Crowd-sourced site offers cash, wine, Bitcoins for hackers to crack iPhone 5s' Touch ID

Posted in iPhone, edited January 2014
Even as the iPhone 5s sells out in stores, a collaboration between a micro venture capital firm and a group of security researchers is offering a mix of cash, alcohol, and other goods to the first hacker who can crack the biometric security feature built into the device's Touch ID sensor.

The website istouchithacketyet.com aims to rally the hacking community to demonstrate a method to "reliably and repeatedly break into an iPhone 5s by lifting prints (like from a beer mug)." To that end, a number of contributors have pitched in hundreds of dollars in cash, Bitcoins, wine, patent applications, whiskey, tequila, and books as an incentive to crack Apple's security feature.

The largest donation, according to Reuters, comes from Arturas Rosenbacher, founding partner of Chicago's IO Capital. Rosenbacher has pledged $10,000 to the competition, and he says his aim is noble.

"This is to fix a problem before it becomes a problem," Rosenbacher said. "This will make things safer."

Since it was unveiled, the Touch ID biometric sensor has been the subject of much speculation and commentary. A number of public advocates and officials have expressed concern over the privacy implications inherent in using fingerprints to secure a device.

"There are reasons to think that an individual's fingerprint is not 'one of the best passwords in the world,'" Senator Al Franken (D-Minn.) wrote in a letter to Apple CEO Tim Cook. "Passwords are secret and dynamic; fingerprints are public and permanent. If you don't tell anyone your password, no one will know what it is. If someone hacks your password, you can change it - as many times as you want. You can't change your fingerprints."

Apple has already detailed the technology behind its biometric sensor, noting that it does not send gathered data to Apple servers, instead keeping it in a secure enclave in Apple's A7 SoC. Apple also points out that the device is not perfect, and it may give inaccurate readings due to moisture, conductive debris, and scarring on fingers.

Touch ID is not the only target for hackers and tinkerers, though. One recent finding showed that the iOS 7 lockscreen can be bypassed relatively easily due to a new iOS 7 feature, potentially giving up access to a user's Mail, Photos, and Twitter apps. Apple has promised a fix for the vulnerability in the near future.

Comments

  • Reply 1 of 68

    Well that's bound to happen.

    I guess it's better to have a group that's not necessarily criminals working on this in the open. I hope Apple appreciates all the hard work that they're getting for free!

    We will see..

  • Reply 2 of 68
    drblank Posts: 3,385 member
    Anyone hack into the Fingerprint sensor?
  • Reply 3 of 68
    Wow.

    this is the measure of success.

    I can't even touch my iPhone 5S yet and these haters are luring hackers with rewards?

    Who's behind the front? Samsung? Google?

    Sheesh.

    Anything can be hacked. Anything.

    But can it be hacked in REALISTIC, REAL WORLD setting (ie: getting up to go to the restroom, but forgetting your phone on the desk for 5 minutes)?

    And even so, the scanner is an alternative to password. And Apple has already said it is not perfect.

    So funny how I never see this kind of thing happen to MS, Google, etc.

    Probably because then, nobody would even care. It's expected of them to fail.
  • Reply 4 of 68
    Quote:
    Originally Posted by 9secondko View Post

    Wow.

    this is the measure of success.

    I can't even touch my iPhone 5S yet and these haters are luring hackers with rewards?

    Who's behind the front? Samsung? Google?

    Sheesh.

    Anything can be hacked. Anything.

    But can it be hacked in REALISTIC, REAL WORLD setting (ie: getting up to go to the restroom, but forgetting your phone on the desk for 5 minutes)?

    And even so, the scanner is an alternative to password. And Apple has already said it is not perfect.

    So funny how I never see this kind of thing happen to MS, Google, etc.

    Probably because then, nobody would even care. It's expected of them to fail.

    Anything can be hacked. Including fingers!

    Sorry, couldn't resist.

    I think you're right, our (the public) perception of Apple is 'better' and when MS or any of the Droid stuff have mis-steps it seems to be much less of a 'big deal.' Heck, I'd say a lot of the public expect MS to suck now... in anything else but X-Box. Why they don't do a Toyota/Scion move and leverage X-box I don't know. X-box should make their next phone.
  • Reply 5 of 68
    This seems unlikely to me based on descriptions of how the enclave works. Besides which how do you get the hacking software onto the device without physical or admin access?

    Even then, the enclave will not communicate with anything other than the hardware of the sensor itself, so you'd have to get software on the device that can somehow present itself as a fake hardware sensor and communicate with the enclave.

    Even then, what you'd get out is a bunch of hashed encrypted data, not actual fingerprint images at all.

    It would be easier to create a "fake finger" than it would be to hack into the enclave in the traditional manner of hackers.
  • Reply 6 of 68
    gatorguy Posts: 24,176 member
    I guess it's better to have a group that's not necessarily criminals working on this in the open. I hope Apple appreciates all the hard work that they're getting for free!

    I'm guessing Apple may be behind the site, which is a smart effort if so. There are questions about how secure TouchID is and putting up a challenge is a great way to prove it.
  • Reply 7 of 68
    ascii Posts: 5,936 member
    Quote:
    Originally Posted by 9secondko View Post

    But can it be hacked in REALISTIC, REAL WORLD setting (ie: getting up to go to the restroom, but forgetting your phone on the desk for 5 minutes)?

    Anandtech said it was a learning sensor, that if login failed, but then succeeded right after, it would take the failure as really you, but the side of your finger or something.

    The solution in the case you mention might be, wait outside the bathroom, and when you see them come out, run back to their desk and scan the side of your finger. It will fail. Then they come back soon after, log in correctly to see if they got any messages while in the bathroom, and the system "learns" the side of your finger is the side of their finger, and later you log in as you please.

    It all depends on the detail really, nothing to do but buy one and experiment.

  • Reply 8 of 68
    Quote:
    Originally Posted by 9secondko View Post

    Wow.

    this is the measure of success.

    I can't even touch my iPhone 5S yet and these haters are luring hackers with rewards?

    Who's behind the front? Samsung? Google?

    Sheesh.

    Anything can be hacked. Anything.

    But can it be hacked in REALISTIC, REAL WORLD setting (ie: getting up to go to the restroom, but forgetting your phone on the desk for 5 minutes)?

    And even so, the scanner is an alternative to password. And Apple has already said it is not perfect.

    So funny how I never see this kind of thing happen to MS, Google, etc.

    Probably because then, nobody would even care. It's expected of them to fail.

    It's not a "front" for Samsung or anything ridiculous like that. It's extremely important to establish whether it's possible to extract fingerprint data remotely or with physical access to the phone, and the reason is simple. A fingerprint never changes: it's a far more significant compromise than an easily changed password, particularly if other devices move towards similar authentication methods in the future. Even if it takes three hours and physical access to the phone, it's still a major concern simply because of the fact that it's permanent. This is going to be something of great interest to black hats, and they're not exactly going to share any compromises with Apple. If there are any holes, they need to be found and plugged as soon as possible before they can be discovered by more malicious people and abused.

    There's also another somewhat related concern here that centers around data seizure by law enforcement. If the police / government are able to extract (or force Apple to extract) your fingerprint data for your phone, that's again another significant issue for the reasons above. Equally, if they can somehow get log data from your phone that says "Fingerprint #2 unlocked this device on 04:11:23 10/10/13" then that lets them prove who unlocked the phone.

    It's important to know what data is stored by Touch ID, and whether any of it can be accessed by outside parties. Both so that people know what they're getting into, and so that any issues can be fixed.

    And probably the reason you "never see this happen to MS, Google etc." is because none of them are authenticating users via biometrics yet. When they are, then you will.
  • Reply 9 of 68
    Al Franken is just as funny as he was on SNL, only now he doesn't realize that he's being funny.

    "If you don't tell anyone your password, no one will know what it is." - No one has ever had their password stolen? Might as well say that as long as you don't ever use your password it's totally secure.

    "If someone hacks your password, you can change it - as many times as you want." - Wait a minute. Didn't he just tell me my password was safe as long as I didn't tell anybody? Now I'm confused. At least his solution makes sense - close the gate after the cows get out (and I can close the gate again after every time they get out). Great.

    I'm glad he found work in comedy again.
  • Reply 10 of 68
    Quote:
    Originally Posted by DarkLite View Post

    It's not a "front" for Samsung or anything ridiculous like that. It's extremely important to establish whether it's possible to extract fingerprint data remotely or with physical access to the phone, and the reason is simple. A fingerprint never changes: it's a far more significant compromise than an easily changed password, particularly if other devices move towards similar authentication methods in the future. Even if it takes three hours and physical access to the phone, it's still a major concern simply because of the fact that it's permanent. This is going to be something of great interest to black hats, and they're not exactly going to share any compromises with Apple. If there are any holes, they need to be found and plugged as soon as possible before they can be discovered by more malicious people and abused.

    There's also another somewhat related concern here that centers around data seizure by law enforcement. If the police / government are able to extract (or force Apple to extract) your fingerprint data for your phone, that's again another significant issue for the reasons above. Equally, if they can somehow get log data from your phone that says "Fingerprint #2 unlocked this device on 04:11:23 10/10/13" then that lets them prove who unlocked the phone.

    It's important to know what data is stored by Touch ID, and whether any of it can be accessed by outside parties. Both so that people know what they're getting into, and so that any issues can be fixed.

    And probably the reason you "never see this happen to MS, Google etc." is because none of them are authenticating users via biometrics yet. When they are, then you will.

    PCs have had fingerprint scanners for a while and even other cell phones. I think the NSA leaks have really brought this to the front of everyone's attention, as well as Apple being one of, if not the, biggest consumer electronics companies.

    I look forward to the results, it will be interesting to see what all they can do.
  • Reply 11 of 68
    Quote:
    Originally Posted by DarkLite View Post

    It's not a "front" for Samsung or anything ridiculous like that. It's extremely important to establish whether it's possible to extract fingerprint data remotely or with physical access to the phone, and the reason is simple. A fingerprint never changes: it's a far more significant compromise than an easily changed password, particularly if other devices move towards similar authentication methods in the future. Even if it takes three hours and physical access to the phone, it's still a major concern simply because of the fact that it's permanent. This is going to be something of great interest to black hats, and they're not exactly going to share any compromises with Apple. If there are any holes, they need to be found and plugged as soon as possible before they can be discovered by more malicious people and abused.

    There's also another somewhat related concern here that centers around data seizure by law enforcement. If the police / government are able to extract (or force Apple to extract) your fingerprint data for your phone, that's again another significant issue for the reasons above. Equally, if they can somehow get log data from your phone that says "Fingerprint #2 unlocked this device on 04:11:23 10/10/13" then that lets them prove who unlocked the phone.

    It's important to know what data is stored by Touch ID, and whether any of it can be accessed by outside parties. Both so that people know what they're getting into, and so that any issues can be fixed.

    And probably the reason you "never see this happen to MS, Google etc." is because none of them are authenticating users via biometrics yet. When they are, then you will.

    I have seen fingerprint readers on portables, haven't I? They're like a strip and you drag your finger across them. Not the same thing as the 5s, but they're out there.

    There seems to be a concern about fingerprints that's bigger than just 'Apple' this time around. Why this didn't happen with the laptops with the fingerprint strip is beyond me, perhaps the iPhone is simply more ubiquitous.
  • Reply 12 of 68
    Quote:
    Originally Posted by DarkLite View Post

    It's not a "front" for Samsung or anything ridiculous like that. It's extremely important to establish whether it's possible to extract fingerprint data remotely or with physical access to the phone, and the reason is simple.

    The second part of your question is irrelevant. Of course you can extract fingerprints with physical access to the iPhone. It's called dusting for prints. In fact you can extract fingerprints with physical access to anything you touched.

    The government has been through this already with the PIV standard. Perhaps Al Franken should ask why the government fingerprints all of their workers and contractors and stores their fingerprint images, and in some cases retinal scans, on their RFID cards.

  • Reply 13 of 68
    Quote:
    Originally Posted by ascii View Post

    Anandtech said it was a learning sensor, that if login failed, but then succeeded right after, it would take the failure as really you, but the side of your finger or something.

    The solution in the case you mention might be, wait outside the bathroom, and when you see them come out, run back to their desk and scan the side of your finger. It will fail. Then they come back soon after, log in correctly to see if they got any messages while in the bathroom, and the system "learns" the side of your finger is the side of their finger, and later you log in as you please.

    It all depends on the detail really, nothing to do but buy one and experiment.

    It's not about a complete failure, it's more or less "it could be the same finger, but not sure - I need another look" type of thing. And if it can verify that it is from the same finger, it'll "learn" that new position just as it did when you originally scanned your finger and saved it.

    The sensor doesn't just guess at what's going on, it still has to verify that it is the same finger based on previous scans, therefore you can't use another finger to trick it. Something about that other finger has to match what's in the sensor's database. The system intelligently pieces together all scans into one big print. If this latest "piece" doesn't fit anywhere with what's already been pieced together, then it will fail; if it does fit, then the system will "learn" it by filling in more of the print. This is how forensics today can match a print even if it's just a partial print, but there has to be a minimum "hit" percentage before it can even be considered to be a possible match.
  • Reply 14 of 68
    malax Posts: 1,598 member

    You know, if I wanted to "steal your fingerprint" (presumably so I could use it to hack into something else secured by your fingerprint) I wouldn't need to (somehow) extract the data from the chip, I would... lift it off the device that has your fingerprint all over it. Or from your mouse or keyboard or door handle etc. etc.

  • Reply 15 of 68
    Do not do it for money.
  • Reply 16 of 68

    In all probability the folks at NSA could "hack" the sensor in no time at all.  They may not want to inform whomever that they did it, no matter how much cash, wine, or Bitcoins are offered.

  • Reply 17 of 68

    I think the key would be to make the sensor read a fingerprint even though there isn't a human finger there.

    So, basically you need a material that is moldable into a fingerprint, like plastic, and yet mildly conductive and fools the sensor into thinking it is a human finger. This depends on how exactly the RF in the sensor detects that it is the sub-epidermal, and then finding a way to fool it.

    It is probably possible if enough effort is put in. Will be interesting to see how long it takes.

    BTW, hackers will probably just stick to breaking your password, which is easier than trying to fake the fingerprint. So, they'll just give 5 false fingerprint readings, and then work on the lock screen that comes up after that.

  • Reply 18 of 68

    Assuming someone can break the code, what can they do with it? Get into your iTunes account or your iPhone? Unless there is wide adoption of this fingerprint tech by apps, there is not much use for it.

  • Reply 19 of 68
    ascii Posts: 5,936 member
    Quote:
    Originally Posted by mjtomlin View Post

    It's not about a complete failure, it's more or less "it could be the same finger, but not sure - I need another look" type of thing. And if it can verify that it is from the same finger, it'll "learn" that new position just as it did when you originally scanned your finger and saved it.

    The sensor doesn't just guess at what's going on, it still has to verify that it is the same finger based on previous scans, therefore you can't use another finger to trick it. Something about that other finger has to match what's in the sensor's database. The system intelligently pieces together all scans into one big print. If this latest "piece" doesn't fit anywhere with what's already been pieced together, then it will fail; if it does fit, then the system will "learn" it by filling in more of the print. This is how forensics today can match a print even if it's just a partial print, but there has to be a minimum "hit" percentage before it can even be considered to be a possible match.

    That may be so, I got the impression from the Anandtech article that temporal proximity made it more forgiving than usual,

    "I deliberately picked a weird angle and part of [my emphasis] my thumb to unlock the 5s, which was immediately rejected. I then followed it up with a known good placement and was successful. I then repeated the weird attempt from before and had it immediately succeed."

    But as I said there's nothing to do but experiment, and try and try until you find a way that works.
  • Reply 20 of 68
    iaeen Posts: 588 member
    ascii wrote: »
    That may be so, I got the impression from the Anandtech article that temporal proximity made it more forgiving than usual,
    "I deliberately picked a weird angle and part of [my emphasis] my thumb to unlock the 5s, which was immediately rejected. I then followed it up with a known good placement and was successful. I then repeated the weird attempt from before and had it immediately succeed."
    http://www.anandtech.com/show/7335/the-iphone-5s-review/8

    But as I said there's nothing to do but experiment, and try and try until you find a way that works.

    The piece of the article you quoted does not imply temporal proximity. For all we know the process could have been exactly as mjtomlin described.

    Now if they were able to teach the sensor to recognize a different finger altogether (not just the same one at a different angle) then that would imply temporal proximity.