Dead men tell no tales, but their phones might.
Early last month, two detectives walked into the lab of Anil Jain, a professor of computer science and engineering at Michigan State University. They had heard of Jain’s cutting-edge work in fingerprint recognition and wanted his help in a murder investigation.
The detectives brought the victim’s locked Samsung Galaxy S6 phone and a copy of his fingerprints, as he had been previously arrested. The investigators said they believed his phone might hold clues to who killed him and asked Jain to help them get inside the phone by overcoming the fingerprint scanner lock.
Jain and his team — doctoral student Sunpreet Arora and postdoctoral student Kai Cao — spent the following several weeks tinkering with a solution. This week, they found one that worked.
Plans A, B And C
Setting off to create a successful fingerprint key, Jain knew that the models would have to be able to conduct electricity. Real human skin is conductive, similar to copper or silver.
Jain says that the differences in the ridges and valleys in our fingerprints create different electrical currents, which can be converted into unique images on the sensors of our phones — this is what powers the new biometric phone locks.
“The fingerprints they provided us were just ink on paper, which doesn’t have a conductive property,” Jain says. “So the first thing we tried was to print the fingerprints on a special conductive paper, just like a photographic paper.”
The conductive paper prints didn’t work, so the researchers moved to plan B: create 10 3-D printed replicas of the victim’s fingertips, complete with copies of his fingerprints embedded onto them. To make them conductive, another machine was used to apply a micron-level coating of silver or copper to test which would work the best.
This method was much more expensive and time-consuming than the 2-D alternative. It took 40 minutes per finger on a $250,000 machine to print each fingertip, Jain says. From there, the fingertips went into a $600,000 machine to get the metallic coating.
Despite the high price tag, the 3-D fingertips didn’t work, either. Jain says the simple, conductive paper prints were still on his mind.
“That idea appealed to us, so we said let’s try to see how we can improve the quality of the fingerprints that the police gave us,” Jain says.
For their third attempt, the researchers used an image-enhancement algorithm specific to the unique flow pattern of fingerprints and created more precise representations of each print. They printed the high-quality fingerprints on the same conductive paper and called the detectives in for a test.
On Monday afternoon, the detectives and the researchers stood over the replica fingerprints laid out on a table and tested the final copies on the victim’s phone. Jain and his team had printed all 10 digits just in case, but the phone unlocked after they tried the first, most common one, the right thumb.
There was a moment of awed silence before the detectives broke into cheers.
Concerns For The Future
Jain says he was happy to help the police, but he also hopes this achievement will show the limits of fingerprint locks on mobile phones. He says this may prompt improvements in biometric security.
“Hopefully the phone companies are watching this and they will make fingerprint devices more robust against such simple attacks,” Jain says. “Unless you first show the weakness, you cannot strengthen it.”
Of course, with this technology, there are also legal considerations.
Because this particular phone belonged to a victim rather than a suspect — and one who is no longer alive — accessing the information on the phone wouldn’t trigger the Fifth Amendment’s protection against self-incrimination.
But the method could have implications for future criminal cases.
In 2014, the Supreme Court unanimously agreed that police need to get a warrant before they can search a suspect’s cell phone.
The same year, a Virginia Circuit Court ruled that suspects in that state “cannot be compelled [by the police] to produce his passcode to access his smartphone, but he can be compelled to produce his fingerprint to do the same.”
The distinction lies in the nature of the key. A passcode is an intangible thought in someone’s mind, whereas a fingerprint is considered physical evidence, like blood and DNA.
Did Jain and his team crack both the phone and the case? He says he’ll leave that to the detectives; he doesn’t know whether the phone contained anything helpful — and he doesn’t want to know.
“I think that’s the best way to deal with it,” Jain says. “They brought us the phone and requested us to unlock it. In a sense, our job ends now.”
Riley Beggin is an intern with NPR’s investigations unit.