Touch ID Hack Pledges Near $20,000

A crowdsourced effort to spur interest in breaking Apple’s latest security enhancement to the iPhone – the Touch ID fingerprint sensor – has resulted in an ad hoc bounty programme that reached nearly $20,000 (£15,200) in less than two days.

As of Monday morning, Germany’s Chaos Computer Club claimed to have hacked Touch ID, but had not yet provided proof of their exploit sufficient to convince the prize programme’s creators.

Fingerprint identification

A series of bantering tweets between security researchers on 18 September evolved into a site, IsTouchIDHackedYet.com, that tracks the individual bounties pledged by people on Twitter. So far, 92 people have contributed to the fund, offering anything from $100 to bitcoins to alcohol to even a patent application on the resulting technique. As of noon Eastern Time on 20 September, the total of the cash and prizes stood near $20,000.

The trio who kicked off the effort – Nick Depetrillo, Robert Graham and a researcher who uses the moniker “The Grugq” – started by offering $100 each as a way to quiet critics who argued that hacking the Touch ID fingerprint sensor technology would be trivial, requiring no more effort than lifting a fingerprint off a champagne glass, as Nicolas Cage did in the film “National Treasure”.

“I will pay the first person who successfully lifts a print off the iPhone 5S screen, reproduces it and unlocks the phone in < 5 tries $100,” Depetrillo, a security researcher, tweeted on 18 September. “All I ask is a video of the process from print, lift, reproduction and successful unlock with reproduced print. I’ll put money on this.”

Announced earlier this month at the unveiling of the iPhone 5S, Apple’s Touch ID fingerprint sensor uses technology from AuthenTec, which Apple acquired last year. The technology does not digitise the fingerprint’s optical image but, rather, scans the subdermal layer for the unique details of the fingerprint, the company said in its presentation.

Anyone who is able to break the security of the technology will have deserved the money, Graham, chief executive of Errata Security and creator of the IsTouchIDHackedYet website, told eWEEK.

“The point is that we think it is going to be hard to crack,” he said. “Apple engineers are smart people, and this is not an optical reader.”

Serious funds

While the effort has quickly snowballed into a viral campaign, it became a serious bounty programme when Arturas Rosenbacher, a student and serial entrepreneur, pledged $10,000 in prize money. Rosenbacher, a founding partner at micro-investment venture firm I/O Capital Partners, said he wanted to incite more research interest in breaking the security of Apple’s fingerprint-sensing technology.

“It’s not necessarily about the money or the hacking,” he told eWEEK. “It is to give the initiative for others to take on this problem.”

Unlike with other bounty programmes that pay a single lump-sum prize, the winner of the Touch ID hacking bounty will have to collect from each individual, although Graham and Depetrillo have pledged to help track down any holdouts.

“If someone meets the requirements for hacking the Touch ID and claims the prize http://istouchidhackedyet.com/ will then track any dead beats!!” Depetrillo tweeted.

Do you know all about mobile operators in Britain? Take our quiz.

Originally published on eWeek.