Date: 2013-09-19
By Jim Finkle
BOSTON, Sept 19 - Hackers are gearing up for
Friday's iPhone 5S release with a contest to crack the device's
first-ever fingerprint scanner, a high-tech feature that Apple
Inc says makes users' data more secure.
A micro venture capital firm joined a group of security
researchers to offer more than $13,000 in cash along with
bottles of booze, Bitcoin currency, books and other goodies to
the first hacker who breaks the device in a contest promoted on
the website
Arturas Rosenbacher, founding partner of Chicago's IO
Capital, which donated $10,000 to the hacking competition, said
that the effort will bring together some of the hacking
community's smartest minds to help Apple identify bugs that it
may have missed.
"This is to fix a problem before it becomes a problem," he
said. "This will make things safer."
Meanwhile, Forbes.com reported that a 36-year-old soldier
living in Spain's Canary Islands, Jose Rodriguez, has already
uncovered a security vulnerability affecting iOS 7, which Apple
began distributing to existing iPhone and iPad customers on
Wednesday.
The publication said that it is possible to bypass the lock
screen of those devices in seconds to access photos, email,
Twitter and other applications. It included a video
demonstration on its website and advice on how users could
thwart the bypass technique:
Apple spokeswoman Trudy Muller told Reuters that the company
was preparing a fix that it would deliver as an update to iOS 7
when it was ready. "Apple takes user security very seriously,"
she said.
Among those getting ready for the hacking contest is David
Kennedy, a former U.S. Marine Corps cyber-intelligence analyst
who did two tours in Iraq and now runs his own consulting
firm, TrustedSec LLC.
"I am just waiting to get my hands on it to figure out how
to get around it first," the founder of the DerbyCon hacking
conference told the Thomson Reuters Global Markets Forum this
week. "I'll be up all night trying."
WHY WORRY?
Security experts worry about the implications of using the
module to grant access to sensitive data on the phone and
potentially enabling mobile purchases.
The fingerprint scanner on the top-of-the-line iPhone lets
users unlock their devices or make purchases on iTunes by simply
pressing their finger on the home button. It has been hailed as
a major step in popularizing the use of biometrics in personal
electronics.
Security engineer Charlie Miller, known in hacking circles
for uncovering major bugs in the iPhone as well as circumventing
security in Apple's App Store, said it could take fewer than two
weeks for Kennedy or some other smart hacker to get around the
new lock.
Once they're in, they could gain access to the cornucopia of
data typically stored on a user's iPhone and might potentially
be able to buy goods from iTunes and Apple's App Store.
Miller declined to comment on the hacking contest or
potential security vulnerabilities in the fingerprint reader.
To be sure, experts say they know of nothing intrinsically
wrong with Apple's fingerprint reader, based on what the company
has so far disclosed. Reviewers this week gushed over its ease
of use and reliability.
The reader's sapphire crystal sensor is embedded in the
phone's home button and reviews the fingerprint as a user
touches it to verify his or her identity.
Data used for verification is encrypted and stored in a
secure enclave of the phone's A7 processor chip. No information
is sent to any remote servers, including Apple's iCloud system.
HD Moore, a hacking expert and chief researcher with the
security software maker Rapid7, said such protections mean "the
bar is a little bit higher," but that certainly won't discourage
hackers from trying to break the new technology.
"This is definitely something to target and something people
will want to go after," he said.
NOTHING PERSONAL
Apple shouldn't take hackers' enthusiasm personally.
All major electronics products are subjected to similar
scrutiny as new features are rolled out, including devices from
Google Inc, Microsoft Corp and Samsung
Electronics Co.
For example, in 2012, Charlie Miller led a team that
demonstrated techniques for taking over smartphones running
Google's Android software through their use of near-field
communications, or NFC, a wireless technology used for sharing
data or making purchases at point-of-sales terminals.
Bugs are often disclosed by "white hats," hackers who
unearth flaws and report them so manufacturers can repair them,
preventing criminal exploitation. The hope is the good guys find
them before "black hats" uncover them.
White hats have found multiple security issues with iPhones,
iPads and in the App Store since Apple launched its first
smartphone in 2007. They say that scrutiny has helped make it
one of the most secure devices on the market today.
Apple executives said at last week's iPhone launch that the
new fingerprint reader, dubbed Touch ID, will help make phones
far more secure by dint of its ease of use.
About half of all smartphone users don't bother to use
current screen-locking technology because of the inconvenience
of keying in multiple-digit passwords. Apple is betting users
may be far more willing to avail themselves of a solution that
requires a single finger-swipe.
"The technology within Touch ID is some of the most advanced
hardware and software we put in any device," Dan Riccio, senior
vice president of hardware engineering, said at the event.
Kennedy said he needs to examine the new iPhone to figure
out how to best attempt an attack.
He said his choices include hacking the software that
analyzes the fingerprint data, or physically opening up the
phone and connecting it to a custom-built device that would
impersonate Apple's fingerprint reader.
He added that it might be possible to lift a user's
fingerprint from elsewhere on the device and somehow make a
clone of it.
Rich Mogull, an analyst with the security research firm
Securosis, said he planned to use it and expects it to be widely
adopted despite the fact that hackers are circling.
"Nobody has gotten their hands on it to see what the
weaknesses are and how easy it is to crack," Mogull said.
"We'll have to wait to see."