Apple iPhone 5s fingerprint sensor hacked - Action News
Home WebMail Wednesday, November 13, 2024, 06:58 AM | Calgary | -0.3°C | Regions Advertise Login | Our platform is in maintenance mode. Some URLs may not be available. |
Science

Apple iPhone 5s fingerprint sensor hacked

A German hacker will collect a bounty worth more than $7,000 and a few bitcoins after creating a fake finger from a photo of a fingerprint that was able to foil the Touch ID fingerprint sensor on Apples new iPhone 5s and unlock the device.

Starbug of Chaos Computer Club wins bounty worth thousands

A hacker who calls himself Starbug fooled Apple's Touch ID fingerprint sensor by laser printing out a photograph of a fingerprint and using it as a mould to create a fake finger. (Andy Wong/Associated Press)

A German hacker will collect a bounty worth thousands of dollars and several bitcoins after creating a fake finger from a photo of a fingerprint that was able to foil the Touch ID fingerprint sensor on Apples new iPhone 5s and unlock the device.

It's official. Starbug of the CCC has been declared the winner of #istouchidhackedyet http://www.istouchidhackedyet.com Congrats! Video to come soon, tweeted Nick DePetrillo, one of the two U.K.-based computer security researchers who founded the bounty, around 2 p.m. ET.

The Chaos Computer Club posted a video of the phone being unlocked using the fake finger and posted a description of the technique in a news release Saturday. That likely makes them eligible to collect a crowdfunded bounty worth thousands of dollars, which was started by a group of computer security researchers to award to the first person to hack Touch ID.

The Chaos Computer Clubs method involves the following steps:

  1. The fingerprint of the iPhones owner is photographed with a 2400 dpi resolution. Sprinkling it with coloured powder makes it more visible to the camera.
  2. The image is cleaned and inverted, so that the parts of your fingerprint that are normally raised appear white, and the valleys appear dark. The image is laser printed at 1200 dpi resolution onto a transparent plastic sheet with a thick toner setting.
  3. A substance such as white wood glue is smeared over the laser printed image on the transparent sheet, filling the spaces between the toner.
  4. After it dries into a single film, the fake finger is peeled off the plastic sheet.
  5. It is moistened slightly with a persons breath and then can be used to unlock the phone.
A graphical illustration of how to fake a fingerprint, according to the process used by the hacker collective the Chaos Computer Club, which was able to fool the fingerprint sensor on the new iPhone 5S. (CBC)

The method is not new the group had published the instructions online in 2004.

The only difference with Apples fingerprint sensor is its resolution is higher than that of previous sensors, requiring a higher resolution fake, the group reported.

"We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you cant change and that you leave everywhere every day as a security token, said Frank Rieger, a spokesman for the group, in a statement.

The Chaos Computer Club has submitted their work to a contest that is offering a bounty to anyone who can hack Touch ID.

IsTouchIDHackedYet.com was launched by DePetrillo and fellow internet security specialist Robert David Grahamon Sept. 18, two days before the new iPhones hit store shelves. DePetrillo and Graham each committed $100 to the bounty, which now sits at several thousand dollars, a few bitcoinsand several bottles of booze.

It declared Starbug the winner around 2 p.m. ET Monday, after the technique was reproduced by several other people, confirming that it worked.

However, Jim Denaro, an intellectual property lawyer who is supporting the bounty with the offer of a free patent of the hacking technique, noted on Twitter that each bounty contributor retains complete discretion whether to award it based on the hack.

Denaros Washington, D.C.-based firm, CipherLaw, is safeguarding some of the bounty money that has already been paid until it can be awarded.

Arturas Rosenbacher, a founding partner at Chicago-based IO Capital, which committed $10,000 to the bounty, announced Monday that he will contribute the money only for a software or hardware solution, rather than lifting prints. His name has been crossed out on the bounty page with the words reneged, wont pay.