Cracker of Apple’s Touch ID fingerprint recognition to win booze, cash, and bitcoins

“A prize of more than $13,000 (£8,120) in cash, bitcoins and booze is being offered to the first hacker to crack the fingerprint scanner on Apple’s newly released iPhone 5S,” Katie Collins reports for Wired UK.

“The contest is being run by a micro venture capital firm and a group of security researchers and requires the hacker who wins to the prize to “reliably and repeatedly break into an iPhone 5s by lifting prints (like from a beer mug)”, according the website istouchidhackedyet.com,” Collins reports. “It’s not just for kicks that the hacking of Touch ID is being encouraged. Finding and exposing flaws in new technologies and softwares is vital in order to ensure loopholes can be closed before they can be exploited by anyone with dishonourable intentions. ‘This is to fix a problem before it becomes a problem,’ says Arturas Rosenbacher, founding partner of Chicago’s IO Capital, which donated $10,000 (£6,250) to the hacking contest, speaking to Reuters. ‘This will make things safer.'”

MacDailyNews Note: As per that $10,000, website currently states, “May be fake: refuses to escrow, so consider it high risk.”

Collins reports, “Apple seems pretty sure that Touch ID is secure, but independent research is often the best way to confirm such claims… For now the status on istouchidhackedyet.com remains a bolded “No!”, and it’s still impossible to say whether it will change over time. One thing we can be sure of is that there are plenty of people out there trying their hardest to ensure it does.”

Read more in the full article here.

Related articles:
How soon until Apple’s Touch ID comes to iPad and Mac? – September 21, 2013
U.S. Senate Democrat Al Franken demands answers from Apple CEO Tim Cook over iPhone 5s’ Touch ID – September 20, 2013

63 Comments

      1. There’s a video out there with a cat paw and it works. I’m going to try this with my Shih-Tzu once my phone arrives. What next though, are they going to steal our pets instead of slicing off our fingers?🐶

    1. By the way, to be exact, they will not really try to crack TouchID per se (not really feasable), they are going to find a vulnerability to sidestep whole process altogether.

  1. Even if this is possible, you’d STILL have to “lift” the user’s fingerprint (and hope you have the right finger) AND have access to the user’s phone. It’s not like a Hollywood movie, where the finger print scanner is permanently mounted to the wall next to a locked door.

    In the real world, it is far easier to guess the passcode (through logic or brute force), making Apple new tech MUCH more secure.

    1. Bullshit. You need to provide clear and convincing evidence of the probabilities of cracking an iPhone protected by finger print scanning and alphanumeric code. Do you have these data?

          1. You asked for probabilities. I’m not saying Jaz44’s numbers are correct, but think about what you’re asking for.

            If a brute force attack were given on an iPhone using a standard 4 digit pin (although longer pass codes are possible), the maximum number of combinations is 10^4.

            While that can’t be brute forced by hand, it could conceivably be done by hack, although nobody has demonstrated this. It should be noted that it is rather trivial to get access to an iPhone’s user directory data without entering a pin (I’m not sure if this has changed with iOS 7). More so, a PIN based phone is more susceptible to intelligent guesses, or even observation of PIN entry by the user.

            Back on point, while the PIN gives you a 10^4:1 (10,000) probability of brute force entry with limited tries. The fingerprint sensor relies on more data giving you a 50,000:1 probability.

            However, you can’t just brute force by changing your finger prints and trying again. Likewise, the finger prints can’t be your birthday, ATM pin, 1234 or whatever. Finger prints can’t be observed, and then entered.

            Most importantly, this device isn’t a finger print reader. It’s a sensor. It uses a combination of actual finger prints as well as sub-dermal electrical readings to form a match. The data in the iPhone would be incapable of printing out a finger print (even if you could decrypt the data).

            Because of the sub-dermal part, you can’t just use someone’s fingerprints (lifted from a glass or even previously scanned/printed).

            I’m not saying that this can’t be hacked, but I wouldn’t go betting money that it could be, and even if it is that the process would be reasonably replicable.

            It’s also worth noting that the finger print sensor is an optional feature that can be used in addition to your PIN.

            Where it’s really adding security is that people who don’t use PINs now don’t have an excuse to at least use this. Those who use PINs but set very long time-outs can continue to do so, but use this as an additional security layer.

            1. What about the idea if apple improving it by only allowing 3 attempts to unlock the phone with the finger just like the 4 digit pass code?

              In other words use the wrong finger 3 times and the phone is locked down.

              Wouldn’t that reduce the odds even more of successfully hacking into the phone?

            2. It already has certain circumstances where the PIN is required… like after a restart or when it hasn’t been unlocked in a while.

              I’m not sure you’d want the same “locked down” as an incorrect PIN repeated error gives. The problem would be that any false input to the sensor would trigger an attempt.

            3. Your comment is lacking basics in reality. You say that the sub-dermal scanner cant’ be fooled by lifiting a print of a glass, but that is exactly what has happened. So did apple just BS the entire part of that presentation, were they lied to by the company they purchased to get the reader? Which was it, because apple claimed that this hack was not possible, but it only took a day or so to show that wasn’t the case.

              So did Apple lie or were they tricked because the scanner is not scanning anything but the surface.

            4. @pellegew,

              My comment was posted prior to the report/video by Germany’s Chaos Computer Club.

              Much of what I wrote remains correct, but apparently, if that report/video is accurate, the sub-dermal part I was referencing is inaccurate.

              That said, I have yet to see the process replicated and verified by an independent source from Chaos. I would hold off on any claims until we see such confirmation.

              If it is confirmed, then I do think there was some misleading/inaccurate information out of Cupertino.

              Although *that* being said, it wouldn’t give me a second thought from using it exactly as I otherwise would have… in addition to a PIN as I mentioned in my comment.

  2. This sounds entirely stupid and FAIL. I’m referring to this PARTICULAR piece of BS.

    Meanwhile, SERIOUS attempts to crack Touch ID continue. And I can’t blame the hackers! It’s what hacking is for. Tough if the industry doesn’t like it. They should have done the same hack testing themselves.

    From what Apple has stated, this is a locked system with no chance of leaked ‘in the clear’ data. But as ever: We Shall See!

    Hi McDruid! 🙂

    1. Oh and I forgot my rant:
      *rant*
      Using a fingerprint alone to log into anything is idiotic. You use it IN ADDITION TO a diabolical password. It’s called Multi-Factor Authentication. Go read about it then implement it. Hey Apple, don’t cave in to the LUSERS. Just force multi-factor authentication and put moan filters in your ears. It’s The Right Thing To Do™ and any security expert knows it. And that’s my MF-authentication rant for the day. You can go back to sleep now. /rant

      http://en.wikipedia.org/wiki/Multi-factor_authentication

      1. MF is truly a basic. I love the idea of a fingerprint scanner and we’ll see how it works out. The problem with passwords is that they are too short and are often predictable. Passwords should always be a minimum of 12 (15 is better) randomly chosen characters,numbers and letters in upper and lower case. It’s difficult but necessary. Doing something correctly is never simple.

          1. “A Child’s Garden of Grass” LP quote? If only the aggressive folks of this planet could stop for a moment, suck down a sizable toke (of ganja smoke), and listen to this record. The world could be a better place, I’m clear and convinced of it.

            1. There is a rumor that the Firesign Theatre produced the album. I certainly heard “I say live it or live with it” from FST.

              Oddly, I am hyper sensitive to this ‘grass’ and never understood people who’d sit around toking it. More than one or two drags and I was having a not-enjoyable time. An allergy? Anyway, I’m happy to be happy without chemical diversions.

      2. It appears that Apple is touting the finger print scan as the only security method. I agree that using both finger print scans and an alphanumeric code is the best method, but many people are too stupid or too lazy to use both.

      3. You can enter a long alphanumeric pass code containing numbers and letters in iOS 7. Just visit Settings>Passcode Lock>Turn off Simple Passcode. With that and Touch ID, the proud owner of a new iPhone 5S thus can set up a strong two factor authentication. Actual business and security consultants have already noticed this, and time it is we did the same.

    2. Yes, but those nipples are LIVING TISSUE. A lifted fingerprint is not. – – I still want to see that story verified, before I go to the trouble of learning how to reanimate the dead.

      Meanwhile: Wow, two more anatomical patterns useful for logging into an iPhone! That’ll shut up the critics who complain that they only have 20 fingers and toes.

      I’m actually kind of surprised this worked after Apple’s blether about categorizing fingerprints into three types. If I was Apple I’d have Touch ID recognize when someone is scanning a nipple, then have Siri pop up and say ‘Nice tits baby!” Yeah, that could happen.

        1. Yes indeed. But Apple claims it’s not simply detecting the ridges of the fingerprint, which is all you’re recreating with a 3-D printer. Apple is using capacitance of the finger tissue as well, somehow or other. That specific feature of living human fingers is what would make this fingerprint scanner better than the crappy old things we’re used to from the past.

          No doubt, we will soon see plenty of hacker testing of exactly this.

        1. There we go! That’s really, really BAD.

          Next step: Can you put the latex copy of the fingerprint on a manikin and have it work?

          Who cares?!

          Really, really bad. That’s what I’m talking about. It’s easier to copy a fingerprint off someone that to read their mind and dig out their diabolical password.

          Sum total = WEAKER security than a decent password. OMG Apple, what hath thee wrought? Extremely unimpressive.

          Now if Apple FORCED fingerprint scanning WITH a passcode/password, then I’d shut up and smile with glee. 😀 😀 😀 – All three of me! (o_0)

  3. Goodness gracious! What do y’all have on your phones that even Tom Cruise with his laser beams, trapeze harnesses, and ski masks can’t break into. When he puts laxative in your coffee then all bets are off.

    1. Oh, I got you all right…You troll these boards, spouting FUD about the beautiful iOS 7 interface. I bet you cried like a big baby when Mac OSX replaced your precious Mac OS 9…from the retro 1990s.

  4. Keep trying, they’ll never hack it. All the iPhone’s biometric data is encrypted, in a secure enclave, inside an electromagnetic forcefield, guarded by ninjas, out of phase with normal matter, under a magic cloak, behind deadbolts, in a separate secure quantum universe – and there’s a decoy.

  5. 1. Hold gun to phone owner’s temple
    2. Politely say “would you mind pressing this button and holding it for two seconds, sir?”
    3. Cue ominous backgound score.

    Note to all Hollywood studios: this post constitutes prior art. Pay me!

  6. Wow, yea I guess this was bound to happen. Some people can’t stay away from trying to break and destroy everything Apple does. On the other hand, if they find something it’s actually good. Also, in security it’s almost always when security will be broken, not if. Finger print sensors have been fooled before. Of course, you still need the finger print.

    1. Yeah its so easy. All you have to do is this and some Photoshop whatever skills to fix it up…even grandma can do it right? LOL:

      “First, the fingerprint of the enroled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.”

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.