Hackers offered cash, booze to crack iPhone fingerprint security

Effort will bring together hacking community's smartest minds to identify bugs Apple may have missed

A donor to the hacking campaign said the contest is meant to help Apple identify any bugs it may have missed.
Glenn Chapman/AFP/Getty Images

Hackers are gearing up for Friday's iPhone 5S release with a contest to crack the device's first fingerprint scanner, a new high-tech feature that Apple says makes users' data more secure.

A micro-venture-capital firm joined a group of security researchers to offer more than $13,000 in cash along with bottles of booze, books and other goodies to the first hacker who breaks the device, in a contest promoted on the website

Arturas Rosenbacher, a founding partner of Chicago's IO Capital, which donated $10,000 to the hacking competition, said that the effort will bring together some of the hacking community's smartest minds to help Apple identify bugs that it may have missed.

"This is to fix a problem before it becomes a problem," he said.

Forbes, meanwhile, reported that a 36-year-old soldier living in Spain's Canary Islands, Jose Rodriguez, has already uncovered a security vulnerability affecting iOS 7, which Apple began distributing to existing iPhone and iPad customers on Wednesday.

The publication said that it is possible to bypass the lock screen of those devices in seconds to access photos, email, Twitter and other applications. It included a video demonstration on its website and advice on how users could thwart the bypass technique.

Apple spokeswoman Trudy Muller said that the company was preparing a fix that it would deliver as an update to iOS 7 when it was ready.  

Security experts worry about the implications of using the fingerprint scanner to grant access to sensitive data on the phone and authorize mobile purchases.

A cornucopia of data

The fingerprint scanner on the top-of-the-line iPhone lets users unlock their devices or make purchases on iTunes simply by pressing their finger on the home button.

Security engineer Charlie Miller, known in hacking circles for uncovering major bugs in the iPhone as well as circumventing security in Apple's App Store, said smart hackers could need less than two weeks to get around the new lock.

Once they're in, they could gain access to the cornucopia of data typically stored on a user's iPhone and might be able to buy items from iTunes and Apple's App Store.

To be sure, experts say they know of nothing intrinsically wrong with Apple's fingerprint reader on the basis of what the company has so far disclosed. Reviewers this week gushed over its ease of use and reliability.

The scanner's sapphire crystal sensor is embedded in the phone's home button and reviews the fingerprint as a user touches it to verify his or her identity.

Apple says data used for verification is encrypted and stored in a secure enclave of the phone's A7 processor chip and that no information is sent to any remote servers, including Apple's iCloud system.

HD Moore, a hacking expert and chief researcher with security software maker Rapid7, said such protections mean "the bar is a little bit higher," but that certainly won't discourage hackers from trying to break the new technology.

Bugs are often revealed by "white hats," hackers who unearth flaws and report them so manufacturers can repair them, preventing criminal exploitation. The hope is the good guys find them before "black hats" uncover them.

White hats have found multiple security issues with iPhones and iPads and in the App Store since Apple released its first smartphone in 2007.

David Kennedy, a former US Marine Corps cyberintelligence analyst who did two tours in Iraq and now runs his own consulting firm, TrustedSec, said he needs to examine the new iPhone to figure out the best course of attack.

He said his choices include hacking the software that analyzes the fingerprint data or physically opening the phone and connecting it to a custom-built device that impersonates Apple's fingerprint reader.

He added that it might be possible to lift a user's fingerprint from elsewhere on the phone and somehow replicate it.

Al Jazeera and Reuters
