The FBI has a new trick up its sleeve for getting into locked iPhones. The agency hired Anil Jain, a professor at Michigan State University, to 3D print the fingers of a murder victim. The idea is to use the 3D prints to unlock the device. Should it work, it will open up new avenues for law enforcement and pose new threats to everyone, everywhere.
According to Fusion, who first reported on the issue, Professor Jain’s field of study is biometric identifiers. Think fingerprints, tattoo matching, and other areas in this field. More importantly, his usual focus is making devices more secure, rather than figuring out how to crack them.
Nonetheless, the FBI sought out the professor’s expertise in getting into a smartphone owned by a murder victim. They believe it might contain information about his murderer. The FBI has his fingerprints—all eight of them, plus both thumbs—but they need them in a form that a fingerprint sensor will recognize.
Professor Jain and his students have been working on 3D printing those prints as fingers. That’s just half the process, however, as they then had to coat them with, “a thin layer of metallic particles” designed to activate the galvanic sensors in the fingerprint scanner.
Timing Is Always Everything
The story is fascinating, but here’s where it starts getting truly interesting to me. It’s not clear what kind of device is involved in this case. If it’s an iPhone—which seems likely—this process is pointless. iPhones require a passcode after 48 hours, but Professor Jain and his students will end up taking weeks to complete their efforts. Again, if it’s an iPhone, it won’t work, even if the 3D printed fingers otherwise work flawlessly.
Of course, it could be an Android device, and I’m not up on current fingerprint security on Android devices to offer an opinion on the subject.
But it’s almost irrelevant, because you have to start somewhere on projects like this. If the professor and his team can make these fingers in weeks, it is likely they—or someone else—can eventually find a way to make them in days, or even hours.
And that’s where it gets tricky. If the FBI can find a way to artificially produce fingers that unlock suspects’ smartphones, they will use it. And so will the police. That would bypass any self-incrimination protections suspects have, assuming any apply at all.
One federal judge has already ruled the police can use force to make you unlock your smartphone. Law enforcement can already get your prints when you’re arrested. It could easily become just a matter of form before the next step is routinely reproducing those prints as artificial fingers and opening up your devices.
But these are all scenarios involving law enforcement where due process protections still apply. The thing is that once legitimate law enforcement in the U.S. can employ such a method, it’s only a matter of time before foreign governments and criminal organizations get their mitts on the same technology.
I’m not arguing that the FBI shouldn’t pursue such means. It frankly seems like a logical progression—legally, technically, and philosophically.
But it may mean that fingerprints have a limited lifespan for usefulness. With databases of fingerprints existing all over the world, this technology could eventually be used by authoritarian regimes and criminals alike to target individuals for surveillance, extortion, or even petty crime.
Five years from now, imagine a criminal gang stealing the possessions of John Smith. Confronted with a smartphone they could sell, they turn to a database on the dark web where they can order Mr. Smith’s prints for less than US$2. They then turn to Illicit 3D Printing, LLC, where they can get those prints made into a finger in fifteen minutes, no questions asked.
Boom! They can now sell the smartphone, the tablet, and the MacBook Pro they stole from Mr. Smith, because in five years all of those devices will feature Touch ID.
Security is always a game of whack-a-mole. Make something secure, and someone will figure out how to crack it. No matter how many security measures we invent, they never stand the test of time.
This will be just as true with Touch ID as any other security feature that came before it. And the reality is that Touch ID has always been more about convenience than security. There could come a day, however, when fingerprints turn into an area of actual insecurity.