Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Printer Security Crime Encryption Government Iphone Privacy Software News Hardware Technology

Police 3D-Printed A Murder Victim's Finger To Unlock His Phone (theverge.com) 97

An anonymous reader quotes a report from The Verge: Police in Michigan have a new tool for unlocking phones: 3D printing. According to a new report from Flash Forward creator Rose Eveleth, law enforcement officers approached professors at the University of Michigan earlier this year to reproduce a murder victim's fingerprint from a prerecorded scan. Once created, the 3D model would be used to create a false fingerprint, which could be used to unlock the phone. Because the investigation is ongoing, details are limited, and it's unclear whether the technique will be successful. Still, it's similar to techniques researchers have used in the past to re-create working fingerprint molds from scanned images, often in coordination with law enforcement. This may be the first confirmed case of police using the technique to unlock a phone in an active investigation. Apple has recently changed the way iOS manages fingerprint logins. You are now required to input an additional passcode if your phone hasn't been touched for eight hours and the passcode hasn't been entered in the past six days.
This discussion has been archived. No new comments can be posted.

Police 3D-Printed A Murder Victim's Finger To Unlock His Phone

Comments Filter:
  • So... (Score:5, Funny)

    by Doug Otto ( 2821601 ) on Thursday July 21, 2016 @04:22PM (#52557075)
    The scientists are giving them the finger?
    • The scientists are giving them the finger?

      Pretty much giving the finger to privacy...

      And Jain said he was happy to help when they got in touch: "We do it for the fun."

      • It's a cool use of 3D Printing; but couldn't just putting the victim's finger on the phone work?
        • Re: (Score:2, Informative)

          by saloomy ( 2817221 )
          Capacitive touch (the metal ring around the iPhone's home button) only works if you are alive. That's [wikipedia.org] what turns on the fingerprint reader so its not constantly checking if there is a finger pressed against it. Capacitive touch detects micro-electric currents that flow through your body, and unfortunately, don't work once you are dead.
          • Re: (Score:3, Funny)

            by idontgno ( 624372 )

            Wat.

            3d-printed plastic fingers are... alive?

            O_o

          • by narcc ( 412956 )

            Capacitive touch (the metal ring around the iPhone's home button) only works if you are alive [...] Capacitive touch detects micro-electric currents that flow through your body

            No.

            The very first line from your own link:

            In electrical engineering, capacitive sensing (sometimes capacitance) is a technology, based on capacitive coupling, that can detect and measure anything that is conductive or has a dielectric different from air.

          • Capacitive touch (the metal ring around the iPhone's home button) only works if you are alive.

            This is not true. It only works for materials that are suitably capacitive. There are lots of alternatives that work aside from living flesh.

        • Re:So... (Score:5, Insightful)

          by Wycliffe ( 116160 ) on Thursday July 21, 2016 @05:15PM (#52557387) Homepage

          It's a cool use of 3D Printing; but couldn't just putting the victim's finger on the phone work?

          If you would have read the article, it states that the body was too decayed. Another possibly scenario would be where the body hasn't been found yet and they find the phone in the victim's apartment, along side the road, etc... There are plenty of situations where you might have a prerecorded fingerprint but not a body.

          Oh, and call me cynical but my guess is that one of the reasons it's being tried in this case is to set a precedence in a "safe" case so they can later use it against living people with a search warrant.

          • by Anonymous Coward

            There is already a precedent for living people.. they can and will order your finger against the scanner...

            http://thinkprogress.org/justice/2016/05/02/3774385/court-forces-woman-to-unlock-phone-with-finger-id/

          • by AmiMoJo ( 196126 )

            So the important questions to ask are:

            1. How long does it take to create a fake finger to unlock a phone?

            2. Can I set the time-out that requires entering an unlock code to be less than that?

      • Beware the long finger of the law!

    • Hmmm... can I copyright my fingerprint and then charge the government some exorbitant price for keeping it in a database, or copying it anywhere else?
      • by Anonymous Coward

        Hmmm... can I copyright my fingerprint and then charge the government some exorbitant price for keeping it in a database, or copying it anywhere else?

        Right! Charge them with going up against the DMCA and sue the shit out of their grandmother for 10 billion in damages ! Good one!

    • but is it??

      https://www.youtube.com/watch?... [youtube.com]
      The worlds First unlocked iPhone 5s with The penis

    • So they had the victims finger prints why not just take the phone down to the Morgue and scan the corpse? it can't be that difficult to warm up a finger (Assuming the scanner even checks for thermal)
  • by Anonymous Coward

    ...please don't try to unlock my phone. To me, having my privacy interfered with is a greater fear than being murdered.

    • by Anonymous Coward

      It should be since in your hypothetical you'd already be dead.

    • Don't be a criminal or get murdered and you won't have an issue.

    • Once I'm dead, one of two things will happen. I will either no longer exist and therefore wouldn't care about my privacy anymore, or I will live on in some mystical realm and wouldn't care about my corporeal privacy anymore.

      Either way, privacy would be the last thing on my mind.

      • You obviously haven't watched enough silly TV, or you'd realize the third option is that you will haunt your phone until someone does a documentary about it.

  • by Anonymous Coward

    iPhones give you only 48 hours to use a fingerprint before reverting to passphrase (and less than eight hours if you haven't unlocked by passcode within the last six days)

    • by guruevi ( 827432 )

      On mine it's 12h (I think, it may be 8, I do it every morning and sometimes after a long day out) and I have a >4 character code. Also whenever the device restarts or anything (base band) is updated.

  • by PinkyGigglebrain ( 730753 ) on Thursday July 21, 2016 @04:25PM (#52557107)

    How long till they use 3D printing or such to replicate someones face or retina scan?

    One more reason for me to never use or trust bio-metric authentication.

    And now I have something I can point to and say "See?" when someone tries to convince me how great Bio-metrics are.

    • Whatever happened to "Demolition Man" old school, put eyeball on a pen or cut off finger

    • At some point your synaptic connections will be scanned so that anything you memorized can be used against you

    • by JustAnotherOldGuy ( 4145623 ) on Thursday July 21, 2016 @05:12PM (#52557371)

      The only biometric signature hardware that I've seen that I would consider seriously difficult to spoof would be the deep-vein reader:

      http://www.fujitsu.com/us/solu... [fujitsu.com]
      http://www.m2sys.com/palm-vein... [m2sys.com]

      They use "Palm Vein Authentication" and this seems like it would be really, really tough to trick. I think it would be very hard to recreate the sensor signature, probably harder than a retinal scan.

      • by Anonymous Coward

        I don't think so. All you need to do is to provide something that'll generate the inputs in the sensor that the back-end wants to see. Since biometrics are inherently fuzzy, you always have some leeway. And the sensor can only see so much. In fact the back-end first runs some processing step to abstract out what the designers thought were the high points, to try and reduce noise in the input. This happens with fingerprints, but with facial recognition also. Distorting those is what those facepaint tricks do

        • I don't think so. All you need to do is to provide something that'll generate the inputs in the sensor that the back-end wants to see.

          Not only would you have to come up with this "something" that'll generate the inputs, you'd also have to get the "live palm signature" of the person to be impersonated with all of the correct biometric markers.

          Yes, it'll probably be possible to spoof it someday, but I think that day is quite a ways off. By then I suspect it'll have been enhanced with DNA sensing and who knows what else.

          The fact is that technology like this is rapidly making it more and more difficult to fool these kinds of "deep-sensing" au

    • by Aighearach ( 97333 ) on Thursday July 21, 2016 @05:14PM (#52557385) Homepage

      The good news is that this might mean it is better for the thieves to just scan your finger, instead of needing to cut it off. They'll get one that doesn't need refrigeration that way. Unfortunately, this can only be done with fancy custom academic prototype 3d printing, not off-the-shelf models, so for now the answer for thieves of biometric-protected items is still to cut the finger off and apply an electric current.

      My solution is simpler: I don't put anything on a mobile device that needs strong protection. Just because it is possible to bank from a phone app doesn't automatically mean there is a great use case for it. Internet banking from a physically secure desktop computer seems like a much better setup to me. But I've had that since the 90s.

      If I really, really wanted to check my balance from my phone, I could actually just call the 800-number and have a computer read it to me. And it is much safer, because I can't do transactions that way; only check the balance.

      • by AmiMoJo ( 196126 )

        Has there ever been a case of a thief actually cutting someone's finger off and then applying an electric current just to get into their mobile banking app? Seems much more likely they would just steal your wallet and phone, and maybe force you to withdraw some cash or tell them the credit card PIN number.

        Thieves are usually quite unsophisticated and the ones with half a brain try to avoid making contact with their victims at all, e.g. by using card skimmers at ATMs and payment terminals.

        The really stupid t

    • by TRRosen ( 720617 )

      Actually both of those usually only require a high res photo.

  • by Anonymous Coward

    I mean if the guy is dead, why not just go down to the morgue and swipe his finger across the phone?

    • I think it requires a pulse.

      • It depends on the sensor. There are sensors available that can look for a pulse, appropriate temperature, even the presence of subcutaneous blood vessels imaged in the infrared. But those are expensive and bulky sensors, and not the sort you find on phones, which are comparatively crude devices.

        • What is "appropriate temperature" for a finger? My SO regularly manages to get her hands (and feet) below ambient temperature...

      • They have some indication other than the whole body, like a large pool of blood or video footage of the murder that doesn't show enough detail to identify the murderer, that the phone's owner has been killed.
      • The phone was not found until after the victim's body was buried or cremated, and even if it was buried it has been long enough that decomposition would prevent the actual finger from working.
      • The police have the body, but the fingers were mutilated beyond the capability of the fingerprint sensor to rec
    • by guruevi ( 827432 )

      Because humans tend to swell up when they decompose, not sure about the rate in morgue fridges (they don't deep freeze you) but I think over time someone (usually family) would eventually want to burry or burn you.

    • There must be a reason - probably one of the things not released as this is an ongoing investigation. Maybe they don't have the body, or they have but it was disposed of in a way that destroyed the prints, or it wasn't found for some weeks and is to decayed to read.

  • by Frosty Piss ( 770223 ) * on Thursday July 21, 2016 @04:32PM (#52557147)

    Here's the interesting part...

    A 3D printed finger alone often canâ(TM)t unlock a phone these days. Most fingerprint readers used on phones are capacitive, which means they rely on the closing of tiny electrical circuits to work. The ridges of your fingers cause some of these circuits to come in contact with each other, generating an image of the fingerprint. Skin is conductive enough to close these circuits, but the normal 3D printing plastic isnâ(TM)t, so Arora coated the 3D printed fingers in a thin layer of metallic particles so that the fingerprint scanner can read them.

    • it's unclear whether the technique will be successful

      The headline is misleading. They haven't actually unlocked the phone, they just think they might have a way. If not they'll need to call the FBI.

      • by Anonymous Coward

        "But Arora said that in a few weeks, once he’s tested the fingers enough in the lab, he’ll hand them over."

        In a few weeks? WTF! That's why anything for gov't costs an arm and a leg !
        Wouldn't 'testing' take like 5 minutes?

  • by Anonymous Coward on Thursday July 21, 2016 @04:36PM (#52557169)

    This is a logical enough move, though I'm pretty sure you can do it without an actual 3d printer. We already know that fingerprints can be duplicated with very little effort indeed. But the problem for our esteemed LEO bunch here is that LEOs are now admitting this reality. And that brings up important sticky sticking points.

    For, if they start to routinely duplicate fingerprints, what value do fingerprints found on the scene retain?

    Also, now it turns out they're sitting on gigantic databases of other people's access keys, in the form of earlier taken fingerprints. You can trust them with that, can't you? They're totally trustable, right?

    • by Aighearach ( 97333 ) on Thursday July 21, 2016 @05:23PM (#52557441) Homepage

      Also, now it turns out they're sitting on gigantic databases of other people's access keys, in the form of earlier taken fingerprints. You can trust them with that, can't you? They're totally trustable, right?

      That's the real kicker. They don't even need a new scan. Even if you're not paranoid about the police directly, the identity thieves have already proven that they have an easy time planting people on the inside of government agencies that have access to identity data, like the DMV. And the amount of drugs that are smuggled into prisons shows that criminal elements have fully penetrated the prison guards. So there is already black market access to this information. You can't just avoid new scans to avoid it.

      It isn't viable to protect the secrecy of your fingerprints, so it isn't viable as an authentication mechanism. The main thing you can do to protect yourself is not to rely on authentication mechanisms; don't think that putting your fingerprint into your phone lock screen means that it is safe to store secrets (like banking access) on a phone. Don't think that having a fingerprint scanner on a door means that nefarious persons can't enter through that door. Don't think that a fingerprint scanner on a car ignition will keep thieves from driving away in it. Etc.

  • well, for 5 seconds it was
  • by mmell ( 832646 ) on Thursday July 21, 2016 @05:06PM (#52557337)
    the police can put my fingerprint anywhere they want? Conceivably to be "found" later on and used as evidence against me?

    Prosecutor: "Can you explain how your fingerprints came to be on the murder weapon?"

    Defendant: "I don't know. I never touched it. Never seen it before. Maybe the police put it there? Since we know they can, experience has shown that they will."

    • The judge will most likely not allow the jury to hear that.

  • Technically legal (Score:3, Insightful)

    by WillAffleckUW ( 858324 ) on Thursday July 21, 2016 @05:19PM (#52557411) Homepage Journal

    Live people have far more privacy protections than dead people do.

    • My question is, wouldn't this still fall under the Computer Fraud and Abuse Act? The LEOs/anybody else are not allowed users of the device, and it is a computer on a network.....

  • Fingerprint authentication has never been, and will never be, adequately secure.

  • by ooloorie ( 4394035 ) on Thursday July 21, 2016 @07:49PM (#52558103)

    You don't need to 3D print a finger to fabricate a fingerprint, a simple laser printer is enough:

    http://www.instructables.com/i... [instructables.com]

  • by Anonymous Coward

    And in the process they've proven that because a finger print is found at a crime scene doesn't mean that their suspect was there. If I were a defense attorney I'd keep a copy of this case in my briefcase and whenever a prosecutor used finger prints as evidence I'd pull it out and say "I have a case right here where POLICE faked a finger print so if the prosecutor could please prove that these fingerprints were used actually came from my client"

  • by xrayspx ( 13127 ) on Thursday July 21, 2016 @11:58PM (#52558875) Homepage
    My phone dies with me. I'm sure many of my accounts die with me. I spend enough of my time keeping anyone, cops, bad guys, whoever, anyone, from reading my stuff. If they're going to /copy biometrics/ just to get access to some moron who kills me? No. I'm dead, doesn't matter anymore. Just leave me alone in death in the way you wouldn't in life.

    I guess I'm glad everything's password and I have a really, really good memory and very fast fingers.
  • by samantha ( 68231 ) * on Friday July 22, 2016 @03:49AM (#52559301) Homepage

    There is no way to spoof a fingerprint sensor with a 3D printer. It would take extremely precise printing, far better than any 3D printer the local cops are like to have and a very precise fingerprint. And a sensor that has no ability to note discrepancy with living tissue. So I am claiming complete bullshit pretense of far more powers than cops have.

    Heck, I have to recalibrate my iThing fingerprint patterns every month or so to get it to recognize the real thing.

  • by Antique Geekmeister ( 740220 ) on Friday July 22, 2016 @07:46AM (#52559913)

    The original presentation on beating fingerprint sensors with ordinary laser printer printed copies of fingerprinters, laid on gelatin, published in 2002, is available at:

                  http://web.mit.edu/6.857/OldSt... [mit.edu]

    It's quite a good presentation, and was verified by MythBusters in 2011.

                  https://www.youtube.com/watch?... [youtube.com]

    Mythbusters even demonstrated that simply printing a fingerprint on paper, and _licking the paper_, created a fake fingerprint good enough to defeat most sensors. There's little reason to think that the commercial fingerprint sensors have gotten any better, though I'd welcome a modern retest with modern cell phone and computer keyboard based sensors.

    Basically, the "fuzziness" of fingerprint sensors which allows to identify real fingers with real sensors is enough "fuziiness" to allow them to be beaten with even casually made fake fingerprints. I've seen no good evidence that the necessarysensor and computational "fuzziness" has ever been worked around with even the most expensive modern sensors: I'd welcome any evidence with honestly done tests showing otherwise.

    • by phorm ( 591458 )

      For non-phone devices, you could probably at least come up with something that requires a finger-shaped input (e.g. requires finger inserted, pushes a button at the end to toggle the snapshot) and maybe a heat-sensor.
      That might not exclude warm gelatin, but at least it'll beat a laser-printed print affixed to the end of a pencil etc.

  • Your fingerprint is not protected by the Constitution, whether you are dead or alive, while password is protected.
  • The DNC should be able to just reach in the federal NSA database and tell the IRS who they should start punishing.

    It's time for the government to modernize and silence all of this counter-revolutionary free market, open democracy, free speech stuff.

A physicist is an atom's way of knowing about atoms. -- George Wald

Working...