UPDATE: In an earlier version of this story, we failed to give proper credit to Robert Graham for his involvement in this project.
A group of researchers, hackers, and other security enthusiast are pooling their money and offering it as a bounty to the first person that can successfully crack the Touch ID fingerprint authentication mechanism on Apple’s recently released iPhone 5S.
It all started as a discussion between security researchers Don Bailey and Nick DePetrillo, according to Bailey. DePetrillo then fired off a tweet, offering $100 to the first person that could lift a fingerprint off an iPhone 5S, recreate it, and reliably unlock the phone in five tries or fewer. From there, a number of other security professionals and hobbyists got in on the pot, mostly via twitter, which is now worth more than $14,000 and counting. You can keep an eye on the growing pool of money the contest’s dedicated website, which was created by one of the contest’s other founding members, Robert Graham.
This is something of a casual contest, so a list of official rules is pretty much nonexistent. At first, in order to take the pot, DePetrillo said he wanted “a video of the process from print, lift, reproduction and successful unlock with reproduced print,” but he and Bailey are in agreement that they’ll pay out their portions of the pool for side channel demos as well. It is not clear what criteria the other contributors will use to decide whether or not an attack is worthy of their money too.
The clearest criteria seems to be that the attack exploits either hardware or the software associated with the Touch ID interface. A simple lock screen circumvention is not enough.
The contest is mostly for fun, but there is a serious element to it.
“We want to get more people aware of the new pieces of hardware functionality coming out,” Bailey said in a phone interview. “Because not a lot of people are looking at hardware security, and by doing things like this we get to put a spotlight on security in places where people usually presume it’s either too easy or too hard.”
The contest is based at least in part, according to Bailey, on the fact that these sorts of sensor-based functionalities are implemented into products in such a way that they take up as little room and require as little energy and processing power as possible, despite their versatility.
“You usually get an absurd amount of functionality in a sensor,” Bailey said. “But really when it actually comes to use-case, drivers are actually implemented with the least amount of capabilities necessary to accomplish a task.”
He went on to say that he and DePetrillo are gaming on the idea that Apple could be doing things in a more complicated way, but they aren’t – because they are probably just doing the best they can to get a competent piece of hardware out the door as fast as possible.
Bailey said that no one has come forward yet with a working exploit or otherwise indicated that they are closing in on one, but indicated that a lot of people – himself included – are taking a crack at hacking Touch ID. He and DePetrillo are hoping an exploit will emerge in the next couple of weeks.
When asked if he would take the bounty for his own contest if he were to be the one to break touch ID, Bailey said, quite emphatically:
“Hell yeah, I’ll take the bounty!”
Anyone is welcome to contribute to the bounty, and can work that out with Bailey, DePetrillo, whoever else has gotten involved on Twitter at the following hashtag: #istouchidhackedyet.
They are asking for a minimum contribution of $50, but some individuals are putting up larger sums of money – Graham in particular, who doled out nearly $75 for the domain name and six months of web hosting – and a lot of people are offering up Bitcoins. One person is offering a free iPhone 5C to whoever breaks the fingerprint scanner. Just before initial publication, Arturas Rosenbacher, an entrepreneur and venture capitalist, pledged $10,000.