- July 25, 2016
- Posted by: Kerry Tomlinson, Archer News
- Categories: Biometrics, Cyber Crime, Hacking, Mobile Devices, Posts with image
Death may not stop police from getting you to unlock your phone from the grave.
It is a first for a biometrics lab in Michigan. They are recreating a dead man’s finger—complete with fingerprint—so law enforcement can try to open his phone and find clues to who murdered him.
“It is true that what we saw in the movies and read in science fiction is now a reality,” said Professor Anil Jain, head of the biometrics research group at Michigan State University. “It is indeed possible to create a ‘spoof’ or replica of someone’s fingerprint and use it to unlock a device secured using fingerprint.”
Jain is saying little about the murder case, which is still under investigation. But Fusion reported that law enforcement gave his lab a full set of fingerprints from the victim so they could 3D print two hands’ worth of fingers.
“We don’t know which finger the suspect used,” doctoral student Sunpreet Arora told Fusion. “We think it’s going to be the thumb or index finger—that’s what most people use—but we have all ten.”
“We do it for the fun,” added Jain about the law enforcement request.
For fun & more
Police are not the only ones faking fingers to get inside phones, according to Jain.
“As the use of biometrics becomes part of our daily lives, and biometric-secured devices become commodity items, there will be more attempts to hack these devices,” Jain told Archer News.
That’s where Jain’s lab comes in—they try to find the hacks first, before thieves do.
“We have figured out how to replicate someone’s fingerprint using a ‘gummy’ finger, printing on a special conductive paper or a 3D fingerprint printed using a high-resolution 3D printer,” he said.
Mapping your fingers
In the past, you used ink and paper to capture your loops, ridges and whorls. Now bio-sensors use different methods, like light or electrical current.
Some are more difficult to trick than others. The optical sensor, using light, is easier to manipulate. The capacitative sensor, using electrical current, is harder to fool. The iPhone 6 uses this kind of sensor.
Jain’s lab workers have to fashion the fingers and prints in a way that will match the sensor used to record the original print.
“Some processes are very easy, as shown in our YouTube video and just need a printer and a special conductive paper, whereas others are more expensive, such as our method of printing 3D fingerprints,” Jain explained.
With a capacitive sensor—the one that uses electrical current—the lab coats the 3D-printed fingers with conductive materials.
Some labs use edible gold leaf to cover a fake finger when spoofing a capacitive sensor.
“Which process to use depends upon strength of the security mechanism we are trying to circumvent,” said Jain.
Murder & more
This project may do more than solve a murder.
“As a biometric researcher, my lab is bringing out some of the weaknesses in these biometric-secured devices in open literature,” Jain said. “Hopefully, this will incentivize the device manufacturers to fix these holes.”
How could manufacturers ward off 3D finger attacks, so that the bad guys don’t duplicate our digits and drain our bank accounts?
“One could modify the sensor to detect, e.g., ‘blood flow’ to detect a live vs. non-live finger that is being placed,” he suggested.
Police & prints
There could be a wrinkle in the plan to use 3D-printed fingers to open a phone. For example, the iPhone’s security guidelines say iPhones that have gone unlocked for more than 48 hours need more than a print—they also need the passcode. That could start a new legal battle over the phone and how to open it.
But Jain and his lab are still working to perfect the ten fingers of murdered victim, trying to find digital hacks before the bad guys do.
“This is like the proverbial ‘cat-and-mouse’ game,” said Jain. “This is true for our dollar bills, driver licenses and passports. The same is true with biometric devices, such as fingerprint readers embedded in mobile phones.”
“Mobile phones are special targets of interest because they are ubiquitous and a common man spends more time with their mobile phone than most other devices,” he added. “There is growing amount of personal data stored in mobiles [rather] than in notebooks and laptops.”
In other words, you might see bad guys harvesting finger patterns and arming themselves with 3D phone fingers, unless Jain and others in biometrics find ways to counter the hacks and protect your prints.
“There is always a race between security experts and hackers,” Jain said. “New security mechanisms are introduced, hackers find a way to circumvent it, security guys find a ‘fix,’ and the battle goes on.”