As consumers flocked to stores nationwide for Apple’s iPhone 5S release on Friday, hackers raced to claim a growing bounty for cracking the product’s “Touch ID” fingerprint reader.
Security researchers Nick Depetrillo and Robert David Graham
launched IsTouchIDHackedYet.com on Wednesday, wherein the pair
challenged anyone to offer video evidence of recreating one’s
fingerprint and using it to unlock that person’s iPhone 5S.
Depetrillo originally pledged US$100 to anyone who could successfully prove the hack. Since his offer, others have added cash rewards and bitcoins collectively approaching $20,000. Booze and various other prizes have also been added to the pile.
“I put my money where my mouth is and it really took off,” Depetrillo said.
Meanwhile, Sen. Al Franken has sent a letter to Apple asking how the company’s new product will protect the privacy of users.
“The iPhone 5S reportedly stores fingerprint data locally ‘on the chip’ and in an encrypted format,” Franken wrote to Apple’s CEO Tim Cook. “It also blocks third-party apps from accessing the Touch ID. Yet important questions remain about how this technology works, Apple’s future plans for this technology, and the legal protections that Apple will afford it.”
Franken posed pointed questions on whether fingerprint data could be extracted - remotely or not - by third parties, if Apple will allow third parties to use the data, and if Apple considers fingerprint data to be a "tangible thing" as defined in the Patriot Act.
Such fingerprint-based scanners have been cracked in the past using the likes of gelatin and silly putty. Yet Apple maintains its sensor is unique in its “liveness” verification standards, so much so that even a severed finger could not be used to unlock a phone, the company claims.
The “Touch ID” sensor is 170 microns thin and scans sub-epidermal skin layers with 360-degree reliability, Apple said. In addition, the company says fingerprints will be stored in the device only - not in the cloud easily accessible to hackers and government spies.
Facebook, Google, and other companies have in the past created contests that pay users who “pinpoint security loopholes,” though Apple has never offered prizes for flagging bugs.
"I think Apple is quietly amused," Graham told CNET. "I'm sure their engineers are confident in their abilities to address all conceivable weaknesses - yet worried about inconceivable techniques hackers might come up with.”
Depetrillo said he started the idea not necessarily to see the iPhone hacked, but more to show how difficult the fingerprint sensor will be to invade.
“Basically people criticized the TouchId sensor as being insecure, thinking it was a typical fingerprint sensor from five years ago,” he wrote to Forbes. “In reality it’s a lot harder, and I was part of a vocal minority of security researchers who argued Apple did a good job.”
The pair said they are only responsible for their own pledges, and the winner must go after the other bounties themselves, though Depetrillo said he’s keeping track of any “deadbeats” that may skip paying out.
But connected hackers could likely sell any information on how to unlock the iPhone 5S for more than what is currently offered at IsTouchIDHackedYet.com, Forbes reported.
“Nothing is hack proof,” Depetrillo said. “I honestly don’t know if someone will claim it…If they do I’ll be pleasantly surprised.”