Cracking crime just got a lot more innovative.
Police and biometrics researchers at Michigan State University have successfully unlocked the smartphone of a murder victim by using a digitally enhanced print-out of his fingerprint.
Officers from the digital forensics and cyber-crime unit at MSU’s police department approached the college’s biometrics research lab last month, having become aware of the team’s research on how printed fingerprints can spoof mobile-phone sensors.
Police had the fingerprints of the murder victim from a previous arrest, which they gave to the lab to 3D print in a bid to unlock the device—a Samsung Galaxy S6.
Unsure which finger was paired to the phone, the lab printed 2D and 3D replicas of all 10 of the slain man’s fingerprints. None of them unlocked the device, so the team then digitally enhanced the quality of the prints by filling in the broken ridges and valleys. Rather than opting for a more expensive 3D model, they printed new 2D versions using a special conductive ink that would create the electrical circuit needed to spoof the phone sensor.
After multiple attempts, which were possible because the device did not require a passcode after a certain number of tries, the team successfully unlocked the phone with one of the digitally enhanced 2D prints.
An MSU spokesperson told Quartz there were plans to print 3D models to test on other devices—there was no need to do so for the victim’s phone, as the 2D print was successful.
Professor Anil Jain, who led the research team at MSU, says the unlocking demonstrates “a weakness” in smartphones’ fingerprint authentication systems, and that he hoped it would “motivate phone developers to create advanced security measures for fingerprint liveness detection.” He added:
This shows that we need to understand what types of attacks are possible on fingerprint sensors, and biometrics in general, and how to fix them. If we don’t, the public will have less confidence in using biometrics. After all, biometric authentication was introduced in consumer devices to improve security.
According to MSU, this is the first time law enforcement has used such technology as part of an ongoing investigation. A spokesperson said the lead detective “even contacted the company that was asked to help with [unlocking] the San Bernardino shooter’s phone and he kept getting the same answer: can’t do it, the tech doesn’t exist. Well, the tech exists now!”
In a statement, Samsung said:
We are aware of the research from Michigan State University, but would like to remind users that it takes special equipment, supplies and conditions to simulate a person’s fingerprint, including actual possession of the fingerprint owner’s phone, to unlock the device. If there is a potential vulnerability or a new method that challenges our efforts to ensure security at any time, we will respond to issues as quickly as possible to investigate and resolve the issue.