
Police asked 3D printing lab to recreate a dead man’s fingers to unlock phone - theandrewbailey
http://fusion.net/story/327145/3d-print-dead-mans-fingers-to-unlock-his-phone/
======
trjordan
Privacy expires at death.
[http://www.nytimes.com/2001/11/26/opinion/l-privacy-after-
de...](http://www.nytimes.com/2001/11/26/opinion/l-privacy-after-
death-341860.html)

If you want to take something to the grave, you'll have to be more creative
than simply assuming nobody is going to go through your stuff when you die.

~~~
mey
Deadman's switch attached to a thermite pile?

~~~
zapu
[https://www.youtube.com/watch?v=-bpX8YvNg6Y](https://www.youtube.com/watch?v=-bpX8YvNg6Y)
Might be harder than it looks/sounds.

~~~
tucaz
Just "lost" an hour of my life. Thanks! :)

------
NathanKP
Fingerprints should not be considered to be a password. They are a username.
You can't rotate your fingerprints like you can rotate a password, and what is
more you leave your fingerprints on everything you touch.

~~~
LastZactionHero
Yup. If I look at my phone right light, I can see the key to unlock the phone
on the glass.

~~~
heartsucker
Cyanogenmod has a feature that lets you randomize the numbers on the keyboard
each time you try to unlock it, if you use a PIN.

~~~
pelario
can you explain this a little bit more?

~~~
dan1234
The numbers on the keypad appear in a random order so you’re touching
different parts of the screen each time, even though you’re entering the same
code.

------
tlrobinson
Why kind of phone is this? I believe iPhones don't allow unlocking with
TouchID after 24 hours of inactivity, presumably for this reason...

~~~
mikeash
Could just be that the police don't know this, and they'll get a rude surprise
when they go and try it.

Not that it's important, but I believe it's 48 hours, and 8 hours if you
haven't entered your passcode in the last six days. You also only get five
tries, so a finger that is sometimes recognized but not with great reliability
would still probably fail.

~~~
socceroos
Well, does the OS or the fingerprint TPM handle the timeout?

If the OS handles it (and potentially if the OS files themselves aren't
completely and fully encrypted) then you can trick the OS into thinking it
hasn't been 24-48 hours - all you need is for the fingerprint TPM to keep
returning 'success'. If the TPM handles it then it is slightly harder to do.

~~~
russjr08
IIRC the Secure Enclave handles it.

------
scigeek42
I have to ask the morbid question, why couldn't they use the dead man's
fingers directly?

~~~
Eric_WVGG
In addition to the capacitive sensor, there's an RF sensor that apparently
responds to living tissue, but not dead tissue.
[http://fortune.com/2013/09/16/apple-touch-id-and-the-fear-
ha...](http://fortune.com/2013/09/16/apple-touch-id-and-the-fear-having-your-
finger-chopped-off/)

I imagine there are some Frankensteinian ways to create the necessary current
to activate the RF sensor, but… well, Frankenstein

~~~
FireBeyond
Yeah, I'd take some of that with a grain of salt:

[http://www.theregister.co.uk/2014/09/23/iphone_6_still_vulne...](http://www.theregister.co.uk/2014/09/23/iphone_6_still_vulnerable_to_touchid_fingerprint_hack/)
\- glue fingerprint replica sufficient

[http://www.iphonehacks.com/2016/02/iphone-touch-id-hacked-
wi...](http://www.iphonehacks.com/2016/02/iphone-touch-id-hacked-with-play-
doh.html) \- PlayDoh, dental paste

------
klodolph
I was under the impression that a 3D print was overkill, that you could do
this much more easily. Have the sensors gotten that much better?

~~~
TrevorJ
I doubt very much that you could do it with a 3d print at all. Even direct
casts from fingerprints have proved difficult to use to defeat the scanner. I
don't think a 3d print would have the necessary resolution.

~~~
palunon
You can almost 3d print at the atom level with the right kind of machinery...

Some FDM printers apparently have resolutions in the low 10s of microns.

This laboratory probably isn't using off-the-shelf consumer-grade 3d printer

------
kirykl
I'd like to see brainwaves being used as passwords. And the fun accompanying
the government forcing suspects to think "unlock"

~~~
lettergram
You'd need one hell of an accurate EEG in similar conditions to do this
consistently.

That being said, give it a couple decades

~~~
leggomylibro
You can detect strong signals with current consumer technology. One easy
pattern is the SSVEP[1], which shows up as a spike in the brain signal's FFT
at the frequency of a flashing light that the subject is looking at.
Interestingly, it also seems to work with binaural audio.

It might be hard to tell peoples' signals apart with the confidence of a
strong password, but individuals do respond pretty differently in terms of how
long it takes to appear, how quickly it grows, how much of a spike is
observed, small offsets, etc.

[1]
[https://en.wikipedia.org/wiki/Steady_state_visually_evoked_p...](https://en.wikipedia.org/wiki/Steady_state_visually_evoked_potential)

~~~
lettergram
Yeah, SSVEP has it's uses[1], but I don't think it would work well enough to
identify various users with any sort of confidence. It would likely be easier
to do with showing an image (or series of such) that would present people with
a very different emotional responses. This could be loved ones, childhood
homes, etc.

If you are curious in this stuff, I am pretty familiar with this stuff, and my
startup[2] uses consumer EEG's regularly. Our single largest concern is
actually signal correction due to movement / other environment factors[3].

[1] [http://synaptitude.me/blog/a-quick-intro-to-ssvep-steady-
sta...](http://synaptitude.me/blog/a-quick-intro-to-ssvep-steady-state-
visually-evoked-potential/)

[2][http://synaptitude.me/](http://synaptitude.me/)

[3] [http://synaptitude.me/blog/using-computer-vision-to-
improve-...](http://synaptitude.me/blog/using-computer-vision-to-improve-eeg-
signals/)

------
justinlardinois
Just a reminder that fingerprints are not passwords.

~~~
SilasX
Well, I prefer to think of it as "passwords with a narrower threat model".
They protect against randos at a party, petty thieves, and even close friends
from getting into your data, but not well-funded governments or people willing
to cut off your hand.

That may be a good enough for your use case, esp since you don't have to
remember it.

------
downandout
This seems very problematic, since of course going forward they'll be doing
this with live suspects. Police stations and other law enforcement agencies
are known locations. It wouldn't that be hard to write an app that has a
database of GPS coordinates for these locations and puts the phone in passcode
required mode the moment the phone enters one of these zones.

~~~
realo
this is an awesome idea, but the other way around... only allow fingerprint in
white listed locations.

~~~
downandout
Even better - great idea!

------
DonHopkins
Reminds me of the story about the 3D copier that somebody 3D copied, but they
had their thumb on the scanner when they copied it, so all descendent copies
of that 3d copier had a copy of their thumb on the scanner.

~~~
gourou
got a link for this absurd story?

------
sandworm101
Question: Can we trust that the person is dead?

The police aren't providing the dead man's fingers, just a fingerprint scan.
Without more, I have to admit the possibility that the police aren't telling
the truth, that this is an attempt to unlock a live person's phone. If the
person was in custody then there would be no need. They can force his finger
onto the phone. Perhaps they have the phone but not the man?

------
sickbeard
Police asked locksmith to recreate a dead man's key to unlock house.

~~~
scrollaway
Maybe if the key was the dead man's finger, and the house contained swathes of
the dead man's private life including correspondances, photos, friends/family,
all analyzable in mere seconds.

Come to think of it: Police asks 3D printing lab to recreate a dead man's
fingers to unlock phone.

~~~
hueving
>and the house contained swathes of the dead man's private life including
correspondances, photos, friends/family,

Based on the tone of your comment, it seemed that you implied that these
wouldn't be in someone's house? They certainly would be for many people I
know...

~~~
scrollaway
Swathes? Maybe not a strong enough word. Do an inventory and compare it to
what's in your phone. Even amongst the least technical people I know, some of
them have thousands of emails, their facebook correspondances are filled with
personal details, their SMS/chat history is a perfectly timestamped history of
their past few years, etc.

Yeah there's a few hundred, or even maybe thousands of photos in my mother's
house. I'm sure there's a lot of unread magazines, too. All of that,
accumulated over decades. I think it's still a safe bet there is more data in
her phone would than in the combined homes of the entire neighbourhood.

------
jeffbush
Worth noting that Mythbusters did an experiment with spoofing fingerprint
scanners. They didn't use a 3D printer, but etched a copper plate. It looks
like the fingerprint reader technology is not the same, but it seems like the
ballistics gel version they made might have similar capacitance to a human
finger and _could_ work.

[https://www.youtube.com/watch?v=3Hji3kp_i9k](https://www.youtube.com/watch?v=3Hji3kp_i9k)

tldw: [http://www.discovery.com/tv-shows/mythbusters/mythbusters-
da...](http://www.discovery.com/tv-shows/mythbusters/mythbusters-
database/fingerprint-scanners-unbeatable/)

~~~
urbanarson
This was several years ago when fingerprint scanners were cameras under glass,
they are a lot more sophisticated now and harder to fool. These techniques
will get you no where on a current Apple device.

------
JustSomeNobody
> ... and the police think there might be clues to who murdered him stored in
> his phone.

I am always skeptical of these kinds of statements.

------
delinka
Wouldn't this[1] be easier? If they have the print on file, I can't imagine
why they'd need to go all 3D-printer-happy.

[http://www.extremetech.com/computing/51228-gummy-fingers-
foo...](http://www.extremetech.com/computing/51228-gummy-fingers-fool-
fingerprint-readers)

------
davidhariri
Important privacy matters aside, would this even work? I didn't realize that
3D printing had improved to the resolution of a fingerprint.

------
cloudjacker
Got a high school dropout trying to play McNulty and be clever

oh well

------
restlessmedia
Sounds like a new Pirates of the Caribbean film. "Pirates of the Caribbean:
Dead man's fingers"

------
dang
Url changed from [http://www.theverge.com/2016/7/21/12247370/police-
fingerprin...](http://www.theverge.com/2016/7/21/12247370/police-
fingerprint-3D-printing-unlock-phone-murder), which points to this.

Submitters: please submit original sources, especially when there's an obvious
one. This is in the HN guidelines
([https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)).

