UPDATED 00:04 EST / SEPTEMBER 23 2013

NEWS

iPhone 5S TouchID Fingerprint System Hacked – That Was Quick

Well, that didn’t take long.  On the heels of a pair of security bugs that circumvented the new phone’s lock screen and less than 72 hours after a bounty was put out on a hack for the new iPhone 5S TouchID system, it was announced that a hack of the fingerprint security system had been made.   A group based out of Germany known as Chaos Computer Club (CCC) revealed that it had defeated the system by replicating the owner’s fingerprints.  CCC demonstrated in a video of the hack in action.  It appears that the process involves reproducing lifted fingerprints and presenting it to the phone.  This type of hack is not entirely all that groundbreaking, given that many biometric devices are susceptible to this type of method, but what they have achieved however is that they have been able to find and breakthrough the limit of TouchID’s advanced technology.  Biometrics certainly have come a long way, but a defeat is a defeat.

Late last week ZDNet’s Violet Blue reported that an online contest had been started by hackers, with a growing reward on the line, a crowdsourced bounty in exchange for the first hack of this biometric lock.  All someone had to do to add to the bounty is tweet the amount and the #istouchidhackedyet hash tag.

The list at istouchidhackedyet.com is open to anyone who wants to join in offering a reward, and the amount total for doing the dirty deed is growing by the hour.

UPDATE 9/19 12:36 PDT: The total crowdsourced bounty for istouchidackedyet is now over $15,000 – VC firm and startup accelerator IO Capital has added $10,000 to the contest. Apple has not responded.

The iPhone 5S is already in “short supply” for Friday’s launch – and hackers are most certainly among those eager to get their hands on the premium phone.

The application of this methodology is not a surprise, as this type of tactic has been used elsewhere and hypothesized about in many places.  It’s also pretty clear that anytime such a new popular device hits the market that the infosec and hacker communities are going to try to verify just how secure that certain technology is.  Count on this:  the next thing the community is coming for is the hash.  That is the encrypted representation of the user’s fingerprint that is stored in the case of the iPhone 5S, on the phone’s processor.  If that is cracked and if it is something that can be reasonably reproduced, then the security benefits of this facet of the new phone is rather well defeated.

The prospects for that are hypothetically reasonable as the first challenge is getting access to the hash, probably the biggest piece of the puzzle.  From there is it possible to reverse engineer the system, and could malware be therefore written to exploit this?  How about leaking your unchangeable fingerprint to a third party?  Would it really be worth it or practical for any of this to happen?  We just don’t know.  Regardless of these workaround efforts and further attempts to defeat this phone’s security, there is an undeniable fact that prior to the introduction of iTouch, a significant percentage of people didn’t even lock their phones at all.  Therefore the option is still a huge advance in the security of Apple’s mobile phones, but as emphatically pointed out here, this does not mean that passwords will be replaced at least not in the enterprise.

http://www.youtube.com/watch?v=HM8b8d8kSNQ

 


A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU