Hackers vie for bounty in cracking fingerprint ‘Touch ID’ on new iPhone 5S
As consumers flocked to stores nationwide for Apple’s iPhone 5S release on Friday, hackers raced to claim a growing bounty for cracking the product’s “Touch ID” fingerprint reader.
Security researchers Nick Depetrillo and Robert David Graham
launched IsTouchIDHackedYet.com on Wednesday, challenging anyone
to offer video evidence of recreating a person’s fingerprint and
using it to unlock that person’s iPhone 5S.
Depetrillo originally pledged US$100 to anyone who could
successfully prove the hack. Since his offer, others have added
cash rewards and bitcoins collectively approaching $20,000. Booze
and various other prizes have also been added to the pile.
“I put my money where my mouth is and it really took off,”
Depetrillo said.
Meanwhile, Sen. Al Franken has sent a letter to Apple asking how
the company’s new product will protect the privacy of users.
“The iPhone 5S reportedly stores fingerprint data locally ‘on
the chip’ and in an encrypted format,” Franken wrote to
Apple’s CEO Tim Cook. “It also blocks third-party apps from
accessing the Touch ID. Yet important questions remain about how
this technology works, Apple’s future plans for this technology,
and the legal protections that Apple will afford it.”
Franken posed pointed questions on whether fingerprint data could
be extracted - remotely or not - by third parties, if Apple will
allow third parties to use the data, and if Apple considers
fingerprint data to be a “tangible thing” as defined in
the Patriot Act.
Such fingerprint-based scanners have been cracked in the past
using the likes of gelatin and silly putty. Yet Apple maintains
its sensor is unique in its “liveness” verification
standards, so much so that even a severed finger could not be
used to unlock a phone, the company claims.
The “Touch ID” sensor is 170 microns thin and scans
sub-epidermal skin layers with 360-degree reliability, Apple
said. In addition, the company says fingerprints will be stored
on the device only, not in the cloud, where they could be more
easily accessible to hackers and government spies.
Facebook, Google, and other companies have in the past created
contests that pay users who “pinpoint security loopholes,”
though Apple has never offered prizes for flagging bugs.
“I think Apple is quietly amused,” Graham told CNET.
“I’m sure their engineers are confident in their abilities to
address all conceivable weaknesses - yet worried about
inconceivable techniques hackers might come up with.”
Depetrillo said he came up with the idea not necessarily to see
the iPhone hacked, but more to show how difficult the fingerprint
sensor will be to defeat.
“Basically people criticized the Touch ID sensor as being
insecure, thinking it was a typical fingerprint sensor from five
years ago,” he wrote to Forbes. “In reality it’s a lot
harder, and I was part of a vocal minority of security
researchers who argued Apple did a good job.”
The pair said they are only responsible for their own pledges,
and the winner must go after the other bounties themselves,
though Depetrillo said he’s keeping track of any
“deadbeats” that may skip paying out.
But well-connected hackers could likely sell any information on
how to unlock the iPhone 5S for more than what is currently
offered at IsTouchIDHackedYet.com, Forbes reported.
“Nothing is hack proof,” Depetrillo said. “I honestly
don’t know if someone will claim it… If they do I’ll be pleasantly
surprised.”