iPhone 5s draws hackers’ attention with fingerprint ID
Hackers are gearing up for today’s iPhone 5s release with a contest to crack the device’s first-ever fingerprint scanner, a high-tech feature that Apple says makes users’ data more secure.
A micro venture capital firm joined a group of security researchers to offer more than $13,000 in cash along with bottles of booze, Bitcoin currency, books and other goodies to the first hacker who breaks the device in a contest promoted on the website istouchidhackedyet.com.
Arturas Rosenbacher, founding partner of Chicago’s IO Capital, which donated $10,000 to the hacking competition, said that the effort will bring together some of the hacking community’s smartest minds to help Apple identify bugs that it may have missed.
“This is to fix a problem before it becomes a problem,” he said. “This will make things safer.”
Among those getting ready for the hacking contest is David Kennedy of TrustedSec. “I am just waiting to get my hands on it to figure out how to get around it first,” the founder of the DerbyCon hacking conference told the Thomson Reuters Global Markets Forum this week. “I’ll be up all night trying.”
Kennedy said he needs to examine the new iPhone to figure out how to best attempt an attack. He said his choices include hacking the software that analyses the fingerprint data, or physically opening up the phone and connecting it to a custom-built device that would impersonate Apple’s fingerprint reader.
He added that it might be possible to lift a user’s fingerprint from elsewhere on the device and somehow make a clone of it.
Security experts worry about the implications of using the module to grant access to sensitive data on the phone and potentially enabling mobile purchases.
Security engineer Charlie Miller, known in hacking circles for uncovering major bugs in the iPhone as well as circumventing security in Apple’s App Store, said it could take fewer than two weeks for Kennedy or some other smart hacker to get around the new lock.
Once they’re in, they could gain access to the cornucopia of data typically stored on a user’s iPhone and might potentially be able to buy goods from iTunes and Apple’s App Store. Miller declined to comment on the hacking contest or potential security vulnerabilities in the fingerprint reader.
This is definitely something to target and something people will want to go after
Indeed, experts say they know of nothing intrinsically wrong with Apple’s fingerprint reader, based on what the company has so far disclosed.
The reader’s sapphire crystal sensor is embedded in the phone’s home button and reviews the fingerprint as a user touches it to verify his or her identity.
Data used for verification is encrypted and stored in a secure enclave of the phone’s A7 processor chip. No information is sent to any remote servers, including Apple’s iCloud system.
HD Moore, a hacking expert and chief researcher with the security software maker Rapid7, said such protections mean “the bar is a little bit higher,” but that certainly won’t discourage hackers from trying to break the new technology.