Hacking TouchID Could Bring a Bounty of Almost $20,000

 
 
By Robert Lemos  |  Posted 2013-09-21
 
 
 
hacking

A crowdsourced effort to spur interest in breaking Apple's latest security enhancement to the iPhone—the TouchID fingerprint sensor—has resulted in an ad hoc bounty program that reached nearly $20,000 in less than two days.

A series of bantering tweets between security researchers on Sept. 18 evolved into a site, IsTouchIDHackedYet.com, that tracks the individual bounties pledged by people on Twitter. So far, 92 people have contributed to the fund, offering anything from $100 to bitcoins to alcohol to even a patent application on the resulting technique. As of noon Eastern Time on Sept. 20, the total of the cash and prizes stood near $20,000.

The trio who kicked off the effort—Nick Depetrillo, Robert Graham and a researcher who uses the monicker "The Grugq"—started by offering $100 each as a way to quiet critics who argued that hacking the TouchID fingerprint sensor technology would be trivial, requiring no more effort than Nicolas Cage lifting a fingerprint off a champaign glass in the movie "National Treasure."

"I will pay the first person who successfully lifts a print off the iPhone 5S screen, reproduces it and unlocks the phone in < 5 tries $100," Depetrillo, a security researcher, tweeted Sept. 18. "All I ask is a video of the process from print, lift, reproduction and successful unlock with reproduced print. I'll put money on this."

Announced earlier this month at the unveiling of the iPhone 5S, Apple's TouchID fingerprint sensor uses technology from AuthenTec, which Apple acquired last year. The technology does not digitize the fingerprint's optical image but, rather, scans the subdermal layer for the unique details of the fingerprint, the company said in its presentation.

Anyone who is able to break the security of the technology will have deserved the money, Graham, CEO of Errata Security and creator of the IsTouchIDHackedYet Website, told eWEEK.

"The point is that we think it is going to be hard to crack," he said. "Apple engineers are smart people, and this is not an optical reader."

While the effort has quickly snowballed into a viral campaign, it became a serious bounty program when Arturas Rosenbacher, a student and serial entrepreneur, pledged $10,000 in prize money. Rosenbacher, a founding partner at micro-investment venture firm I/O Capital Partners, said he wanted to incite more research interest in breaking the security of Apple's fingerprint-sensing technology.

"It's not necessarily about the money or the hacking," he told eWEEK. "It is to give the initiative for others to take on this problem."

Unlike with other bounty programs that pay a single lump-sum prize, the winner of the TouchID hacking bounty will have to collect from each individual, although Graham and Depetrillo have pledged to help track down any holdouts.

"If someone meets the requirements for hacking the Touch ID and claims the prize http://istouchidhackedyet.com/ will then track any dead beats!!" Depetrillo tweeted.

Rocket Fuel