Hackers offered cash, booze to crack iPhone fingerprint security

By Jim Finkle

BOSTON (Reuters) - Hackers are gearing up for Friday's iPhone 5S release with a contest to crack the device's first-ever fingerprint scanner, a high-tech feature that Apple Inc says makes users' data more secure.

A micro venture capital firm joined a group of security researchers to offer more than $13,000 in cash along with bottles of booze, Bitcoin currency, books and other goodies to the first hacker who breaks the device in a contest promoted on the website http://istouchidhackedyet.com/.

Arturas Rosenbacher, founding partner of Chicago's IO Capital, which donated $10,000 to the hacking competition, said that the effort will bring together some of the hacking community's smartest minds to help Apple identify bugs that it may have missed.

"This is to fix a problem before it becomes a problem," he said. "This will make things safer."

Meanwhile, Forbes.com reported that a 36-year-old soldier living in Spain's Canary Islands, Jose Rodriguez, has already uncovered a security vulnerability affecting iOS 7, which Apple began distributing to existing iPhone and iPad customers on Wednesday.

The publication said that it is possible to bypass the lock screen of those devices in seconds to access photos, email, Twitter and other applications. It included a video demonstration on its website and advice on how users could thwart the bypass technique: http://onforb.es/16IU6Y3

Apple spokeswoman Trudy Muller told Reuters that the company was preparing a fix that it would deliver as an update to iOS 7 when it was ready. "Apple takes user security very seriously," she said.

Among those getting ready for the hacking contest is David Kennedy, a former U.S. Marine Corps cyber-intelligence analyst who did two tours in Iraq and now runs his own consulting firm, TrustedSec LLC.

"I am just waiting to get my hands on it to figure out how to get around it first," the founder of the DerbyCon hacking conference told the Thomson Reuters Global Markets Forum this week. "I'll be up all night trying."

WHY WORRY?

Security experts worry about the implications of using the module to grant access to sensitive data on the phone and potentially enabling mobile purchases.

The fingerprint scanner on the top-of-the-line iPhone lets users unlock their devices or make purchases on iTunes by simply pressing their finger on the home button. It has been hailed as a major step in popularizing the use of biometrics in personal electronics.

Security engineer Charlie Miller, known in hacking circles for uncovering major bugs in the iPhone as well as circumventing security in Apple's App Store, said it could take fewer than two weeks for Kennedy or some other smart hacker to get around the new lock.

Once they're in, they could gain access to the cornucopia of data typically stored on a user's iPhone and might potentially be able to buy goods from iTunes and Apple's App Store.

Miller declined to comment on the hacking contest or potential security vulnerabilities in the fingerprint reader.

To be sure, experts say they know of nothing intrinsically wrong with Apple's fingerprint reader, based on what the company has so far disclosed. Reviewers this week gushed over its ease of use and reliability.

The reader's sapphire crystal sensor is embedded in the phone's home button and reviews the fingerprint as a user touches it to verify his or her identity.

Data used for verification is encrypted and stored in a secure enclave of the phone's A7 processor chip. No information is sent to any remote servers, including Apple's iCloud system.

HD Moore, a hacking expert and chief researcher with the security software maker Rapid7, said such protections mean "the bar is a little bit higher," but that certainly won't discourage hackers from trying to break the new technology.

"This is definitely something to target and something people will want to go after," he said.

NOTHING PERSONAL

Apple shouldn't take hackers' enthusiasm personally.

All major electronics products are subjected to similar scrutiny as new features are rolled out, including devices from Google Inc, Microsoft Corp and Samsung Electronics Co.

For example, in 2012, Charlie Miller led a team that demonstrated techniques for taking over smartphones running Google's Android software through their use of near-field communications, or NFC, a wireless technology used for sharing data or making purchases at point-of-sale terminals.

Bugs are often disclosed by "white hats," hackers who unearth flaws and report them so manufacturers can repair them, preventing criminal exploitation. The hope is the good guys find them before "black hats" uncover them.

White hats have found multiple security issues with iPhones, iPads and in the App Store since Apple launched its first smartphone in 2007. They say that scrutiny has helped make it one of the most secure devices on the market today.

Apple executives said at last week's iPhone launch that the new fingerprint reader, dubbed Touch ID, will help make phones far more secure by dint of its ease of use.

About half of all smartphone users don't bother to use current screen-locking technology because of the inconvenience of keying in multiple-digit passwords. Apple is betting users may be far more willing to avail themselves of a solution that requires a single finger-swipe.

"The technology within Touch ID is some of the most advanced hardware and software we put in any device," Dan Riccio, senior vice president of hardware engineering, said at the event.

Kennedy said he needs to examine the new iPhone to figure out how to best attempt an attack.

He said his choices include hacking the software that analyzes the fingerprint data, or physically opening up the phone and connecting it to a custom-built device that would impersonate Apple's fingerprint reader.

He added that it might be possible to lift a user's fingerprint from elsewhere on the device and somehow make a clone of it.

Rich Mogull, an analyst with the security research firm Securosis, said he planned to use it and expects it to be widely adopted despite the fact that hackers are circling.

"Nobody has gotten their hands on it to see what the weaknesses are and how easy it is to crack," Mogull said.

"We'll have to wait to see." (Editing by Edwin Chan, Andrew Hay, Cynthia Osterman and Kenneth Barry)
