Apple iPhone 5s fingerprint sensor hacked

CBC

A German hacker will collect a bounty worth thousands of dollars and several bitcoins after creating a fake finger from a photo of a fingerprint that was able to foil the Touch ID fingerprint sensor on Apple’s new iPhone 5s and unlock the device.

“It's official. Starbug of the CCC has been declared the winner of #istouchidhackedyet http://www.istouchidhackedyet.com Congrats! Video to come soon,” tweeted Nick DePetrillo, one of the two U.K.-based computer security researchers who founded the bounty, around 2 p.m. ET.

The Chaos Computer Club posted a video of the phone being unlocked using the fake finger and posted a description of the technique in a news release Saturday. That likely makes them eligible to collect a crowdfunded bounty worth thousands of dollars, which was started by a group of computer security researchers to award to the first person to hack Touch ID.

The Chaos Computer Club’s method involves the following steps:

The method is not new – the group had published the instructions online in 2004.

The only difference with Apple’s fingerprint sensor is its resolution is higher than that of previous sensors, requiring a higher resolution fake, the group reported.

“"We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can´t change and that you leave everywhere every day as a security token,” said Frank Rieger, a spokesman for the group, in a statement.

The Chaos Computer Club has submitted their work to a contest that is offering a bounty to anyone who can hack Touch ID.

IsTouchIDHackedYet.com was launched by DePetrillo and fellow internet security specialist Robert David Graham on Sept. 18, two days before the new iPhones hit store shelves. DePetrillo and Graham each committed $100 to the bounty, which now sits at several thousand dollars, a few bitcoins and several bottles of booze.

It declared Starbug the winner around 2 p.m. ET Monday, after the technique was reproduced by several other people, confirming that it worked.

However, Jim Denaro, an intellectual property lawyer who is supporting the bounty with the offer of a free patent of the hacking technique, noted on Twitter that each bounty contributor “retains complete discretion whether to award it based on the hack.”

Denaro’s Washington, D.C.-based firm, CipherLaw, is safeguarding some of the bounty money that has already been paid until it can be awarded.

Arturas Rosenbacher, a founding partner at Chicago-based IO Capital, which committed $10,000 to the bounty, announced Monday that he will contribute the money only for a software or hardware solution, rather than lifting prints. His name has been crossed out on the bounty page with the words “reneged, won’t pay.”

  • Up next
  • Up next
  • Up next
  • Up next

Latest Stories