It wasn't long ago that biometric identification became common in smartphones. And it didn't take long for people to start figuring out how to overcome it. Now, a new way is being tested with the help of 3D printing technologies and a bit of genius.
Many people consider fingerprint scanners in phones to be amazing in terms of both security and ease of use. After all, fingerprints are unique and you just need to put your finger onto the classy looking scanner in order to unlock your device.
In most cases, both statements are absolutely true. While somebody could guess your unlock passcode or pattern, or simply watch you unlock your phone and memorize it, this can't be done in the case of a fingerprint scanner. So this definitely eliminates the risk of someone accessing the content of your smartphone and on top of that makes your life easier.
But what about the scenarios where a person, an organization or an agency is REALLY curious about what your device might hide?... This is usually when cutting-edge technologies and genius minds come together.
3D printed fingerprints
On July 21, 2016, American writer Rose Eveleth shared a currently developing case in which the police got in touch with Anil Jain, a professor at Michigan State University and a biometrics expert, for the 3D printing of a murdered man's 10 fingers with his exact fingerprints in order to unlock his phone for clues to who the killer might be.
Here's the backstory in brief, as told by Rose Eveleth:
"Jain and his PhD student Sunpreet Arora couldn’t share details of the case with me, since it’s an ongoing investigation, but the gist is this: a man was murdered, and the police think there might be clues to who murdered him stored in his phone. But they can’t get access to the phone without his fingerprint or passcode. So instead of asking the company that made the phone to grant them access, they’re going another route: having the Jain lab create a 3D printed replica of the victim’s fingers. With them, they hope to unlock the phone."
Of course, in order for the fingertips to be accurately recreated, the fingerprints need to already exist as data. They do, and the police have them, probably from an earlier arrest of that person. What's more, the police have all 10 fingerprints on record, so it doesn't matter which finger the victim used to unlock his phone. Anyway, chances are pretty high that it's the thumb or index finger.
With that obstacle cleared, there comes another. Modern fingerprint scanners in phones don't work with just any material laid onto them. Usually, they're capacitive and rely on the closing of tiny electrical circuits to work, which requires a conductive material, like human skin. However, normal 3D printing plastic isn't conductive, so Arora coated the 3D printed fingers in a thin layer of metallic particles so that the phone's fingerprint scanner can detect them.
Rose Eveleth said the scientists are still refining and testing the technology. But "in a few weeks", after they're sure the method works well enough, the fingers will be handed over to the police.
Is this even legal?
It's always tricky when it comes to breaking into someone's device during an investigation. Many aspects can make cases that look similar on the surface fundamentally different.
Maybe many of you will recollect the recent media buzz around the FBI trying to force Apple to unlock the iPhone of the deceased San Bernardino shooter, which was locked with a passcode.
Since both cases are in the U.S., it's easy to point out the differences. But first, let's get something straight - the Fifth Amendment.
“The Fifth Amendment protects against self-incrimination. Here, the fingerprints are of the deceased victim, not the murder suspect. Obviously, the victim is not at risk of incrimination,” commented security, law and technology researcher Bryan Choi.
And even if the phone reveals evidence of crimes committed by the victim, the man is dead, so he couldn't be prosecuted.
In addition, biometric access and passcodes aren't treated the same way in court. While the former involves tangible bodily evidence like blood, DNA, and fingerprints, which is not protected by the Fifth Amendment, the latter is memorized contents of the mind, which is protected, Choi added.
So a memorized password may be protected by the Fifth Amendment but your fingerprints aren’t. In 2014, a Virginia court ruled that a suspect (not a victim!) can be required to unlock their phone using their fingerprint. But the judge in that case noted this would not apply to asking suspects to divulge their memorized passcodes.
Still, Choi argues that phones should be considered extensions of our minds and must always be protected under the Fifth Amendment (against self-incrimination) and not just the Fourth Amendment (against illegal search and seizure).
“We offload so many of our personal thoughts, moments, tics, and habits to our cellphones. Having those contents aired in court feels like having your innermost thoughts extracted and spilled unwillingly in public,” Choi said.
But let's go back to the current case, to point out one more important aspect - the police don't need help from the phone company (whichever it may be, it's not publicly known yet).
So, to recap, there's a dead victim whose phone is locked via biometrics and could be unlocked with the help of specialists, not the manufacturer (or brand owner), which makes what the police are trying to do completely legal.
3D printing could soon become common in unlocking phones
If it works, we might hear a lot more about cases where the cops use 3D printing to unlock the phones of deceased or missing victims. There's one more thing, though: they'll need a court order. In 2013, the Supreme Court in the U.S. ruled that police need to have a warrant to search the contents of a personal mobile phone.
There's just one more thing about fingerprint scanners in modern phones. As a security precaution, some devices will require a passcode anyway if you haven’t used the fingerprint unlock in over 48 hours. So the police might be able to unlock the phone with a 3D printed finger and then stumble upon a passcode request.
What about fingerprint theft?
Who says you have to be the police to acquire someone's fingerprints? Think about it - data is stolen all the time. And since fingerprints are data, they could be compromised just like any other type of information.
Do you think that every time you are required to have your fingerprints recorded they are stored securely? The safe bet is they aren't. And here's good proof: the U.S. Office of Personnel Management hack.
Maybe you've heard that in this attack the personal records of over 20 million U.S. government employees were stolen. But did you learn later on that the hackers also stole fingerprint files for 5.6 million of them?
Some may compare it to a huge theft of passwords, for example, but it's MUCH WORSE - a password can be changed in an instant, while fingerprints and many personal details are sure to stay the same for a lifetime. Now at least 5.6 million people have to live with that thought for the rest of their lives... Scary, right?
Fingerprints no longer belong exclusively to crime scenes. Today, they are mixed with people's phones and their dearest personal information and secrets. And what about tomorrow? What other devices will use biometrics? ATMs? A hack like this could be devastating! And we promise you it won't be the last time you hear of such a crime.
Sure, companies are (hopefully) doing their best to make biometrics more secure and reliable, but this is usually a race against time. Cybersecurity researcher Bruce Schneier has expressed his opinion on this matter:
"Of course, it's not that simple. Fingerprint readers employ various technologies to prevent being fooled by fake fingers: detecting temperature, pores, a heartbeat, and so on. But this is an arms race between attackers and defenders, and there are many ways to fool fingerprint readers. When Apple introduced its iPhone fingerprint reader, hackers figured out how to fool it within days, and have continued to fool each new generation of phone readers equally quickly."
What can you do about it?
First and foremost - educate yourself constantly. Read, think, repeat. Make it your habit and you'll be better off compared to 99% of the entire population of the Earth.
And, in the context of this article, avoid sharing your biometric data with anyone unless you really have to. Because once it's gone, it's forever.
By the way, this is a very serious reason why we at Secure Group also avoid using fingertip scanners. Yes, it's so attractively easy, but we can't be ignorant.
Take our flagship Secure Phone, for example. Currently, it's based on two high-end phone models without such a scanner. This is just the dumbest place to make a compromise. If you want it the easy way, get an iPhone. If you mean business and need real security and privacy, get as educated as it gets and then make up your mind. Because phones aren't just phones anymore, they're already mirrors of our life, they're extensions of who we are.