No joke, iPhone 5S Touch ID faces hack bounty

Apple's new fingerprint sensor Touch ID becomes the focus of a hack bounty, but with a twist. Rewards include cash, but also a patent application, some Scotch, and a book of erotica.

Play

The iPhone 5S won't hit the streets until tomorrow, but there's already more than $16,000 in cash offered to the first person to hack its Touch ID fingerprint sensor.

IsTouchIDhackedyet.com is the brainchild of Nick DePetrillo, an independent security researcher whose last major public research was 2010's Carmen San Diego Project .

Soon after DePetrillo promoted the Touch ID site on Twitter, he was joined by Robert David Graham, a security researcher at Errata Security who created one of the first personal firewalls, and most recently the sidejacking technique for "eavesdropping" on browser cookies. Graham manages the pledges and runs IsTouchIDHackedYet.com.

At the time of writing, the overall bounty is valued at more than $16,000. The cash bounty stands at $14,609 in US dollars, two-thirds of which comes from one researcher, and 8.151159 BitCoin, which currently converts to US$1,021. Other incentives include a free application from CipherLaw to patent the hack; several bottles of alcohol including Laphroaig, Maker's Mark, Argentine wine, Patron Silver, and Bulleit bourbon; a "dirty sex book," and an iPhone 5C.

To earn the bounty, DePetrillo spelled the rules out on Twitter. He wants to see video evidence of a successful iPhone unlock with a copied fingerprint. The video must show evidence of the fingerprint enrollment, the lifting of the print, the print reproduction, and phone unlock using the print.

Originally, Graham and DePetrillo believed that it would take a long time for the Touch ID sensor to get hacked. The rapidly-growing bounty, only two days old, has changed that.

"Now that it's up past $16,000, the problem may get solved sooner than we thought," Graham said. But, he said, Touch ID will be hacked independently of the bounty value.

"I'm guessing the amount of the bounty correlates more with how much press this gets, rather than the actual difficulty," he said. And difficult it is, they said, describing hacking the sensor as a "tough problem."

Apple did not respond immediately for comment. CNET will update the story when they get back to us.

Apple, said the researchers, is probably enjoying the attention the sensor is getting. "I think Apple is quietly amused," said Graham. "I'm sure their engineers are confident in their abilities to address all conceivable weaknesses -- yet worried about inconceivable techniques hackers might come up with," he said.

The bounty site got started when DePetrillo invited Graham to manage the bounty. DePetrillo chose Graham, whose grandfather was a World War II code-breaker, because he's "trustworthy, honest, intelligent and quite handsome," he told CNET.

Once Graham put the first four bounties offered on the site, they started using the eponymous hashtag. The bounty resembles one from a few years ago, when Adafruit Industries offered a bounty to hack the Kinect's motion sensor .

Assuming the sensor does get hacked, Graham and DePetrillo will pay out the bounties they've offered immediately. However, it will be up to the winner to collect the bounties from everyone else. So, if you're the lucky hacker who can crack the Touch ID sensor, you might wind up more of a literal bounty hunter than you expected.

 

Join the discussion

Conversation powered by Livefyre

Show Comments Hide Comments