Crowd-sourced site offers cash, wine, Bitcoins for hackers to crack iPhone 5s' Touch ID
Even as the iPhone 5s sells out in stores, a collaboration between a micro venture capital firm and a group of security researchers is offering a mix of cash, alcohol, and other goods to the first hacker that can crack the biometric security feature built into the device's Touch ID sensor.

The website istouchithacketyet.com is aimed at getting the hacking community devoted to demonstrating a method to "reliably and repeatedly break into an iPhone 5s by lifting prints (like from a beer mug)." To that end, a number of contributors have pitched in hundreds of dollars in cash, Bitcoins, wine, patent applications, whiskey, tequila, and books as an incentive to crack Apple's security feature.
The largest donation, according to Reuters, comes from Arturas Rosenbacher, founding partner of Chicago's IO Capital. Rosenbacher has pledged $10,000 to the competition, and he says his aim is noble.
"This is to fix a problem before it becomes a problem," Rosenbacher said. "This will make things safer."
Since it was unveiled, the Touch ID biometric sensor has been the subject of much speculation and commentary. A number of public advocates and officials have expressed concern over the privacy implications inherent in using fingerprints to secure a device.
"There are reasons to think that an individual's fingerprint is not 'one of the best passwords in the world,'" Senator Al Franken (D-Minn.) wrote in a letter to Apple CEO Tim Cook. "Passwords are secret and dynamic; fingerprints are public and permanent. If you don't tell anyone your password, no one will know what it is. If someone hacks your password, you can change it - as many times as you want. You can't change your fingerprints."
Apple has already detailed the technology behind its biometric sensor, noting that it does not send gathered data to Apple servers, instead keeping it in a secure enclave in Apple's A7 SoC. Apple also points out that the device is not perfect, and it may give inaccurate readings due to moisture, conductive debris, and scarring on fingers.
Touch ID is not the only target for hackers and tinkerers, though. One recent finding showed that the iOS 7 lockscreen can be bypassed relatively easily due to a new iOS 7 feature, potentially giving up access to a user's Mail, Photos, and Twitter apps. Apple has promised a fix for the vulnerability in the near future.

Comments
Well that's bound to happen.
I guess it's better to have a group that's not necessarily criminals working on this in the open. I hope Apple appreciates all the hard work that they're getting for free!
We will see..
this is the measure of success.
I can't even touch my iPhone 5S yet and these haters are luring hackers with rewards?
Who's behind the front? Samsung? Google?
Sheesh.
Anything can be hacked. Anything.
But can it be hacked in REALISTIC, REAL WORLD setting (ie: getting up to go to the restroom, but forgetting your phone on the desk for 5 minutes)?
And even so, the scanner is an alternative to password. And Apple has already said it is not perfect.
So funny how I never see this kind of thing happen to MS, Google, etc.
Probably because then, nobody would even care. It's expected of them to fail.
Wow.
Anything can be hacked. Including fingers!
Even then, the enclave will not communicate with anything other than the hardware of the sensor itself, so you'd have to get software on the device that can somehow present itself as a fake hardware sensor and communicate with the enclave.
Even then, what you'd get out is a bunch of hashed encrypted data, not actual fingerprint images at all.
It would be easier to create a "fake finger" than it would be to hack into the enclave in the traditional manner of hackers.
I'm guessing Apple may be behind the site, which is a smart effort if so. There's questions about how secure TouchID is and putting up a challenge is a great way to prove it.
But can it be hacked in REALISTIC, REAL WORLD setting (ie: getting up to go to the restroom, but forgetting your phone on the desk for 5 minutes)?
Anandtech said it was a learning sensor, that if login failed, but then succeeded right after, it would take the failure as really you, but the side of your finger or something.
The solution in the case you mention might be, wait outside the bathroom, and when you see them come out, run back to their desk and scan the side of your finger. It will fail. Then they come back soon after, log in correctly to see if they got any messages while in the bathroom, and the system "learns" the side of your finger is the side of their finger, and later you log in as you please.
It all depends on the detail really, nothing to do but buy one and experiment.
It's not a "front" for Samsung or anything ridiculous like that. It's extremely important to establish whether it's possible to extract fingerprint data remotely or with physical access to the phone, and the reason is simple. A fingerprint never changes: it's a far more significant compromise than an easily changed password, particularly if other devices move towards similar authentication methods in the future. Even if it takes three hours and physical access to the phone, it's still a major concern simply because of the fact that it's permanent. This is going to be something of great interest to black hats, and they're not exactly going to share any compromises with Apple. If there are any holes, they need to be found and plugged as soon as possible before they can be discovered by more malicious people and abused.
"If you don't tell anyone your password, no one will know what it is." - No one has ever had their password stolen? Might as well say that as long as you don't ever use your password it's totally secure
"If someone hacks your password, you can change it - as many times as you want." - Wait a minute. Didn't he just tell me my password was safe as long as I didn't tell anybody? Now I'm confused. At least his solution makes sense - close the gate after the cows get out (and I can close the gate again after every time they get out). Great.
I'm glad he found work in comedy again.
PCs have had fingerprint scanners for a while and even other cell phones. I think the NSA leaks have really brought this to the front of everyone's attention as well as Apple being one of if not the biggest consumer electronics companies.
I have seen fingerprint readers on portables, haven't I? They're like a strip and you drag your finger across them. Not the same thing as the 5s, but they're out there.
It's not a "front" for Samsung or anything ridiculous like that. It's extremely important to establish whether it's possible to extract fingerprint data remotely or with physical access to the phone, and the reason is simple.
The second part of your question is irrelevant. Of course you can extract fingerprints with physical access to the iPhone. It's called dusting for prints. In fact you can extract fingerprints with physical access to anything you touched.
The government has been through this already with the PIV standard. Perhaps Al Franken should ask why the government fingerprints all of their workers and contractors and stores their fingerprint images, and in some cases retinal scans, on their RFID cards.
You know, if I wanted to "steal your fingerprint" (presumably so I could use it to hack into something else secured by your fingerprint) I wouldn't need to (somehow) extract the data from the chip I would... lift it off the device that has your fingerprint all over it. Or from your mouse or keyboard or door handle etc. etc.
In all probability the folks at NSA could "hack" the sensor in no time at all. They may not want to inform whomever that they did it, no matter how much cash, wine, or Bitcoins are offered.
I think the key would be to make the sensor read a fingerprint even though there isn't a human finger there.
So, basically you need a material that is moldable into a fingerprint like plastic and yet mildly conductive and fools the sensor into thinking it is a human finger. This depends on how exactly the RF in the sensor detects that it is the sub-epidermal, and then finding a way to fool it.
It is probably possible if enough effort is put in. Will be interesting to see how long it takes.
BTW, hackers will probably just stick to breaking your password which is easier than trying to fake the fingerprint. So they will just give 5 false fingerprint readings, and then work on the lock screen that comes up after that.
Assuming someone can break the code, what can they do with it? Get into your iTunes account or your iPhone? Unless there is a wide adoption of this fingerprint tech by apps, there is not much use for it.
That may be so, I got the impression from the Anandtech article that temporal proximity made it more forgiving than usual,
The piece of article you quoted does not imply temporal proximity. For all we know the process could have been exactly as mjtomlin described.
Now if they were able to teach the sensor to recognize a different finger altogether (not just the same one at a different angle) then that would imply temporal proximity.