Thousand-dollar iPhone X's Face ID wrecked by '$150 3D-printed mask'

Apple's facial-recognition login system in its rather expensive iPhone X can be, it is claimed, fooled by a 3D-printed mask, a couple of photos, and a blob of silicone. Bkav Corporation, a tech security biz with offices in the US and Singapore, specializes in bypassing facial-recognition systems, and set out to do the same …

  1. Slap

    When will they learn

    When will they learn:-

    Biometrics = piss poor security

    This isn't fucking Star Trek.

  2. Anonymous Coward

    Re: When will they learn

    Biometrics suck regarding security. My lover opened my phone when I was asleep with my finger and went through all my messages. Not good and she wasn't happy. A plain 4-digit passcode beats all this malarkey from a security perspective, but people just want "easy" - but at what cost?

  3. Voland's right hand Silver badge

    Re: When will they learn

    My lover opened my phone when I was asleep with my finger

    Did she make the plane land as a result?

    https://www.theguardian.com/world/2017/nov/08/qatar-airways-plane-forced-to-land-after-wife-discovers-husbands-affair-midflight

  4. Hans 1 Silver badge

    Re: When will they learn

    The glass you used for dinner, chicken wings for dinner, some candle wax, and she could have done so while you were in the shower ....

    Lesson, don't mess with other ladies ... they have a sixth sense and, sooner or later, you will make a mistake or some one night stand will fall in love with you .... been there, seen that happen ...

  5. zbmwzm3

    Re: When will they learn

    Nothing wrong with using multiple ways of authentication as long as you use them together, you know, as is best practice. I believe Star Trek used biometrics on the cellular level, but also just good ol' anal probing for most cases. Data hated it because it would tickle his hard drive.

  6. zbmwzm3

    Re: When will they learn

    So enable both you tool.

  7. Anonymous Coward

    Re: When will they learn

    Everyone* is well aware that common biometric authentication methods currently may be less secure than methods such as strong passwords or PIN codes. The deal is that you make a trade-off between security and convenience; it's not hard to understand. I wouldn't go back to using a phone without a fingerprint sensor, for example. I know it's possible for someone to get an image of my fingerprint and create something that might let them unlock my phone, or more likely someone could forcibly use my finger to unlock my phone. However I weigh the perceived risk of that happening against the convenience of not having to enter a pin every time I pick up the phone, and it comes down heavily on the side of convenience. Everything in life involves some risk.

    So back to this particular article, your "piss poor security" means that someone is going to spend hundreds of dollars making a fake face of someone whose head they somehow got a 3D scan of, to try to unlock a phone that's probably going to be remote-wiped before they get that far, on the off chance that they'll find something useful on it? Really? This is really a big concern to you? Genuine question. Because clickbaity headline aside, I severely doubt that this method will ever be used in the real world, though it's an interesting demonstration of the technique.

    *or almost everyone, anyway

  8. Anonymous Coward

    Re: When will they learn

    No, but I got a roasting!

    I wonder if that is where she got the idea from...

    She had been asking questions for a while but thankfully she has forgiven me.

  9. bombastic bob Silver badge
    Unhappy

    Re: When will they learn

    I had always figured it would fall apart if I didn't shave for a while or facial hair got longer. Might even pose a problem if you get a radical haircut, are wearing glasses, or if women put on different style eye makeup.

    Otherwise it might be "too permissive". False positives and false negatives, all equally bad.

  10. Mephistro Silver badge

    Re: When will they learn (@ AC)

    "...means that someone is going to spend hundreds of dollars making a fake face of someone whose head they somehow got a 3d scan of, ..."

    If they can sell the iPhone online as a 2nd hand unit for $500 or more, that's a very good margin. This would be a typical task for some "specialist" who takes a nice cut for every phone unprotected. The 3D head scanning thing can be done nowadays with software that uses several pictures or a video as input.

    "...a phone that's probably going to be remote-wiped before they get that far..."

    Unless the thief has a "Faraday Envelope" to take the phone to the Specialist's "Faraday Room".

    Not all criminals are dumb, and some of them are clever and adapt quickly. You usually don't hear about this kind of crims in the news. And because of this (in my opinion, at least) Apple is at fault here.

  11. MacroRodent Silver badge

    Re: When will they learn (@ AC)

    > Unless the thief has a "Faraday Envelope" to take the phone to the Specialist's "Faraday Room".

    Thief - or police. I recently browsed a book about mobile phone forensics, which pretty much started by presenting the requirement of ensuring the phone cannot be wiped remotely.

  12. Prst. V.Jeltz Silver badge

    Re: When will they learn (@ AC)

    "that's a very good margin"

    You'd think a criminal with those skills, determination, time and resources would use them on something with more margin than a $1000 iPhone, like a $100,000 Range Rover for instance.

  13. gnasher729 Silver badge

    Re: When will they learn (@ AC)

    Come on, this doesn’t help a thief.

    You’d have to steal a phone and get a 3D mask of the owner. Hard to do without kidnapping which means serious jail time.

    Then you can unlock the phone once. For at most four days. Then you need the passcode and you have no way to get it. Without passcode you can’t change the Apple ID and without that you can’t reset the phone. It is forever connected with the Apple ID and can be tracked by the user.

    And a phone in a faraday cage can’t make phone calls, can’t get on the internet, and is quite useless.

  14. Anonymous Coward

    Re: When will they learn (@ AC)

    " like a $100,000 Range Rover for instance"

    Sorry you don't need much skill to steal one of those.

    http://www.telegraph.co.uk/news/uknews/road-and-rail-transport/12172649/Thieves-target-high-value-Range-Rovers-with-keyless-entry-systems.html

  15. Anonymous Coward

    Re: When will they learn (@ AC)

    "You’d have to steal a phone and get a 3D mask of the owner. Hard to do without kidnapping which means serious jail time."

    Go back, read article.

  16. Dave 126 Silver badge

    Re: When will they learn (@ AC)

    @bombastic Bob

    My understanding is that Face ID adapts to gradual changes in a user's face, so growing a beard wouldn't confuse it, but shaving off an established beard would cause it to request the passcode.

    The passcode is also required if the phone has not been unlocked for a period of time; it is required after a few unsuccessful attempts to log in with Face ID; it is required after a power reset; it is required to connect the phone to a computer even if unlocked at the time; and it is required if the user hits the power button five times in two seconds.

  17. Stoneshop Silver badge
    Facepalm

    Re: When will they learn (@ AC)

    You'd think a criminal with those skills, determination, time and resources would use them on something with more margin than a $1000 iPhone, like a $100,000 Range Rover for instance.

    Well, when that iPhone has the access code to the remote-controlled front door to the $1,000,000 house[0] that that Range Rover is parked in[1], those $150 and a few hours of 3D-printing and tweaking sound like a worthwhile investment.

    [0] See just about any of the articles on IoT lack of security convenience and the punters who fall for that.

    [1] Never mind that there's probably some other stuff worth loading into the back of that Range Rover before taking off.

  18. phuzz Silver badge
    Go

    Re: When will they learn (@ AC)

    "something with more margin than a $1000 iphone , like a $100,000 Range Rover for instance."

    The new Teslas use an app on a phone to unlock and start the car, so by pwning the $1000 phone, you've also just got access to their car as well.

    I'm going to guess most of the high end cars, including Range Rover, are going to introduce this over the next few years.

  19. Rainer

    Re: When will they learn (@ AC)

    > The new Teslas use an app on a phone to unlock and start the car, so by pwning the $1000 phone,

    > you've also just got access to their car as well.

    Also in the new Mercedes E-Class.

    But it does not work with iPhones...

  20. Stuart Castle

    Re: When will they learn

    Re: "The deal is that you make a trade-off between security and convenience; it's not hard to understand. I wouldn't go back to using a phone without a fingerprint sensor."

    Indeed. As my old Software Engineering Management lecturer (who actually included a lot of security info in his lectures, particularly focusing on secure design of systems) often reminded us, the old security adage is "Security, Ease of Use, Functionality. Pick two".

    Regarding the face mask, I can see it would be a problem if you have any valuable info on your device. Apple Pay is not so much a problem, as I would hope the staff of any given shop would notice if you suddenly pulled a face mask out of your bag and used it to pay for goods.

  21. tony
    Happy

    Re: When will they learn

    A ~£5 hammer will crack most people's password / PIN code.

  22. PNGuinn Silver badge
    Black Helicopters

    Re: When will they learn (@ AC) @Gnasher 739

    But if you DO have the phone and the owner ... serious jail time only if your name isn't TLA ... and have an automated motorised silicone mask computer linked to the camera that just took the 3D photo of the owner ... so much less messy than "traditional" methods.

    "And a phone in a faraday cage can’t make phone calls, can’t get on the internet, and is quite useless."

    You need an internet connected "Smart Michael" (TM). Make sure it's pwned, and then download all that tasty data off the 'Hintertoobz. Simples.

    >> only half in jest.

  23. JimboSmith Silver badge
  24. Muscleguy Silver badge

    Re: When will they learn

    If you are worth your phone being stolen for the info it contains then it will be put in a Faraday cage as soon as it is taken so it cannot be remote wiped or located. If you are going to go to all that trouble then Faraday cages would be a minimum and minor spend.

    That is all it takes to defeat the measures you list.

    Any physiology dept will have room-sized shielded rooms for a start. When you draw a glass pipette fine enough to penetrate a single cell for recording without lysing it, fill it with an ionic solution and stick a wire in it, you will have an antenna with an impedance of several megaohms. Thus the shielded rooms.

    Back in the day the lab postdoc doing muscle recordings in one ran the aerial wire from his transistor radio out of the room in order to get a signal.

    They were built into a larger space with a 15' stud with a ladder to get access to the roof. I would store my large photomontages of cross sections of developing muscle photographed in the electron microscope rolled up in groups up there. So they were multi-use structures.

  25. Mike Moyle Silver badge

    Re: When will they learn

    "I severely doubt that this method will ever be used in the real world, though it's an interesting demonstration of the technique."

    Most people, it appears, are thinking in terms of theft and resale of the phone. OTOH, could a 3D scan of a face be conducted at the same time that a mug-shot is taken? Because, at that point, the police/random TLA have a photo with the requisite feature bits that correspond perfectly to the 3D map AND possession of your phone.

    The future possibilities inherent in 4-color 3D printing, and the knock-on effects of that are left as an exercise for the reader.

  26. Voland's right hand Silver badge

    Re: When will they learn (@ AC)

    would use them on something with more margin than a $1000 iphone , like a $100,000 Range Rover

    Who told you that the target iPhone does not provide access to something else which is as valuable as a 100K Chelsea tractor (or even more)?

    If you have decided to spend a few hundred quid to defeat biometrics it is not just for any phone. It is for the phone of a particular mark.

  27. Uffish
    Headmaster

    Re: Faraday cage

    A phone in a Faraday cage can easily get on the internet by connecting to a wifi widget inside the cage. If you really want it spelled out, the wifi widget is connected to the internet via a nicely screened Ethernet cable which goes into the cage through an RF gasket. Other methods are also available.

    By the way, does the new iPhone have the same pass key security as the recent slightly-less-than-$1M-to-break-it example?

  28. 404 Silver badge
    Holmes

    Re: Star Trek

    ...used two step authentication for important shit like blowing up the Enterprise, voice ID and personal code/password.

    Star Trek wasn't Star Trek and Gene Roddenberry knew better in the 60's.... Hope for the future? Not so much.

  29. Kiwi Silver badge
    Coat

    Re: When will they learn

    A ~£5 hammer will crack most people's password / PIN code.

    Would a 5lb £5 hammer do the trick?

  30. Ken Moorhouse Silver badge

    Re: and added a silicone nose for realism.

    It was this that enabled them to conquer the security.

  31. Flatpackhamster

    Re: and added a silicone nose for realism.

    It worked for Inspector Clouseau.

  32. hplasm Silver badge
    Happy

    Re: and Added a SILICONE NOSE for realism.

    So it IS Star Trek! NG or Voyager?

  33. Prst. V.Jeltz Silver badge
    Trollface

    Re: and added a silicone nose for realism.

    I'm surprised it took more than an inkjet photo printout to fool it. Well done, Apple!

  34. MyffyW Silver badge

    Re: and Added a SILICONE NOSE for realism.

    I know for a fact Janeway would use a PIN code - probably the Avogadro constant.

  35. Rich 11 Silver badge

    Re: and Added a SILICONE NOSE for realism.

    To 24 digits.

  36. JimboSmith Silver badge
    Gimp

    Re: and Added a SILICONE NOSE for realism.

    I know for a fact Janeway would use a PIN code - probably the Avogadro constant.

    Nah probably 8472

  37. Midnight

    Re: and Added a SILICONE NOSE for realism.

    But Picard would use 173467321476C32789777643T732V73117888732476789764376.

  38. Scubadynamo

    Nothing to worry about

    This is actually probably quite difficult to do for your average thief. I'd be comfortable with Face ID if I knew this was the length someone had to go to to get past the lock screen on my phone. And surely this is harder than obtaining someone's fingerprints and replicating them.

    I'm quite impressed by Face ID to be honest. I was worried it was going to be like its Android counterparts that can easily be fooled by a photo and often require you to line your phone up exactly to your eyes. Apple appear to be pioneers of this tech. Which is odd because usually they wait for it to mature on the competition before implementing it on their own devices.

    Still wouldn't get an iPhone X though, first gen Apple products ought to be avoided in my experience. The iPad 1 and the Apple Watch are good examples as to why.

  39. Pen-y-gors Silver badge

    Re: Nothing to worry about

    Fair point about the general risk.

    However I shall continue to not buy Apple products of any generation, at least until I win the Lottery - then I may buy one for my butler.

  40. DougS Silver badge

    Re: Nothing to worry about

    After the X was announced I saw an article written by a guy who works on military grade biometric scanners. He said based on the hardware Apple was using, it should be capable of telling the difference between real skin and silicone based on the translucency of skin, and the difference between living or dead based on the heat patterns of underlying blood flow. However, he said the software to do that properly was incredibly complex, and there was no way Apple would be able to do it without a ton of work. He expected they'd improve its resistance to fakery somewhat over time, but they'd stop short of how good it could be because he didn't believe the investment could be justified for a phone.

    After having my X for a week and a half I have to say I'm pretty impressed with Face ID. It works quickly enough that I don't have to think about it: I pick up my phone and swipe 'up' in one motion, and it scans my face and unlocks every time without any perceptible delay. Just like Touch ID in that respect. It even works in complete darkness (I tried it in a room in my basement that has no windows). The first time I wore sunglasses it wouldn't unlock, but every other time it did. Sure, if someone 3D prints my face and appropriately follows the rest of the stuff these guys did they can unlock my phone, but they would have had an even easier time lifting my fingerprint off something I touched to beat a fingerprint reader.

  41. Doctor Syntax Silver badge

    Re: Nothing to worry about

    "This is actually probably quite difficult to do for your average thief. Id be comfortable with face ID if I knew this was the length someone had to go to get past the lock screen on my phone."

    Your average mugger, however, just has to wave the phone in front of your face. But look on the bright side - it's a disincentive to damage your face too much.

  42. Sandtitz Silver badge
    Thumb Up

    Re: Nothing to worry about

    "Your average mugger, however, just has to wave the phone in front of your face."

    Muggers can also decrypt with either a rubber hose or a cigar cutter (see icon). Stick to passwords, pins and such if you wish to deny the coppers.

  43. Dave 126 Silver badge

    Re: Nothing to worry about

    If you wish to deny the coppers or border agents, you tap the power button five times in two seconds (or the home button on other iPhones) to have the phone require the passcode.

    The passcode is also required if the phone has not been unlocked for a period of time; it is required after a few unsuccessful attempts to log in with Face ID; it is required after a power reset; and it is required to connect the phone to a computer even if unlocked at the time, to prevent forensic cloning of the phone.

  44. Dan 55 Silver badge

    Re: Nothing to worry about

    Denying the coppers is not really an option in many countries. At least they won't have rubber hoses or cigar cutters though.

  45. Dave 126 Silver badge

    Re: Nothing to worry about

    Indeed, denying the coppers is either not an option or else more trouble than it's worth (unless you're a Guardian journalist's boyfriend)

  46. PNGuinn Silver badge
    Go

    Re: Nothing to worry about @scubadynamo

    You're assuming that you need all that hi-tech malarkey to crack it.

    Has anyone tried a papier-mâché mockup instead?

    Or an enlarged selfie piccie of someone looking vaguely like the ex-owner, not even taken with an ithing?

    or ...

    Q lots of people competing to find the simplest crack.

  47. Anonymous Coward

    Re: The Need For Speed

    "Which is odd because usually they wait for it to mature on the competition before implementing it on their own devices."

    You mean like the Note 3, which had face unlock back in mid 2013?....

  48. DougS Silver badge

    Re: The Need For Speed

    You mean face unlock that could be fooled by a picture of the person - even by holding a phone up to the Note 3? Samsung's implementation of face unlock is almost useless when it can be fooled with a Facebook profile photo!

  49. djstardust Silver badge

    Why oh why

    Why do Apple do this to themselves?

    No-one had issue with the fingerprint scanner or a passcode.

  50. Len Goddard

    Re: Why oh why

    Because they want to unlock it from the front and they can't make the fingerprint scanner work through the screen glass.

    Really a fingerprint scanner on the back is no problem provided you put it in the right place. I just bought a Pixel 2 and the scanner falls under my index finger when I pick it up. Registered both index fingers so I can use either hand.


Biting the hand that feeds IT © 1998–2018