BOSTON - A group of
German hackers claimed to have cracked the iPhone fingerprint scanner on
Sunday, just two days after Apple launched the technology that it promises will
better protect devices from criminals and snoopers seeking access.
If the claim is verified, it will be embarrassing for Apple
which is betting on the scanner to set its smartphone apart from new Samsung
models and others running the Android operating system of Google.
Two prominent iPhone security experts told Reuters that they
believed the German group, known as the Chaos Computer Club, or CCC, had
succeeded in defeating Apple's Touch ID, though they had not personally
replicated the work.
One of them, Charlie Miller, co-author of the "iOS
Hacker's Handbook," described the work as "a complete break" of
Touch ID security. "It certainly opens up a new possibility for
attackers."
Apple representatives did not respond to requests for
comment.
CCC, one the world's largest and most respected hacking
groups, posted a video on its website that appeared to show
somebody accessing an iPhone 5S with a fabricated print. The site described how
members of its biometrics team had cracked the new fingerprint reader, one of
the few major high-tech features added to the latest version of the iPhone.
The group said they targeted Touch ID to knock down reports
about its "marvels," which suggested it would be difficult to crack.
"Fingerprints should not be used to secure anything.
You leave them everywhere, and it is far too easy to make fake fingers out of
lifted prints," a hacker named Starbug was quoted as saying on the CCC's
site.
The group said it defeated Touch ID by photographing the
fingerprint of an iPhone's user, then printing it on to a transparent sheet,
which it used to create a mold for a "fake finger."
CCC said similar processes have been used to crack "the
vast majority" of fingerprint sensors on the market.
"I think it's legit," said Dino Dai Zovi,"
another co-author of the iOS Hacker's Handbook. "The CCC doesn't fool
around or over-hype, especially when they are trying to make a political
point."
Touch ID, which was only introduced on the top-of-the-line
iPhone 5S, lets users unlock their devices or make purchases on iTunes by
simply pressing their finger on the home button. It uses a sapphire crystal
sensor embedded in the button.
Data used for verification is encrypted and stored in a
secure enclave of the phone's A7 processor chip.
Two security experts who sponsored an impromptu competition
offering cash and other prizes to the first hackers who cracked the iPhone said
they had reviewed the information posted on the CCC website, but wanted more
documentation.
"We are simply awaiting a full video documentation and
walk through of the process that they have claimed," said mobile security
researcher Nick DePetrillo, who started the contest with another security
expert, Robert Graham. "When they deliver that video we will review
it."
The two of them each put up $100 toward a prize for the
contest winner, then set up a website inviting others to contribute. While the
booty now includes more than $13,000 in cash, it was not clear that the CCC
would receive the full payout, even if DePetrillo and Graham declared them
winners.
A micro venture capital firm known as I/O Capital, which had
offered to pay $10,000 of the prize money, issued a press release late on
Sunday saying that it would make its own determination about who won the
contest.
No comments:
Post a Comment