Win Bitcoins, booze and cash! Be the first to crack the iPhone's Touch ID fingerprint sensor...

The fingerprint sensor on Apple's new iPhone 5s could well be the device-within-a-device that brings biometrics into the everyday mainstream.

(There's good and bad in that. The good news is that if you paid extra for a laptop, years ago, because it had a fingerprint scanner you could never get to work, you'll no longer be seen as a technology sucker but as an early adopter.

The bad news is that any hope of arguing for the end of fingerprint scanners in US immigration lines will be lost forever. Heck, if you can do it for Apple, you can do it for Uncle Sam!)

For all that I recently wrote - this very morning, in fact - that convenience is "one of security's mortal enemies," Apple's Touch ID might end up as a blessing in disguise entirely on account of its ease of use.

People who are too lazy to bother with proper passwords or even four-digit passcodes on their phones (like Marissa Mayer, CEO of Yahoo!, no less) might be willing to use Touch ID, since it makes it slicker for them to get back into their phone one-handed.

But one burning question still remains, and in common with many Naked Security readers, you're probably asking it yourself: "How safe is it?"

Could you defeat it with a gelatin mould, for example?

Well, if you're willing to put Touch ID to the test, you might find yourself in line for some crowdsourced prizes.

Numerous individuals have so far pledged a mixture of cash, booze and patent application payments if you can clone someone's fingerprint (it can be one of your own, which simplifies the experimentation) and unlock an iPhone 5s.

Actually, the rules are a little stricter than that: you have to "lift" a fingerprint off something else the user has touched, so you're not allowed to press your finger into a Gummi Bear and then swipe the confectionery over your iPhone.

A Gummi Bear hack would be cool if it worked, but it wouldn't be enough to walk off with what currently amounts to about US$15,000 in cash, several litres of spiritous liquor, roughly 20 Bitcoins in various fragmentary sizes, "one free patent application covering the hack", and more.

Here's what you need to do:

It sounds like an interesting and amusing experiment, and I look forward to seeing if anyone can find a way to defeat the sensor reliably.

The Touch ID sensor isn't supposed to work with a severed finger, which is a modest comfort, although ironically it implies that a genuinely desperate and violent criminal would need to threaten you with worse than merely cutting off your finger to force you to unlock your phone against your will.

On the other hand, we know Touch ID doesn't actually need a finger, or even a human being, as Darrell Etherington over at TechCrunch discovered "after commandeering a cat."

Fancy giving it a try? (Cloning a fingerprint, not commandeering a cat.)

Go for it, although if you succeed, you'll have another set of problems to solve: actually getting your prizes out of the crowdsourcers.

According to the website, even the terms and conditions are "up to each individual bounty offerer," which sounds as though things might get labyrinthine.

And the lion's, or at least the cat's, share of the prize money so far ($10k of it) has been put up by a venture capital startup that seems to be having trouble paying to keep its website running right now, let alone coming up with ten large ones for left-field experiments into fingerprint trickery:

But you won't be doing it for the money, I'm sure - you'll do it for the fame, right? (That's listed as one of the prizes.)

Image of fingerprint on main page courtesy of Shutterstock.

4 Responses to Win Bitcoins, booze and cash! Be the first to crack the iPhone's Touch ID fingerprint sensor...

  1. spryte · 306 days ago

    I'm in !!

    Who's providing the phones to work on??

  2. Chris · 306 days ago

    This isn't gonna work, because apparently the sensor detects a pulse.
    The same reason that you can't cut off someone's finger to use their iPhone.

    • Paul Ducklin · 306 days ago

      Does a severed finger fail to work because it has no pulse, or for some other reason?

      Capacitance, conductivity, coercivity, clamminess, colour, and so on?

      Are you sure about "detecting a pulse"? Sounds unlikely to me...

  3. Anyone got a phone I can borrow? I think I have a pretty good idea of how I can do this with a piece of packing tape, a gummy bear, a scissors and an iPod stylus

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog