Crowdfunded Bounty For Hacking iPhone 5S Fingerprint Authentication

judgecorp writes "There's more than $13,000 pledged for a crowdfunded bounty for bypassing an iPhone 5S's fingerprint reader. The bounty, set up by a security expert and an exploit reseller, requires entrants to lift prints 'like from a beer mug.' It has a website — IsTouchIDHackedYet — and payments are pledged by tweets using #IsTouchIDHackedYet. One drawback: the scheme appears to rely on trust that sponsors will actually pay up." Other prizes include whiskey, books, and a bottle of wine.

Why bother.

[stewsters]

With a $10 Walmart machete from the camping aisle, you can "Hack" off the key for yourself.

Re:Why bother.

[alen]

if you live close to a wal mart chances are your victim will have a gun and can defend him or herself

One Word:

[Shakrai]

Gunblade [wikia.com]

Re:Why bother.

[i_ate_god]

Walmarts exist in Canada too

But then again you wouldn't expect a Canadian to do such a brazen hack. Rather the Canadian would ask the other Canadian politely if they could use their phone, then quickly hop on their moose and ride off with it.

Re:

[K. S. Kyosuke]

Bah. I find it fascinating that the family of the victim sued for $150k for their son having gotten mutilated and his eyes eaten, while two passengers apparently sued for $3M each for having witnessing it, which I'm sure is so much more damaging.

Re:

[Anonymous Coward]

but more likely shoot some innocent people in the area.

Re:

[Jeff Flanagan]

If only Walmart was still just a rural thing. They're everywhere these days.

Re:

[kruach aum]

Because subtlety and subterfuge offer advantages that brute force doesn't.

Re:

[h4rr4r]

Reports are wrong.
1. for several minutes it would be basically still alive
2. The threat of finger removal will get the phone unlocked in 99.99% of cases.
3. you can always skin the finger and wear it like a glove.

Re:

[Penguinisto]

Err, some thoughts here:

1) The vast majority of smartphone thefts are 'smash and grab' jobs - that is, some dude gets his phone jerked out of his hand by some criminal already moving at a high rate of speed.

1a) Why? Because every second spent threatening the victim, watching him fumble through the unlock, etc, is another second more that the criminal can be identified, remembered, etc (not just by the victim, but by companions and passerby). It's also one more second for the victim (if suitably armed) to re

Re:

[Plumpaquatsch]

Reports are wrong. 1. for several minutes it would be basically still alive 2. The threat of finger removal will get the phone unlocked in 99.99% of cases. 3. you can always skin the finger and wear it like a glove.

And then you'd have to enter the passphrase sooner or later anyway (as in no later than 48 hours).

Re:

[ShanghaiBill]

With a $10 Walmart machete from the camping aisle, you can "Hack" off the key for yourself.

Nope. The iPhone, like most modern fingerprint scanners, requires a pulse. A severed finger won't work.

Re:

[stewsters]

Doesn't matter. if you tell the person you are going to chop off their finger and have a machete on hand to do it, they most likely will want to reset their password for you.

Re:

[geek]

Yes, and if you hold a gun to their head and make them do things you'll have broken their security. Seriously? Apple is damned if they do and damned if they don't with people like you.

Yes people may force their victims to do this, no it's not likely to be common. The point of the finger print reader isn't to somehow, mystically prevent an armed robber from getting into your shit. Its to keep purse snatchers and pick pockets from getting in as well as keeping it moderately secure should you forget it at a ba

Re:

[mlts]

I wonder when devices will start having a duress code where if swiped one way, the device opens normally. Swiped another way, device opens, but yet calls the local popo and reports a holdup in progress.

Even my 13 year old house alarm has that.

Re:

[Quila]

That would be nice. Right thumb for normal operation, left middle finger (or one you'd never accidentally use) to come up with some generic looking data that'll get you off the hook, while your real data is wiping in the background.

Re:

[Kielistic]

I don't think anybody is damning Apple for this. Especially not the original post that was just making a pun on the word hack.

Re:

[ackthpt]

With a $10 Walmart machete from the camping aisle, you can "Hack" off the key for yourself.

Nope. The iPhone, like most modern fingerprint scanners, requires a pulse. A severed finger won't work.

Arr, ye be only needin' a batt'ry and wires fer ye pulse o' a sev'red finger, matey. ox)P-)

Re:

[ahem]

That was the most gratuitous, and yet somehow satisfying, execution of ITLAP Day [talklikeapirate.com].

Re:Why bother.

[CastrTroy]

Personally, living in Canada, I wish they would stop coming up with inventions that don't work in the winter. First, it's capacitive touch screens that won't work with regular gloves. Now we have special gloves with a special material on the fingertips so that you can use your tablet/phone with gloves. Then there's eBook readers, which advertise as being still readable in sunlight, but if the screen gets too cold, they don't refresh properly. Now they have fingerprint readers on the phone. So I have to take my gloves off, just to make a phone call. I'm tired of my hands getting cold!

Re:

[noh8rz10]

why don't you get those gloves that don't have fingers, or take a glove and cut off one finger?

Re:

[Kielistic]

You underestimate how cold it is in some places / times. Some times you want full-on mittens because gloves of any kind are too cold.

Re:

[noh8rz10]

you could have a mitten with a hole that you poke your finger through. I am having all the answers today!

Re:Why bother.

[Kielistic]

Holes are known for their efficiency at losing heat. If frostbite is a concern do not poke holes in your insulation!

Re:

[XxtraLarGe]

Holes are known for their efficiency at losing heat. If frostbite is a concern do not poke holes in your insulation!

Here you go, Nancy [sportsmansguide.com].

Re:

[Kielistic]

Exactly what I use in day-to-day outings actually. I live in a comparatively warm area though. Also I tend to use my thumb for most of my phone fiddling which those gloves do not help with. None of it really matters though because no matter how you are interacting with your phone bulky things over your hands is going to impede that.

Re:

[geek]

If it's so fucking cold outside then why are you sitting around reading an ebook in it?

Waiting for the bus...

[Anonymous Coward]

Probably :)

Re:

[holmstar]

Perhaps they are waiting for the bus?

Re:Why bother.

[hondo77]

What part of "Designed by Apple in California" don't you understand? :-)

Re:

[Dixie_Flatline]

You don't have to use the scanner. You can use the passcode any time you like. I keep my phone in my pockets in the winter as much as possible, personally. If I really need to make a phone call, well, it's probably pretty important to force me to contemplate doing it at -30C anyway, so I'll take my glove off for 3 seconds.

Re:

[cybertears]

If you're straight, wouldn't gay marriage be a new option?

Re:

[semi-extrinsic]

The new Samsung GS4 actually has a glove mode! It's not very advertised on the GS4 (it is on the "Active" version), but it is there, and it works with fairly thick lether gloves. I expect this to become a fairly standard future on Android in the future.

Re: Why bother.

[Anonymous Coward]

Obligatory XKCD [xkcd.com]
 

Re:

[l0ungeb0y]

A fingerprint is not all that is required, the appendage leaving the impression must also have a faint electric signature only found in living tissue.
So it seems a severed finger would only serve to smudge the glass display.

Re:

[Anonymous Coward]

No, all they have to do to defeat this, and, any other system, is threaten any of the above, with a reasonable belief that it's true.

Re:

[Plumpaquatsch]

Better yet, just go to Wal-mart and hack and shoot everyone showing off their new iphone.

The NRA has successfully lobbied for any mass-killing above 3 persons to be carried out only with firearms.

'like from a beer mug'

[Culture20]

Or from the iPhone itself.

Re:'like from a beer mug'

[De Lemming]

As was explained in the Apple keynote, a capacitive (not optical) sensor is used, which scans sub-epidermal skin layers. So lifting a fingerprint will not work.

Here is an extensive explanation [macworld.com] of the technologies used.

Re:'like from a beer mug'

[chihowa]

That's not an extensive explanation of how the technology works. The only description of how the sensor works from that article is this:

A capacitance fingerprint reader leverages a handy property of your skin: The outer layer of your skin (your dermis), where your fingerprint is, is non-conductive, while the subdermal layer behind it is conductive. When you touch the iPhone’s fingerprint sensor, it measures the minuscule differences in conductivity caused by the raised parts of your fingerprint, and it uses those measurements to form an image..

So it's still measuring your fingerprint as made up of ridges and troughs, just using conduction instead of optics. So you lift a fingerprint from a glass, etch it onto a conductive substrate (that matches the dermis roughly) and put it on the sensor.

The sensor is likely looking at a fairly wide range of relative conduction between the ridges and troughs, so that it will work if your fingers are oily or sweaty or cold, so you wouldn't need to perfectly match the conduction of the user's actual finger.

Re:

[Solandri]

My dad has abnormally dry hands and a thin (as in not very high) fingerprint ridge layer. He hates typing passwords so uses the same short password on everything. A few years ago I got him a Thinkpad with a fingerprint scanner in hopes of beefing up his security without much additional effort.

The scanner only works about 10% of the time on him. He doesn't use it because of the high failure rate. This tells me that although the tech may read some of its data from the interior structure of the finger,

Re:

[Dixie_Flatline]

If you're putting that much effort into hacking into my phone, well, you'd get my data no matter what I did. Frankly, I think you'd be better off packet sniffing my cellular traffic or something.

Why are you so interested in my phone that you want to lift my fingerprints onto a conductive substrate and force my phone open? What data do you think I keep on my phone that's worth so much? Once I notice my phone is gone I'm just going to remote wipe it anyway, and you can't turn THAT off without the code that I

Re:

[chihowa]

Well, "etch it onto a conductive substrate" sounds like a lot of effort right now, but we'll likely find out in the next article that gummy bears have the exact same conduction as the dermis and that the etching just involves licking the gummy bear before you press it on the fingerprint.

Personally, I don't care about the security of iPhones. I'm just annoyed at the over-the-top portrayal of this fingerprint reader as some sort of magical "doesn't read your fingerprint, but reads, like the inside of your fin

Citation does not back up your claim

[amaurea]

The source you site seems to be saying the opposite of what you claim:

When you touch the iPhone’s fingerprint sensor, it measures the minuscule differences in conductivity caused by the raised parts of your fingerprint, and it uses those measurements to form an image..

Those raised parts of the fingerprint are exactly the ones that deposit fat stains on every surface you touch.

Of course, it is possible that the macworld article is misleading, and that the fingerprint reader reads some other pattern after all. If so, it would be nice to see a source that backs that up. This has been brought up in previous slashdot discussions too, but I have never seen any evidence backing it up, even after explicitly as

Re:

[chihowa]

Here's your reference. [uspto.gov] It's reading a plain old fingerprint.

Re:

[citizenr]

sure sure, gummy bears work on those

Re:

[ModernGeek]

I'm not sure if it does this, but another good layer of security would be to require the passcode after maybe two failed fingerprint attempts.

Capactitive and RF sensors.

[westlake]

The sensor in the iPhone 5s utilizes two methods to sense and identify your fingerprint:

Capacitive -- A capacitive sensor is activated by the slight electrical charge running through your skin.

Radio frequency -- RF waves do not respond to the dead layer of skin on the outside of your finger -- the part that might be chapped or too dry to be read with much accuracy -- and instead reads only the living tissue underneath. This produces an extremely precise image of your print, and ensures that a severed finger is completely useless.

This means that the Touch ID sensor should be remarkably accurate for living creatures, but it also means that only a finger attached to a beating heart will be able to unlock it.

Why a disembodied finger can't be used to unlock the Touch ID sensor on the iPhone 5s [macworld.com]

Re:

[semi-extrinsic]

Not only does that article never discuss disembodied or severed fingers, but it also misses the huge issue with biometric ID: you're "broadcasting" it daily, and it can never be changed. Once someone gets your fingerprint associated with your name, do you have any idea how large the black-market value will be if biometric IDs like this become common? If your fingerprint can be used with your credit card, for instance? That is a much larger incentive for criminals than stealing your iphone passcode.

It's a

Re:

[Plumpaquatsch]

Not only does that article never discuss disembodied or severed fingers, but it also misses the huge issue with biometric ID: you're "broadcasting" it daily, and it can never be changed. Once someone gets your fingerprint associated with your name, do you have any idea how large the black-market value will be if biometric IDs like this become common? If your fingerprint can be used with your credit card, for instance? That is a much larger incentive for criminals than stealing your iphone passcode. It's also largely undetectable: sit at a coffee shop, pose like a hipster with your DSLR, wait until you can pick up someone's name, then take their glass and photograph it after they leave. If you think this is just paranoia, there were several people who were succesful in copying Angela Merkel's fingerprint a few years back. If they can do it to the prime minister of Germany, they can do it to you.

1. Steal Angela Merkel's fingerprints
2. ???
3. PROFIT!

Re:

[Plumpaquatsch]

It's been done.

Lift fingerprint. Print by a laser printer to make a mold. Pour jello onto the printout. Lift jello to have "finger" that works on "a capacitive (not optical) sensor."

https://www.google.ca/search?q=jello+mold+fingerprint

Now all you have to do is do that - and buy an iPhone 5s to test it. Then you will be $13,000 richer. Unless it doesn't work. Then you will have an iPhone 5s.

Morons

[Anonymous Coward]

Apple has already pointed out that the fingerprint sensor will deliver a false-positive approximately 1 time in 50,000 (which they correctly point out is five times more secure than a four digit passcode which can be guessed 1 time in 9,999 attempts). Further, it's already been covered to death that the fingerprint sensor does not read the outer layer of skin and thus lifting a fingerprint from a beer mug will NOT work (despite the internet's intent to claim that it will...).

There's so much stupid surroundi

Re:

[phantomfive]

Apple has already pointed out that the fingerprint sensor will deliver a false-positive approximately 1 time in 50,000

Presumably they are going to require repeatable results....

Re:

[K. S. Kyosuke]

the fingerprint sensor does not read the outer layer of skin and thus lifting a fingerprint from a beer mug will NOT work

You mean that it can correctly identify whether the shape it reads is a natural pattern on the finger or a living human being, or whether it's some sort of synthetic replacement, regardless of the millions of combinations of materials and structure that come to one's mind?

Re:

[FrankSchwab]

There's so much stupid surrounding this that it hurts my brain...

Well, as an expert in the field, I have to say that you've taken way too many internet postings as gospel.

This contest will be won quickly and easily. /frank

Caimed to death, but not backed up

[amaurea]

What is your source for claiming that the sensor reads a different pattern than the normal fingerprints you leave behind? A capacitive fingerprint reader works by measuring the difference in capacitance between the ridges and valleys of your fingerprint. In the ridges, the distance to the more conductive layers beneath the skin (the sub-dermal layers you've heard about) is greater than in the valleys, which gives these regions higher capacitance. I guess the pattern you get this way could be different from the visible fingerprint if the underside of the skin has a significant, different pattern than the overside, but I have not heard that that is supposed to be the case.

To simplify things a bit, the much touted sub-dermal layers work as a sort of capacitive back-light which highlights the differences in thickness of the fingerprint above it. It is, to the best of my knowledge, simply another way of measuring the same fingerprint we see when we look at our fingers.

Small correction

[amaurea]

Higher distance gives lower capacitance, not higher. This does not change the argument, though.

Re:

[glennrrr]

I wonder if the sensor could be trained to recognize an inanimate object like a casting of my finger. Then I could say "see this casting bypasses the security".

Re:

[noh8rz10]

yes, but only the cat can unlock it! actually i don't know, if one cat is registered can others unlock it as well?

Re:

[Plumpaquatsch]

yes, but only the cat can unlock it! actually i don't know, if one cat is registered can others unlock it as well?

Second paragraph: ". Note that no other paw pads would unlock the device, and that cats essentially have unique “fingerprints” just like people, so this doesn’t make the Touch ID sensor any less secure."

Re:

[noh8rz10]

Second paragraph: ". Note that no other paw pads would unlock the device, and that cats essentially have unique “fingerprints” just like people, so this doesn’t make the Touch ID sensor any less secure."

i don't worry so much about a cat paw fooling the sensor that it is a person's finger print. Just trying to make sure that my two cats won't be able to unlock each other's phones.

Re:

[Anonymous Coward]

I'm pretty sure the fingerprint sensor does not scan the outer layer of skin, but the sub-dermal layer. Why would you think that taking a cast of the outside of the finger would work?

Re:Broken on first day

[ShanghaiBill]

How long does it take to etch a PCB (mould) and how long does it take for gelatine to cool down (finger cast)? (The method that Mythbusters used)

The Mythbusters episode was from 2006, and was done on a sensor that was even older. Technology improves. In a decade, it can improve a lot. Their technique would almost certainly not work today. Apple's sensor requires a pulse, and detects deep skin layers that do not show up on a lifted fingerprint.

Re:

[Terrasque]

Didn't the manufacturer make similar claims about the Mythbusters lock too? That turned out to be hogwash.

Let's wait and see how it actually works.

Re:

[Megol]

False! If it requires a pulse (which I doubt) it would be simple to emulate this with a very easy circuit varying the capacitance which is the only thing a normal capacitive reader can sense. If it is a combination of a capacitive reader for the fingerprint and an IR oximeter for sensing pulse the solution is to have a pulsed IR lightsource. But it is unlikely that it's anything more than a flat capacitive reader possibly with a higher resolution than normal readers. But realistically this is the normal "A

Re:Broken on first day

[sootman]

> How long does it take to etch a PCB (mould) and
> how long does it take for gelatine to cool down
> (finger cast)?

I don't know. How long does it take to use Google and learn that your method won't fucking work? [tuaw.com]

Re:

[mrwolf007]

Hmm, so how many things did Apple patent that they didnt bother to implement?
And givent he fact that most testers probably wont find a test candidate to chop a finger off ill guess i just ... have to take your word for it?

Re:

[sootman]

> And givent he fact that most testers probably wont
> find a test candidate to chop a finger off ill guess i
> just ... have to take your word for it?

Logic much? How's this: if it won't get a reading at all, a match can't happen. So: find a cadaver. Press the finger onto the pad. No reading? No match possible.

Re:

[semi-extrinsic]

Oh dear god. As a physicist, skimming that article made me even more sure that people who write technology blogs about Apple are mindnumbingly stupid. To wit:

We all have a small amount of electrical current running through our bodies, and capacitive technology utilizes that to sense touch.

If you fail that hard in your understanding of such a basic smartphone technology as capacitance, then your opinion on technical matters will be considered irrelevant and background noise. They then go ahead and fail at biology:

Once the tissue is dead -- which, in the case of someone chopping your finger off without your consent, should happen within a matter of minutes.

A chopped off human finger can be successfully re-attached to the person after 12 hours if kept warm and up to four days if ke

Re:

[Plumpaquatsch]

I would not be surprised if someone would have broken it within mere hours after they have become available.

How long does it take to etch a PCB (mould) and how long does it take for gelatine to cool down (finger cast)? (The method that Mythbusters used)

The iPhone 5s went on sale in Australia about 21 hours ago in Australia, shortly after that in China and Japan, More than 13 hours in Europe - still not hacked yet.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:You can just enter the passcode.

[maccodemonkey]

Didn't these clowns watch the keynote?

-jcr

I am totally shocked someone in the tech industry would launch a project without fully understanding the original problem. SHOCKED I SAY.

Re:

[thue]

The problem is that the fingerprint scanner could create a false sense of security.

Re:

[Sockatume]

The whole point of the scanner is that the 90% of iPhone users who don't even use a code because it wastes too much time, might turn it on because it's convenient.

Re:

[Internal Modem]

Exactly. The inclusion of the sensor is not about being 100% secure all the time, it's about encouraging the use of some level of security by the majority who currently have none. Since it is quicker to use the sensor than to swipe to unlock without a PIN, that is the metric to consider.

Re:

[Daniel_Staal]

Apple's been working on the dock port problem as well: IIRC, Recent OS updates will alert the user if you plug into a device that attempts to treat the phone as a USB storage device (instead of a battery), and require the user to allow it. (After unlocking the screen, of course, which means if it's locked and requires a password or fingerprint, you need the password or fingerprint.)

It's not a high-security device by any means, but the obvious pitfalls are being taken care of. I don't expect this bounty to

Re:

[Anonymous Coward]

No, because the iPhone 5S doesn't use an optical fingerprint scanner. It's using a capacitive sensor that measures capacitance of the skin and sub-epidermal layers of the finger. A simple image of the print won't fool it.

MacGyver already did it.

[Videospike]

Season 2 Episode 1, "The Human Factor". Mac scrapes some gypsum dust off of a wall and blows it across the reader (a hand print reader, if I remember correctly) like one would dust for fingerprints. Then he wrapped his hand and pressed the reader - voila! It should work as long as the phone's owner doesn't remember to wipe down their fingerprint reader each time they use it.

Macworld contradicts you

[amaurea]

From this macworld article [macworld.com] on the subject:

A capacitance fingerprint reader leverages a handy property of your skin: The outer layer of your skin (your dermis), where your fingerprint is, is non-conductive, while the subdermal layer behind it is conductive. When you touch the iPhone’s fingerprint sensor, it measures the minuscule differences in conductivity caused by the raised parts of your fingerprint, and it uses those measurements to form an image..

A capacitor [wikipedia.org] works by having an insulator sandwitched between two conductors. The thinner the insulator is, the higher the capacitance. In the case of a capacitive fingerprint reader, the conductors are the reader itself on one side, and the subdermal layers on the other side. In between them, the skin works as an insulator. Hence, by measuring the capacitance, one is effectively measuring the thickness of the skin. I.e. the pattern of ridges and valleys visible on y

Re:

[Quila]

And how does this defeat the RF scanner that looks only at the live tissue underneath?

Re:

[Overzeetop]

The one that doesn't actually exist (there is no RF scanner), or the theoretical RF scanner which can't tell the difference between a finger and a small tube of ketchup (or other mostly-water filled tube)?

Re:

[semi-extrinsic]

It seems a lot of uninformed appleblogs/fanboys think there is an RF scanner simply because Apple has patented one.

Better bounty needed

[Sponge Bath]

If someone could find a way around this, it would be worth a lot more than the stated bounty to criminals.

Re:

[Bob_Who]

Yeah, a whole hell of a lot better than honor among thieves and a low ball guarantee..

Crime pays better when dealing directly with Congress and lobbyists.

Easy hack

[deviated_prevert]

Just take close in photos of all the smudges on the "retinal" display screen extrapolate 3d from it and print it with a 3d printer. Presto access.

Laptops

[Kozar_The_Malignant]

Laptops have had fingerprint login authentication for years. Why all the fuss over what seems to be a more secure method than the one on my wife's four year old HP?

Re:

[guruevi]

Most laptop-fingerprint-thingies are basically very cheap camera's. They take a (very low resolution) picture and compare it with an existing (very low resolution) one. Easy to fool with a piece of paper or a superglue version of the fingerprint.

Other problems is (specifically with Windows) is that the Windows-based fingerprinting software (UPEK) stores the passwords pretty much plain text into the registry anyway.

Apparently the iPhone fingerprint scanner is not so easily fooled because otherwise there woul

Re:

[semi-extrinsic]

It can't be that specifically sensitive either, since then a wet, sweaty, greasy or dirty finger would not work. I'm fairly sure that Apple has realized that the most useless security technology is the one no-one bothers to use.

Re:

[Megol]

No the standard is capacitive scanning readers. The last camera based fingerprint reader I've seen was the Microsoft fingerprint reader that was released 9 years ago.

Why lock a phone?

[kubajz]

Assuming that you protect your phone from the random thief, I would recommend installing a tracing app and leaving the phone unlocked - a locked phone will just encourage the thief to hard reset it or turn it off immediately. Same with a laptop - I had some tracing software installed but unfortunately I forgot to enable the guest account so the thief could not use the laptop... and therefore never gave me a chance to locate it.