Forgot your password?
typodupeerror
Iphone Security

Crowdfunded Bounty For Hacking iPhone 5S Fingerprint Authentication 148

Posted by Unknown Lamer
from the good-luck-with-that dept.
judgecorp writes "There's more than $13,000 pledged for a crowdfunded bounty for bypassing an iPhone 5S's fingerprint reader. The bounty, set up by a security expert and an exploit reseller, requires entrants to lift prints 'like from a beer mug.' It has a website — IsTouchIDHackedYet — and payments are pledged by tweets using #IsTouchIDHackedYet. One drawback: the scheme appears to rely on trust that sponsors will actually pay up." Other prizes include whiskey, books, and a bottle of wine.
This discussion has been archived. No new comments can be posted.

Crowdfunded Bounty For Hacking iPhone 5S Fingerprint Authentication

Comments Filter:
  • Why bother. (Score:3, Funny)

    by stewsters (1406737) on Thursday September 19, 2013 @01:13PM (#44895561)
    With a $10 Walmart machete from the camping aisle, you can "Hack" off the key for yourself.
    • by alen (225700) on Thursday September 19, 2013 @01:16PM (#44895595)

      if you live close to a wal mart chances are your victim will have a gun and can defend him or herself

    • Because subtlety and subterfuge offer advantages that brute force doesn't.

    • With a $10 Walmart machete from the camping aisle, you can "Hack" off the key for yourself.

      Nope. The iPhone, like most modern fingerprint scanners, requires a pulse. A severed finger won't work.

      • Doesn't matter. if you tell the person you are going to chop off their finger and have a machete on hand to do it, they most likely will want to reset their password for you.
        • by geek (5680)

          Yes, and if you hold a gun to their head and make them do things you'll have broken their security. Seriously? Apple is damned if they do and damned if they don't with people like you.

          Yes people may force their victims to do this, no it's not likely to be common. The point of the finger print reader isn't to somehow, mystically prevent an armed robber from getting into your shit. Its to keep purse snatchers and pick pockets from getting in as well as keeping it moderately secure should you forget it at a ba

          • by mlts (1038732) *

            I wonder when devices will start having a duress code where if swiped one way, the device opens normally. Swiped another way, device opens, but yet calls the local popo and reports a holdup in progress.

            Even my 13 year old house alarm has that.

            • by Quila (201335)

              That would be nice. Right thumb for normal operation, left middle finger (or one you'd never accidentally use) to come up with some generic looking data that'll get you off the hook, while your real data is wiping in the background.

          • I don't think anybody is damning Apple for this. Especially not the original post that was just making a pun on the word hack.
      • by ackthpt (218170)

        With a $10 Walmart machete from the camping aisle, you can "Hack" off the key for yourself.

        Nope. The iPhone, like most modern fingerprint scanners, requires a pulse. A severed finger won't work.

        Arr, ye be only needin' a batt'ry and wires fer ye pulse o' a sev'red finger, matey. ox)P-)

    • Re:Why bother. (Score:4, Interesting)

      by CastrTroy (595695) on Thursday September 19, 2013 @01:55PM (#44895973) Homepage
      Personally, living in Canada, I wish they would stop coming up with inventions that don't work in the winter. First, it's capacitive touch screens that won't work with regular gloves. Now we have special gloves with a special material on the fingertips so that you can use your tablet/phone with gloves. Then there's eBook readers, which advertise as being still readable in sunlight, but if the screen gets too cold, they don't refresh properly. Now they have fingerprint readers on the phone. So I have to take my gloves off, just to make a phone call. I'm tired of my hands getting cold!
      • by noh8rz10 (2716597)

        why don't you get those gloves that don't have fingers, or take a glove and cut off one finger?

        • You underestimate how cold it is in some places / times. Some times you want full-on mittens because gloves of any kind are too cold.
          • by noh8rz10 (2716597)

            you could have a mitten with a hole that you poke your finger through. I am having all the answers today!

            • Re:Why bother. (Score:4, Interesting)

              by Kielistic (1273232) on Thursday September 19, 2013 @03:27PM (#44896783)
              Holes are known for their efficiency at losing heat. If frostbite is a concern do not poke holes in your insulation!
              • Holes are known for their efficiency at losing heat. If frostbite is a concern do not poke holes in your insulation!

                Here you go, Nancy [sportsmansguide.com].

                • Exactly what I use in day-to-day outings actually. I live in a comparatively warm area though. Also I tend to use my thumb for most of my phone fiddling which those gloves do not help with. None of it really matters though because no matter how you are interacting with your phone bulky things over your hands is going to impede that.
      • by geek (5680)

        If it's so fucking cold outside then why are you sitting around reading an ebook in it?

      • Re:Why bother. (Score:5, Insightful)

        by hondo77 (324058) on Thursday September 19, 2013 @02:05PM (#44896049) Homepage
        What part of "Designed by Apple in California" don't you understand? :-)
      • You don't have to use the scanner. You can use the passcode any time you like. I keep my phone in my pockets in the winter as much as possible, personally. If I really need to make a phone call, well, it's probably pretty important to force me to contemplate doing it at -30C anyway, so I'll take my glove off for 3 seconds.

      • The new Samsung GS4 actually has a glove mode! It's not very advertised on the GS4 (it is on the "Active" version), but it is there, and it works with fairly thick lether gloves. I expect this to become a fairly standard future on Android in the future.
    • by Anonymous Coward

      Obligatory XKCD [xkcd.com]
       

    • by l0ungeb0y (442022)

      A fingerprint is not all that is required, the appendage leaving the impression must also have a faint electric signature only found in living tissue.
      So it seems a severed finger would only serve to smudge the glass display.

  • by Culture20 (968837) on Thursday September 19, 2013 @01:14PM (#44895569)
    Or from the iPhone itself.
    • by De Lemming (227104) on Thursday September 19, 2013 @01:29PM (#44895729) Homepage

      As was explained in the Apple keynote, a capacitive (not optical) sensor is used, which scans sub-epidermal skin layers. So lifting a fingerprint will not work.

      Here is an extensive explanation [macworld.com] of the technologies used.

      • by chihowa (366380) on Thursday September 19, 2013 @02:04PM (#44896039)

        That's not an extensive explanation of how the technology works. The only description of how the sensor works from that article is this:

        A capacitance fingerprint reader leverages a handy property of your skin: The outer layer of your skin (your dermis), where your fingerprint is, is non-conductive, while the subdermal layer behind it is conductive. When you touch the iPhone’s fingerprint sensor, it measures the minuscule differences in conductivity caused by the raised parts of your fingerprint, and it uses those measurements to form an image..

        So it's still measuring your fingerprint as made up of ridges and troughs, just using conduction instead of optics. So you lift a fingerprint from a glass, etch it onto a conductive substrate (that matches the dermis roughly) and put it on the sensor.

        The sensor is likely looking at a fairly wide range of relative conduction between the ridges and troughs, so that it will work if your fingers are oily or sweaty or cold, so you wouldn't need to perfectly match the conduction of the user's actual finger.

        • by Solandri (704621)
          My dad has abnormally dry hands and a thin (as in not very high) fingerprint ridge layer. He hates typing passwords so uses the same short password on everything. A few years ago I got him a Thinkpad with a fingerprint scanner in hopes of beefing up his security without much additional effort.

          The scanner only works about 10% of the time on him. He doesn't use it because of the high failure rate. This tells me that although the tech may read some of its data from the interior structure of the finger,
        • If you're putting that much effort into hacking into my phone, well, you'd get my data no matter what I did. Frankly, I think you'd be better off packet sniffing my cellular traffic or something.

          Why are you so interested in my phone that you want to lift my fingerprints onto a conductive substrate and force my phone open? What data do you think I keep on my phone that's worth so much? Once I notice my phone is gone I'm just going to remote wipe it anyway, and you can't turn THAT off without the code that I

          • by chihowa (366380)

            Well, "etch it onto a conductive substrate" sounds like a lot of effort right now, but we'll likely find out in the next article that gummy bears have the exact same conduction as the dermis and that the etching just involves licking the gummy bear before you press it on the fingerprint.

            Personally, I don't care about the security of iPhones. I'm just annoyed at the over-the-top portrayal of this fingerprint reader as some sort of magical "doesn't read your fingerprint, but reads, like the inside of your fin

      • The source you site seems to be saying the opposite of what you claim:

        When you touch the iPhone’s fingerprint sensor, it measures the minuscule differences in conductivity caused by the raised parts of your fingerprint, and it uses those measurements to form an image..

        Those raised parts of the fingerprint are exactly the ones that deposit fat stains on every surface you touch.

        Of course, it is possible that the macworld article is misleading, and that the fingerprint reader reads some other pattern after all. If so, it would be nice to see a source that backs that up. This has been brought up in previous slashdot discussions too, but I have never seen any evidence backing it up, even after explicitly as

      • by citizenr (871508)

        sure sure, gummy bears work on those

      • I'm not sure if it does this, but another good layer of security would be to require the passcode after maybe two failed fingerprint attempts.
      • The sensor in the iPhone 5s utilizes two methods to sense and identify your fingerprint:

        Capacitive -- A capacitive sensor is activated by the slight electrical charge running through your skin.

        Radio frequency -- RF waves do not respond to the dead layer of skin on the outside of your finger -- the part that might be chapped or too dry to be read with much accuracy -- and instead reads only the living tissue underneath. This produces an extremely precise image of your print, and ensures that a severed finger is completely useless.

        This means that the Touch ID sensor should be remarkably accurate for living creatures, but it also means that only a finger attached to a beating heart will be able to unlock it.

        Why a disembodied finger can't be used to unlock the Touch ID sensor on the iPhone 5s [macworld.com]

        • Not only does that article never discuss disembodied or severed fingers, but it also misses the huge issue with biometric ID: you're "broadcasting" it daily, and it can never be changed. Once someone gets your fingerprint associated with your name, do you have any idea how large the black-market value will be if biometric IDs like this become common? If your fingerprint can be used with your credit card, for instance? That is a much larger incentive for criminals than stealing your iphone passcode.

          It's a
          • Not only does that article never discuss disembodied or severed fingers, but it also misses the huge issue with biometric ID: you're "broadcasting" it daily, and it can never be changed. Once someone gets your fingerprint associated with your name, do you have any idea how large the black-market value will be if biometric IDs like this become common? If your fingerprint can be used with your credit card, for instance? That is a much larger incentive for criminals than stealing your iphone passcode. It's also largely undetectable: sit at a coffee shop, pose like a hipster with your DSLR, wait until you can pick up someone's name, then take their glass and photograph it after they leave. If you think this is just paranoia, there were several people who were succesful in copying Angela Merkel's fingerprint a few years back. If they can do it to the prime minister of Germany, they can do it to you.

            1. Steal Angela Merkel's fingerprints
            2. ???
            3. PROFIT!

  • by Anonymous Coward

    Apple has already pointed out that the fingerprint sensor will deliver a false-positive approximately 1 time in 50,000 (which they correctly point out is five times more secure than a four digit passcode which can be guessed 1 time in 9,999 attempts). Further, it's already been covered to death that the fingerprint sensor does not read the outer layer of skin and thus lifting a fingerprint from a beer mug will NOT work (despite the internet's intent to claim that it will...).

    There's so much stupid surroundi

    • Apple has already pointed out that the fingerprint sensor will deliver a false-positive approximately 1 time in 50,000

      Presumably they are going to require repeatable results....

    • the fingerprint sensor does not read the outer layer of skin and thus lifting a fingerprint from a beer mug will NOT work

      You mean that it can correctly identify whether the shape it reads is a natural pattern on the finger or a living human being, or whether it's some sort of synthetic replacement, regardless of the millions of combinations of materials and structure that come to one's mind?

    • There's so much stupid surrounding this that it hurts my brain...

      Well, as an expert in the field, I have to say that you've taken way too many internet postings as gospel.

      This contest will be won quickly and easily. /frank

    • by amaurea (2900163) on Thursday September 19, 2013 @02:23PM (#44896173) Homepage

      What is your source for claiming that the sensor reads a different pattern than the normal fingerprints you leave behind? A capacitive fingerprint reader works by measuring the difference in capacitance between the ridges and valleys of your fingerprint. In the ridges, the distance to the more conductive layers beneath the skin (the sub-dermal layers you've heard about) is greater than in the valleys, which gives these regions higher capacitance. I guess the pattern you get this way could be different from the visible fingerprint if the underside of the skin has a significant, different pattern than the overside, but I have not heard that that is supposed to be the case.

      To simplify things a bit, the much touted sub-dermal layers work as a sort of capacitive back-light which highlights the differences in thickness of the fingerprint above it. It is, to the best of my knowledge, simply another way of measuring the same fingerprint we see when we look at our fingers.

  • Didn't these clowns watch the keynote?

    -jcr

    • by maccodemonkey (1438585) on Thursday September 19, 2013 @01:35PM (#44895795)

      Didn't these clowns watch the keynote?

      -jcr

      I am totally shocked someone in the tech industry would launch a project without fully understanding the original problem. SHOCKED I SAY.

    • by thue (121682)

      The problem is that the fingerprint scanner could create a false sense of security.

      • by Sockatume (732728)

        The whole point of the scanner is that the 90% of iPhone users who don't even use a code because it wastes too much time, might turn it on because it's convenient.

        • Exactly. The inclusion of the sensor is not about being 100% secure all the time, it's about encouraging the use of some level of security by the majority who currently have none. Since it is quicker to use the sensor than to swipe to unlock without a PIN, that is the metric to consider.
  • Season 2 Episode 1, "The Human Factor". Mac scrapes some gypsum dust off of a wall and blows it across the reader (a hand print reader, if I remember correctly) like one would dust for fingerprints. Then he wrapped his hand and pressed the reader - voila! It should work as long as the phone's owner doesn't remember to wipe down their fingerprint reader each time they use it.
  • If someone could find a way around this, it would be worth a lot more than the stated bounty to criminals.
    • by Bob_Who (926234)

      Yeah, a whole hell of a lot better than honor among thieves and a low ball guarantee..

      Crime pays better when dealing directly with Congress and lobbyists.

  • Just take close in photos of all the smudges on the "retinal" display screen extrapolate 3d from it and print it with a 3d printer. Presto access.
  • Laptops have had fingerprint login authentication for years. Why all the fuss over what seems to be a more secure method than the one on my wife's four year old HP?
    • by guruevi (827432)

      Most laptop-fingerprint-thingies are basically very cheap camera's. They take a (very low resolution) picture and compare it with an existing (very low resolution) one. Easy to fool with a piece of paper or a superglue version of the fingerprint.

      Other problems is (specifically with Windows) is that the Windows-based fingerprinting software (UPEK) stores the passwords pretty much plain text into the registry anyway.

      Apparently the iPhone fingerprint scanner is not so easily fooled because otherwise there woul

      • It can't be that specifically sensitive either, since then a wet, sweaty, greasy or dirty finger would not work. I'm fairly sure that Apple has realized that the most useless security technology is the one no-one bothers to use.
      • by Megol (3135005)
        No the standard is capacitive scanning readers. The last camera based fingerprint reader I've seen was the Microsoft fingerprint reader that was released 9 years ago.
  • Assuming that you protect your phone from the random thief, I would recommend installing a tracing app and leaving the phone unlocked - a locked phone will just encourage the thief to hard reset it or turn it off immediately. Same with a laptop - I had some tracing software installed but unfortunately I forgot to enable the guest account so the thief could not use the laptop... and therefore never gave me a chance to locate it.

What this country needs is a dime that will buy a good five-cent bagel.

Working...