iPhone Fingerprint Reader Already Hacked

UPDATED 4:15 p.m. ET Monday with confirmation of method and awarding of contest winnings.

Has the new iPhone's Touch ID fingerprint reader been cracked?

It might have been, say the security researchers running a contest to see who can fool it first, but they need a little more proof.

"Yes," read the IsTouchIDHackedYet.com website this morning (Sept. 23), after changing its message from an earlier "Maybe" that was posted last night (Sept. 22).

"The Chaos Computer Club in Germany may have done it! Awaiting video showing them lifting a print (like from a beer mug) and using it to unlock the phone. If so, they'll win."

Meanwhile, an Indiana venture capitalist who pledged $10,000 to the contest pool waffled on his donation, suddenly deciding that he would set his own contest rules. That reduces the IsTouchIDHackedYet contest prize to about $7,500, plus several bottles of liquor.

MORE: 15 Best iOS 7 Apps

Lifting prints to hack the iPhone 5s

Members of Berlin's Chaos Computer Club hacker group yesterday (Sept. 22) posted two YouTube videos that appear to show phony fingerprints imprinted on plastic sheets unlocking an iPhone 5s.

The first video shows a man, presumably lead hacker "Star Bug," registering his right index finger with Touch ID, then sticking a piece of plastic on his middle finger to unlock the phone.

The second video shows what appears to be the same man again registering his right index finger, but this time, a second man using a plastic sheet over his own right index finger unlocks the phone.

By using real fingers to apply the fake fingerprints, the users would defeat the electrical sensor built into the Touch ID reader that makes sure a living finger is touching the phone.

"A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID," read an English-language post on the Chaos Computer Club's website. "This demonstrates — again — that fingerprint biometrics is unsuitable as access control method and should be avoided."

The club also posted detailed instructions on how to fake the fingerprint.

"First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution," a summary of the instructions said. "The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting.

"Finally, pink latex milk or white wood glue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone."

The resulting video is almost, but not quite, enough to satisfy the organizers of the IsTouchIDHackedYet.com contest.

"They say they are imaging the print, which is the missing bit we want on video," tweeted contest organizer Robert David Graham, co-founder and chief technology officer of Errata Security in Atlanta. "I'm probably gonna call the CCC video 'good enough' no matter what — but I'm still gonna hate them :)"

Graham has put $500 into escrow for the prize, as have several other hackers and security researchers, for a total of $900.

Others have pledged about $6,000 in cash, half a dozen bottles of expensive liquor and 10.41 Bitcoin, currently worth about $1,300.

Meanwhile, other ways to unlock an iPhone running iOS 7 have appeared, including one that uses Siri to talk through the phone's normal security barriers.

MORE: Is iPhone Fingerprint Security Secure At All?

Withdrawal of funds

Not included in the total is the $10,000 initially pledged by Bloomington, Ind.-based investor Arturas Rosenbacher, principal of I/O Capital Partners.

After allegedly telling several news organizations Friday that he was one of the organizers of the contest (he wasn't), Rosenbacher over the weekend decided that the contest wasn't for him.

"I/O Capital Partners will not and has not escrowed any amount of money or goods in relation to any stated or non-stated winner of the competition," Rosenbacher wrote on his company's website yesterday. "With this amount of money, stated at Ten Thousand Dollars and Zero Cents ($10,000.00), all financial transactions and releases will be fully internal within I/O Capital Partners, under its own Terms & Conditions, fully separate from any other entity, including the #IsTouchIDHackedYet competition and all representatives."

ZDNet writer Violet Blue documented that Rosenbacher had given interviews to CNBC, Bloomberg TV, the London Telegraph and other outlets in which he seemed to be speaking for the contest organizers.

"By having a competition like this we're only making the software more secure, and we're only making the hardware that much harder to penetrate," Rosenbacher told Mashable.

But, as someone pointed out on Twitter to Rosenbacher, who was "we"?

"Let me make this clear," wrote contest organizer Nick de Petrillo, a Washington, D.C.-based security researcher, on Twitter yesterday. "@arturas is not reviewing anything nor is he a judge in @ErrataRob and my Touch ID Hack challenge. He is misleading."

Rosenbacher has deleted all his tweets in which he refers to the contest.

That's one way to use Touch ID

Meanwhile, de Petrillo may have found a sure-fire way to secure his iPhone 5s.

"I just enrolled my penis in Touch ID on my iPhone and successfully unlocked it with my penis," he tweeted Saturday. "Am I the first to have tested this? #notjoking"

"Now no one will ever, ever steal your phone," replied security researcher Andrew Ruef. "[Is this] the secret to the correct use of Touch ID?"

UPDATE: The organizers of the IsTouchIDHackedYet contest confirmed at about 2:30 ET today (Sept. 23) that the method demonstrated on YouTube by Starbug of the Chaos Computer Club does indeed work. Starbug will receive the prize winnings.

"We don't have exactly the video we wanted from him, but others have confirmed it," wrote contest organizer Robert David Graham on the IsTouchIDHackedYet.com website. "We are in contact with Starbug — he's working on the video for us (apparently he's got a day job that delays things), but since we have several confirmations, it's pointless to hold things up."

Graham wrote that Starbug will be donating his winnings to Raumfahrtagentur ("Space Travel Agency"), a hacker space in Berlin. The IsTouchIDHackedYet.com posting includes Bitcoin, Paypal, bank-transfer and physical-address information for anyone who wants to donate pledged money directly to Starbug.

Others who duplicated Starbug's results included legendary hacker Peiter "Mudge" Zatko, a founder of the 1990s L0pht hacker collective in Boston, former research official at the Pentagon's Defense Applied Projects Research Agency and current Google employee, and Marc Rogers, a security researcher at Lookout Mobile Security in San Francisco.

Rogers posted two videos on YouTube yesterday that more or less echoed Starbug's, with non-enrolled fingers, one belonging to Rogers' wife, unlocking an iPhone that had been "enrolled" with Rogers' right thumbprint.

Graham posted a brief analysis of the contest results on his company's blog.

"What does this mean?" Graham wrote. "First, of all, it means Nick de Petrillo and I were wrong. We claimed it'd be harder."

But it's about much more than just losing money, Graham added.

"Many people claim this hack is 'too much trouble.' This is profoundly wrong," he wrote. "Just because it's too much trouble for you doesn't mean it's too much trouble for a private investigator hired by your former husband. Or the neighbor's kid. Or an FBI agent.

"As a kid, I attended science fiction conventions in costume, and had latex around the house to get those Vulcan ears to look just right," Graham added. "This sort of stuff is easy, easy, easy — you just need to try."

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

TOPICS
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.