Police seek to unlock murder victim's phone using 3D replica of fingertips2016/07/28
Lab printed prosthetic digit to help police try and unlock a murder victim’s smartphone, protected by a fingerprint scanner instead of a password.
Computer science professor Anil Jain spends most of his time researching and improving biometric systems, like fingerprint scanners and facial recognition software. Last month, however, law enforcement agents approached the Michigan State University academic with an unusual request: to create a 3D-printed replica of a dead man’s finger.
Police needed the prosthetic digit to try and unlock a murder victim’s smartphone, protected by a fingerprint scanner instead of a password.
“The authorities think that unlocking the phone could give them the identity of the murderer,” Jain said. “We are doing our social duty to assist in a criminal investigation.”
Law enforcement agents had seen a YouTube demonstration of a technique developed by Jain’s lab which could transform fingerprint scans into fake fingertips that could fool the sensors on smartphones.
The police supplied the team with a scan of the victim’s fingerprints taken while he was alive following a previous arrest. Jain then worked with his PhD student Sunpreet Arora to reverse engineer the fingers, as first reported by Fusion.
“We are not in the attack business. The 3D printing technique we developed is meant for calibrating fingerprint sensors, not nefariously unlocking someone’s phone without their knowledge,” Jain was eager to emphasize.
First, the two-dimensional fingerprint scans are converted into three dimensional fingerprints and these are then sent to a high resolution 3D printer, to make a physical replica in a soft plastic that retains the subtle ridges of the fingerprint while also distorting under pressure like skin.
Once printed, a micron-thick coating of metal – gold, copper or silver – is applied to the surface. This recreates the electrical conductivity found in human skin that is required to make modern capacitive fingerprint readers work. Plastic fingers aren’t conductive enough on their own.
Jain wouldn’t reveal the model of the smartphone they are dealing with, but most major manufacturers now use fingerprint authentication in their flagship devices, including Apple, Samsung, HTC and Microsoft.
How easy they are to penetrate depends on the model and manufacturer, he said. “Some have a stronger ability to detect spoofs.”
The team tested the accuracy of the technique by building models of their own fingers to unlock a similar make of phone. Prints of all 10 fingers of the murder victim will be passed on to police so they can apply them to the phone.
The approach is appealing to police as it allows them to potentially unlock devices without the help of the smartphone manufacturers. Had the San Bernardino gunman, Syed Farook, used an iPhone that had the Touch ID fingerprint scanner (he had an iPhone 5, which lacks this feature), the FBI could have tried this technique instead of engaging in such a high-profile battle with Apple. When Apple refused to grant access to the iPhone, the FBI went on to spend $1.3m hacking into it.
Although the idea of police creating prosthetic fingers seems creepy, there’s little in the way of regulation to protect citizens from doing this.
“Here we have a long history of taking fingerprints off glasses, taking pictures of people and doing facial recognition, taking hair samples. If we’re not extracting something from the individual themselves, it’s going to be tough to argue it’s improper,” said Albert Gidari, director of privacy at Stanford Law School’s Center for Internet & Society.
That said, law enforcement would still need to follow procedure and seek a warrant to search the device.
For Gidari, this case raises questions about the widespread collection of biometric data.
“These collections and databases need to be the subject of better oversight,” he said. “The government collects a huge amount of biometric data and we don’t have any rules around it. That’s the scarier part. For every one example like this there are 10 things you and I haven’t thought about that they could use [our biometric data] for.”
“There are serious privacy concerns but are there constitutional ones? Under existing law, like it or not, probably not.”