iPhone Fingerprint Hack Contest Dangles $18,000

9 Android Apps To Improve Security, Privacy

Cryptographers, security researchers, entrepreneurs and at least one journalist and vulnerability broker have been pooling their resources to offer a reward to the first person who manages to successfully fool the Touch ID biometric fingertip scanner built into the new iPhone 5s and unlock.

The Touch ID hacking bounty, first reported by ZDNet, was kicked off following a Wednesday conversation between security researchers Don Bailey and Nick DePetrillo, which resulted in DePetrillo making the following offer via Twitter: "I will pay the first person who successfully lifts a print off the iPhone 5s screen, reproduces it and unlocks the phone in < 5 tries $100."

"All I ask is a video of the process from print, lift, reproduction and successful unlock with reproduced print," he said. "I'll put money on this."

In short order he did put money on it, and was soon joined by others. According to the IsTouchIDHackedYet? website that he set up with network IPS pioneer and Errata Security CEO Robert David Graham to track the bids, pledgers have included John Hopkins cryptography professor Matthew Green, the Bangkok-based vulnerability seller known as the GrugQ, as well as Arturas Rosenbacher of IO Capital, who Thursday sweetened the pot by $10,000.

[ Guard your smartphone in these cities: Chicago Leads In Smartphone Thefts. ]

By Friday morning, 82 people had been recorded as collectively promising erotica, wine, bourbon, bitcoins and Scottish whisky, as well as cold, hard cash -- nearly $19,000, including the value of bitcoins and euros pledged -- to the winner. The organizers promised to continue watching for related pledges on Twitter.

The popularity of the Touch ID hacking contest seemed to take the organizers by surprise. "Our unofficial internet contest that's based entirely on honor system pledges to defeat a technology that isn't out yet is hysterical," tweeted DePetrillo, who's a senior security researcher at Crucial Security. "Just think of the hackers whose girlfriends will be neglected while they go after this challenge," he added.

Graham said via Twitter that he was "astonished" at the interest in the contest. But he expressed skepticism that Touch ID can be hacked. "I doubt it will be successful ... which is why I'm betting $100 it won't be successful," he said via Twitter. In the meantime, however, he's already ponied up $70 for the hacking contest domain name and six months of hosting, Threatpost reported.

But finding a way to trick Touch ID isn't the only goal of the effort, co-founder Don Bailey, who's a senior security researcher at iSec Partners, told Threatpost. "We want to get more people aware of the new pieces of hardware functionality coming out," he said. "Because not a lot of people are looking at hardware security, and by doing things like this we get to put a spotlight on security in places where people usually presume it's either too easy or too hard."