A German hacker will collect a bounty worth thousands of dollars and several bitcoins after creating a fake finger from a photo of a fingerprint that was able to foil the Touch ID fingerprint sensor on Apple’s new iPhone 5s and unlock the device.
“It's official. Starbug of the CCC has been declared the winner of #istouchidhackedyet http://www.istouchidhackedyet.com Congrats! Video to come soon,” tweeted Nick DePetrillo, one of the two U.K.-based computer security researchers who founded the bounty, around 2 p.m. ET.
The Chaos Computer Club posted a video of the phone being unlocked using the fake finger and posted a description of the technique in a news release Saturday. That likely makes them eligible to collect a crowdfunded bounty worth thousands of dollars, which was started by a group of computer security researchers to award to the first person to hack Touch ID.
The Chaos Computer Club’s method involves the following steps:
- The fingerprint of the iPhone’s owner is photographed with a 2400 dpi resolution. Sprinkling it with coloured powder makes it more visible to the camera.
- The image is cleaned and inverted, so that the parts of your fingerprint that are normally raised appear white, and the “valleys” appear dark. The image is laser printed at 1200 dpi resolution onto a transparent plastic sheet with a thick toner setting.
- A substance such as white wood glue is smeared over the laser printed image on the transparent sheet, filling the spaces between the toner.
- After it dries into a single film, the “fake finger” is peeled off the plastic sheet.
- It is moistened slightly with a person’s breath and then can be used to unlock the phone.
The method is not new – the group had published the instructions online in 2004.
The only difference with Apple’s fingerprint sensor is its resolution is higher than that of previous sensors, requiring a higher resolution fake, the group reported.
“"We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can´t change and that you leave everywhere every day as a security token,” said Frank Rieger, a spokesman for the group, in a statement.
The Chaos Computer Club has submitted their work to a contest that is offering a bounty to anyone who can hack Touch ID.
IsTouchIDHackedYet.com was launched by DePetrillo and fellow internet security specialist Robert David Graham on Sept. 18, two days before the new iPhones hit store shelves. DePetrillo and Graham each committed $100 to the bounty, which now sits at several thousand dollars, a few bitcoins and several bottles of booze.
It declared Starbug the winner around 2 p.m. ET Monday, after the technique was reproduced by several other people, confirming that it worked.
However, Jim Denaro, an intellectual property lawyer who is supporting the bounty with the offer of a free patent of the hacking technique, noted on Twitter that each bounty contributor “retains complete discretion whether to award it based on the hack.”
Denaro’s Washington, D.C.-based firm, CipherLaw, is safeguarding some of the bounty money that has already been paid until it can be awarded.
Arturas Rosenbacher, a founding partner at Chicago-based IO Capital, which committed $10,000 to the bounty, announced Monday that he will contribute the money only for a software or hardware solution, rather than lifting prints. His name has been crossed out on the bounty page with the words “reneged, won’t pay.”