Police in Lansing, Mich., had a problem – investigators had a smartphone, belonging to a homicide victim, that could contain key evidence. But they couldn’t get into it. It was locked, and to open it, they needed more than a password. A fingerprint was required to get into the phone.
It was a situation more and more law enforcement agencies face: how to see what’s behind increasing layers of encryption and security in electronic devices. In this case, they were looking at a victim’s phone. In other cases, law enforcement is trying to get into the phones of those suspected of crimes.
And while police have been able to get warrants allowing them to use suspects’ fingerprints to open smartphones, it appears using a deceased victim’s fingerprints to open a locked phone had never been done before.
Lansing knew Michigan State University had a detective on the campus police force who specialized in digital forensics. So they asked him to get involved.
But Detective Andrew Rathbun had an issue. He couldn’t sort through the Samsung Galaxy S6 without being able to open the password lock, and none of his software could do anything with fingerprints. So he did an online search for spoofing fingerprints.
“I was just trying to be creative in finding a way to access the phone,” Rathbun said.
It worked. He came across videos of an expert who was able to unlock fingerprint phones.
The expert, Anil Jain, was less than a five-minute walk away in the MSU computer science and engineering department.
Rathbun got Jain on the phone and asked the professor for help.
Jain broke out his bag of tricks. They couldn’t use the victim’s fingers, because the lock needed to sense electrical conductivity, something a corpse doesn’t have. So they got a set of the victim’s fingerprints and printed them on special paper.
That didn’t work.
They tried a couple of other things. They enhanced the fingerprints, filling in missing ridges and valleys, just like people see on TV cop shows, Jain said. Then they printed a set of them on a 3D printer, which would allow someone to wear the fingerprints. Jain and his team then called the police, who brought over the phone, which never left police custody.
The 3D fingerprints didn’t work.
So they printed the enhanced 2D fingerprints and got ready to try those.
But they still faced a challenge. Which finger to use?
They decided to try the right thumb, figuring that was the natural one based on how a person holds a phone. They applied it to the sensor.
And it worked.
“There was silence for a few minutes,” Jain said. “We were all wondering, ‘Did it really work?’ “
Police quickly disabled the fingerprint lock and assigned the phone a simple passcode.
That was on July 25. Now police are going through the phone to see whether there is anything to help them with the homicide investigation.
As phones become more important in people’s lives, storing credit cards and other financial information, security on them is becoming a big deal, Jain said.
“It’s very easy to guess a passcode if I know a little bit about you,” Jain said. “Biometric security is much safer, and I think you’ll see more and more of those measures added to all kinds of devices.”
As smartphone manufacturers ramp up security measures to protect customers’ information from hackers, identify thieves and other nefarious people, their efforts are pitting them against law enforcement. Police and federal law enforcement agencies want smartphone manufacturers, such as Apple, to build back doors into devices so police can access them in criminal investigations.
Earlier this year, Apple fought legal efforts by the FBI, which wanted the company to build back-door software to allow investigators to access an encrypted iPhone owned by one of two attackers who shot and killed 14 people and wounded 22 others in San Bernardino, Calif., last year. A court battle on privacy rights that would have likely ended up before the U.S. Supreme Court was avoided when the FBI got help from an outside expert to access the phone, and then withdrew legal action against Apple.
Apple and other companies have maintained that building back-door access for law enforcement would make the phones vulnerable to hacking by others. The company also noted that it could be also forced by foreign governments to use the back door to break into encrypted phones in instances in which it might not be in the best interests of the U.S.