updated 07:20 pm EDT, Sun September 22, 2013
Hacker group offering unusual reward for breaking iOS authentication
A group in German claims to have successfully worked around Apple's new Touch ID biometric system, albeit using an extremely elaborate system to do so, involving a high-resolution lifted fingerprint and creating a "fake finger" that mimics a real one that has the lifted fingerprint printed onto latex milk or wood glue and then applied -- and of course physical access to the iPhone that utilizes that particular fingerprint. A different hacker group is offering a reward for such a solution, including cash, Bitcoins, liquor and books as a reward.
The German group issued a statement criticizing the biometric industry for making false claims about how secure fingerprint-based locking is, CNN reports. For most people, however, the group would seem to have undermined its own arguments with the elaborateness and extent of the work involved to bypass the Touch ID lock.
Apple automatically disables the Touch ID system and reverts back to a (simple or complex) passcode if the finger hasn't been used to unlock the iPhone within the last 48 hours. This means thieves would have to obtain the iPhone and the fingerprint, make the "fake finger" sheet and get it to the point where it could successfully unlock the phone very quickly.
Users who actually have classified or highly-sensitive information on their iPhone are likely to use complex passcodes, remote management or wipe, Activation Lock, Find My iPhone and many other safeguards in addition to Touch ID. Such measures make the possibility of an actual "sensitive" iPhone getting bypassed in this manner even more remote -- though the group makes a fair point that fingerprints can often be recovered fairly easily in real-world situations and aren't an end-all solution for security (nor has Apple attempted to market the Touch ID feature in that manner).
Senator Al Franken noted some shortcomings of using fingerprints as passwords in his letter to Apple CEO Tim Cook, saying that while passwords can be secret and easily changed if they are discovered, fingerprints are permanent and public." Franken's letter included some other questions regarding the future of the technology (such as whether it would be available to third parties, which would introduce further risks).
However, Franken's letter didn't acknowledge that Apple has already published safeguards and explanations of how the technology works, including fallbacks -- and the fact that TouchID is not required nor warranted to be foolproof. It is simply designed to be another obstacle for potential thieves and hackers to overcome compared to the security built into most other modern smartphones.
It is unclear if the workaround devised by the German group qualifies for the $16,000 prize from istouchidhackedyet.com, but the site has said that it seeks a reliable and repeatable way to "break into an iPhone 5s by lifting prints." with the community offering items and cash to sweeten the prize. Reuters reports that a venture capital firm has put up $10,000 towards the reward, saying it wants to help fix any problems found with Touch ID "before it becomes a problem" and that the competition will help "make things safer." The co-founder of the istouchidhackedyet website has said that he believes Apple has done a good job on making the new technology secure, but wants to engage the hacker community to be sure.
But lest anyone believe that the technology is impervious, a Minnesota man has posted a video setting the record straight. The Touch ID system works with animals as well as humans, he discovered, demonstrating that a chihuahua with a captured "pawprint" can also unlock the iPhone 5s
Neither group has shown any interest in trying to unlock the captured digital image information captured by the sensor, which is said by Apple to be stored in a "secure enclave" within the A7 processor. Presuming the data is strongly encrypted as Cook has said, it should be nearly impossible for even those with sufficient time and unlimited access to the workings of the chip to recreate the fingerprint data -- though ironically it may be possible to lift at least a partial high-resolution print of the users' preferred digit right from the sapphire glass used to protect the sensor on the iPhone 5s' home button.