back to article Thousand-dollar iPhone X's Face ID wrecked by '$150 3D-printed mask'

Apple's facial-recognition login system in its rather expensive iPhone X can be, it is claimed, fooled by a 3D printed mask, a couple of photos, and a blob of silicone. Bkav Corporation, an tech security biz with offices in the US and Singapore, specializes in bypassing facial-recognition systems, and set out to do the same …

  1. Slap

    When will they learn

    When will they learn:-

    Biometrics = piss poor security

    This isn't fucking Star Trek.

    1. Anonymous Coward
      Anonymous Coward

      Re: When will they learn

      Biometrics suck regarding security. My lover opened my phone when I was asleep with my finger and went through all my messages. Not good and she wasn't happy. A plain 4-digit passcode beats all this malarkey from a security perspective, but people just want "easy" - but at what cost?

      1. Voland's right hand Silver badge

        Re: When will they learn

        My lover opened my phone when I was asleep with my finger

        Did she make the plane land as a result?

        https://www.theguardian.com/world/2017/nov/08/qatar-airways-plane-forced-to-land-after-wife-discovers-husbands-affair-midflight

        1. Anonymous Coward
          Anonymous Coward

          Re: When will they learn

          No, but I got a roasting!

          I wonder if that is where she got the idea from...

          She had been asking questions for a while but thankfully she has forgiven me.

        2. JimboSmith Silver badge
      2. Hans 1 Silver badge

        Re: When will they learn

        The glass you used for dinner, chicken wings for dinner, some candle wax, and she could have done so while you were in the shower ....

        Lesson, don't mess with other ladies ... they have a sixth sense and, sooner or later, you will make a mistake or some one night stand will fall in love with you .... been there, seen that happen ...

        1. 404 Silver badge
          Holmes

          Re: Star Trek

          ...used two step authentication for important shit like blowing up the Enterprise, voice ID and personal code/password.

          Star Trek wasn't Star Trek and Gene Roddenberry knew better in the 60's.... Hope for the future? Not so much.

      3. zbmwzm3

        Re: When will they learn

        So enable both you tool.

    2. zbmwzm3

      Re: When will they learn

      Nothing wrong with using multiple ways of authentication as long as you use them together, you know as is best practice. I believe Star trek used biometrics on the cellular level, but also just good ol'anal probing for most cases. Data hated it because it would tickle his hard drive.

    3. Anonymous Coward
      Anonymous Coward

      Re: When will they learn

      Everyone* is well aware that common biometric authentication methods currently may be less secure than methods such as strong passwords or PIN codes. The deal is that you make a trade-off between security and convenience; it's not hard to understand. I wouldn't go back to using a phone without a fingerprint sensor, for example. I know it's possible for someone to get an image of my fingerprint and create something that might let them unlock my phone, or more likely someone could forcibly use my finger to unlock my phone. However I weigh the perceived risk of that happening against the convenience of not having to enter a pin every time I pick up the phone, and it comes down heavily on the side of convenience. Everything in life involves some risk.

      So back to this particular article, your "piss poor security" means that someone is going to spend hundreds of dollars making a fake face of someone whose head they somehow got a 3d scan of, to try to unlock a phone that's probably going to be remote-wiped before they get that far, on the off chance that they'll find something useful on it? Really? This is really a big concern to you? Genuine question. Because clickbaity headline aside, I severly doubt that this method will ever be used in the real world, though it's an interesting demonstration of the technique.

      *or almost everyone, anyway

      1. Mephistro Silver badge

        Re: When will they learn (@ AC)

        "...means that someone is going to spend hundreds of dollars making a fake face of someone whose head they somehow got a 3d scan of, ..."

        If they can sell the iPhone online as a 2nd hand unit for $500 or more, that's a very good margin. This would be a typical task for some "specialist" who takes a nice cut for every phone unprotected. The 3d head scanning thing can be done nowadays with a software that uses several pictures or a video as input.

        "...a phone that's probably going to be remote-wiped before they get that far..."

        Unless the thief has a "Faraday Envelope" to take the phone to the Specialist's "Faraday Room".

        Not all criminals are dumb, and some of them are clever and adapt quickly. You usually don't hear about this kind of crims in the news. And because of this -In my opinion, at least- Apple is at fault here.

        1. MacroRodent Silver badge

          Re: When will they learn (@ AC)

          > Unless the thief has a "Faraday Envelope" to take the phone to the Specialist's "Faraday Room".

          Thief - or police. I recently browsed a book about mobile phone forensics, which pretty much started by presenting the requirement of ensuring the phone cannot be wiped remotely.

        2. Prst. V.Jeltz Silver badge

          Re: When will they learn (@ AC)

          "that's a very good margin"

          you'd think a criminal with with those skills , determination , time , resources would use them on something with more margin than a $1000 iphone , like a $100,000 Range Rover for instance.

          1. Anonymous Coward
            Anonymous Coward

            Re: When will they learn (@ AC)

            " like a $100,000 Range Rover for instance"

            Sorry you don't need much skill to steal one of those.

            http://www.telegraph.co.uk/news/uknews/road-and-rail-transport/12172649/Thieves-target-high-value-Range-Rovers-with-keyless-entry-systems.html

          2. Stoneshop Silver badge
            Facepalm

            Re: When will they learn (@ AC)

            you'd think a criminal with with those skills , determination , time , resources would use them on something with more margin than a $1000 iphone , like a $100,000 Range Rover for instance.

            Well, when that iPhone has the access code to the remote-controlled front door to the $1.000.000 house[0] that that Range Rover is parked in[1], those $150 and a few hours of 3D-printing and tweaking sounds like a worthwhile investment.

            [0] See just about any of the articles on IoT lack of security convenience and the punters who fall for that.

            [1] Never mind that there's probably some other stuff worth loading into the back of that Range Rover before taking off.

          3. phuzz Silver badge
            Go

            Re: When will they learn (@ AC)

            "something with more margin than a $1000 iphone , like a $100,000 Range Rover for instance."

            The new Teslas use an app on a phone to unlock and start the car, so by pwning the $1000 phone, you've also just got access to their car as well.

            I'm going to guess most of the high end cars, including Range Rover, are going to introduce this over the next few years.

            1. Rainer

              Re: When will they learn (@ AC)

              > The new Teslas use an app on a phone to unlock and start the car, so by pwning the $1000 phone,

              > you've also just got access to their car as well.

              Also in the new Mercedes E-Class.

              But it does not work with iPhones...

          4. Voland's right hand Silver badge

            Re: When will they learn (@ AC)

            would use them on something with more margin than a $1000 iphone , like a $100,000 Range Rover

            Who told you that the target iPhone does not provide access to something else which as valuable as a 100K Chelsea tractor (or even more).

            If you have decided to spend a few hundred quid to defeat biometrics it is not just for any phone. It is for the phone of a particular mark.

        3. gnasher729 Silver badge

          Re: When will they learn (@ AC)

          Come on, this doesn’t help a thief.

          You’d have to steal a phone and get a 3D mask of the owner. Hard to do without kidnapping which means serious jail time.

          Then you can unlock the phone once. For at most four days. Then you need the passcode and you have no way to get it. Without passcode you can’t change the Apple ID and without that you can’t reset the phone. It is forever connected with the Apple ID and can be tracked by the user.

          And a phone in a faraday cage can’t make phone calls, can’t get on the internet, and is quite useless.

          1. Anonymous Coward
            Anonymous Coward

            Re: When will they learn (@ AC)

            "You’d have to steal a phone and get a 3D mask of the owner. Hard to do without kidnapping which means serious jail time."

            Go back, read article.

            1. Dave 126 Silver badge

              Re: When will they learn (@ AC)

              @bombastic Bob

              My understanding is that Face ID adapts to gradual changes in a users face, so growing a beard wouldn't confuse it but shaving off an established beard would cause it to request the passcode.

              The passcode is also required if the phone has not been unlocked for a period of time, it is required after a few unsuccessful attempts to login with Face ID, it is required after a power reset, it is required to connect the phone to a computer even if unlocked at the time, it is required if the user hits the power button five times in two seconds.

          2. PNGuinn Silver badge
            Black Helicopters

            Re: When will they learn (@ AC) @Gnasher 739

            But if you DO have the phone and the owner ... serious jail time only if your name isn't TLA ... and have an automated motorised silicone mask computer linked to the camera that just took the 3d photo of the owner ... so much less messy that "Traditional" methods.

            "And a phone in a faraday cage can’t make phone calls, can’t get on the internet, and is quite useless."

            You need an internet connected "Smart Michael" (TM). Make sure it's pwned, and then download all that tasty data off the 'Hintertoobz. Simples.

            >> only half in jest.

          3. Uffish
            Headmaster

            Re: Faraday cage

            A phone in a Faraday cage can easily get on the internet by connecting to a a wifi widget inside the cage. If you really want it spelled out, the wifi widget is connected to the internet via a nicely screened Ethernet cable which goes into cage through an RF gasket. Other methods are also available.

            By the way does the new iPhone have the same pass key security as the recent slightly-less-than-$1M-to break-it example.

      2. Stuart Castle

        Re: When will they learn

        Re: " The deal is that you make a trade-off between security and convenience; it's not hard to understand. I wouldn't go back to using a phone without a fingerprint sensor," .

        Indeed. As my old Software Engineering Management lecturer (who actually included a lot of security info in his lectures, particularly focusing on secure design of systems) often reminded us, the old security adage is "Security, Ease of Use, Functionality. Pick two".

        Regarding the face mask, I can see it would be a problem If you have any valuable info on your device. Apple Pay is not so much a problem as I would hope the staff of any given shop would notice if you suddenly pulled a face mask out of your bag and used it to pay for goods.

      3. Muscleguy Silver badge

        Re: When will they learn

        If you are worth your phone being stolen for the info it contains then it will be put in a Faraday cage as soon as it is taken so it cannot be remote wiped or located. If you are going to go to all that trouble then Faraday cages would be a minimum and minor spend.

        That is all it takes to defeat the measures you list.

        Any Physiology dept will have room sized shielded rooms for a start. When you draw a glass pipette fine enough to penetrate a single cell for recording without lysing it, fill it with an ionic solution and stick a wire in it you will have an antenna with an impedance of several mega Ohms. Thus the shielded rooms.

        Back in the day the lab postdoc doing muscle recordings in one ran the aerial wire from his transistor radio out of the room in order to get a signal.

        They were built into a larger space with a 15' stud with a ladder to get access to the roof. I would store my large photomontages of cross sections of developing muscle photographed in the electron microscope rolled up in groups up there. So they were multi-use structures.

      4. Mike Moyle Silver badge

        Re: When will they learn

        "I severly doubt that this method will ever be used in the real world, though it's an interesting demonstration of the technique."

        Most people, it appears, are thinking in terms of theft and resale of the phone. OTOH, could a 3D scan of a face be conducted at the same time that a mug-shot is taken? Because, at that point, the police/random TLA have a photo with the requisite feature bits that correspond perfectly to the 3D map AND possession of your phone.

        The future possibilities inherent in 4-color 3D printing, and the knock-on effects of that are left as an exercise for the reader.

    4. bombastic bob Silver badge
      Unhappy

      Re: When will they learn

      I had always figured it would fall apart if I didn't shave for a while or facial hair got longer. Might even pose a problem if you get a radical haircut, are wearing glasses, or if women put on different style eye makeup.

      otherwise it might be "too permissive". False positives and false negatives, all equally bad.

    5. tony
      Happy

      Re: When will they learn

      A ~£5 hammer will crack most peoples password / pin code.

      1. Kiwi
        Coat

        Re: When will they learn

        A ~£5 hammer will crack most peoples password / pin code.

        Would a 5lb £5 hammer do the trick?

  2. Ken Moorhouse Silver badge

    Re: and added a silicone nose for realism.

    It was this that enabled them to conquer the security.

    1. Flatpackhamster

      Re: and added a silicone nose for realism.

      It worked for Inspector Clouseau.

    2. hplasm Silver badge
      Happy

      Re: and Added a SILICONE NOSE for realism.

      So it IS Star Trek! NG or Voyager?

      1. MyffyW Silver badge

        Re: and Added a SILICONE NOSE for realism.

        I know for a fact Janeway would use a PIN code - probably the Avogadro constant.

        1. Rich 11 Silver badge

          Re: and Added a SILICONE NOSE for realism.

          To 24 digits.

        2. JimboSmith Silver badge
          Gimp

          Re: and Added a SILICONE NOSE for realism.

          I know for a fact Janeway would use a PIN code - probably the Avogadro constant.

          Nah probably 8472

          1. Midnight

            Re: and Added a SILICONE NOSE for realism.

            But Picard would use 173467321476C32789777643T732V73117888732476789764376.

    3. Prst. V.Jeltz Silver badge
      Trollface

      Re: and added a silicone nose for realism.

      I'm surprised it took more than an inkjet photo printout to fool it. well done apple!

  3. Scubadynamo

    Nothing to worry about

    This is actually probably quite difficult to do for your average thief. Id be comfortable with face ID if I knew this was the length someone had to go to get past the lock screen on my phone. And surely this is harder than obtaining someones fingerprints and replicating them.

    Im quite impressed by Face-ID to be honest. I was worried it was going to be like its Android counterparts that can easily be fooled by a photo and often require you to line your phone up exactly to your eyes. Apple appear to be pioneers of this tech. Which is odd because usually they wait for it to mature on the competition before implementing it on their own devices.

    Still wouldnt get an iPhone X though, first gen Apple products ought to be avoided in my experience. The iPad 1 and the Apple watch are good examples as to why.

    1. Pen-y-gors Silver badge

      Re: Nothing to worry about

      Fair point about the general risk.

      However I shall continue to not buy Apple products of any generation, at least until I win the Lottery - then I may buy one for my butler.

    2. DougS Silver badge

      Re: Nothing to worry about

      After the X was announced I saw an article written by a guy who works on military grade biometric scanners. He said based on the hardware Apple was using, it should be capable of telling the difference between real skin and silicone based on the translucency of skin, and the difference between living or dead based on the heat patterns of underlying blood flow. However, he said the software to do that properly was incredibly complex, and there was no way Apple be able to do it without a ton of work. He expected they'd improve its resistance to fakery somewhat over time, but they'd stop short of how good it could be because he didn't believe the investment could be justified for a phone.

      After having my X for a week and a half I have to say I'm pretty impressed with Face ID. It works quickly enough I don't have to think about it, I pick up my phone and swipe 'up' in one motion, and it scans my face and unlocks every time without any perceptible delay. Just like Touch ID in that respect. It even works in complete darkness (I tried it in a room in my basement that has no windows) The first time I wore sunglasses it wouldn't unlock but every other time it did. Sure, if someone 3D prints my face and appropriately follows the rest of the stuff these guys did they can unlock my phone, but they would have had an even easier time lifting my fingerprint off something I touched to beat a fingerprint reader.

    3. Doctor Syntax Silver badge

      Re: Nothing to worry about

      "This is actually probably quite difficult to do for your average thief. Id be comfortable with face ID if I knew this was the length someone had to go to get past the lock screen on my phone."

      Your average mugger, however, just has to wave the phone in front of your face. But look on the bright side - it's a disincentive to damage your face too much.

      1. Sandtitz Silver badge
        Thumb Up

        Re: Nothing to worry about

        "Your average mugger, however, just has to wave the phone in front of your face."

        Muggers can also decrypt with either a rubber hose or a cigar cutter (see icon). Stick to passwords, pins and such if you wish to deny the coppers.

        1. Dave 126 Silver badge

          Re: Nothing to worry about

          If you wish to deny the coppers or border agents, you tap the power button five times in two seconds (or home button on other iPhones) to have the phone require the passcode.

          . This The passcode is also required if the phone has not been unlocked for a period of time, it is required after a few unsuccessful attempts to login with Face ID, it is required after a power reset, and it is required to connect the phone to a computer even if unlocked at the time - to prevent forensic cloning of the phone.

        2. Dan 55 Silver badge

          Re: Nothing to worry about

          Denying the coppers is not really an option in many countries. At least they won't have rubber hoses or cigar cutters though.

          1. Dave 126 Silver badge

            Re: Nothing to worry about

            Indeed, denying the coppers is either not an option or else more trouble than it's worth (unless you're a Guardian journalist's boyfriend)

    4. PNGuinn Silver badge
      Go

      Re: Nothing to worry about @scubadynamo

      You're assuming that you need all that hitech malarky to crack it.

      Has anyone tried a paper mache mockup instead?

      Or an enlarged selfie piccie of someone looking vaguely like the ex owner not even taken with an ithing?

      or ...

      Q lots of people competing to find the simplest crack.

    5. Anonymous Coward
      Anonymous Coward

      Re: The Need For Speed

      "Which is odd because usually they wait for it to mature on the competition before implementing it on their own devices."

      You mean like the Note 3, which had face unlock back in mid 2013?....

      1. DougS Silver badge

        Re: The Need For Speed

        You mean face unlock that could be fooled by a picture of the person - even by holding a phone up to the Note 3? Samsung's implementation of face unlock is almost useless when it can be fooled with a Facebook profile photo!

  4. djstardust Silver badge

    Why oh why

    Why do Apple do this to themselves.

    No-one had issue with the fingerprint scanner or a passcode.

    1. Len Goddard

      Re: Why oh why

      Because they want to unlock it from the front and they can't make the fingerprint scanner work through the screen glass.

      Really a fingerprint scanner on the back is no problem provided you put it in the right place. I just bought a Pixel 2 and the scanner falls under my index finger when I pick it up. Registered both index fingers so I can use either hand.

    2. DougS Silver badge

      "No one had issue with ... a passcode"

      I hope you realize you can still and always have been able to use a passcode or even a long complex password like "correctbatteryhorsestaple" with iPhones, right?

      All Face ID did was replace Touch ID, you don't have to use it and even with it you still must have a password or passcode, which you must use when first booted to enable Face ID, or if Face ID becomes disabled due to timeout or too many failed attempts.

    3. Ledswinger Silver badge

      Re: Why oh why

      Why do Apple do this to themselves.

      Because it's this sort of frippery that persuades a subset of otherwise sane people to pony up a grand for a mobile phone, all of whose important capabilities can be had on a device costing a couple of hundred.

    4. Anonymous Coward
      Anonymous Coward

      Re: Why oh why

      They didn't have much choice, their intended tech fell on it's arse, so they chucked a last minute bodge out, knowing that Apple sheep will buy any old turd as long as it's got an apple logo.

      If you want to confuse an Apple Sheep, as him what the large hold in the back of their iphone case does. Watch them start telling you that it allows people to see the logo, until they realise how dumb it then sounds....

    5. Joe Gurman

      Re: Why oh why

      Because no one has yet built a fingerprint scanner that works > 50% of the time for every possible punter. And because Apple has other fish to fry with virtual reality. Wait year or two, it won't be just animojis.

      1. Toc-H-Lamp

        Re: Why oh why

        Not sure why you got down voted. I have registered the same thumb print four or five times now. One for when I’m warm, another for cold, one for when my thumb is wet etc.

    6. macjules Silver badge

      Re: Why oh why

      Because someone else had already done it. And there was ... like ,, this patent .. just lying around waiting to be nicked used.

    7. Halfmad

      Re: Why oh why

      Search for a USP, which unfortunately for apple means innovating, something they have never been that great at. Samsung and co though.. well they love having a go with random stuff and typically make a better job of it.

      This was an unwanted addition and Apple know it, but they can't possibly admit it.

    8. chivo243 Silver badge
      Windows

      Re: Why oh why

      @djstardust

      It's the change for the sake of change mentality that the millennial designers bring to the game. Change it all, make it flat, prop it up again.

      Now get off my lawn...

      1. Dave 126 Silver badge

        Re: Why oh why

        The fingerprint scanners can be spoofed too - which is why there are lots of circumstances in which iPhones will fall back to requesting a passcode or phrase.

        It's a between security and convenience. It's after considering this balance in real life that I didn't fit ten locks to the front door of my house.

  5. Pen-y-gors Silver badge

    A curious business

    Bkav Corporation, an tech security biz with offices in the US and Singapore, specializes in bypassing facial-recognition systems,

    Is that sort of business anything like a business that specialises in making skeleton keys or jemmying open back windows of houses in the middle of the night?

  6. JeffyPoooh Silver badge
    Pint

    Meanwhile, on Qatar Airways flight QR-962 (Doha-Bali)...

    Recent News report: "A Qatar aircraft was forced to land midflight after a woman used her sleeping husband’s thumb to unlock his smartphone and thus discovered that he was having an affair. ...forced to make an unscheduled stop in Chennai, India, when the cabin crew was unable to restore order."

    1. DougS Silver badge

      Re: Meanwhile, on Qatar Airways flight QR-962 (Doha-Bali)...

      I can't believe the Reg's "yes there's an IT angle there, because we say there is" desk missed that one!

      1. David Roberts Silver badge
        Unhappy

        Re: Meanwhile, on Qatar Airways flight QR-962 (Doha-Bali)...

        They didn't miss it because I emailed a link to the news desk.

        Seemed very relevant at least for Bootnotes.

    2. Michael Thibault

      Re: Meanwhile, on Qatar Airways flight QR-962 (Doha-Bali)...

      "...a woman used her sleeping husband’s thumb..."

      And served everyone in the neighbourhood a scene-de-menage when a little stewing time would likely have made the dish, ultimately, that much tastier. Impulsive humans!

      1. Prst. V.Jeltz Silver badge

        Re: Meanwhile, on Qatar Airways flight QR-962 (Doha-Bali)...

        "would likely have made the dish, ultimately, that much tastier. "

        Yeah and also not get a 747 diverted at considerable cost , the whole family incarcerated for further stewing , until being deported.

        I guess she just couldnt wait. Few things will make you less calm and rational i guess.

        1. JimboSmith Silver badge

          Re: Meanwhile, on Qatar Airways flight QR-962 (Doha-Bali)...

          Slightly pedantic here but Qatar don't have any 747 aircraft in their fleet. The flight in question was being operated by a 777 I believe.

  7. zbmwzm3

    haters gonna hate

    There is always the option NOT to use biometrics and use just a passcode OR both. The fact of the matter is that this technology will improve over time and some people that prefer the convenience of unlocking the phone by looking at it will use. In that case security it not their largest concern and there are always going to be people like that. This so far is the best implementation of face ID on a smartphone so deal with it.

    1. Len Goddard

      Re: haters gonna hate

      This argument would almost make sense if they had implemented facial recognition as well as fingerprint scan. Almost.

      1. zbmwzm3

        Re: haters gonna hate

        It doesn't make sense to you because you hate the innovation that apple does. The thing that you don't appreciate is that IOS can be updated and many of these issues fixed. Yet people on this site just rather hate because they do nothing other than complain.

        1. Hans 1 Silver badge

          Re: haters gonna hate

          It doesn't make sense to you because you hate the innovation that apple does.

          No, that is not the point. What do you do when your biometrics are compromised ? Finger or face surgery ? Is it allowed to alter your finger prints (is it even possible, no surgeon, here)?

          What about compromised password ? Ahhh, easy, just change.

          As for unlocking phone, grab the guyz finger, as seen on Qatar Airways or point at face of the victim, held by two accomplices ... BIOMETRICS, on a portable device, IS BRAIN DEAD, no ifs, buts or maybes - yes, as simple as that - doesn't matter who comes up with the "innovation", it is braindead. Android has finger auth as well, it is JUST AS BRAINDEAD.

    2. Anonymous Coward
      Anonymous Coward

      Re: haters gonna hate

      So, there really isn't a reason to buy the iPhone X?

      1. Uffish

        Re: a reason to buy the iPhone X

        1. You can afford it ten times over so why not, it's a good enough phone.

        2. Conspicuous Consumption, an economic activity first analyzed by Thorstein Veblen in 1899.

        3. You want to give the impression that you belong to 1 and/or 2.

        4. You have made a mistake.

  8. Davegoody

    From experience though.....

    It's pretty much impossible to fool these devices as a couple of attempts to log-in with a mask (or just a bad-hair day, not that I have much) forces you to log-on using the passcode (as seen on the launch of the iPhone X when it failed). It's still faster and more intuitive than a fingerprint with TouchID, and I would hazard a guess that the majority of people who are complaining about the technology don't actually own an iPhone X. I am a confessed Apple fan, have been since the days of the Mac Plus, however on the rare occasions that Apple have seriously mis-stepped (such as the first Apple Watch) I have steered clear. Could see no compelling reason to upgrade my 6s Plus, though the 7, and also the 8, the X, delivered on launch-day is a fab piece of technology. All those people who go on about it being a £1000 phone, true enough, but a Samsung S8 is not much further behind (price-wise) and as nice as this device is, it's not a patch on build-quality of the X, and is hampered with Yet another version of Android (I am not a fan of the software, but the hardware from Samsung is great)......... Nobody is forcing anybody to buy one of these in any case ! - Going back to the pertinent point of the original post, the average phone thief is not going to go to the trouble of 3d Scanning their Mark's face and 3d printing a mask that may, if they are lucky, unlock the phone.

    1. The Original Steve

      Re: From experience though.....

      "...being a £1000 phone, true enough, but a Samsung S8 is not much further behind (price-wise)..."

      Um, £515 says you're wrong.

      I brought a S8 yesterday evening after always assuming the S8 was up there with the iPhone an Pixel 2 price wise. The non + was brought for £515 plus it has a microSD slot so I don't need to even contemplate a higher capacity model for insane prices.

      1. Prst. V.Jeltz Silver badge
        Facepalm

        Re: From experience though.....

        "The OLED display has a resolution of 2,436 x 1,125 pixels, or 458 pixels per inch (the Samsung Galaxy Note 8 actually has a greater pixel density), which allows the device to produce truer dark colours."

        I simply cant read a display with less than 450 dots per inch. it gives me a headache.

        1. gsf333

          Re: From experience though.....

          So I take it you don't use a computer monitor, nor did you use any mobile comms equipment before 3-4 years ago, and lastly have no idea what the text on your TV screen says when you put the menu up or change channel?

          1. Prst. V.Jeltz Silver badge

            Re: From experience though.....

            So I take it you don't use a computer monitor,

            nor did you use any mobile comms equipment before 3-4 years ago,

            and lastly have no idea what the text on your TV screen says when you put the menu up or change channel?

            just checked my monitor - its at 1280 x 1024 and is about 40cm across the top ( 15" ) 1280 / 15 = 85 dots per inch - looks fine to me

            My tv is fed by a hdmi lead , but i dont use the HD channels - too far away from the rest for channel hopping!

            if it *is* on 1080p then a32" tv must be around 24" inches across the top - 1920 pixels, making 80dpi

            I seem to be able to read the text

            Likewise im sure the 800x600 8" screen im going to fit in my car will be fine for drawing buttons and sliders on.

            My point is surely no human eye can see 1080p resolution on a phone screen 4 inces long?

            HD or BLU ray or Ultra wallet bleeeding or 8 x ego factor or whatever its called is for big tellys!

            didnt 72dpi used to be the stnadard web designers aimed at?

            Therefore all mobiles should have a screen res of 288 x 144 and that will be fine!!

            If you think the long side of your iPhone screen needs to be 2,436 pixels , then how do you watch your big flashy 50" TV which has the same resolution? 8K would no where near cut it as that screen is about 12.5 times the width

      2. David Nash Silver badge

        Re: From experience though.....

        "...being a £1000 phone, true enough, but a Samsung S8 is not much further behind (price-wise)..."

        "Um, £515 says you're wrong."

        And also, just because another expensive phone exists doesn't mean the iPhone is suddenly worth the money. Maybe they are both overpriced.

  9. Dominion

    Selfie?

    I guess using a selfie as your lock screen is a really bad idea!

    1. zbmwzm3

      Re: Selfie?

      Hmm who could possibly have narcissistic tendencies. Bah, in any case it's not like they would have access to nuke launch codes or anything like that. So I'm not worried.

  10. agurney

    At least it saves Apple having to go to court to defend not unlocking suspects' criminals' iDevices .. the police/security services just need to employ some sculptors.

    1. Dave 126 Silver badge

      The passcode is still required before the phone will connect by cable to an computer, if the aim is to dump all the data off it.

      For more casual perusal of the phone by law enforcement officers, the mask will have to be created before such time passes that the phone requests the passcode. The mask has to work within a few attempts, too.

      And all of this is assuming the users hasn't had time to tap the power button five times to disable Face ID.

      So yeah, Face ID is a potential security hole, but one that takes some planning and luck to exploit.

  11. This post has been deleted by its author

  12. Adam 1 Silver badge

    so what you're saying is ...

    ... that Guy Fawkes should stick to a passcode.

  13. PhilipN Silver badge

    Biometric Historical Fail (discretion advised)

    Grandpa's thumb in a pickle jar.

    Who needs probate?

  14. The Nazz Silver badge

    Infallible face recognition tech here

    Every two/three years, or so, i go down to the same stall on the market and without fail the guy says

    "Hello, *******, nice to see you, how you're doing? Another replacement battery? No probs".

  15. RobotMan

    Told you so

    I predicted this would happen in a report I wrote last month: I said that criminals would use 3D printed masks to fool facial recognition systems, a crime that could have serious implications, given that – in China, for example – retailers are using facial recognition as a supposedly secure payment platform.

    Shocked to be proved right less than a month later.

    1. Dave 126 Silver badge

      Re: Told you so

      Have you seen the mask? (You might not if you're on m.theregister) It wouldn't fool a human retailer!

      Right o, dunno what to watch tonight... Mission Impossible 3 or 4, or Darkman with Liam Neeson. Or maybe Total Recall, that's got a good fake head in it. Or possibly A Scanner Darkly - no fake faces, but the the characters have tech that constantly changes and obscures their heads in order to defeat ubiquitous tracking via facial recognition!

  16. Tim99 Silver badge
  17. aaaa
    Boffin

    they failed to unlock the phone

    Let me re-write the article based on an actual quote in the article:

    The creation wasn't able to defeat Face ID at first, [then it locked and required a passcode].

    They were spectacularly unsuccessful. Rather than El Reg criticise their over-optimistic press release, they've bought in whole heartedly.

    Shame El Reg, shame.

    1. Richard 12 Silver badge

      Re: they failed to unlock the phone

      The second time it worked, so now they know how to do it first time.

      And does it really permanently lock out after a couple of failed attempts at facial? The fingerprint doesn't, it just forces a wait before retrying (or passcode to bypass the wait).

      Biometric is not security, it's just a complicated username. That's why phones won't accept it after power cycle.

      1. gnasher729 Silver badge

        Re: they failed to unlock the phone

        It locks you out permanently if you don’t have the passcode. So in real life, no second attempt.

        1. RAMstein

          Re: they failed to unlock the phone

          Multiple tries to unlock with the mask (because they can reset with the pin). Also - they must have disabled the "attention aware" feature to get a lifeless mask to do the unlock.

          1. Richard 12 Silver badge

            Re: they failed to unlock the phone

            You are assuming the "attention aware" thing isn't merely having the pupils aimed in the right direction.

  18. Alistair Silver badge
    Joke

    Actually, I rather suspect this is apple cooperating with the NSA/FBI/(insert tla/fla of choice).

    Locked yer phone did ya? ... smile for the 3d laser scanner!

    1. Richard 12 Silver badge

      Reconstructing a 3D model can be fairly easily done with a few photos.

      Front and side profile are usually enough for a face, especially if the lighting conditions are known - mugshot database, anyone?

  19. Ken Moorhouse Silver badge

    You can see the headlines now...

    "Man unlocks wife's phone by waving it at rear of bus."

    1. The Boojum

      Re: You can see the headlines now...

      Thanks. Made me chuckle. No mean achievement at this time in the morning

  20. Outer mongolian custard monster from outer space (honest)

    Interestingly nobody seems to have wondered if the mask itself is unique to the user being unlocked, or you can use the generic printed human shaped mask and just glue new bits of photo onto it for each case. In which case, productionized unlock, photo, print, done.

    Makes it more serious of a issue. Especially when cheap "costume masks" start coming onto alibaba moulded off some generic face by a enterprising company with a vacumn former at pence apiece.

    My wife's always on at me why I use a pin when I have face unlock on my samsung. But then she's also bemoning the fact we wont ever have a alexa or a google mini in our house.

    1. Dave 126 Silver badge

      The mask is unique to the target's phone, which is why there is a mask. Otherwise the attacker would just stick photos of the target's eyes and mouth on his own face.

  21. Anonymous Coward
    Anonymous Coward

    This morning...

    In the office, this has been discussed. The only observation I can make, is that I love watching the Apple Distortion Field in action. If I wasn't so restrained, I'd wet my pants laughing.

    1. Dave 126 Silver badge

      Re: This morning...

      I think you'll find that that the distortion is in the reporting, hence no mention of all the circumstances that cause the phone to demand a passcode, and that this potential attack method is more effort and less reliable than spoofing a fingerprint. Both Touch ID and Face ID unlocking are optional.

      Still, if you want to laugh and do your heart some good, more power to you.

      1. Anonymous Coward
        Anonymous Coward

        Re: This morning...

        So tell me... what did I miss from the video of the attack? Looked to me like... no face, ask for the pin. With face... opens right up.

  22. eldakka Silver badge
    Coat

    Does it have to be a face?

    Or could you use other...ummm...parts of your anatomy than your face?

    Could be fun at parties working out what will actually unlock it...

    1. Anonymous Coward
      Anonymous Coward

      Re: Does it have to be a face?

      That could result in a real cock-up ...

  23. Anonymous Coward
    Anonymous Coward

    Could you set it up to be used with a printed out picture of some random face?

    Have the people who nicked your phone spend money to recreate your face - when all they really needed was to print out a picture of Valery Borzov 1972 Olympic 100 m gold medallist.

    Or you know, whoever.

  24. JaitcH
    Happy

    Singapore and USA?

    It's Head Office:

    Bkav Corporation

    2nd Floor, Bkav Building

    Yen Hoa New Town, Cau Giay Dist.

    Ha Noi, 122000

    VietNam

  25. TomPhan
    Thumb Down

    Ars Technica

    There's a much better article over at Ars, one where they actually ask questions rather than reprint the press release.

    1. aaaa

      Re: Ars Technica

      Just read it - yeah, much fuller (and better) article.

  26. PNGuinn Silver badge
    Big Brother

    Hmmm...

    When I was a kid I had a potato man kit (Q lots of tut tutting and cries of miss spent youth and all that)

    ISTR that the, blue if I remember correctly (ok - its a fair cop - a miss spent childhood - I admit it - I must have played with it at least a dozen times, cruelty to spuds and all that) nose was extremely large compared to the other plastic bits.

    Now, with all the wisdom of advancing years, I wonder if those bits of plastic landfill plus a suitable tuber might be used for something useful after all?

    >> we need a potato man icon. perfectly round and with frikkin lasers of course - it's got to be a grownups icon, natch, this is el Reg.

  27. Jin

    A terrific ‘one-in-a-million’ and an empirical ‘0.1%’, which of the two can we trust?

    NIST and IARPA announced the winners of face recognition contest. The best figure for verification of 99.9% (0.1% reversely) seems to fall reasonably in the range that wouldn’t astonish anyone, although it does not look as fantastic as ‘one millionth’ that Apple boasts for Face ID.

    This and the other related news that Apple’s Face ID was reportedly designed to learn to get fooled are not only eye-catching on their own but also demonstrate part of a more crucial problem.

    It appears that the 'ex-factory Face IDs of low FAR with high FRR' are rapidly turning into the 'in-use Face IDs of high FAR with low FRR' day after day in a gigantic scale. Then criminals would only have to wait for a good time to come.

    In any case, most critical is a fact that Face ID and other biometrics solutions are dependent on a fallback password, which only results in the level of security lower than that of a password-only authentication and also that of a biometrics-only authentication.

  28. Louis Schreurs BEng

    keep the phone safe just as your wallet and accept the occasional loss

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019