Cracking crime just got a lot more innovative.
Police and biometrics researchers at Michigan State University have successfully unlocked the smartphone of a murder victim by using a digitally enhanced print-out of his fingerprint.
Officers from the digital forensics and cyber-crime unit at MSU’s police department approached the college’s biometrics research lab last month, having become aware of the team’s research on how printed fingerprints can spoof mobile-phone sensors.
Police had the fingerprints of the murder victim from a previous arrest, which they gave to the lab to 3-D print in a bid to unlock the device—a Samsung Galaxy S6.
Unsure which finger was paired to the phone, the lab printed 2-D and 3-D replicas of all 10 of the slain man’s fingerprints. None of them unlocked the device, so the team then digitally enhanced the quality of the prints by filling in the broken ridges and valleys. Rather than opting for a more expensive 3-D model, they printed new 2-D versions using a special conductive ink that would create the electrical circuit needed to spoof the phone sensor.
Because the device did not require a passcode after a certain number of failed attempts, the team was able to try repeatedly, and it eventually unlocked the phone with one of the digitally enhanced 2-D prints.
An MSU spokesperson told Quartz there were plans to print 3-D models to test on other devices—there was no need to do so for the victim’s phone, as the 2-D print was successful.
Professor Anil Jain, who led the research team at MSU, says the unlocking demonstrates “a weakness” in smartphones’ fingerprint authentication systems, and that he hoped it would “motivate phone developers to create advanced security measures for fingerprint liveness detection.” He added:
“This shows that we need to understand what types of attacks are possible on fingerprint sensors, and biometrics in general, and how to fix them. If we don’t, the public will have less confidence in using biometrics. After all, biometric authentication was introduced in consumer devices to improve security.”
According to MSU, this is the first time law enforcement has used such technology as part of an ongoing investigation. A spokesperson said the lead detective “even contacted the company that was asked to help with [unlocking] the San Bernardino shooter’s phone and he kept getting the same answer: can’t do it, the tech doesn’t exist. Well, the tech exists now!”
In a statement, Samsung said:
“We are aware of the research from Michigan State University, but would like to remind users that it takes special equipment, supplies and conditions to simulate a person’s fingerprint, including actual possession of the fingerprint owner’s phone, to unlock the device. If there is a potential vulnerability or a new method that challenges our efforts to ensure security at any time, we will respond to issues as quickly as possible to investigate and resolve the issue.”