For hackers, the iPhone 5s’s Friday release marks the start of a race to crack its new fingerprint reader. Now a few dozen of them are raising the stakes.
On Wednesday afternoon security researchers Nick Depetrillo and Robert David Graham launched IsTouchIDHackedYet.com, a website designed to crowdfund a reward for the first person to demonstrate in a video that he or she can lift a fingerprint from any surface, reproduce the print, and use it to unlock the iPhone 5s belonging to that fingerprint’s owner. As of Wednesday night, the total bounty had already risen to close to $2,500, along with nearly $500 worth of the cryptocurrency Bitcoin and sundry extras including a bottle of tequila, a lockpicking tool, and a “dirty sex book.”
Depetrillo says he decided to start collecting the bounty not because he wants to see Apple’s new fingerprint reader hacked, but because he hopes to show how difficult spoofing TouchID may turn out to be. “Basically people criticized the TouchId sensor as being insecure, thinking it was a typical fingerprint sensor from five years ago,” he writes to me. “In reality it’s a lot harder, and I was part of a vocal minority of security researchers who argued Apple did a good job.”
So Depetrillo announced on Twitter that he’d give $100 to the first person to prove him wrong, and Graham created the IsTouchIDHackedYet site, as first noted by Cnet. “I put my money where my mouth is and it really took off,” Depetrillo says. Anyone can informally add their own pledge by tweeting it with the hashtag #istouchidhackedyet. The pool so far seems to be based on an honor system, though Depetrillo is noting the pledges and says he’ll “track any deadbeats.”
Until the new iPhone hits stores Friday, just how secure its fingerprint reader may be remains unclear. In the past, researchers have cracked various fingerprint readers with silly putty, gelatin, corpse fingers, and, on one episode of the television show Mythbusters, even a printed fingerprint on a sheet of paper. But Apple promises that its reader can sense beyond the top layer of a user’s skin, and includes a “liveness” test that prevents even a severed finger from being used to access a stolen phone.
While companies like Facebook, Google, and most recently Microsoft all shell out thousands of dollars in rewards to hackers who report security flaws in their products, Apple has never offered such “bug bounties.” But any well-connected hacker who does crack TouchID may be able to sell their work for more than a few thousand dollars and a dirty paperback. Some government agencies pay tens or even hundreds of thousands of dollars for information about previously unknown vulnerabilities in software and hardware. A single exploit that can allow an attacker to remotely gain full control of an iPhone, for instance, can sell for as much as $250,000.
Given what Depetrillo describes as Apple’s thoughtful implementation of its fingerprint reader, he says he’s not sure whether IsTouchIDHackedYet.com’s bounty will ever grow large enough to incentivize a hacker to find and reveal a successful attack against it.
“Nothing is hack proof,” admits Depetrillo. “I honestly don’t know if someone will claim it… If they do I’ll be pleasantly surprised.”
And he’ll also be out a hundred dollars.