Slashdot Mirror

← Back to Stories (view on slashdot.org)

Crowdfunded Bounty For Hacking iPhone 5S Fingerprint Authentication

Posted by Unknown on from the good-luck-with-that dept.

judgecorp writes "There's more than $13,000 pledged for a crowdfunded bounty for bypassing an iPhone 5S's fingerprint reader. The bounty, set up by a security expert and an exploit reseller, requires entrants to lift prints 'like from a beer mug.' It has a website — IsTouchIDHackedYet — and payments are pledged by tweets using #IsTouchIDHackedYet. One drawback: the scheme appears to rely on trust that sponsors will actually pay up." Other prizes include whiskey, books, and a bottle of wine.

148 comments

  1. Why bother. by stewsters · · Score: 2, Funny

    With a $10 Walmart machete from the camping aisle, you can "Hack" off the key for yourself.

    1. Re:Why bother. by alen · · Score: 5, Funny

      if you live close to a wal mart chances are your victim will have a gun and can defend him or herself

    2. Re:Why bother. by kruach+aum · · Score: 1

      Because subtlety and subterfuge offer advantages that brute force doesn't.

    3. Re:Why bother. by Anonymous Coward · · Score: 0

      Reports indicate that won't work, so it would be more useful to use the machete to threaten the victim with amputation unless they unlock their phone.

    4. Re:Why bother. by ShanghaiBill · · Score: 2

      With a $10 Walmart machete from the camping aisle, you can "Hack" off the key for yourself.

      Nope. The iPhone, like most modern fingerprint scanners, requires a pulse. A severed finger won't work.

    5. Re:Why bother. by stewsters · · Score: 2

      Doesn't matter. if you tell the person you are going to chop off their finger and have a machete on hand to do it, they most likely will want to reset their password for you.

    6. Re:Why bother. by ackthpt · · Score: 2

      With a $10 Walmart machete from the camping aisle, you can "Hack" off the key for yourself.

      Nope. The iPhone, like most modern fingerprint scanners, requires a pulse. A severed finger won't work.

      Arr, ye be only needin' a batt'ry and wires fer ye pulse o' a sev'red finger, matey. ox)P-)

      --

      A feeling of having made the same mistake before: Deja Foobar
    7. Re:Why bother. by CastrTroy · · Score: 3, Interesting

      Personally, living in Canada, I wish they would stop coming up with inventions that don't work in the winter. First, it's capacitive touch screens that won't work with regular gloves. Now we have special gloves with a special material on the fingertips so that you can use your tablet/phone with gloves. Then there's eBook readers, which advertise as being still readable in sunlight, but if the screen gets too cold, they don't refresh properly. Now they have fingerprint readers on the phone. So I have to take my gloves off, just to make a phone call. I'm tired of my hands getting cold!

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    8. Re:Why bother. by geek · · Score: 2

      Yes, and if you hold a gun to their head and make them do things you'll have broken their security. Seriously? Apple is damned if they do and damned if they don't with people like you.

      Yes people may force their victims to do this, no it's not likely to be common. The point of the finger print reader isn't to somehow, mystically prevent an armed robber from getting into your shit. Its to keep purse snatchers and pick pockets from getting in as well as keeping it moderately secure should you forget it at a bar or airport.

    9. Re:Why bother. by noh8rz10 · · Score: 2

      why don't you get those gloves that don't have fingers, or take a glove and cut off one finger?

    10. Re:Why bother. by geek · · Score: 1

      If it's so fucking cold outside then why are you sitting around reading an ebook in it?

    11. Re:Why bother. by hondo77 · · Score: 5, Insightful

      What part of "Designed by Apple in California" don't you understand? :-)

      --
      I live ze unknown. I love ze unknown. I am ze unknown.
    12. Re:Why bother. by Anonymous Coward · · Score: 0

      Better yet, just go to Wal-mart and hack and shoot everyone showing off their new iphone.

      I think that would be more fun than Pizza, Grand Theft Auto 5, and Goatse x.

      USA USA USA!!

    13. Re: Why bother. by Anonymous Coward · · Score: 1

      Obligatory XKCD
       

    14. Re:Why bother. by Anonymous Coward · · Score: 0

      With a $10 Walmart machete from the camping aisle, you can "Hack" off the key for yourself.

      This is EXACTLY why I hate this kind of biometric authentication - for the sufficiently motivated person or organization, this is the easiest kind of security to defeat - all they have to do is cut a finger (or gouge an eye, if it's cornea scanning).

    15. Re:Why bother. by i_ate_god · · Score: 4, Funny

      Walmarts exist in Canada too

      But then again you wouldn't expect a Canadian to do such a brazen hack. Rather the Canadian would ask the other Canadian politely if they could use their phone, then quickly hop on their moose and ride off with it.

      --
      I'm god, but it's a bit of a drag really...
    16. Re:Why bother. by Anonymous Coward · · Score: 0

      So just cut off the tip and put it over your finger, which has a pulse.

    17. Re:Why bother. by mlts · · Score: 2

      I wonder when devices will start having a duress code where if swiped one way, the device opens normally. Swiped another way, device opens, but yet calls the local popo and reports a holdup in progress.

      Even my 13 year old house alarm has that.

    18. Re:Why bother. by Anonymous Coward · · Score: 0

      or take a glove and cut off one finger?

      And then you sew the finger on to the glove. Brilliant!

    19. Re:Why bother. by Kielistic · · Score: 1

      I don't think anybody is damning Apple for this. Especially not the original post that was just making a pun on the word hack.

    20. Re:Why bother. by l0ungeb0y · · Score: 1

      A fingerprint is not all that is required, the appendage leaving the impression must also have a faint electric signature only found in living tissue.
      So it seems a severed finger would only serve to smudge the glass display.

    21. Re:Why bother. by Anonymous Coward · · Score: 1

      No, all they have to do to defeat this, and, any other system, is threaten any of the above, with a reasonable belief that it's true.

    22. Re:Why bother. by Kielistic · · Score: 2

      You underestimate how cold it is in some places / times. Some times you want full-on mittens because gloves of any kind are too cold.

    23. Re:Why bother. by ahem · · Score: 1

      That was the most gratuitous, and yet somehow satisfying, execution of ITLAP Day.

      --
      Not A Sig
    24. Re:Why bother. by Anonymous Coward · · Score: 1

      but more likely shoot some innocent people in the area.

    25. Re:Why bother. by h4rr4r · · Score: 1

      Reports are wrong.
      1. for several minutes it would be basically still alive
      2. The threat of finger removal will get the phone unlocked in 99.99% of cases.
      3. you can always skin the finger and wear it like a glove.

    26. Re:Why bother. by jeffmflanagan · · Score: 1

      If only Walmart was still just a rural thing. They're everywhere these days.

    27. Re:Why bother. by holmstar · · Score: 1

      Perhaps they are waiting for the bus?

    28. Re:Why bother. by Anonymous Coward · · Score: 0

      Or just behead them and start eating them.

    29. Re:Why bother. by noh8rz10 · · Score: 1

      you could have a mitten with a hole that you poke your finger through. I am having all the answers today!

    30. Re:Why bother. by Kielistic · · Score: 3, Interesting

      Holes are known for their efficiency at losing heat. If frostbite is a concern do not poke holes in your insulation!

    31. Re:Why bother. by Anonymous Coward · · Score: 0

      1.Get the iphone owner drunk, no need to cut off anything.

      or

      2. Kids will wake before parents and grab parents iphone and then get the sleeping owner finger to play their games.

    32. Re:Why bother. by K.+S.+Kyosuke · · Score: 1

      Bah. I find it fascinating that the family of the victim sued for $150k for their son having gotten mutilated and his eyes eaten, while two passengers apparently sued for $3M each for having witnessing it, which I'm sure is so much more damaging.

      --
      Ezekiel 23:20
    33. Re:Why bother. by Anonymous Coward · · Score: 0

      Using my Galaxy S4, I can turn on extra sensitivity and use it as normal while wearing gloves. Sorry you want an apple :S

    34. Re:Why bother. by Quila · · Score: 1

      That would be nice. Right thumb for normal operation, left middle finger (or one you'd never accidentally use) to come up with some generic looking data that'll get you off the hook, while your real data is wiping in the background.

    35. Re:Why bother. by Anonymous Coward · · Score: 0

      I've not understood why duress codes are not present in more systems. For example, if overseas and the local police demand access to your company's username and password as part of a "routine" search.

      This is stuff from the Security 101 guides from the early 1980s when numeric keypads were being placed on doors before HID badges became the norm.

      It seems we have forgotten actual security these days, and what it means...

    36. Re:Why bother. by Dixie_Flatline · · Score: 1

      You don't have to use the scanner. You can use the passcode any time you like. I keep my phone in my pockets in the winter as much as possible, personally. If I really need to make a phone call, well, it's probably pretty important to force me to contemplate doing it at -30C anyway, so I'll take my glove off for 3 seconds.

    37. Re:Why bother. by Penguinisto · · Score: 1

      Err, some thoughts here:

      1) The vast majority of smartphone thefts are 'smash and grab' jobs - that is, some dude gets his phone jerked out of his hand by some criminal already moving at a high rate of speed.

      1a) Why? Because every second spent threatening the victim, watching him fumble through the unlock, etc, is another second more that the criminal can be identified, remembered, etc (not just by the victim, but by companions and passerby). It's also one more second for the victim (if suitably armed) to recover from the initial shock, and quietly reach for his own weapon. A $600 phone that one can fence for maybe $300-$400 at best isn't really worth those kinds of risks; most criminals are at least smart enough to know this (which is why most of them do the whole smash-and-grab thing in the first place.)

      3) Great - you (the criminal) got the phone and it's unlocked. Now what if it takes some extraordinary measure to get the fingerprint ID changed on it (e.g. only the carrier or it's representative unlocks it, etc)?

      Now yeah - if the reward for successfully stealing the phone and getting into it is great enough (e.g. the thing contains secret launch codes or some other fantastic nation-state-sized thing), *nothing* short of destroying the phone will stop you from finding a way into the device. However... this is a consumer device. It may have (at most) a banking app on it (which will require a password anyway), but is otherwise going to be largely useless. If it's used in BYOD (or even a full employer-provided phone) for work, ActiveSync (or whatever) will render at least that bit useless less than five minutes after the victim reaches another phone to call his/her employer and have it wiped.

      Long story short? Yeah, it *can* be done, but the risks quickly outstrip the rewards.

      ==

      As for TFA? Cool... now which finger? I never use an index finger for any biometric device... ever. That still leaves 8 to pick from if you want to lift my prints. If the thing locks solid after, say, 5 attempts? Well, your odds aren't exactly perfect, now are they?

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    38. Re:Why bother. by Anonymous Coward · · Score: 0

      Just buy a spool of that conductive thread and put a couple of stitches through the fingers of whatever gloves you like...

    39. Re:Why bother. by Anonymous Coward · · Score: 0

      You don't have to use the scanner. You can use the passcode any time you like.

      Are you kidding? any time there is a new option, everyone must take it! that's why I oppose gay marriage.

    40. Re:Why bother. by Anonymous Coward · · Score: 0

      I wonder when devices will start having a duress code where if swiped one way, the device opens normally. Swiped another way, device opens, but yet calls the local popo and reports a holdup in progress.

      Even my 13 year old house alarm has that.

      That's pretty stupid. You need the duress code to be indistinguishable from the real code to the observer. This is one reason why biometrics are asinine and passwords are still superior.

    41. Re:Why bother. by Anonymous Coward · · Score: 0

      You don't have to enable the fingerprint scanner, so you can stop whining.

    42. Re:Why bother. by Anonymous Coward · · Score: 0

      Samsung S1,2,3 and 4 all have a button that you can double click to activate voice recognition. You can make calls using that with gloves. The downside is that if it gets wet, the button may no longer work as it did for me and there's no easy fix for it as you need to hack off the front part of the phone due to their stupid internal design. I assume that more phones will come with physical buttons and hopefully better assembly methods but that's something that apple will not ever have since "simplicity" with less buttons to them is their approach. But if it were me, I'd get a industrial cellphone that is waterproof/stormproof/shockproof to use while going out. Just make sure there's a SIM card slot, heck you can just close your SIM card I'm sure. You're not going to be playing angry birds while riding a moose to your friend's house but if you need to make phone calls, and only phone calls having that kind of phone would be idea. They are relatively affordable at just $80 a piece without contract, at least around where I live. There will never be a phone that fits into every possible scenario, that's why you have to be the smart one and decide for yourself what is best for you.

    43. Re:Why bother. by XxtraLarGe · · Score: 1

      Holes are known for their efficiency at losing heat. If frostbite is a concern do not poke holes in your insulation!

      Here you go, Nancy.

      --
      Taking guns away from the 99% gives the 1% 100% of the power.
    44. Re:Why bother. by cybertears · · Score: 1

      If you're straight, wouldn't gay marriage be a new option?

    45. Re:Why bother. by Kielistic · · Score: 1

      Exactly what I use in day-to-day outings actually. I live in a comparatively warm area though. Also I tend to use my thumb for most of my phone fiddling which those gloves do not help with. None of it really matters though because no matter how you are interacting with your phone bulky things over your hands is going to impede that.

    46. Re:Why bother. by semi-extrinsic · · Score: 1

      The new Samsung GS4 actually has a glove mode! It's not very advertised on the GS4 (it is on the "Active" version), but it is there, and it works with fairly thick lether gloves. I expect this to become a fairly standard future on Android in the future.

      --
      for i in `facebook friends "=bday" 2>/dev/null | cut -d " " -f 3-`; do facebook wallpost $i "Happy birthday!"; done
    47. Re:Why bother. by Plumpaquatsch · · Score: 1

      Reports are wrong. 1. for several minutes it would be basically still alive 2. The threat of finger removal will get the phone unlocked in 99.99% of cases. 3. you can always skin the finger and wear it like a glove.

      And then you'd have to enter the passphrase sooner or later anyway (as in no later than 48 hours).

      --
      Of course news about a fake are Fake News.
    48. Re:Why bother. by Plumpaquatsch · · Score: 1

      Better yet, just go to Wal-mart and hack and shoot everyone showing off their new iphone.

      The NRA has successfully lobbied for any mass-killing above 3 persons to be carried out only with firearms.

      --
      Of course news about a fake are Fake News.
  2. 'like from a beer mug' by Culture20 · · Score: 2, Insightful

    Or from the iPhone itself.

    1. Re:'like from a beer mug' by De+Lemming · · Score: 4, Informative

      As was explained in the Apple keynote, a capacitive (not optical) sensor is used, which scans sub-epidermal skin layers. So lifting a fingerprint will not work.

      Here is an extensive explanation of the technologies used.

    2. Re:'like from a beer mug' by chihowa · · Score: 5, Interesting

      That's not an extensive explanation of how the technology works. The only description of how the sensor works from that article is this:

      A capacitance fingerprint reader leverages a handy property of your skin: The outer layer of your skin (your dermis), where your fingerprint is, is non-conductive, while the subdermal layer behind it is conductive. When you touch the iPhone’s fingerprint sensor, it measures the minuscule differences in conductivity caused by the raised parts of your fingerprint, and it uses those measurements to form an image..

      So it's still measuring your fingerprint as made up of ridges and troughs, just using conduction instead of optics. So you lift a fingerprint from a glass, etch it onto a conductive substrate (that matches the dermis roughly) and put it on the sensor.

      The sensor is likely looking at a fairly wide range of relative conduction between the ridges and troughs, so that it will work if your fingers are oily or sweaty or cold, so you wouldn't need to perfectly match the conduction of the user's actual finger.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    3. Re:'like from a beer mug' by Anonymous Coward · · Score: 0

      Your argument appears to be that this is a new technology, thus it won't succumb to the vulnerabilities of the previous generation. Even ignoring heretofore-unknown, new attacks, this has yet to be shown. As an example of why this isn't always true: Java run everything in a VM, thus it can't have security issues.

      I'll point out a new vulnerability for you: fingerprint scans are much easier to rubber-hose out of people than passwords.

    4. Re:'like from a beer mug' by Anonymous Coward · · Score: 0

      As was explained in the Apple keynote, a capacitive (not optical) sensor is used, which scans sub-epidermal skin layers....

      In other words, pressing down too lightly on the reader during an election year will result in a hanging eChad and failure to validate.

    5. Re:'like from a beer mug' by Anonymous Coward · · Score: 0

      It's been done.

      Lift fingerprint.
      Print by a laser printer to make a mold.
      Pour jello onto the printout.
      Lift jello to have "finger" that works on "a capacitive (not optical) sensor."

      https://www.google.ca/search?q=jello+mold+fingerprint

    6. Re:'like from a beer mug' by Anonymous Coward · · Score: 0

      As was explained in the Apple keynote, a capacitive (not optical) sensor is used, which scans sub-epidermal skin layers. So lifting a fingerprint will not work.

      Here is an extensive explanation of the technologies used.

      Yes, because claims by the manufacturer and related sites that the technology is unbreakable have always stopped hackers. </sarcasm>

    7. Re:'like from a beer mug' by citizenr · · Score: 1

      sure sure, gummy bears work on those

      --
      Who logs in to gdm? Not I, said the duck.
    8. Re:'like from a beer mug' by Anonymous Coward · · Score: 0

      Here: PPT Doc is a powerpoint of a presentation on the technology from AuthenTec... the company that created this technology from mere months before Apple bought them.

      It is as in-depth as one would want.

    9. Re:'like from a beer mug' by Solandri · · Score: 1

      My dad has abnormally dry hands and a thin (as in not very high) fingerprint ridge layer. He hates typing passwords so uses the same short password on everything. A few years ago I got him a Thinkpad with a fingerprint scanner in hopes of beefing up his security without much additional effort.

      The scanner only works about 10% of the time on him. He doesn't use it because of the high failure rate. This tells me that although the tech may read some of its data from the interior structure of the finger, the majority of its functionality depends on the fingerprint ridges themselves. (And yes it's the same technology. Apple bought Authentec in 2012, Authentec bought UPEK in 2010, and UPEK made the fingerprint scanners for the Thinkpads.)

    10. Re:'like from a beer mug' by ModernGeek · · Score: 1

      I'm not sure if it does this, but another good layer of security would be to require the passcode after maybe two failed fingerprint attempts.

      --
      Sig: I stole this sig.
    11. Re:'like from a beer mug' by Dixie_Flatline · · Score: 1

      If you're putting that much effort into hacking into my phone, well, you'd get my data no matter what I did. Frankly, I think you'd be better off packet sniffing my cellular traffic or something.

      Why are you so interested in my phone that you want to lift my fingerprints onto a conductive substrate and force my phone open? What data do you think I keep on my phone that's worth so much? Once I notice my phone is gone I'm just going to remote wipe it anyway, and you can't turn THAT off without the code that I have memorised. Wait, you know that code? Well in that case you DIDN'T NEED MY FINGERPRINT AT ALL.

    12. Re:'like from a beer mug' by chihowa · · Score: 1

      Well, "etch it onto a conductive substrate" sounds like a lot of effort right now, but we'll likely find out in the next article that gummy bears have the exact same conduction as the dermis and that the etching just involves licking the gummy bear before you press it on the fingerprint.

      Personally, I don't care about the security of iPhones. I'm just annoyed at the over-the-top portrayal of this fingerprint reader as some sort of magical "doesn't read your fingerprint, but reads, like the inside of your finger, man" bullshit, when "inside of your finger" means tens of micrometers below the surface (ie, smaller than the ridges).

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    13. Re:'like from a beer mug' by Anonymous Coward · · Score: 0

      Lifting a finger print WILL work, you just need a middle step between 'lift fingerprint' and 'put lifted finger print against scanner'

      All you need is a dummy capacitive substance that is roughly the size and shape of a finger (a hot dog will probably work), and then attach a thin non-capacitive layer with the grooves from the finger print you lifted.

      TL;DR; a hot dog and a 3d printer is all you need.

    14. Re:'like from a beer mug' by Plumpaquatsch · · Score: 1

      It's been done.

      Lift fingerprint. Print by a laser printer to make a mold. Pour jello onto the printout. Lift jello to have "finger" that works on "a capacitive (not optical) sensor."

      https://www.google.ca/search?q=jello+mold+fingerprint

      Now all you have to do is do that - and buy an iPhone 5s to test it. Then you will be $13,000 richer. Unless it doesn't work. Then you will have an iPhone 5s.

      --
      Of course news about a fake are Fake News.
    15. Re:'like from a beer mug' by Anonymous Coward · · Score: 0

      As was explained in the Apple keynote, a capacitive (not optical) sensor is used, which scans sub-epidermal skin layers. So lifting a fingerprint will not work.

      Here is an extensive explanation of the technologies used.

      In light of current news, care to modify your smug statement?

  3. Morons by Anonymous Coward · · Score: 1

    Apple has already pointed out that the fingerprint sensor will deliver a false-positive approximately 1 time in 50,000 (which they correctly point out is five times more secure than a four digit passcode which can be guessed 1 time in 9,999 attempts). Further, it's already been covered to death that the fingerprint sensor does not read the outer layer of skin and thus lifting a fingerprint from a beer mug will NOT work (despite the internet's intent to claim that it will...).

    There's so much stupid surrounding this that it hurts my brain...

    1. Re:Morons by phantomfive · · Score: 2

      Apple has already pointed out that the fingerprint sensor will deliver a false-positive approximately 1 time in 50,000

      Presumably they are going to require repeatable results....

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Morons by K.+S.+Kyosuke · · Score: 1

      the fingerprint sensor does not read the outer layer of skin and thus lifting a fingerprint from a beer mug will NOT work

      You mean that it can correctly identify whether the shape it reads is a natural pattern on the finger or a living human being, or whether it's some sort of synthetic replacement, regardless of the millions of combinations of materials and structure that come to one's mind?

      --
      Ezekiel 23:20
    3. Re:Morons by FrankSchwab · · Score: 1

      There's so much stupid surrounding this that it hurts my brain...

      Well, as an expert in the field, I have to say that you've taken way too many internet postings as gospel.

      This contest will be won quickly and easily. /frank

      --
      And the worms ate into his brain.
  4. Broken on first day by Misagon · · Score: 0

    I would not be surprised if someone would have broken it within mere hours after they have become available.

    How long does it take to etch a PCB (mould) and how long does it take for gelatine to cool down (finger cast)? (The method that Mythbusters used)

    --
    "We mustn't be caught by surprise by our own advancing technology" -- Aldous Huxley
    1. Re:Broken on first day by glennrrr · · Score: 1

      I wonder if the sensor could be trained to recognize an inanimate object like a casting of my finger. Then I could say "see this casting bypasses the security".

    2. Re:Broken on first day by Anonymous Coward · · Score: 1

      I'm pretty sure the fingerprint sensor does not scan the outer layer of skin, but the sub-dermal layer. Why would you think that taking a cast of the outside of the finger would work?

    3. Re:Broken on first day by Anonymous Coward · · Score: 0, Insightful

      Does.

      Not.

      Work.

      Gawd, you're a geek that reads Slashdot. Please invest just a minor amount of effort to learn how a significant new feature from one of the most influential tech companies works. It's not hard - it's been discussed extensively virtually everywhere.

    4. Re:Broken on first day by Anonymous Coward · · Score: 0

      Like using your cat to unlock?
      http://techcrunch.com/2013/09/19/watch-a-cat-unlock-the-iphone-5s-using-touch-id-and-the-fingerprint-sensor/

    5. Re:Broken on first day by ShanghaiBill · · Score: 3, Insightful

      How long does it take to etch a PCB (mould) and how long does it take for gelatine to cool down (finger cast)? (The method that Mythbusters used)

      The Mythbusters episode was from 2006, and was done on a sensor that was even older. Technology improves. In a decade, it can improve a lot. Their technique would almost certainly not work today. Apple's sensor requires a pulse, and detects deep skin layers that do not show up on a lifted fingerprint.

    6. Re:Broken on first day by noh8rz10 · · Score: 1

      yes, but only the cat can unlock it! actually i don't know, if one cat is registered can others unlock it as well?

    7. Re:Broken on first day by sootman · · Score: 3, Informative

      > How long does it take to etch a PCB (mould) and
      > how long does it take for gelatine to cool down
      > (finger cast)?

      I don't know. How long does it take to use Google and learn that your method won't fucking work?

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    8. Re:Broken on first day by Anonymous Coward · · Score: 0

      So I need to apply current to the gelatin and let the surface of it dry out?

    9. Re:Broken on first day by Terrasque · · Score: 1

      Didn't the manufacturer make similar claims about the Mythbusters lock too? That turned out to be hogwash.

      Let's wait and see how it actually works.

      --
      It's The Golden Rule: "He who has the gold makes the rules."
    10. Re:Broken on first day by Anonymous Coward · · Score: 0

      Yes, if they're registered too. I recall they (Apple) said you could register up to 5 or 10 (?) different prints in order to allow multiple people to unlock the same device.

    11. Re:Broken on first day by mrwolf007 · · Score: 1

      Hmm, so how many things did Apple patent that they didnt bother to implement?
      And givent he fact that most testers probably wont find a test candidate to chop a finger off ill guess i just ... have to take your word for it?

    12. Re:Broken on first day by Anonymous Coward · · Score: 0

      I know! Why don't we submit a request to get MB to hack it?

    13. Re:Broken on first day by sootman · · Score: 0

      > And givent he fact that most testers probably wont
      > find a test candidate to chop a finger off ill guess i
      > just ... have to take your word for it?

      Logic much? How's this: if it won't get a reading at all, a match can't happen. So: find a cadaver. Press the finger onto the pad. No reading? No match possible.

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    14. Re:Broken on first day by semi-extrinsic · · Score: 1
      Oh dear god. As a physicist, skimming that article made me even more sure that people who write technology blogs about Apple are mindnumbingly stupid. To wit:

      We all have a small amount of electrical current running through our bodies, and capacitive technology utilizes that to sense touch.

      If you fail that hard in your understanding of such a basic smartphone technology as capacitance, then your opinion on technical matters will be considered irrelevant and background noise. They then go ahead and fail at biology:

      Once the tissue is dead -- which, in the case of someone chopping your finger off without your consent, should happen within a matter of minutes.

      A chopped off human finger can be successfully re-attached to the person after 12 hours if kept warm and up to four days if kept refrigerated. This claim is thus patently false.

      --
      for i in `facebook friends "=bday" 2>/dev/null | cut -d " " -f 3-`; do facebook wallpost $i "Happy birthday!"; done
    15. Re:Broken on first day by Megol · · Score: 1

      False! If it requires a pulse (which I doubt) it would be simple to emulate this with a very easy circuit varying the capacitance which is the only thing a normal capacitive reader can sense. If it is a combination of a capacitive reader for the fingerprint and an IR oximeter for sensing pulse the solution is to have a pulsed IR lightsource. But it is unlikely that it's anything more than a flat capacitive reader possibly with a higher resolution than normal readers. But realistically this is the normal "Apple" exaggerations* coupled with normal "Apple" fanboyism. The standard for PC notebooks with fingerprint readers is capacitive reading in a scanner configuration which is more secure than non-scanning reader as the scanning removes most of the fingerprint automatically. And the technology does improve there too unlike what Apple fanboys like to think... (* Anybody remember the G4 supercomputer claims? The GCD claims? The retina claims? The list goes on...)

    16. Re:Broken on first day by Plumpaquatsch · · Score: 1

      I would not be surprised if someone would have broken it within mere hours after they have become available.

      How long does it take to etch a PCB (mould) and how long does it take for gelatine to cool down (finger cast)? (The method that Mythbusters used)

      The iPhone 5s went on sale in Australia about 21 hours ago in Australia, shortly after that in China and Japan, More than 13 hours in Europe - still not hacked yet.

      --
      Of course news about a fake are Fake News.
    17. Re:Broken on first day by Plumpaquatsch · · Score: 1

      yes, but only the cat can unlock it! actually i don't know, if one cat is registered can others unlock it as well?

      Second paragraph: ". Note that no other paw pads would unlock the device, and that cats essentially have unique “fingerprints” just like people, so this doesn’t make the Touch ID sensor any less secure."

      --
      Of course news about a fake are Fake News.
    18. Re:Broken on first day by noh8rz10 · · Score: 1

      Second paragraph: ". Note that no other paw pads would unlock the device, and that cats essentially have unique “fingerprints” just like people, so this doesn’t make the Touch ID sensor any less secure."

      i don't worry so much about a cat paw fooling the sensor that it is a person's finger print. Just trying to make sure that my two cats won't be able to unlock each other's phones.

    19. Re:Broken on first day by Anonymous Coward · · Score: 0

      Their technique would almost certainly not work today. Apple's sensor requires a pulse, and detects deep skin layers that do not show up on a lifted fingerprint.

      LOL, nope.

    20. Re:Broken on first day by Anonymous Coward · · Score: 0

      FYI, it's been broken.
      http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid

  5. You can just enter the passcode. by jcr · · Score: 1, Interesting

    Didn't these clowns watch the keynote?

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
  6. One Word: by Shakrai · · Score: 1

    Gunblade

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  7. Not the usual sort of fingerprint reader. by Anonymous Coward · · Score: 0

    From apple's marketing material the device claims to be a capacitive fingerprint reader and not the optical sort. This is the first I've ever heard of anything like that.

    Supposedly it's not vulnerable to lifted fingerprints from other surfaces because it's able to capture sub-dermal characteristics that are not left behind on a fingerprint you'd find on something like a beer mug. So its less a fingerprint reader, and some sort of deep finger scanner.

    I'm not sure why this is a big deal either, because historically it's been easy to attack a phone, iphones included, via the usb port/dock/port/whatever. Security companies even sell handheld devices to cops that let them plug-and-play dump phones via said interface ports.

    Of course I look forward to seeing what people can do. It will be interesting to see how apple's claims hold up. If what apple claims is true then everything is buttoned up and secured inside some security module in the main CPU. Sounds like you may need to do some JTAG hacking to see what's really going on.

    1. Re:Not the usual sort of fingerprint reader. by Daniel_Staal · · Score: 1

      Apple's been working on the dock port problem as well: IIRC, Recent OS updates will alert the user if you plug into a device that attempts to treat the phone as a USB storage device (instead of a battery), and require the user to allow it. (After unlocking the screen, of course, which means if it's locked and requires a password or fingerprint, you need the password or fingerprint.)

      It's not a high-security device by any means, but the obvious pitfalls are being taken care of. I don't expect this bounty to be particularly hard, but it's probably going to be beyond the average thief.

      --
      'Sensible' is a curse word.
  8. Drunk and passed out? by Anonymous Coward · · Score: 0

    Your finger is not.

  9. Date rape drug, profit by Anonymous Coward · · Score: 0

    nothing more to say.

  10. Re:You can just enter the passcode. by maccodemonkey · · Score: 4, Funny

    Didn't these clowns watch the keynote?

    -jcr

    I am totally shocked someone in the tech industry would launch a project without fully understanding the original problem. SHOCKED I SAY.

  11. Scotch Tape by klaasb01 · · Score: 0

    Wouldn't the surface of the phone (front or back) be a good place to lift a print of the owner then transfer it to another medium so that you could use it on the phone?

    1. Re:Scotch Tape by Anonymous Coward · · Score: 1

      No, because the iPhone 5S doesn't use an optical fingerprint scanner. It's using a capacitive sensor that measures capacitance of the skin and sub-epidermal layers of the finger. A simple image of the print won't fool it.

    2. Re:Scotch Tape by Anonymous Coward · · Score: 0

      No, because the iPhone 5S doesn't use an optical fingerprint scanner. It's using a capacitive sensor that measures capacitance of the skin and sub-epidermal layers of the finger. A simple image of the print won't fool it.

      an engraved gummy-bear probably would though.

  12. MacGyver already did it. by Videospike · · Score: 1

    Season 2 Episode 1, "The Human Factor". Mac scrapes some gypsum dust off of a wall and blows it across the reader (a hand print reader, if I remember correctly) like one would dust for fingerprints. Then he wrapped his hand and pressed the reader - voila! It should work as long as the phone's owner doesn't remember to wipe down their fingerprint reader each time they use it.

    1. Re:MacGyver already did it. by Anonymous Coward · · Score: 0

      It won't work since the fingerprint/epidermal layer isn't read by the sensor in the first place

  13. Better bounty needed by Sponge+Bath · · Score: 1

    If someone could find a way around this, it would be worth a lot more than the stated bounty to criminals.

    1. Re:Better bounty needed by Bob_Who · · Score: 1

      Yeah, a whole hell of a lot better than honor among thieves and a low ball guarantee..

      Crime pays better when dealing directly with Congress and lobbyists.

  14. Easy by sexconker · · Score: 0

    Dig up the corpse of Steve Jobs Chop off thumb. You now have access to every iPhone 5s.

    I guarantee you there are back doors in place for that corpse.

  15. FYI by Anonymous Coward · · Score: 0

    I don't know if it 'requires' a fingerprint in order to use the phone, But I will never purchase any device that does. I do however have some suggestions for hacks.

    First, somebody come up with an artifical finger complete with fingerprints, temp and a pulse. Second, all the dead people throughout history, the is a potential market for their fingerprints, and so there is also a market for artificial fingers. You could carry around in your wallet, the fingerprint of your choice.

    They play their games, and we play ours.

  16. Re:You can just enter the passcode. by thue · · Score: 1

    The problem is that the fingerprint scanner could create a false sense of security.

  17. Citation does not back up your claim by amaurea · · Score: 1

    The source you site seems to be saying the opposite of what you claim:

    When you touch the iPhone’s fingerprint sensor, it measures the minuscule differences in conductivity caused by the raised parts of your fingerprint, and it uses those measurements to form an image..

    Those raised parts of the fingerprint are exactly the ones that deposit fat stains on every surface you touch.

    Of course, it is possible that the macworld article is misleading, and that the fingerprint reader reads some other pattern after all. If so, it would be nice to see a source that backs that up. This has been brought up in previous slashdot discussions too, but I have never seen any evidence backing it up, even after explicitly asking for it.

    1. Re:Citation does not back up your claim by chihowa · · Score: 2

      Here's your reference. It's reading a plain old fingerprint.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
  18. Re:You can just enter the passcode. by Anonymous Coward · · Score: 0

    Didn't these clowns watch the keynote?

    -jcr

    I am totally shocked someone in the tech industry would launch a project without fully understanding the original problem. SHOCKED I SAY.

    Yeah, especially with Apple products. I mean, no one overreacts with those, right?

    Wait, what the fuck do you mean people are in line already?!?

  19. Waiting for the bus... by Anonymous Coward · · Score: 1

    Probably :)

  20. Caimed to death, but not backed up by amaurea · · Score: 3, Informative

    What is your source for claiming that the sensor reads a different pattern than the normal fingerprints you leave behind? A capacitive fingerprint reader works by measuring the difference in capacitance between the ridges and valleys of your fingerprint. In the ridges, the distance to the more conductive layers beneath the skin (the sub-dermal layers you've heard about) is greater than in the valleys, which gives these regions higher capacitance. I guess the pattern you get this way could be different from the visible fingerprint if the underside of the skin has a significant, different pattern than the overside, but I have not heard that that is supposed to be the case.

    To simplify things a bit, the much touted sub-dermal layers work as a sort of capacitive back-light which highlights the differences in thickness of the fingerprint above it. It is, to the best of my knowledge, simply another way of measuring the same fingerprint we see when we look at our fingers.

  21. Re:One punch will do it, no weapons required. by Anonymous Coward · · Score: 0

    Virtually the same post got stated when anti-theft engine modules came to car computers. The car is theft-resistant, so just rear-end the car, wait until the driver is out, punch him out and take his keys.

    This isn't Apple's problem, and if there is a feature to demand a passcode + fingerprint, this is a nonissue anyway.

  22. Macworld contradicts you by amaurea · · Score: 1

    From this macworld article on the subject:

    A capacitance fingerprint reader leverages a handy property of your skin: The outer layer of your skin (your dermis), where your fingerprint is, is non-conductive, while the subdermal layer behind it is conductive. When you touch the iPhone’s fingerprint sensor, it measures the minuscule differences in conductivity caused by the raised parts of your fingerprint, and it uses those measurements to form an image..

    A capacitor works by having an insulator sandwitched between two conductors. The thinner the insulator is, the higher the capacitance. In the case of a capacitive fingerprint reader, the conductors are the reader itself on one side, and the subdermal layers on the other side. In between them, the skin works as an insulator. Hence, by measuring the capacitance, one is effectively measuring the thickness of the skin. I.e. the pattern of ridges and valleys visible on your fingers. This is the layer you claimed wasn't measured in the first place.

    1. Re:Macworld contradicts you by Anonymous Coward · · Score: 0

      The context is the bounty. The bounty requires that a fingerprint be lifted from something. A fingerprint lifted from something only tells you where skin oil is left on that something. It only tells you touching and not touching, and not any thickness beyond that. The MacGyver scenario from the OP assumes that this is enough to give access. Now, "read" != "measured". The sensor does not read anything from the epidermal layer directly, thus simply having a fingerprint lifted from something will not give access. As you said, the epidermal layer is measure via the capacitance between the sensor and subdermal layers. This information cannot be obtained from a fingerprint lifted from something. GP and you are both correct but you just didn't fully think this through in the context of the OP and article

    2. Re:Macworld contradicts you by Quila · · Score: 1

      And how does this defeat the RF scanner that looks only at the live tissue underneath?

    3. Re:Macworld contradicts you by Overzeetop · · Score: 1

      The one that doesn't actually exist (there is no RF scanner), or the theoretical RF scanner which can't tell the difference between a finger and a small tube of ketchup (or other mostly-water filled tube)?

      --
      Is it just my observation, or are there way too many stupid people in the world?
    4. Re:Macworld contradicts you by semi-extrinsic · · Score: 1

      It seems a lot of uninformed appleblogs/fanboys think there is an RF scanner simply because Apple has patented one.

      --
      for i in `facebook friends "=bday" 2>/dev/null | cut -d " " -f 3-`; do facebook wallpost $i "Happy birthday!"; done
  23. Is the contest open to cats? by Anonymous Coward · · Score: 0

    They seem to be able to use it, after all...

  24. Anything for attention by Anonymous Coward · · Score: 0

    Good luck, chumps!

    (Sore lusers.)

  25. Why? So simple to break... by Anonymous Coward · · Score: 0

    Just get the person really drunk and no need to cut off any finger.
    Millions of kids will wake before the rents and grab the phone and then get their parents sleeping finger to play their games.

  26. Small correction by amaurea · · Score: 1

    Higher distance gives lower capacitance, not higher. This does not change the argument, though.

  27. Easy hack by deviated_prevert · · Score: 1

    Just take close in photos of all the smudges on the "retinal" display screen extrapolate 3d from it and print it with a 3d printer. Presto access.

    --
    This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
    1. Re:Easy hack by Anonymous Coward · · Score: 0

      dood ur so fakkin smart

  28. Laptops by Kozar_The_Malignant · · Score: 1

    Laptops have had fingerprint login authentication for years. Why all the fuss over what seems to be a more secure method than the one on my wife's four year old HP?

    --
    Some mornings it's hardly worth chewing through the restraints to get out of bed.
    1. Re:Laptops by guruevi · · Score: 1

      Most laptop-fingerprint-thingies are basically very cheap camera's. They take a (very low resolution) picture and compare it with an existing (very low resolution) one. Easy to fool with a piece of paper or a superglue version of the fingerprint.

      Other problems is (specifically with Windows) is that the Windows-based fingerprinting software (UPEK) stores the passwords pretty much plain text into the registry anyway.

      Apparently the iPhone fingerprint scanner is not so easily fooled because otherwise there wouldn't be a bounty, even severed fingers are reported not to work with the iPhone sensor. So how does it do it? The patents are very vague but seem to describe some way of sending a (small) current through. If that is true, you would have to be able to replicate an entire fingerprint with a very specific capacitance and resistance so the "circuit" that are the ridges of your fingerprint can be replicated.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    2. Re:Laptops by Anonymous Coward · · Score: 0

      fingerprint readers are not security devices. one of the fears is people will think this is a more secure mechanism than a good password, IT ISN'T. hence why any place that takes security seriously doesn't permit fingerprint scanners as a primary method of authentication.

    3. Re:Laptops by semi-extrinsic · · Score: 1

      It can't be that specifically sensitive either, since then a wet, sweaty, greasy or dirty finger would not work. I'm fairly sure that Apple has realized that the most useless security technology is the one no-one bothers to use.

      --
      for i in `facebook friends "=bday" 2>/dev/null | cut -d " " -f 3-`; do facebook wallpost $i "Happy birthday!"; done
    4. Re:Laptops by Megol · · Score: 1

      No the standard is capacitive scanning readers. The last camera based fingerprint reader I've seen was the Microsoft fingerprint reader that was released 9 years ago.

    5. Re:Laptops by Anonymous Coward · · Score: 0

      Because your wife's four year old HP is not made by Apple, a company well known for having legions of rabid fans obsessed with discussing its latest products on web fora.

  29. Got the motivation right by Anonymous Coward · · Score: 0

    I enjoy that a large number of the pledged rewards include money but also alcohol. Clearly they understand the potential audience.

  30. 1,000,000 X by Anonymous Coward · · Score: 0

    "just cut off the owner's finger"

    (So original!)

  31. One punch won't do it by Anonymous Coward · · Score: 0

    First of all, do you not understand why anyone uses a passcode on their smartphone? (because if you don't, then there's no need for further discussion.)
    Secondly, I don't think you've thought it through, as what you describe is insufficient for resetting (stealing) the iPhone 5s. The passcode is needed for that.

  32. Obligatory XKCD by Anonymous Coward · · Score: 0

    $13,000? Bottle of wine? Come on folks.

    http://xkcd.com/538/

  33. Capactitive and RF sensors. by westlake · · Score: 1

    The sensor in the iPhone 5s utilizes two methods to sense and identify your fingerprint:

    Capacitive -- A capacitive sensor is activated by the slight electrical charge running through your skin.

    Radio frequency -- RF waves do not respond to the dead layer of skin on the outside of your finger -- the part that might be chapped or too dry to be read with much accuracy -- and instead reads only the living tissue underneath. This produces an extremely precise image of your print, and ensures that a severed finger is completely useless.

    This means that the Touch ID sensor should be remarkably accurate for living creatures, but it also means that only a finger attached to a beating heart will be able to unlock it.

    Why a disembodied finger can't be used to unlock the Touch ID sensor on the iPhone 5s

    1. Re:Capactitive and RF sensors. by semi-extrinsic · · Score: 1

      Not only does that article never discuss disembodied or severed fingers, but it also misses the huge issue with biometric ID: you're "broadcasting" it daily, and it can never be changed. Once someone gets your fingerprint associated with your name, do you have any idea how large the black-market value will be if biometric IDs like this become common? If your fingerprint can be used with your credit card, for instance? That is a much larger incentive for criminals than stealing your iphone passcode.

      It's also largely undetectable: sit at a coffee shop, pose like a hipster with your DSLR, wait until you can pick up someone's name, then take their glass and photograph it after they leave. If you think this is just paranoia, there were several people who were succesful in copying Angela Merkel's fingerprint a few years back. If they can do it to the prime minister of Germany, they can do it to you.

      --
      for i in `facebook friends "=bday" 2>/dev/null | cut -d " " -f 3-`; do facebook wallpost $i "Happy birthday!"; done
    2. Re:Capactitive and RF sensors. by Plumpaquatsch · · Score: 1

      Not only does that article never discuss disembodied or severed fingers, but it also misses the huge issue with biometric ID: you're "broadcasting" it daily, and it can never be changed. Once someone gets your fingerprint associated with your name, do you have any idea how large the black-market value will be if biometric IDs like this become common? If your fingerprint can be used with your credit card, for instance? That is a much larger incentive for criminals than stealing your iphone passcode. It's also largely undetectable: sit at a coffee shop, pose like a hipster with your DSLR, wait until you can pick up someone's name, then take their glass and photograph it after they leave. If you think this is just paranoia, there were several people who were succesful in copying Angela Merkel's fingerprint a few years back. If they can do it to the prime minister of Germany, they can do it to you.

      1. Steal Angela Merkel's fingerprints
      2. ???
      3. PROFIT!

      --
      Of course news about a fake are Fake News.
  34. Very hackable for 7-9 hours a day by Anonymous Coward · · Score: 0

    A simple hack for the fingerprint sensor is already available ... just look around for a phone owner who is asleep

  35. Why lock a phone? by kubajz · · Score: 2

    Assuming that you protect your phone from the random thief, I would recommend installing a tracing app and leaving the phone unlocked - a locked phone will just encourage the thief to hard reset it or turn it off immediately. Same with a laptop - I had some tracing software installed but unfortunately I forgot to enable the guest account so the thief could not use the laptop... and therefore never gave me a chance to locate it.

  36. Re:You can just enter the passcode. by Sockatume · · Score: 1

    The whole point of the scanner is that the 90% of iPhone users who don't even use a code because it wastes too much time, might turn it on because it's convenient.

    --
    No kidding!!! What do you say at this point?
  37. What a terrible idea by Anonymous Coward · · Score: 0

    "Let's set up a fund for making life worse" is a terrible idea. Who exactly do they think they're serving by this?

  38. Re:utter nonsense by Anonymous Coward · · Score: 0

    The real purpose of the sensor is to gather fingerprint data for the NSA. The NSA is now such a bloated runaway monolith, it has every significant company in its pocket vying to find new ways of expanding the 'total surveillance' society. Most of this data is collected simply because it can (and has NOTHING to do with stopping crime or 'terrorism'), but that doesn't prevent depraved individuals finding nefarious uses for the information sometime down the line.

    Sounds like you are confusing the NSA with Google.

  39. Re:You can just enter the passcode. by Internal+Modem · · Score: 1

    Exactly. The inclusion of the sensor is not about being 100% secure all the time, it's about encouraging the use of some level of security by the majority who currently have none. Since it is quicker to use the sensor than to swipe to unlock without a PIN, that is the metric to consider.