Full frontal vulnerability: Photos can still trick, unlock Android mobes via facial recognition

Smartphones have boasted facial recognition for some time, but tests in the Netherlands suggest it still falls short of properly securing many devices. The tests, conducted by the country's Consumers Association, identified 42 smartphones out of 110 tested could be unlocked with only a high-quality photograph of the phone's …

  1. Anonymous Coward

    Weird

    Given that many of these devices have a fingerprint sensor, what cretin would enable basic face unlock? And let's be VERY clear. Face unlock is not enabled by default, and (on Android) comes with a warning that it's not the most secure form of locking your phone.

    Clearly yet more clickbait from The Register.

    1. Christian Berger Silver badge

      Fingerprint sensors are useless

      I mean those devices have very smooth surfaces which you touch with the same finger you use to unlock them, so that's rather insecure.

      Also obviously this is only the simplest step. The next step is using a photograph and using a pen to simulate blinking. Then there's putting 2 contact lenses (or other kind of bubble shaped piece of transparent plastic) onto the eyes. Eventually you'll reach the mask which will probably fool all of those devices.

      Essentially biometry is broken for authentication. It doesn't matter if you add more obscurity to it, you cannot make it as secure as a password. However since many phone manufacturers refuse to let you have a proper keyboard, entering a password is near impossible on those devices.

      1. Anonymous Coward

        Re: Fingerprint sensors are useless

        "I mean those devices have very smooth surfaces which you touch with the same finger you use to unlock them, so that's rather insecure."

        Huh????

        1. katrinab Silver badge

          Re: Fingerprint sensors are useless

          If someone steals your phone, your phone will have your fingerprints on it, which could potentially be copied and used to unlock the phone.

          As far as I'm aware, Apple's Touch ID is secure against that sort of attack, but some other fingerprint readers are not.

          1. Anonymous Coward

            Re: Fingerprint sensors are useless

            Do you want to buy some magic beans?

            Apple buy their fingerprint sensor from the same place everyone else does. You clearly have been brainwashed by Apple spin. Lifting a fingerprint and making fake fingers from them to unlock the phone, yes, it's possible, and it might fool a few older cherrypicked models of phone, but it's not going to work on recent devices, and it's not trivial to do. Saying fingerprint biometrics are insecure is grossly misleading, and pretending Apple have some magic sauce that the others don't is outright lies.

          2. Siberian Hamster

            Re: Fingerprint sensors are useless

            Actually TouchID is definitely not secure against this attack, as I demonstrated (a few years ago now) to a friend less than a week after he got his new iPhone!

            He was proudly willy waving his iPhone around when we were over his place so I sent his son off to the local shop for some sweets. It took a few tries but I got his phone unlocked after warming up a gummy bear and kneading it thinner.

            He shut up about his phone for quite a while after that!

            https://www.theregister.co.uk/2014/09/24/iphone_touchid_hack/

      2. Halfmad

        Re: Fingerprint sensors are useless

        You can make it as secure by limiting attempts then wiping the device.

        But would any of us trust it to be reliable enough to do that? I repeatedly have problems with fingerprint sensors on phones.

      3. Anonymous Coward

        Securing Private Parts

        > Fingerprint sensors are useless

        We need a Penis Unlock(TM) feature (or equivalent) instead. Would be much more secure, assuming the image is not available in the public domain. It would have the side benefit of discouraging dick pics as you would risk having your bank account cleaned out by whoever you sent one to.

        Then again, the Apple Pay version may be too awkward to use in the check-out line.

        1. EVP

          Re: Securing Private Parts

          ”We need a Penis Unlock(TM) feature (or equivalent) instead. Would be much more secure, assuming the”

          Excellent idea, bravo!

          ”image is not available in the public domain.”

          Oh no, there goes my security :/

          How about a contact based solution? Penisid, or PID in short, would definitely increase security considerably.

          However, there is a tricky question to answer before implementing: Where should the reader module go? With fingerprint sensors, some people prefer placement in front, some like it backside, others don’t care and will have it whichever way. Choices, choices...

          Also, there must be an equal opportunity for both, or in fact for all, sexes to enjoy the benefits of such an advanced security system. One implementation won’t suffice for all use cases.

          Can anyone think of a similar technical solution for women? It could well be called Penisid, I suppose.

        2. DropBear Silver badge
          Joke

          Re: Securing Private Parts

          Admit it, this is just an elaborate setup for a "credentials too short" joke...

    2. Pascal Monett Silver badge
      Holmes

      Re: comes with a warning that it's not the most secure form of locking your phone

      Right, so there's no need to mention the subject ever again and absolutely no one needs to be educated as to how exactly face unlock can be circumvented.

      Thank you for clearing that up for the rest of us.

    3. jmch Silver badge

      Re: Weird

      Cold weather outside, gloves on = useless fingerprint sensor, AND in many cases impossible or difficult to enter a pin / passcode, since even with special gloves that allow touchscreen to detect their touch, there is the 'fat finger' effect. Bad enough having to hit the right keys with just my fingers, with gloves it's much worse.

      Yes face recognition and fingerprint is less secure than pin / password. Yes, biometrics is more like a 'username' than a 'password'. BUT security isn't binary. Ultimately nothing is completely secure, it's just a question of cost / effort / time to break it, which really just needs to be greater than the value of whatever it is protecting. For the vast majority of people, face recognition or fingerprint is secure enough.

    4. Mr Benny

      Re: Weird

      "what cretin would enable basic face unlock?"

      Meet Mr & Ms Average Thick-as-mince Consumer who know as much about IT security as they do about ancient Phoenician galley design.

      1. Anonymous Coward
        FAIL

        Re: Weird

        How would they know how to enable it, genius? If they are thick enough to not understand the limitations (and also can't read the clearly worded warning), they are also too thick to find it in the security settings.

        1. Mr Benny
          Facepalm

          Re: Weird

          You can find anything if you play around with something long enough. Or maybe they just googled a how-to. And it takes a lot less brains to switch on something than to understand its issues and limitations.

          1. Anonymous Coward

            Re: Weird

            It fecking tells you it's less secure than pins and passwords.

            You really are a fecking idiot...

      2. This post has been deleted by its author

    5. SecOps

      Re: Faceunlock

      Face unlock provides a reasonable level of security given you aren't being targeted for attack. A photo might unlock the phone, but most people are worried about access to their phone if they lose it. In the event a phone is lost, it is unlikely someone will discover the correct photo to unlock the phone unless there is some indication of the owner displayed somewhere.

      Sure it would be bad to do in cases where you may be targeted (e.g. an executive traveling to China) but otherwise it provides a reasonable level of security for most people. And let's be honest, face unlock is more convenient than fingerprints.

  2. The Alphabet

    I know this article relates to smartphones, but let's include "Windows Hello" in the "unlock with a photo" category. I tested it with Surface Pro on 1803 and a relative was able to unlock the Surface with a photo on her phone.

    1. Anonymous Coward

      That's not going to be mentioned, as it wasn't part of the contract that was created to create this "news".

      1. Anonymous Coward

        New here?

  3. Dave 126 Silver badge

    Sony soon to release TOF sensors

    Sony are reportedly close to offering laser Time-Of-Flight sensors to Apple and Android OEMs. These sensors allow a phone to build up a three dimensional map of a face or environment. The current iPhone system is also three dimensional, but uses distortions in a projected infrared grid instead of measuring distances directly.

    My interest in a TOF sensor isn't security based; I'd like a handheld 3D scanner for use in the workshop.

    1. Anonymous Coward

      Re: Sony soon to release TOF sensors

      They had stuff up and running 2 years ago.

      https://techcrunch.com/2017/06/26/sony-to-demo-3d-face-biometric-running-on-xperia-smartphone/?guccounter=1

  4. DontFeedTheTrolls
    Boffin

    Inside Job

    Like "most" hack jobs rely on an insider, surely having a "high quality photo" is likely to be restricted to family and other close connections?

    Not saying it isn't a problem or risk, just suggesting that the attack vector has limited scope. You don't tend to get pickpockets snapping pictures of their victims. Maybe if you're at risk of industrial or state sponsored espionage then you shouldn't use the risky devices, but then if you are an espionage risk you probably shouldn't be using those devices in the first place.

    1. katrinab Silver badge

      Re: Inside Job

      High quality photos are often available on Facebook. You obviously need to know who the owner of the phone is to do that.

    2. Anonymous Coward

      Re: Inside Job

      I break into your house, (as an opportunist burglar), and see your phone on a table. I check it, and find that it's locked with a facial recognition lock. I look around and see a nice picture of you and the spouse on the wall.

      1. Anonymous Coward

        Re: Inside Job

        oh purleeeeese!

    3. Test Man

      Re: Inside Job

      Facebook has reasonably high-quality images. Judging by the amount of idiots who make their photos public (and the fact that it seems to be really really trivial for the news media to grab photos for their bulletins and articles), this is not a problem for anyone who wants to get one.

    4. NightFox

      Re: Inside Job

      Personally, I want security on my phone so if I lose it or someone swipes it, they can't access it. I'm happy that in the real world, the likelihood of a finder or opportunist thief taking or having access to a quality photo of my face is negligible. The only scenario in which a thief might potentially have the opportunity to take a photo would be a prolonged confrontation with a very confident mugger, but then they could just as easily demand I unlock my phone or tell them my PIN anyway.

  5. Anonymous Coward

    So, trading security for convenience leads to poor security.

    And this is news, why ?

    It's a given that the more we rely on our phones as a single point of failure, there will have to be a balancing act between pretend security, and convenience.

    So far, all "security" measures start with the mandate: "Needs minimal human interaction". Because call centres and helpdesks rather cut into the bottom line.

    I imagine such meetings must be a little like that scene from "A Few Good Men"

    "What do you want from us ?"

    "We want SECURITY !"

    "You can't handle security !"

  6. Chairman of the Bored Silver badge

    Stupid idea in the US

    For left pondians...

    The lawman believes and the courts agree that you have no reasonable expectation of privacy concerning your appearance or fingerprints, as you leave those exposed in public all the time. So you can be compelled to unlock with your mug or prints. I assume this means they can use your photo - it's not that much of a legal stretch in an already elastic system.

    A PIN on the other hand is stored in your brain, so they need your permission or a court order. YMMV, and I've no clue what the rules are for right pondians.

    Now, contemplate the smudge pattern your PIN entry has left on your display and think about a new PIN...

    1. Dave 126 Silver badge

      Re: Stupid idea in the US

      Which is why tapping the power button of an iPhone five times causes the device to demand a passcode to unlock instead of a face or fingerprint. The same applies if the device has been turned off, restarted, too many incorrect biometric attempts have been made or if a period of time has elapsed since the phone was last unlocked.

      I haven't looked into the equivalent system on my Samsung, other than to note that it requires a passcode instead of a fingerprint or iris scan after it has been restarted.

      1. Chairman of the Bored Silver badge

        Re: Stupid idea in the US

        @Dave 126: nice, did not know that, and it's good to know. Have upvote!

      2. Is It Me

        Re: Stupid idea in the US

        Nexus phones need the PIN after reboots and if it fails to read your finger print a certain number of times it needs the PIN.

        In addition if you have only unlocked with a finger print enough times it asks for a PIN then.

        I am not aware of an equivalent to hitting the power button, but I am sure you can just use a finger that hasn't been enrolled a few times to lock it out and require a PIN.

        1. Alan Watson

          Re: Stupid idea in the US

          I just tested: 5 failed attempts and it tells you to enter the PIN or try again later.
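An added illustration, not code from any commenter or vendor: a small policy model of the fallback rules described in this sub-thread (PIN required after boot, after too many failed biometric reads, after a timeout, after a run of biometric-only unlocks, or after an explicit lockdown gesture), plus Halfmad's "limit attempts then wipe" idea from further up. All thresholds and names are assumed placeholders, not any phone's real values.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed thresholds for illustration only; real vendors pick their own.
MAX_BIOMETRIC_FAILURES = 5        # the "5 failed attempts" reported above
MAX_PIN_INTERVAL_SECONDS = 48 * 3600
MAX_BIOMETRIC_ONLY_UNLOCKS = 20
MAX_PIN_FAILURES = 10             # then wipe, per Halfmad's suggestion


@dataclass
class LockState:
    last_pin_unlock_at: Optional[float] = None  # None: no PIN entry since boot
    biometric_failures: int = 0
    biometric_unlocks_since_pin: int = 0
    pin_failures: int = 0
    lockdown: bool = False   # explicit gesture, e.g. five power-button presses
    wiped: bool = False

    def biometric_allowed(self, now: float) -> Tuple[bool, str]:
        """Return whether a face/fingerprint match may unlock, and why not."""
        if self.wiped:
            return False, "device wiped"
        if self.lockdown:
            return False, "lockdown requested"
        if self.last_pin_unlock_at is None:
            return False, "no PIN entry since boot"
        if self.biometric_failures >= MAX_BIOMETRIC_FAILURES:
            return False, "too many failed biometric attempts"
        if now - self.last_pin_unlock_at > MAX_PIN_INTERVAL_SECONDS:
            return False, "PIN not entered recently"
        if self.biometric_unlocks_since_pin >= MAX_BIOMETRIC_ONLY_UNLOCKS:
            return False, "too many biometric-only unlocks"
        return True, "ok"

    def attempt_biometric(self, now: float, matched: bool) -> bool:
        """A sensor match only counts if policy currently permits biometrics."""
        allowed, _ = self.biometric_allowed(now)
        if not allowed:
            return False
        if matched:
            self.biometric_failures = 0
            self.biometric_unlocks_since_pin += 1
            return True
        self.biometric_failures += 1
        return False

    def attempt_pin(self, now: float, correct: bool) -> bool:
        """PIN is the strong credential: success resets every counter."""
        if self.wiped:
            return False
        if not correct:
            self.pin_failures += 1
            if self.pin_failures >= MAX_PIN_FAILURES:
                self.wiped = True
            return False
        self.last_pin_unlock_at = now
        self.biometric_failures = 0
        self.biometric_unlocks_since_pin = 0
        self.pin_failures = 0
        self.lockdown = False
        return True

    def request_lockdown(self) -> None:
        self.lockdown = True
```

The point the model makes is that biometrics never extend trust on their own; every path back to an unlocked state runs through the PIN.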

    2. Anonymous Coward

      Re: Stupid idea in the US

      Now, contemplate the smudge pattern your PIN entry has left on your display and think about a new PIN...

      Which is why if you have any sense you enable the option to randomise the PIN keypad layout.

      1. DropBear Silver badge

        Re: Stupid idea in the US

        No need. My PIN is _not_ a swipe pattern and it actually involves _all_ digits except one. Have fun with what you learn from my potential smudges over my non-randomized keys. Yes, I type it in every single time I take out my phone for any reason as it auto-locks in a couple of minutes, and using it hasn't killed me yet. Or the phone.

  7. Nick Ryan Silver badge

    Sigh

    A photo, or a fingerprint, is an identifier. These are not suitable replacements for a password, they are, however, suitable replacements for a user identifier. By all means use these in addition to a password but they are not replacements for a password; They do not and can not adequately replace something that is secret.

    But whatever... hollywood movies and all that can't be wrong can they?

    1. Dave 126 Silver badge

      Re: Sigh

      Researchers have enjoyed a high success rate of determining phone passcodes by examining video footage of the legitimate user entering said code. The footage was taken from across a room with the phone screen hidden from the camera.

      So, as you say, consider using biometrics in addition to a passcode. Also, consider ways of moving your fingers when entering a passphrase in such a way as to make it harder for attackers to extrapolate your phrase from your finger movement.

  8. Anonymous Coward

    Idiots that can't read

    Including this self proclaimed security researcher it seems

    https://goo.gl/images/j3QHZH

  9. Anonymous Coward

    The more convenient something is then the less secure it is.

  10. Cuddles Silver badge

    What is security for?

    This isn't particularly new or surprising, and as others have already mentioned biometrics are just not a replacement for something like a decent password. What the complaints tend to miss, however, is that that's not really what they're intended for in many situations. I don't need my phone to be locked up well enough to keep out TLAs with the full resources of a large country behind them. I don't even need it to be locked up well enough to keep out someone with the time and dedication to specifically target me for fingerprinting. If someone swipes my phone in a pub or wherever, I just want it locked up well enough that it's not any use to them, or ideally to avoid having it swiped in the first place because they know that will be the case.

    That's the situation the vast majority of people are in. Sure, my phone might be vulnerable to anyone with a decent photo of my face, but a casual thief doesn't even know whose phone it is so that simply doesn't matter. Trying to keep out specifically targeted attacks is certainly not something a cheap fingerprint sensor is good for, but that's just not something most people need to worry about. If all you want to do is stop your mate getting on your Facebook page while you're in the toilet, security on the average phone is more than good enough. If you're worried about more serious attacks than that, you'd be a fool to expect cheap consumer goods to have that level of security off the shelf. It's no different from noting that the front door of my house is not as secure as a bank vault; as long as you understand what job it's there to do the fact that some things are less secure than others is not inherently a problem.

    1. DropBear Silver badge

      Re: What is security for?

      "If all you want to do is stop your mate getting on your Facebook page while you're in the toilet," you have already failed. You're right that biometrics is most likely sufficient against opportunistic thieves (or someone who does not intend to return your lost phone) as they're likely not interested in investing _any_ effort whatsoever in accessing the data on the phone; they just want it wiped and shifted.

      But anyone in your circles (family / mates / work colleagues) with even a weak motivation to access the phone is a completely different threat model altogether, and biometrics won't do almost anything against them. Even PINs can have the same problem but that depends on how observably you tend to input your PIN. But hey, if you've never even heard of anyone ever getting their phone's language set to Chinese while they were away for five minutes as a mere prank, you might just be ok...

  11. livin' thing

    To be fair...

    The table shows that Photos can still trick, and unlock some (not all) Android mobes via facial recognition. Seems Samsung's been working on this a bit since their early attempts, at least. But it does currently seem that Apple's Face ID is way ahead of the competition in terms of how it works, what it recognises, what it rejects and how little it can be fooled*, so they should get some respect for that.

    * I know: twins - but twins can and do fool other humans regularly too.

  12. Jay Lenovo Silver badge
    Trollface

    Just add some more detail

    Maybe if the facial recognition was not just based on your face, but your face with a rarely displayed expression.

    "Hey Joe, why are you making that strange face?"

    "No worries Sam, that's my unlock face. Just forget you ever saw it."

    1. mosw

      Re: Just add some more detail

      But now I will forever have to carry around that clown nose and googly eye googles.

  13. mosw

    Use someone else's picture?

    Maybe I will just carry around the picture of a stranger and use that to unlock my phone. Like using a fake name when they want your mother's maiden name for a security question. I will probably get some dirty looks when using it for Google Pay.

  14. Kevin McMurtrie Silver badge

    Wrong color

    Except for the phones with depth scanners, I think most of those "Can't unlock with a photo" attempts didn't work because they're using near-IR cameras. A photo taken with visible light would be unrecognizable to them. A B&W photo taken using the near-IR band should do the trick.

  15. SNAFUology
    Boffin

    Take away

    Any intelligence, any system can be deceived in some way.

    Perfection does not exist, #SNAFU does.

  16. Lucky2BeHere

    Can't believe they couldn't beat the iPhone X. Too easy. That puts the wrong message out there. Face ID is *not* a security feature. It's - like all the rest - a convenience.

    1. Anonymous Coward

      They also couldn't beat the majority of Android phones either, including some that are a tenth of the price of the iPhone X....

  17. Black Betty

    Cheap phone and don't effing bother.

    I just bought the cheapest phone I could find, hooked it up to a prepaid account and left it on swipe to unlock. I simply don't store anything on it that matters worth a tinker's damn. If I want security I'll use a proper computer locked with a decent password.


Biting the hand that feeds IT © 1998–2019