Fingerprint sensors, it turns out, are only as impregnable as the fingers which secure them. In what appears to be the first case of law enforcement bypassing biometric security in an active investigation, police in Michigan recently used a 3D print of a murder victim’s finger to unlock an iPhone.
Fusion reports that police recruited Anil Jain, a professor of computer science at Michigan State University specializing in biometric security, to produce the mold. Using fingerprints of the victim taken while he was alive, Jain and a PhD student were able to produce ten plastic digits using a 3D printer.
That only solved half the problem. Fingerprint sensors rely on the conductive properties of skin to work: the ridges of your finger complete a microscopic series of circuits within the sensor, producing a unique electrical pattern. To approximate the effect on non-human hands, Jain applied metallic particles that could carry similar currents on the surface of the plastic molds.
The artificial fingers haven’t left the lab, yet, and Jain said the technology is still being “refined.” But the technique isn’t dissimilar to others that have been used in the past to fool biometric sensors. In May, security firm Vkansee demonstrated a simple fingerprint sensor workaround by taking an impression of a fingerprint in play-dough and applying it to a scanner. (It fooled both the Galaxy S6 and iPhone 6.)
And the National Science Foundation’s Center for Identification Technology Research (CITER) developed a method that goes further: specialized software that can produce a 3D-printed mold of a person’s fingerprint from nothing more than a high-resolution image.
Proponents of biometrics argue that fingerprints, speech patterns, our irises, and other physical identifiers represent far more secure alternatives to passwords. But that may not actually be the case. Although the Fifth Amendment to the U.S. Constitution gives people the right to avoid self-incrimination, recent court rulings have come down against extending that protection to biometric information. In May, for instance, a Los Angeles judge ordered a woman convicted of identity theft to unlock an iPhone protected by fingerprint. And in 2014, a Virginia court ruled that police officers can force criminal suspects to unlock their phones with a fingerprint scanner.
Controversies over smartphone security reached a boiling point earlier this year, when, following a terrorist attack in San Bernardino, California, the FBI claimed it was unable to access information “relevant” to its investigation on the alleged shooter’s passcode-protected iPhone 5C. The agency initiated legal proceedings against Apple, arguing that its refusal to produce a tool allowing agents to bypass the phone’s protections amounted to investigative interference.
Apple maintained that such a tool would threaten the privacy and security of its users. Eventually, the FBI paid a team of anonymous hackers more than $1 million to implement an alternative backdoor.
If the shooter’s iPhone had been secured with a fingerprint, presumably, the agency wouldn’t have encountered nearly the same level of difficulty. The FBI maintains a database with over 100 million fingerprint records, and the Department of Defense retains the fingerprint records of those enlisted in the military. And separately, the U.S. Department of Homeland Security collects fingerprints from non-US citizens between the ages of 14 and 79 as they enter the country. Those databases, needless to say, represent a treasure trove of biometric keys at investigators’ disposal.
Those who lock most of their devices with a fingerprint can take comfort in knowing that some devices, like the iPhone, require the use of a passcode in tandem with a fingerprint, and that thanks to a 2013 Supreme Court ruling, police need a warrant to search the contents of a cell phone. But the fact remains that the means by which that content is protected is, at least legally and technologically speaking, frighteningly easy to sidestep.