Even as the iPhone 5s sells out in stores, a collaboration between a micro venture capital firm and a group of security researchers is offering a mix of cash, alcohol, and other goods to the first hacker that can crack the biometric security feature built into the device's Touch ID sensor.
The website istouchithacketyet.com is aimed at getting the hacking community devoted to demonstrating a method to "reliably and repeatedly break into an iPhone 5s by lifting prints (like from a beer mug)." To that end, a number of contributors have pitched in hundreds of dollars in cash, Bitcoins, wine, patent applications, whiskey, tequila, and books as an incentive to crack Apple's security feature.
The largest donation, according to Reuters, comes from Arturas Rosenbacher, founding partner of Chicago's IO Capital. Rosenbacher has pledged $10,000 to the competition, and he says his aim is noble.
"This is to fix a problem before it becomes a problem," Rosenbacher said. "This will make things safer."
Since it was unveiled, the Touch ID biometric sensor has been the subject of much speculation and commentary. A number of public advocates and officials have expressed concern over the privacy implications inherent in using fingerprints to secure a device.
"There are reasons to think that an individual's fingerprint is not 'one of the best passwords in the world,'" Senator Al Franken (D-Minn.) wrote in a letter to Apple CEO Tim Cook. "Passwords are secret and dynamic; fingerprints are public and permanent. If you don't tell anyone your password, no one will know what it is. If someone hacks your password, you can change it â as many times as you want. You can't change your fingerprints."
Apple has already detailed the technology behind its biometric sensor, noting that it does not send gathered data to Apple servers, instead keeping it in a secure enclave in Apple's A7 SoC. Apple also points out that the device is not perfect, and it may give inaccurate readings due to moisture, conductive debris, and scarring on fingers.
Touch ID is not the only target for hackers and tinkerers, though. One recent finding showed that the iOS 7 lockscreen can be bypassed relatively easily due to a new iOS 7 feature, potentially giving up access to a user's Mail, Photos, and Twitter apps. Apple has promised a fix for the vulnerability in the near future.
68 Comments
Well that's bound to happen.
I guess it's better to have a group that's not necessarily criminals working on this in the open. I hope Apple appreciates all the hard work that they're getting for free!
We will see..
Anyone hack into the Fingerprint sensor?
Wow.
This is the measure of success.
I can't even touch my iPhone 5S yet and these haters are luring hackers with rewards?
Who's behind the front? Samsung? Google?
Sheesh.
Anything can be hacked. Anything.
But can it be hacked in REALISTIC, REAL WORLD setting (ie: getting up to go to the restroom, but forgetting your phone on the desk for 5 minutes)?
And even so, the scanner is an alternative to password. And Apple has already said it is not perfect.
So funny how I never see this kind of thing happen to MS, Google, etc.
Probably because then, nobody would even care. It's expected of them to fail.
Anything can be hacked. Including fingers!
This seems unlikely to me based on descriptions of how the enclave works. Besides which, how do you get the hacking software onto the device without physical or admin access? Even then, the enclave will not communicate with anything other than the hardware of the sensor itself, so you'd have to get software on the device that can somehow present itself as a fake hardware sensor and communicate with the enclave. Even then, what you'd get out is a bunch of hashed encrypted data, not actual fingerprint images at all. It would be easier to create a "fake finger" than it would be to hack into the enclave in the traditional manner of hackers.