Sign in with
Sign up | Sign in

iPhone Fingerprint Reader Already Hacked

By - Source: Tom's Guide US | B 15 comments

UPDATED 4:15 p.m. ET Monday with confirmation of method and awarding of contest winnings.

Has the new iPhone's Touch ID fingerprint reader been cracked?

It might have been, say the security researchers running a contest to see who can fool it first, but they need a little more proof.

"Yes," read the IsTouchIDHackedYet.com website this morning (Sept. 23), after changing its message from an earlier "Maybe" that was posted last night (Sept. 22).

"The Chaos Computer Club in Germany may have done it! Awaiting video showing them lifting a print (like from a beer mug) and using it to unlock the phone. If so, they'll win."

Meanwhile, an Indiana venture capitalist who pledged $10,000 to the contest pool waffled on his donation, suddenly deciding that he would set his own contest rules. That reduces the IsTouchIDHackedYet contest prize to about $7,500, plus several bottles of liquor.

MORE: 15 Best iOS 7 Apps

Lifting prints to hack the iPhone 5s

Members of Berlin's Chaos Computer Club hacker group yesterday (Sept. 22) posted two YouTube videos that appear to show phony fingerprints imprinted on plastic sheets unlocking an iPhone 5s.

The first video shows a man, presumably lead hacker "Star Bug," registering his right index finger with Touch ID, then sticking a piece of plastic on his middle finger to unlock the phone.

Hacking Touch ID, Part 1

The second video shows what appears to be the same man again registering his right index finger, but this time, a second man using a plastic sheet over his own right index finger unlocks the phone.

Hacking Touch ID, Part 2

By using real fingers to apply the fake fingerprints, the users would defeat the electrical sensor built into the Touch ID reader that makes sure a living finger is touching the phone.

"A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID," read an English-language post on the Chaos Computer Club's website. "This demonstrates — again — that fingerprint biometrics is unsuitable as access control method and should be avoided."

The club also posted detailed instructions on how to fake the fingerprint.

"First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution," a summary of the instructions said. "The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting.

"Finally, pink latex milk or white wood glue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone."

The resulting video is almost, but not quite, enough to satisfy the organizers of the IsTouchIDHackedYet.com contest.

"They say they are imaging the print, which is the missing bit we want on video," tweeted contest organizer Robert David Graham, co-founder and chief technology officer of Errata Security in Atlanta. "I'm probably gonna call the CCC video 'good enough' no matter what — but I'm still gonna hate them :)"

Graham has put $500 into escrow for the prize, as have several other hackers and security researchers, for a total of $900.

Others have pledged about $6,000 in cash, half a dozen bottles of expensive liquor and 10.41 Bitcoin, currently worth about $1,300.

Meanwhile, other ways to unlock an iPhone running iOS 7 have appeared, including one that uses Siri to talk through the phone's normal security barriers.

MORE: Is iPhone Fingerprint Security Secure At All?

Withdrawal of funds

Not included in the total is the $10,000 initially pledged by Bloomington, Ind.-based investor Arturas Rosenbacher, principal of I/O Capital Partners.

After allegedly telling several news organizations Friday that he was one of the organizers of the contest (he wasn't), Rosenbacher over the weekend decided that the contest wasn't for him.

"I/O Capital Partners will not and has not escrowed any amount of money or goods in relation to any stated or non-stated winner of the competition," Rosenbacher wrote on his company's website yesterday. "With this amount of money, stated at Ten Thousand Dollars and Zero Cents ($10,000.00), all financial transactions and releases will be fully internal within I/O Capital Partners, under its own Terms & Conditions, fully separate from any other entity, including the #IsTouchIDHackedYet competition and all representatives."

ZDNet writer Violet Blue documented that Rosenbacher had given interviews to CNBC, Bloomberg TV, the London Telegraph and other outlets in which he seemed to be speaking for the contest organizers.

"By having a competition like this we're only making the software more secure, and we're only making the hardware that much harder to penetrate," Rosenbacher told Mashable.

But, as someone pointed out on Twitter to Rosenbacher, who was "we"?

"Let me make this clear," wrote contest organizer Nick de Petrillo, a Washington, D.C.-based security researcher, on Twitter yesterday. "@arturas is not reviewing anything nor is he a judge in @ErrataRob and my Touch ID Hack challenge. He is misleading."

Rosenbacher has deleted all his tweets in which he refers to the contest.

That's one way to use Touch ID

Meanwhile, de Petrillo may have found a sure-fire way to secure his iPhone 5s.

"I just enrolled my penis in Touch ID on my iPhone and successfully unlocked it with my penis," he tweeted Saturday. "Am I the first to have tested this? #notjoking"

"Now no one will ever, ever steal your phone," replied security researcher Andrew Ruef. "[Is this] the secret to the correct use of Touch ID?"

UPDATE: The organizers of the IsTouchIDHackedYet contest confirmed at about 2:30 ET today (Sept. 23) that the method demonstrated on YouTube by Starbug of the Chaos Computer Club does indeed work. Starbug will receive the prize winnings.

"We don't have exactly the video we wanted from him, but others have confirmed it," wrote contest organizer Robert David Graham on the IsTouchIDHackedYet.com website. "We are in contact with Starbug — he's working on the video for us (apparently he's got a day job that delays things), but since we have several confirmations, it's pointless to hold things up."

Graham wrote that Starbug will be donating his winnings to Raumfahrtagentur ("Space Travel Agency"), a hacker space in Berlin. The IsTouchIDHackedYet.com posting includes Bitcoin, Paypal, bank-transfer and physical-address information for anyone who wants to donate pledged money directly to Starbug.

Others who duplicated Starbug's results included legendary hacker Peiter "Mudge" Zatko, a founder of the 1990s L0pht hacker collective in Boston, former research official at the Pentagon's Defense Applied Projects Research Agency and current Google employee, and Marc Rogers, a security researcher at Lookout Mobile Security in San Francisco.

Fake fingerprint unlocks iPhone 5s

Woman unlocks iPhone 5s enrolled with husband's thumbprint

Rogers posted two videos on YouTube yesterday that more or less echoed Starbug's, with non-enrolled fingers, one belonging to Rogers' wife, unlocking an iPhone that had been "enrolled" with Rogers' right thumbprint.

Graham posted a brief analysis of the contest results on his company's blog.

"What does this mean?" Graham wrote. "First, of all, it means Nick de Petrillo and I were wrong. We claimed it'd be harder."

But it's about much more than just losing money, Graham added.

"Many people claim this hack is 'too much trouble.' This is profoundly wrong," he wrote. "Just because it's too much trouble for you doesn't mean it's too much trouble for a private investigator hired by your former husband. Or the neighbor's kid. Or an FBI agent.

"As a kid, I attended science fiction conventions in costume, and had latex around the house to get those Vulcan ears to look just right," Graham added. "This sort of stuff is easy, easy, easy — you just need to try."

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

Discuss
Ask a Category Expert

Create a new thread in the Streaming Video & TVs forum about this subject

Example: Notebook, Android, SSD hard drive

This thread is closed for comments
Top Comments
  • 10 Hide
    michael908 , September 23, 2013 9:55 AM
    All you need is a camera, laser, printer and children's glue. And people criticize androids security flaws.
  • 10 Hide
    S Brideau , September 23, 2013 9:52 AM
    There is a reason they removed it from computers. Apple is late on technology, again.
Other Comments
  • 7 Hide
    InvalidError , September 23, 2013 9:29 AM
    The MythBusters were a few years ahead on the fingerprint security busting scene. I'm betting the scan-cleanup-print process CCC used was lifted straight from the show.
  • Display all 15 comments.
  • 10 Hide
    S Brideau , September 23, 2013 9:52 AM
    There is a reason they removed it from computers. Apple is late on technology, again.
  • 1 Hide
    Krisk7 , September 23, 2013 9:54 AM
    The last method takes some courage in public places. Technology giants like Apple are leading us in strange directions these days.
  • 10 Hide
    michael908 , September 23, 2013 9:55 AM
    All you need is a camera, laser, printer and children's glue. And people criticize androids security flaws.
  • 2 Hide
    back_by_demand , September 23, 2013 9:57 AM
    Well, I lost my bet, I estimated 24 hours from release - but still an epic iPhail
  • 0 Hide
    S Brideau , September 23, 2013 10:00 AM
    There is a reason they removed it from computers. Apple is late on technology, again.
  • 0 Hide
    MANOFKRYPTONAK , September 23, 2013 10:16 AM
    I knew that the finger scanner was just a joke. But the A7 seems descent, I just can't find any benchmarks. I was impressed with 3g family build, but not the 4 family... Im not sure about this build quality either, ifixit said they were not sure about its build quality.
  • 0 Hide
    digiex , September 23, 2013 10:21 AM
    The problem with this tech. is that if you get robbed for your iPhone, your hands had to go with it. ouch!
  • 0 Hide
    hector2 , September 23, 2013 12:45 PM
    What's the whole point of all this ? The bottom line is that the fingerprint lock method should work just fine 99.9% of the time. Anyone doing a quick grab and run with someone's iPhone will get only a short time use of it and will be unable to re-sell it
  • 0 Hide
    house70 , September 23, 2013 3:03 PM
    1. meet sucker in a bar
    2. hijack one of the shot glasses for the print
    3. hijack the phone
    4. profit!
  • 0 Hide
    NightLight , September 23, 2013 3:03 PM
    no matter what you tell apple sheep, they'll still buy it. it will become a nuisance after 2 hours of using it, and they'll go back to the normal locking screen.
  • 1 Hide
    brettms71 , September 23, 2013 4:32 PM
    Why bother stealing the glass or other objects. The phone will probably come with all the fingerprints you need anyway!
  • -4 Hide
    otacon , September 23, 2013 5:37 PM
    @hector2 Exactly....don't tell the Fandroids that though. 99.99% of the people stealing cell phones are looking to turn a quick profit. They will steal it, can't unlock it and toss it. Make sure you all fandroids talk smack about Samsung when they release the same thing in the S5. They are already copying Apple's activation lock feature. Here's a thought...maybe the S5 will have more than 50% of the RAM available...one can only hope.
  • 0 Hide
    Jose P , October 12, 2013 5:56 PM
    ya..ok. this is exactly like passcode, either one can be cracked. the dumbest thing ever. who is gonna take the time to get a billion supplies and open my phone. sure. maybe if i lost it. but if im right next to the person thats trying to unlock my phone. i dont think the persons gonna try to use a ton of supplies to get into my phone. oh. wait till the s5 gets the fingerprint sensor. its the exact same thing in everyphone. not every phone is perfect
Tom’s guide in the world
  • Germany
  • France
  • Italy
  • Ireland
  • UK
Follow Tom’s guide
Subscribe to our newsletter
  • add to twitter
  • add to facebook
  • ajouter un flux RSS