorically that this is genuine but short of flying out to Higgins' rural Spanish abode we can't do more than watch him perform the awful act over Skype. We think it's credible.

Naturally, though, this extraordinary thing raises questions. First and foremost: why would you keep your severed fingertip? Why not bury it decently or simply toss it in the bin?

"So keeping evidence and stuff is always a good idea," said Higgins, who told us he spent most of his career dealing with insurance companies and PCI-DSS compliance. "You never know when it's gonna turn nasty. So I kept it in case anybody asked me first... because insurance companies never like to pay out."

How did he keep it? Surely the hospital tried to reattach it and then would have disposed of it for him? As Higgins explained, the accident happened in rural Spain, where he lives. The nearest medical facility was a pharmacy, to which he (perhaps unwisely) drove himself, in pain from the "bleeding stump".

Unprepared for medical emergencies, the pharmacy "wrapped it in paper" and told him to go to hospital; after a 20km drive our man was able to get proper treatment. Doctors treated the stump of his finger, bandaged it and dispensed painkillers and antibiotics.

"And then as I suppose sitting in the hospital waiting, I put my hand in my pocket and found a finger in my glove with the little finger piece in the tip," said Higgins, who is currently recuperating at home. "And they said it was too badly damaged because the cable had crushed it."

The reverse of the severed fingertip. Kieran said the bone was crushed, which explains the void


The fingertip currently resides in a jar of "medicinal" alcohol.

"I thought it was gone," Higgins admitted. "I thought it had been completely mashed by the hook because I wasn't too sure whether it was the hook of the crane or the cable that got it, I just wanted to deal with the injury."

We understand his wife wanted it buried ASAP.

Samsung, manufacturer of the Galaxy A20, which read a dead severed fingertip and unlocked accordingly, did not respond to a request for comment.

Liveness detection by machines

Lucas Francese, biometric devices manager at Thales, however, had no such qualms and told us: "In this instance there is no technical issue; the finger used for the identity enrolment for that specific phone is the same used for the authentication, so the system performed well."

That's alright then. Or is it? Surely biometric tech exists that can tell whether the appendage it's scanning is alive or dead?

Francese said: "The standard terminology in the market is 'Liveness Finger Detection', which stops fake fingers, such as those made by rubber or gelatine, but enables real fingers, dead or alive, to work. Currently there is no technology deployed in consumer devices that can detect if fingers are live or not; however, these do exist. Take our AI-based liveness detection solution for instance, it has been independently tested and verified, to ISO/IEC 30107-3 standard, and can detect a biometric presentation attack detection should the finger be real or fake."

We'll allow him that plug in exchange for the snippet that consumer-grade biometrics can indeed be fooled by the dead.

The Biometrics Institute agreed with Thales, showing The Register internal briefing papers for its members about "presentation attack detection" (spoofing biometrics, in other words). One of these said:

"The use of PAD within a system provides a higher level of security but comes with increased complexity. Ultimately, the need for PAD is determined by the risk of an active attack against the system and the financial and reputational impact this attack would have. PAD is important, therefore, where security rather than just convenience is a priority."

It seems that the modestly priced Samsung Galaxy A20 series is unlikely to opt for this more complex (and expensive) tech. The handsets themselves are powered by 1.6GHz Exynos 7884 octa-core processors paired with 3GB of RAM and running Android v9 (Pie), while the fingerprint scanner in question is rear-mounted.

Third-party replacement scanners to fit the SM-A205 series of Samsung handsets are available through the usual online tat bazaars for between £2 and £5. The brand names linked to these are the typical here-today-gone-tomorrow Chinese stockists so it doesn't seem likely that such components would include top-end tech.

Consumer-grade fingerprint recognition tech doesn't tend to include signs-of-life detectors. Twenty years ago people were using gummy bear sweets to defeat fingerprint readers but as far as we on The Register's dead-flesh-triggering-biometric-sensors desk can tell, nobody's ever done this before and publicly admitted to it.

Unlocking phones with dead people's hands has been tried before, most notably in 2018 when two Florida police workers somehow got into a morgue and pulled a corpse out of a refrigerator to try and use it to unlock a mobile phone.

As for Kieran's ex-digit, we understand it was due to be committed to the hereafter (or possibly the gullets of rural Spanish wildlife) last weekend.

You've read about it and seen it in films countless times – but on the balance of probabilities, it seems to be possible. You can indeed unlock a Samsung Galaxy A20 using a dead finger. Enjoy your lunchtime sausage roll – and if anyone tries talking to you about World Password Day, don’t forget to mention that even biometrics aren’t infallible. ®


Biting the hand that feeds IT © 1998–2022