Unlocking your fingerprint passcode without your fingers

Passcodes can be hacked, but now it seems that fingerprints can be hacked too. A pair of detectives asked Anil Jain, a professor of computer science and engineering at Michigan State University, to help them unlock a phone that was evidence in a murder investigation. The victim’s Samsung Galaxy S6 phone required fingerprint identification to unlock. The detectives already had the victim’s fingerprints (he had been arrested before) on plain printer paper. However, human skin is conductive, and the whorls and ridges of our fingerprints create unique conductive patterns that biometric sensors use. So the computer scientists tried printing copies of the fingerprints onto special conductive paper (similar to photographic paper). After some trial and error, the team was able to digitally enhance the victim’s fingerprints and print these improved images onto conductive paper, successfully giving detectives access to his phone.

The fingerprint passcode for the Samsung Galaxy S6.

What gave me pause toward the end of the article was the distinction between an alphanumeric passcode and a fingerprint passcode in the courts. A passcode is considered an intangible thought in the owner’s mind, so police can’t order a suspect to reveal his or her password. But a fingerprint is physical evidence, like blood, so the suspect can be ordered to produce his or her fingerprints. By this logic, a person who is concerned about the police requisitioning their phone should always use an alphanumeric passcode as a precaution. You can be legally forced to unlock your phone if you use a fingerprint passcode, so an alphanumeric passcode would protect you from that situation. Yet breaking that passcode is much simpler – watch the person enter the code, see if there is a pattern on the glass, guess birthdays or other common passwords, etc.

For the detectives, the phone they were trying to access belonged to a deceased man. Since he was the victim, the detectives were allowed to access his phone. The victim’s fingerprints were already on file, so the detectives didn’t need to request his fingerprints. But what should the average person do if they are concerned about the privacy of their phone after their death? In the interest of preserving privacy, should people request that their phone password be changed to an alphanumeric code by a trusted loved one before they die? This would keep their phone from being used by any law enforcement and would give the loved one access to the phone. Or should a person use a fingerprint passcode, which would allow the police access to their phone but would restrict their friends and family from accessing the phone? In a way, I suppose it depends on what kind of secrets your phone holds and who you’re trying to keep them from: the police or your loved ones.