I doubt very much that you could do it with a 3d print at all. Even direct casts from fingerprints have proved difficult to use to defeat the scanner. I don't think a 3d print would have the necessary resolution.
>I don't think a 3d print would have the necessary resolution.
I bought and run a Projet 3500(http://www.3dsystems.com/3d-printers/professional/projet-350...) at my day job. In the highest resolution mode, which is all we really use, it's 750x750x1600 DPI. You could definitely print an accurate finger with fingerprints on it.
No it's not overkill, and no, fingerprints are not 2D. The fingerprint scanners on iPhones (and I believe other phones as well) are capacitive, meaning they rely on the physical ridges in your fingerprint.
Fingerprints aren't 2D, but the sensor is. The sensor does not directly measure the height of the epidermal ridges. Rather, the varying thickness of the epidermic vary the dielectric between the conductive dermis and sensor. So you can replace the ridges with something completely 2 dimensional but with the same dialectic pattern. A normal home printer ought to be able to do that.
indeed the iphone fingerprint does check if the objects are capacitive though, but that's a separate check. the "scan" is still just iirc. a infrared 2d cam
It should be noted that these are the same researchers in both articles. I would guess that the inkjet method didn't work otherwise they are just ripping off the police department?
Could just be that the police don't know this, and they'll get a rude surprise when they go and try it.
Not that it's important, but I believe it's 48 hours, and 8 hours if you haven't entered your passcode in the last six days. You also only get five tries, so a finger that is sometimes recognized but not with great reliability would still probably fail.
Well, does the OS or the fingerprint TPM handle the timeout?
If the OS handles it (and potentially if the OS files themselves aren't completely and fully encrypted) then you can trick the OS into thinking it hasn't been 24-48 hours - all you need is for the fingerprint TPM to keep returning 'success'. If the TPM handles it then it is slightly harder to do.
Which, IMHO, is perfectly reasonable. Your fingerprints are used by the government for /identification/, just like your driver's license. It's not a password. You are required to surrender your fingerprints when you are arrested. It's not compelled speech because it's an identification marker, not a password.
If you do have a runin with the police, just reboot your phone by holding down the power and home button for 10 seconds. Or, if you actually have something to hide, just don't use Touch ID.
Maybe if the key was the dead man's finger, and the house contained swathes of the dead man's private life including correspondances, photos, friends/family, all analyzable in mere seconds.
Come to think of it: Police asks 3D printing lab to recreate a dead man's fingers to unlock phone.
>and the house contained swathes of the dead man's private life including correspondances, photos, friends/family,
Based on the tone of your comment, it seemed that you implied that these wouldn't be in someone's house? They certainly would be for many people I know...
Swathes? Maybe not a strong enough word. Do an inventory and compare it to what's in your phone. Even amongst the least technical people I know, some of them have thousands of emails, their facebook correspondances are filled with personal details, their SMS/chat history is a perfectly timestamped history of their past few years, etc.
Yeah there's a few hundred, or even maybe thousands of photos in my mother's house. I'm sure there's a lot of unread magazines, too. All of that, accumulated over decades. I think it's still a safe bet there is more data in her phone would than in the combined homes of the entire neighbourhood.
My complete guess based is that the body is either already cremated, or in the hands of the family of the deceased. And they wouldn't exactly be jumping at the opportunity to let the police mess with their dead relative.
And they probably want something they could reliably continue to unlock the phone with. Sure, they could just remove all authentication once they're in, but maybe they want to tamper with the phone and its settings as little as possible.
I suspect deformation due to decomposition. Without doing any research I'd say that the decomposition process may rapidly change finger prints enough to no longer be recognized.
Alternatively, and possibly more likely, as a murder victim there's any number of ways his fingerprints could have been obliterated.
In that case, couldn't they just coat the finger with the same stuff they're coating the 3D printed replica with? Actually, how are they getting around the RF issue?
Well, I prefer to think of it as "passwords with a narrower threat model". They protect against randos at a party, petty thieves, and even close friends from getting into your data, but not well-funded governments or people willing to cut off your hand.
That may be a good enough for your use case, esp since you don't have to remember it.
Thank you very much for saying that without the "they are usernames" that usually accompanies it. Fingerprints are something different from either, with their own properties, and trying to shoehorn them into the existing username/password system means you'll get things wrong.
Pretty sure a simple suggestion of "don't think of an open lock" would do the trick. Or showing an animation of a lock opening. Even if the required image isn't of a lock, but of a "password image," the suggestion of "don't think of your password image" will probably conjure it up for most.
You can detect strong signals with current consumer technology. One easy pattern is the SSVEP[1], which shows up as a spike in the brain signal's FFT at the frequency of a flashing light that the subject is looking at. Interestingly, it also seems to work with binaural audio.
It might be hard to tell peoples' signals apart with the confidence of a strong password, but individuals do respond pretty differently in terms of how long it takes to appear, how quickly it grows, how much of a spike is observed, small offsets, etc.
Yeah, SSVEP has it's uses[1], but I don't think it would work well enough to identify various users with any sort of confidence. It would likely be easier to do with showing an image (or series of such) that would present people with a very different emotional responses. This could be loved ones, childhood homes, etc.
If you are curious in this stuff, I am pretty familiar with this stuff, and my startup[2] uses consumer EEG's regularly. Our single largest concern is actually signal correction due to movement / other environment factors[3].
If you want to take something to the grave, you'll have to be more creative than simply assuming nobody is going to go through your stuff when you die.
That's just not permanent or fail-deadly, maybe something like HCl over your documents on death. The thermite might get spread around or fail to ignite.
This seems very problematic, since of course going forward they'll be doing this with live suspects. Police stations and other law enforcement agencies are known locations. It wouldn't that be hard to write an app that has a database of GPS coordinates for these locations and puts the phone in passcode required mode the moment the phone enters one of these zones.
Fingerprints should not be considered to be a password. They are a username. You can't rotate your fingerprints like you can rotate a password, and what is more you leave your fingerprints on everything you touch.
The numbers on the keypad appear in a random order so you’re touching different parts of the screen each time, even though you’re entering the same code.
The police aren't providing the dead man's fingers, just a fingerprint scan. Without more, I have to admit the possibility that the police aren't telling the truth, that this is an attempt to unlock a live person's phone. If the person was in custody then there would be no need. They can force his finger onto the phone. Perhaps they have the phone but not the man?
Christ almighty. That fucking website's moble responsive bullshit is intolerable.
Stupid shitty buttons need to fuck off permanently, please!
No, I'm not going to be emailing anything. No, I am not going to tweet your shit. No, I am not going to facebook your shit. No, I am not going to fucking whatsapp whatever the fuck that even means.
But wow, can I fucking READ the fucking website?
No! Because all the fucking shitty useless buttons are in the fucking way, so I can't even SCROLL THE FUCKING PAGE WHETHER IT'S FUCKING PORTRAIT OR LANDSCAPE. GOD WHAT THE FUCK IS THE PROBLEM WITH YOU PEOPLE???
Worth noting that Mythbusters did an experiment with spoofing fingerprint scanners. They didn't use a 3D printer, but etched a copper plate. It looks like the fingerprint reader technology is not the same, but it seems like the ballistics gel version they made might have similar capacitance to a human finger and could work.
This was several years ago when fingerprint scanners were cameras under glass, they are a lot more sophisticated now and harder to fool. These techniques will get you no where on a current Apple device.
Reminds me of the story about the 3D copier that somebody 3D copied, but they had their thumb on the scanner when they copied it, so all descendent copies of that 3d copier had a copy of their thumb on the scanner.
87 comments
[ 5.9 ms ] story [ 93.1 ms ] threadSubmitters: please submit original sources, especially when there's an obvious one. This is in the HN guidelines (https://news.ycombinator.com/newsguidelines.html).
I bought and run a Projet 3500(http://www.3dsystems.com/3d-printers/professional/projet-350...) at my day job. In the highest resolution mode, which is all we really use, it's 750x750x1600 DPI. You could definitely print an accurate finger with fingerprints on it.
Some FDM printers apparently have resolutions in the low 10s of microns.
This laboratory probably isn't using off-the-shelf consumer-grade 3d printer
http://qz.com/631697/a-regular-inkjet-printer-can-spoof-a-fi...
"The spoof worked on the Samsung and Huawei handsets, but not the Apple and Meizu ones"
cough graphite powder cough
>Fingerprints aren't 2D
http://qz.com/631697/a-regular-inkjet-printer-can-spoof-a-fi...
http://torkjel.com/projects/attacking_fingerprint_sensors.pd...
Creating PCBs can be with very short turn around times or even in house.
A bigger question is, why do they need the fingerprint... The phone has a passcode too.
Not that it's important, but I believe it's 48 hours, and 8 hours if you haven't entered your passcode in the last six days. You also only get five tries, so a finger that is sometimes recognized but not with great reliability would still probably fail.
• Not unlocked for 8 hours after not having used passcode for 6 days
• Not unlocked for 48 hours otherwise
• Restarted
• 5 failed fingerprints
• Enrolling new fingerprints
If the OS handles it (and potentially if the OS files themselves aren't completely and fully encrypted) then you can trick the OS into thinking it hasn't been 24-48 hours - all you need is for the fingerprint TPM to keep returning 'success'. If the TPM handles it then it is slightly harder to do.
[1]http://www.theatlantic.com/technology/archive/2016/05/iphone...
If you do have a runin with the police, just reboot your phone by holding down the power and home button for 10 seconds. Or, if you actually have something to hide, just don't use Touch ID.
Come to think of it: Police asks 3D printing lab to recreate a dead man's fingers to unlock phone.
Based on the tone of your comment, it seemed that you implied that these wouldn't be in someone's house? They certainly would be for many people I know...
Yeah there's a few hundred, or even maybe thousands of photos in my mother's house. I'm sure there's a lot of unread magazines, too. All of that, accumulated over decades. I think it's still a safe bet there is more data in her phone would than in the combined homes of the entire neighbourhood.
Alternatively, and possibly more likely, as a murder victim there's any number of ways his fingerprints could have been obliterated.
I imagine there are some Frankensteinian ways to create the necessary current to activate the RF sensor, but… well, Frankenstein
http://www.theregister.co.uk/2014/09/23/iphone_6_still_vulne... - glue fingerprint replica sufficient
http://www.iphonehacks.com/2016/02/iphone-touch-id-hacked-wi... - PlayDoh, dental paste
That may be a good enough for your use case, esp since you don't have to remember it.
That being said, give it a couple decades
It might be hard to tell peoples' signals apart with the confidence of a strong password, but individuals do respond pretty differently in terms of how long it takes to appear, how quickly it grows, how much of a spike is observed, small offsets, etc.
[1] https://en.wikipedia.org/wiki/Steady_state_visually_evoked_p...
If you are curious in this stuff, I am pretty familiar with this stuff, and my startup[2] uses consumer EEG's regularly. Our single largest concern is actually signal correction due to movement / other environment factors[3].
[1] http://synaptitude.me/blog/a-quick-intro-to-ssvep-steady-sta...
[2]http://synaptitude.me/
[3] http://synaptitude.me/blog/using-computer-vision-to-improve-...
Well, unless the cops use neural jammers or something. How cyberpunk.
If you want to take something to the grave, you'll have to be more creative than simply assuming nobody is going to go through your stuff when you die.
All the reasons it will require a secondary method[1]:
• When your fingerprint isn't recognized after a few tries
• After restarting your device
• After switching to a different user on the device
• After more than 48 hours have passed since you last unlocked using your backup method
[1] https://support.google.com/nexus/answer/6285273?hl=en
http://www.extremetech.com/computing/51228-gummy-fingers-foo...
oh well
2. Open mirror image of fingerprint in photoshop and maximize contrast, crop to fingerprint alone
3. Print finger print mirror image to UV-stencil-type material
4. Etch into UV-material w/ UV printer
5. Pour rubber/plastic-type material over UV etching
6. Remove rubber thumb, apply to fingerprint detector, voila..
I am always skeptical of these kinds of statements.
The police aren't providing the dead man's fingers, just a fingerprint scan. Without more, I have to admit the possibility that the police aren't telling the truth, that this is an attempt to unlock a live person's phone. If the person was in custody then there would be no need. They can force his finger onto the phone. Perhaps they have the phone but not the man?
Stupid shitty buttons need to fuck off permanently, please!
No, I'm not going to be emailing anything. No, I am not going to tweet your shit. No, I am not going to facebook your shit. No, I am not going to fucking whatsapp whatever the fuck that even means.
But wow, can I fucking READ the fucking website?
No! Because all the fucking shitty useless buttons are in the fucking way, so I can't even SCROLL THE FUCKING PAGE WHETHER IT'S FUCKING PORTRAIT OR LANDSCAPE. GOD WHAT THE FUCK IS THE PROBLEM WITH YOU PEOPLE???
https://www.youtube.com/watch?v=3Hji3kp_i9k
tldw: http://www.discovery.com/tv-shows/mythbusters/mythbusters-da...