Last month, officials from MSU police’s cyber crime and digital forensics unit approached the biometric research department after realizing that research on how printed fingerprints can trigger mobile devices was being conducted on the same campus.
"I Googled ‘spoof fingerprint’ or something like that and came across [the research] as one of the results," Detective Andrew Rathbun said. "I read the research and noticed it was based out of MSU, much to my surprise. I simply emailed those who did the study and set up a meeting."
Police had obtained the victim’s prints from a previous arrest, and gave them to the lab to make a 3D print to try to unlock the Samsung Galaxy S6. The lab printed 2D and 3D replicas of all 10 of the victim’s prints, as they were unsure which finger he had used to lock the phone. None of the original prints worked, so the team enhanced them digitally by filling in valleys and broken ridges. Researchers then printed 2D models of the prints using a special conductive ink that recreates the electrical circuit needed to trigger the phone’s sensor. They felt this was a better option than the more expensive 3D model.
The team was finally able to unlock the phone with the 2D prints after multiple attempts, aided by the fact that the phone did not require a passcode. One MSU spokesperson said there were plans to use digitally enhanced 3D models, but this proved unnecessary, as the 2D prints were successful.
The leader of the MSU research team, Professor Anil Jain, says that their ability to unlock the device shows a "weakness" in the fingerprint identification technology in smartphones, and that he hopes their success will "motivate phone developers to create advanced security measures for fingerprint liveness detection."
"This shows that we need to understand what types of attacks are possible on fingerprint sensors, and biometrics in general, and how to fix them. If we don’t, the public will have less confidence in using biometrics. After all, biometric authentication was introduced in consumer devices to improve security," Jain added.
Another spokesperson said that this is the first time law enforcement has used this kind of research during an ongoing investigation, and that the lead detective "even contacted the company that was asked to help with [unlocking] the San Bernardino shooter’s phone and he kept getting the same answer: can’t do it, the tech doesn’t exist. Well, the tech exists now!"
Samsung said in a statement, "We are aware of the research from Michigan State University, but would like to remind users that it takes special equipment, supplies and conditions to simulate a person’s fingerprint, including actual possession of the fingerprint owner’s phone, to unlock the device. If there is a potential vulnerability or a new method that challenges our efforts to ensure security at any time, we will respond to issues as quickly as possible to investigate and resolve the issue."