Company offers cash for iPhone 5S hacker

New iPhone 5S owners might want to reconsider their phone’s safety. Thieves can use finger residue to hack its thumbprint sensor.

And one IU student’s company will reward thousands of dollars to whoever proves the security breaches don’t stop there.

IU senior Arturas Rosenbacher’s venture capital firm is offering a $10,000 reward to the first person or group who can digitally hack the new program, removing the sensor lock software to access an individual’s phone.

Rosenbacher, a computer science major who transferred to IU in August 2012, is a founding partner of a Chicago-based firm I/O Capital, which invests in startup companies.

On Saturday, I/O Capital joined a group of companies and people worldwide pledging monetary awards for a competition to hack the new sensor technology.

The competition, called #IsTouchIdHackedYet, required hackers to submit a video showing their solution to hack the sensor.

On Sunday, a biometrics hacking team from Germany-based Chaos Computer Club submitted a video solution in which the phone user unlocked the sensor by taking a photo of a fingerprint from a glass surface to create a “fake finger.”

The #IsTouchIdHackedYet group of companies officially declared Starbug, a member of the Chaos Computer Club, the competition’s winner. Starbug will receive more than $7,000 as well as non-monetary gifts, such as bitcoin funds and bottled wine.

They can then decide whether or not to approach Apple with their solution.

But when Rosenbacher heard of Starbug’s solution, he and his firm decided to withdraw their $10,000 pledge from the competition.
 
He argued Starbug’s hacking did not provide a digital solution. Rather, it physically unlocked the sensor using “lifted prints” from finger residue.

The company decided to restructure its terms and conditions into a separate contest focused on a fully digital solution.

It will still offer its $10,000 to the first person who hacks the sensor using software and hardware, but the contest will now have a new name, which is yet to be determined.

“We are being much more vigilant and specific,” Rosenbacher said. “We are looking for someone to use technology to get into the software to take the digital print off the phone. We want someone to use technology, not finger residue.”

Once I/O Capital receives a solution, it will contact Apple employees within 24 hours of verification, informing them of the method used to hack the program, Rosenbacher said. He said he hopes Apple can use the information to patch the bug, and prevent future hacking.

“Our main concern is a malicious hacker trying to do the same thing, so we are taking it upon ourselves to try to figure it out,” Rosenbacher said.

The #IsTouchIdHackedYet competition began before the new iPhone was released Friday.

Nick DePetrillo, a security researcher and independent consultant in Silicon Valley, said he  decided to create the contest with a team of his friends.

“It started out as a joke, I believed it wouldn’t be too trivial to hack, so instead of arguing with my friends about it I threw money at the problem,” DePetrillo said.
He offered $100 to anyone who could hack the program and send in the video, but the contest expanded to include pledges from about 90 different individuals or investment companies.

“My $100 turned into $1,000 which turned into $15,000,” Depetrillo said.

After I/O Capital withdrew its pledge, that total dropped down to about $7,000 in pledges.

Depetrillo refrained from commenting about Rosenbacher’s decision to step out of the pool of pledges.

He said he was amazed at how quickly solutions were submitted. Three submissions were made as of Sunday night, but Starbug was the first to provide video proof of a legitimate solution.

“I’m extremely impressed and I’m not surprised,” Depetrillo said. “The Chaos Computer Club has some of the smartest hackers in the computer world.”

Rosenbacher is a full-time student at IU while also managing his venture capital firm. I/O Capital just sold its Chicago office, and is now considering selling the company late next year, Rosenbacher said. 

He said he takes regular flights from Bloomington to Chicago for meetings and negotiations. The company, founded February 2012, began making iPhone applications, and decided to begin supporting the growth of young entreprenuers’
companies.

“There are a lot of startups trying to get off the ground, especially at IU,” Rosenbacher said. “We help them when they’re still in infant stages.”

Rosenbacher said although the contest has gotten the word out about his company, his primary motive is to prevent future ill-natured hacking.

“If we can figure it out before some malicious hacker, we can save Apple a lot of time and money, and also people from being hacked,” Rosenbacher said.

Follow reporter Sara Nash on Twitter @sarakatenash.

— Samantha Schmidt contributed reporting