Hackers are gearing up for Friday’s release of the iPhone 5S, aiming to be the first to crack the device’s first-ever fingerprint scanner, a security feature that Apple Inc hopes will set the new model apart from the competition.
To sweeten the contest, a group of security researchers and a micro venture capital firm have pitched in to offer a prize to the hacker who breaks through ahead of the rest. The booty, promoted online, includes more than US$13,000 in cash, bottles of bourbon and tequila, and other prizes.
Among those hoping to win the prizes -- and the glory of uncovering potential flaws so Apple can then fix them -- is David Kennedy, a former US Marine Corps cyber-intelligence analyst who did two tours in Iraq and now runs his own consulting firm, TrustedSec.
“I am just waiting to get my hands on it to figure out how to get around it first,” the founder of the DerbyCon hacking conference told the Thomson Reuters Global Markets Forum this week. “I’ll be up all night trying.”
The fingerprint scanner on the top-of-the-line iPhone lets users unlock their devices or make purchases on iTunes by simply pressing their finger on the home button. It has been hailed as a major step in popularizing the use of biometrics in personal electronics.
Security experts worry about the implications of using the module to grant access to sensitive data on the phone and potentially enabling mobile purchases.
Security engineer Charlie Miller, known in hacking circles for uncovering major bugs in the iPhone as well as circumventing security in Apple’s App Store, said it could take fewer than two weeks for Kennedy or some other smart hacker to get around the new lock.
Once they’re in, they could gain access to the cornucopia of data typically stored on a user’s iPhone and might potentially be able to buy goods from iTunes and Apple’s App Store.
Apple declined to comment for this article.
To be sure, experts say they know of nothing intrinsically wrong with Apple’s fingerprint reader, based on what the company has so far disclosed. Reviewers this week gushed over its ease of use and reliability.
The reader’s sapphire crystal sensor is embedded in the phone’s home button and reviews the fingerprint as a user touches it to verify his or her identity. It can be used to approve purchases of music, videos and other goods.
Data used for verification is encrypted and stored in a secure enclave of the phone’s A7 processor chip. No information is sent to any remote servers, including Apple’s iCloud system.
HD Moore, a well-known hacking expert and chief researcher with the security software maker Rapid7, said such protections mean “the bar is a little bit higher,” but that certainly won’t discourage hackers from trying to break the new technology.
“This is definitely something to target and something people will want to go after,” he said.
Apple shouldn’t take hackers’ enthusiasm personally.
All major electronics products are subjected to similar scrutiny as new features are rolled out, including devices from Google, Microsoft and Samsung Electronics.
For example, last year, Charlie Miller led a team that demonstrated techniques for taking over smartphones running Google’s Android software through their use of near-field communications, or NFC, a wireless technology used for sharing data or making purchases at point-of-sale terminals.
Bugs are often disclosed by “white hats,” or hackers who unearth flaws and report them so manufacturers can repair them, preventing criminal exploitation. The hope is the good guys find them before “black hats” uncover them for nefarious purposes.
White hats have found multiple security issues with iPhones, iPads and in the App Store since Apple launched its first smartphone in 2007. They say that scrutiny has helped make it one of the most secure devices on the market today.
Apple executives said at last week’s iPhone launch that the new fingerprint reader, dubbed Touch ID, will help make phones far more secure by dint of its ease of use.
About half of all smartphone users don’t bother to use current screen-locking technology because of the inconvenience of keying in multiple-digit passwords. Apple is betting users may be far more willing to avail themselves of a solution that requires a single finger-swipe.
“The technology within Touch ID is some of the most advanced hardware and software we put in any device,” Dan Riccio, senior vice president of hardware engineering, said at the event.
Kennedy said he needs to examine the new iPhone to figure out how to best attempt an attack.
He said his choices include hacking the software that analyses the fingerprint data, or physically opening up the phone and connecting it to a custom-built device that would impersonate Apple’s fingerprint reader.
He added that it might be possible to lift a user’s fingerprint from elsewhere on the device and somehow make a clone of it.
Rich Mogull, an analyst with the security research firm Securosis, said he planned to use the fingerprint reader and expects it to be widely adopted despite the fact that hackers are circling.
“Nobody has gotten their hands on it to see what the weaknesses are and how easy it is to crack,” Mogull said.
“We’ll have to wait to see.”