The fingerprint sensor on Apple’s new iPhone 5s could well be the device-within-a-device that brings biometrics into the everyday mainstream.
(There’s good and bad in that. The good news is that if you paid extra for a laptop, years ago, because it had a fingerprint scanner you could never get to work, you’ll no longer be seen as a technology sucker but as an early adopter.
The bad news is that any hope of arguing for the end of fingerprint scanners in US immigration lines will be lost forever. Heck, if you can do it for Apple, you can do it for Uncle Sam!)
For all that I recently wrote – this very morning, in fact – that convenience is “one of security’s mortal enemies,” Apple’s Touch ID might end up as a blessing in disguise entirely on account of its ease of use.
People who are too lazy to bother with proper passwords or even four-digit passcodes on their phones (like Marissa Mayer, CEO of Yahoo!, no less) might be willing to use Touch ID, since it makes it slicker for them to get back into their phone one-handed.
But one burning question still remains, and in common with many Naked Security readers, you’re probably asking it yourself: “How safe is it?”
Could you defeat it with a gelatin mould, for example?
Well, if you’re willing to put Touch ID to the test, you might find yourself in line for some crowdsourced prizes.
Numerous individuals have so far pledged a mixture of cash, booze and patent application payments if you can clone someone’s fingerprint (it can be one of your own, which simplifies the experimentation) and unlock an iPhone 5s.
Actually, the rules are a little stricter than that: you have to “lift” a fingerprint off something else the user has touched, so you’re not allowed to press your finger into a Gummi Bear and then swipe the confectionery over your iPhone.
A Gummi Bear hack would be cool if it worked, but it wouldn’t be enough to walk off with what currently amounts to about US$15,000 in cash, several litres of spirituous liquor, roughly 20 Bitcoins in various fragmentary sizes, “one free patent application covering the hack”, and more.
Here’s what you need to do:
It sounds like an interesting and amusing experiment, and I look forward to seeing if anyone can find a way to defeat the sensor reliably.
The Touch ID sensor isn’t supposed to work with a severed finger, which is a modest comfort, although ironically it implies that a genuinely desperate and violent criminal would need to threaten you with worse than merely cutting off your finger to force you to unlock your phone against your will.
On the other hand, we know Touch ID doesn’t actually need a finger, or even a human being, as Darrell Etherington over at TechCrunch discovered “after commandeering a cat.”
Fancy giving it a try? (Cloning a fingerprint, not commandeering a cat.)
Go for it, although if you succeed, you’ll have another set of problems to solve: actually getting your prizes out of the crowdsourcers.
According to the website, even the terms and conditions are “up to each individual bounty offerer,” which sounds as though things might get labyrinthine.
And the lion’s, or at least the cat’s, share of the prize money so far ($10k of it) has been put up by a venture capital startup that seems to be having trouble paying to keep its website running right now, let alone coming up with ten large ones for left-field experiments into fingerprint trickery:
But you won’t be doing it for the money, I’m sure – you’ll do it for the fame, right? (That’s listed as one of the prizes.)