September 20, 2013 -
Apple’s iPhone 5S goes on sale today, and there’s already an award for the first person to successfully hack the device.
Specifically, a group of hackers have created a twitter-fuelled crowdfunding campaign to rack up rewards for the first person to spoof the TouchID sensor. The winner must enroll a print on the device, lift that some print from somewhere else, reproduce it and then use the reproduction to unlock the iPhone without being locked out.
The campaign is being spread through the hashtag #istouchidhackedyet and istouchidhacketyet.com. So far the rewards have been piling up, totalling more than $15,000. Typically unconventional, rewards offered to the campaign range from dollars, to euros, to bitcoin and even books and bottles of bourbon. IO Capital has added $10,000 to the contest and Apple reportedly has yet to respond.
“To be clear, the main reason Nick and I are doing this is because we think it’s harder than most people think,” Robert David Graham, an organizer of the campaign told ZDNet Thursday.
Though it has yet to be seen if the sensor can really be hacked with a lifted fingerprint, Graham is likely right. Considering the TouchID sensor looks beyond ridge patterns and scans subdermal layers, a gummy bear attack isn’t a feasible approach to spoofing.
Reportedly previously in BiometricUpdate.com, some concerns have already been raised about the new iPhone, including the proprietary nature of the Touch ID system, as well as the high price-tag of the new fingerprint-enabled phone.
As it stands, Apple says third-party apps won’t have access to the fingerprint sensor and that it will only be used to unlock the device and authorize iTunes purchases. That being said, it’s been widely speculated that Apple will wait for another smartphone — almost certainly an Android – to launch a phone with an open and accessible sensor and then make a determination about how to allow access to its sensor, based on the experience from these other device launches.
Though it doesn’t represent a vulnerability for the new sensor, TechCrunch posted a video yesterday of a cat’s paw unlocking the device. Though on the surface – pun definitely intended – this makes the device look easy to hack, all this shows is the sensor’s ability to recognize unique pieces of skin. A different cat’s paw probably wouldn’t unlock the device, but this does show that owners could feasibly authorize their pets as trusted users.