Hackers claim first iPhone 5s fingerprint reader bypass; bounty founder awaiting verification

Hackers claim first iPhone 5s fingerprint reader bypass; bounty founder awaiting verification

Summary: One hacker group claims to have bypassed the Apple iPhone 5s fingerprint reader. ZDNet spoke to the founder of a bypass-seeking bounty on how the alleged hack will be verified.

TOPICS: Security, Mobility
iPhone 5s' fingerprint reader, dubbed "Touch ID." (Image: Apple)

Hackers from the Germany-based Chaos Computer Club (CCC) claim to have bypassed the fingerprint reader in Apple's iPhone 5s, dubbed "Touch ID," just two days after the smartphone first went on sale.

In a statement on its website, the CCC confirmed that the bypass had taken place, adding: "A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with Touch ID."

The video posted online on Sunday shows one user enrolling their finger, while later accessing the device using a different finger with a high-resolution latex or wood glue cast. The group detailed in a blog post how it accessed the device using a fake print by photographing a fingerprint and converting it.

"Apple's sensor has just a higher resolution compared to the sensors so far," said CCC spokesperson Frank Rieger on the group's website. "So we only needed to ramp up the resolution of our fake."

The Chaos Computer Club is one of the longest-running hacking groups in the world. The CCC produces the world's oldest hacking conference, and this year will celebrate its 30th gathering ("30C3") in Hamburg, Germany, in December.

Bounty on deck, pending confirmation

Nick Depetrillo, who spoke to ZDNet on the phone on Sunday, explained how he set up a fingerprint reader bypass bounty as "putting my money where my mouth is." He submitting $100 of his own money into the crowdsourced pot.

Working in conjunction with cybersecurity expert Robert Graham, who added $500 out of his own pocket to the mix, the two set up the website istouchidhackedyet.com, which catalogs those who pledge money to cracking the iPhone 5s' security feature.

The website has been updated with a "Maybe!" message, confirming that a submission has been made by the hacker group, but noted that verification is still pending. To win the bounty, security researchers must video the lifting of a print, "like from a beer mug," and show it unlocking the phone, the website states.

Describing the collective bounty as an "honor system," Depetrillo's website has cataloged thousands of dollars in cash (and hundreds of dollars escrowed by independent law firm CipherLaw), numerous bottles of liquor, a book of erotica, and even an iPhone 5c.

But according to ZDNet's Violet Blue, who covered this story earlier in September, some are exploiting the high-profile bounty in a bid to generate press attention. One venture capitalist, who was understood to have contributed $10,000 to the bounty — though they declined to add it to a secure escrow account — reportedly misrepresented the project and spoke for the crowdsourced project "at every press opportunity."

Many major news outlets as a result mistakenly attributed the project to the venture capitalist and not Depetrillo and Graham.

Review and judging process

Depetrillo explained that he, along with Graham, will review and judge the verification process.

"The Chaos Computer Club [or any other submitter] will need to show us a complete video, documentation, and walkthrough lifting the print, re-creating the print, and having one human enrol their finger and another human somehow unlock that phone using the first person's print," he said.

Depetrillo confirmed that there have been no other submissions yet, but noted that he has a "lot of respect for the CCC." He told ZDNet that he was "not surprised" when the hacker group appeared to be the first to submit a possible solution.

"When we get complete documentation, we will review it and post our own technical justifications why we think this is a winning solution," he added. "If we clearly see and understand this is a sufficient and satisfactory winning solution, we will declare them the winner.

"We want to convince everybody, not just ourselves, so that others could accept it as such. And everyone is free to debate it — and disagree with it. But if we believe there is a winner, we will hand over our promised money."

Depetrillo said this is a one-time bounty on his part, but noted that others are welcome to start their own crowdsourced efforts for any additional hacks or bypasses.

"But I look forward to sending my $100 to the winner," he said.

Related stories:

Topics: Security, Mobility

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Proofread your articles!!

    For the love of god, will someone over there either teach this kid how to write, or edit the corrections? Reads like a bunch of 6 yr old Russians put it through google translate :-/
    • That's why the world needs to stick with

      MS WORD!
  • It would be nice…

    If those reporting on this would also point out the additional security the 5s has. For example, if TouchID isn't used in 48 hours, or if the phone is rebooted, it reverts to requiring a passcode. If the phone is wiped, it requires apple account verification to reactivate it.

    TouchID is good to prevent someone from picking up or stealing your phone and immediately gaining access to it. Its been known for a long time that finger print scanners can be defeated. But someone isn't going to pick up your phone off the table at starbucks, lift the print off the screen and gain access while sitting there. Most likely if someone swipes the phone they'll shut it off to prevent tracking, in which case TouchID is disabled. You're also more likely to report the phone stolen and initiate a remote wipe before someone is able to defeat the scanner.

    It's good that someone figured out how to bypass it, but most people don't seem to read up or understand the full extent of the security (ok granted, there is currently a passcode bug, but that will get fixed. This basically just creates the usual hate game.
    • Also

      It is not yet clear if the fingerprint sensor has been properly trained. According to Apple the sensor re-trains itself after each next use and with each next use improves the fingerprint scan precision.

      Having the phone for less than 48 hours and spending most of this time to produce the latex print is not really 'hacking' the sensor. Especially considering the target would be iPhone users who use it regularly.

      Otherwise yes, having physical possession of your device, 48 hours to build fake fingers and access to your original fingerprints -- could let someone in.

      But then... if the iPhone hasn't been unlocked in 48 hours with a fingerprint, it will require the passcode and, even if the device owner hasn't wiped it by then, with physical access you can do anything to get the data off the device anyway. No need to hack that sensor.
  • Color me unimpressed

    So in order to breach the security of my iPhone 5s a hacker needs to gain physical possession of it?

    I'll take my chances. I'll begin to worry if someone manages a wireless hack.
  • Slow news day?

    It must be a slow news day.
  • Laughable ...

    Well gee ... if they had a 2400 dpi scan of my 12 digit secure alphanumeric password, I am almost sure they could gain access too.
  • Police Access

    What happens if you are arrested or questioned by the police with out a warrant. This can be used to obtain probable cause based on who you know or who you have been calling. The supreme court has ruled the police can access an unlocked phone without your permission. But if it locked you can refuse to give the access code based on the 5th amendment. What now? The courts have ruled finger prints to be public entities that can be obtained off of various surface without a warrant. Can they now unlock your phone with out your permission. Can they force you to push a button? This is a gray legal area that has not been properly discussed.
    • Police Access


      Or you could turn your iPhone off before surrendering it to the police upon request. Now a password is needed to access which is protected against unreasonable search which should work unless they waterboard you ;)
    • A thought about Police Access

      You have been arrested or have priors the cops have your finger prints. Use the same process, fait accompli.
      Not the first time 5th amendment been violated
  • knocked out

    What about when a thief knocks out the victim and uses ther finger to unlock the phone and restore to factory settings. They might even cut the finger off. how about the person who gets to drunk or gets slipped a roofie while the thief uses their finger. These scenarios can't happen with a pass code. A guarantee you will hear about one or more of these scenarios on the news.
  • Not a hack, but...

    This already reinforces what the IT security industry knew about biometrics. Biometrics is not a suitable stand-alone security measure. CCC pointed this out on the included link. This was not a hack but an already established cloning technique to foil biometrics. Biometrics are only effective when used in combination with a passcode (which is as easily breakable through social engineering) or smart card or other tool. Don't "secure" your smart phone with a fingerprint, period. If Apple wants to beef it up, they can add a step in the screen lock setting to add passcode to fingerprint. You should always enable complex pass codes, wipe and Find My iPhone and never store sensitive information on those things.