Just like the title says, if you’re the first to hack my iPhone 5s’ TouchID during Derbycon, I’ll give you $100.
The recently posted IsTouchIDHackedYet bounty has been claimed by Starbug of the Chaos Computer Club, and the corresponding video shows the technique. They used a scanner to create an image of a fingerprint from the iPhone’s touchscreen, made a dummy fingerprint out of wood glue, and used that dummy print to authenticate to TouchID. Marc Rogers and others have reproduced the technique. So everything is laid bare, right?
Not quite.
I’m still not entirely sure just how big a threat this is in reality. Given an intentionally laid clean print, it can be reproduced and used as a template, that much is clear. I’m surprised that a scanned image (and reportedly a photo from another iPhone) are of sufficient resolution, but that seems to be the case.
But how easily can such a print be captured from an uncooperative subject? To me, this gets to the heart of how risky TouchID actually is. Many people believe that since we leave fingerprints on everything we touch, there’s no security whatsoever. I’m not so sure, so I decided to unscientifically test this assumption and have some fun in the process.
Would you like to play a game?
Here’s the challenge.
Capture my fingerprint, build a model of it, and replay it against my phone. If you are the first to do this during Derbycon, I’ll give you $100!
Of course, there are a few small rules to keep things civil.
The Rules
- I will not intentionally provide my print. I’m not going to allow my fingers to be scanned, inked, etc. The whole idea here is to see if it’s true that we leave sufficient prints in the wild on a regular basis. It’s likely I’ll be at the bar a few nights, and will have a couple drinks. Let’s see if the ‘lifted print from a beer glass’ is actually viable!
- I won’t say which fingers are enrolled. Maybe you’ll see me unlock my phone and can deduce this, but that’s part of the challenge. Just as in an actual attack, I won’t provide information.
- I will not provide my phone for sampling. I want to see if my print can be lifted from the environment. As such, I’ll not be providing my phone for sampling. I don’t want to be babysitting my gear the whole con, after all.
- I will not take extreme measures to prevent leaving prints. I’m not going to do anything silly like wear gloves through the whole conference, or wipe down everything I touch, etc. I might be slightly more aware, but I’ll try not to change my behavior. However, I’m likely to grow suspicious of those who show an extreme interest in my glassware, etc.
- If you have a model you want to try, find me. I’ll let anyone who thinks they can do it try their dummy against my phone. I look like my Twitter avatar image (see sidebar) and enough people know me at Derbycon that you probably wouldn’t have to ask around much to find me. If all else fails, tweet at me and I’ll see if we can coordinate something.
- No damaging or disgusting dummies. I may ask you to show me what you intend to use on my phone, and reserve the right to refuse anything that may damage or contaminate my phone. No sledgehammers, no genitals, no chewing gum.
- Don’t taze me, bro! No physical attacks, rubber hose cryptanalysis, or theft of my phone, please. The usual consequences will apply for assault or theft, and no bounty will be paid.
- One try per person/team per hour. I’ll let you try a few times, but if the phone presents the PIN entry screen, you’re done for at least an hour. This is to keep things fair and ensure that in the event multiple people/teams are trying, there’s a reasonable chance for the best finger-analog to work.
- First person gets $100. And maybe I’ll let you send one tweet from my account if you make it good, relevant, or funny.
Why am I doing this?
I think TouchID provides a decent amount of security, even if it can be bypassed by targeted attackers with a good sample of their target’s print. I find the question of how easy it is to get a good enough latent print interesting. I’m not sure if I expect that someone will do this or not (a lot depends on how many people try). Most of all, I thought it’d be a fun experience.
What do I think this will prove?
Truly, I don’t think this will prove anything.
If someone is successful, it shows that a targeted individual will, in the course of their normal day, leave behind sufficient fingerprints to bypass the security afforded by TouchID.
If no one is successful, it says a lot less. Maybe $100 wasn’t enough of an incentive. Maybe no one cared enough to take a shot at it. Or maybe, just maybe, it’s a bit harder than some people believe.
Anyhow, time will tell, and the offer stands. Be the first to bypass my TouchID during Derbycon, and $100 awaits. Good luck!
Additional info
I’m adding this section on the morning of 9/25. Some folks have offered to add to my bounty, to make it more attractive and hopefully draw more interest. I’m a little uncomfortable getting involved in arbitrage, so I’m not going to handle anyone else’s money, payouts, etc. But I’ll do a couple things to help facilitate any ‘side bets’ that might occur.
- Feel free to use the comments to share any additional offers. They’re moderated, but I’ll post any offers folks make.
- If/When I determine a winner of my offer, I’ll tweet about it immediately and use the #derbycon hashtag.
- I’ll follow up with a blogpost as soon as I have a chance.
- I’ll continue to allow others to try for the duration of the contest. Only the first is eligible for my award, but this will let people test their efforts, and may also provide backup candidates for other awards should anyone disagree with my decision.
- After Derbycon, I’ll write up a blog outlining the number of attempts, how many were successful, etc. I’ll relay contact info for any payouts to the extent those who try want to provide it and are comfortable with my doing so.