Does anyone really have to say it?
Biometrics are usernames and not passwords
Security researchers have once again claimed a simple mask can hoodwink Apple's Face ID authentication system, which graces the tech giant's $1,000 iPhone X. Earlier this month, bods at Bkav, based in Vietnam, demonstrated it was possible to bypass the face-recognizing login mechanism using a $150 3D-printed mask, effectively …
And they NEED a secure device. So how do we propose going about this if ALL they have is what they ARE (since they can't reliably KNOW anything and can't be counted on to keep something to HAVE due to that memory).
That's my problem. I have friends and family I'm trying to protect, and some of them are VERY far away.
So son two has a One:5t or whatever it is called and his twin brothers' face unlock his phone, go figure the weirdness of an accurate representaion of a persons face working in this way, probably the easiest to copy or simulate, can unlock a phone.
Can we go back to finger prints, vein scans or eye ball recongnition for the important stuff now?
You could perhaps rely on unreliable recall itself.
Phone asks questions. Attacker answers. Real owner can't remember the answers to some of the questions. Add a touch of magic AI powder to detect patterns in the failure to answer and you have a recognition system.
I think I left my phne in my coat pocket ---->
Good iris recognition systems are pretty secure. You can easily test the presence of a real eyeball in two important ways. If it is a printed digital image of an iris, the regular printing pattern will leave easily detected spikes in the Fourier spectrum. This doesn't work on old-fashioned prints from negatives. However, briefly raising light levels (e.g. using the flash) will make the pupil contract, which is fairly trivial to detect. I also wonder whether the saccade-fixate motion of the eye can be detected as evidence of a real live face, although that might be mimicked easily.
"However, briefly raising light levels (e.g. using the flash) will make the pupil contract, which is fairly trivial to detect."
I would think it's also pretty easy to fake with an appropriate aperture and a photometer hidden behind the image. Frankly, I have my doubts as to the inability to fake vein patterns as well. Something I've heard often: what man can create, man can RE-create. And all these detectors are man-made.
Even if this hack is easier than their first cut at it, that's still a lot more work required than to fool fingerprint authentication, or any other phone's face scanner or iris scanner for that matter. It isn't as if these guys are selling a phone with unbeatable biometrics so I'm not sure what their point is other than trying to score some free publicity.
If someone is using their phone to pay for stuff and instead of using biometrics is typing in a PIN or password it isn't that hard to shoulder surf it via video - easier than putting together a 3D model of their face with pictures of their eyes glued on it (that would be a little obvious at the Starbucks checkout)
If you want payment security, don't use your phone to pay for stuff because NOTHING is really secure if you assume people can take physical possession of your phone at will. Of course, the same is true for credit/debit cards whether signature or PIN, and is extra true for cash since no "hacking" is needed to use someone else's $100 bill...
"But what happens if your subject is a masochist (gets off from that kind of stuff) or a wimp (faints at the mere sight of it)?"
Doesn't matter. As long as you can manoeuvre their thumb onto the sensor/point their face at the camera, you can break crypto. Whether or not they enjoy the process is irrelevant...
Would an identical twin always be able to unlock the phone? Many (most?) so called identical twins have faces that are mirror images - and all faces have some asymmetrical features between the left and right sides. Pictures that replicate a face from just its left or right side halves will produce two distinctly different faces.
I hadn't heard of this before so looked it up. Apparently a quarter of identical or monozygotic twins are 'mirror twins', about 5 million pairs in the world. Their mirroring even goes so far as to have opposite handedness and sometimes their internal organs are reversed too!
Simple to do when you are the owner of that phone. But can they do it without the cooperation of the owner, that is without having a passcode, and without the owner being present while creating the mask? Without passcode, you have five attempts to create a mask that will be recognised. Without passcode, FaceID doesn't train itself to the mask (if you use a mask, it fails, then you enter the passcode, then FaceID assumes that the person with the mask was the owner, because they had the passcode). Without passcode, after five attempts you are 100% stuck.
And in case it isn't obvious, if you have the passcode, then it doesn't matter whether you can track the phone into recognising a mask, because with the passcode you can unlock it anyway.
I don't expect that theregister will be able to find out about this important detail. Ars Technica tried during the first round, and they didn't get any answers that were not totally evasive.
"But can they do it ... without the owner being present while creating the mask?"
You don't need to make a clay mask on their physical face.
You (literally) can glean much 3d information from a single photo inferred through shading and reflectivity. And with more photos, including side shots, allows further reduction in error.
This puts anybody with publicly available photos at risk - felons with mug shots on record, actors, models, politicians, Mark Zuckerberg (https://www.theverge.com/2017/9/18/16327906/3d-model-face-photograph-ai-machine-learning), Mr or Ms anybody with a bunch of photos on facebook.
But still, the victims would need to be targeted with planning - it's not a huge risk for someone who phone got pick pocketed at random.
As a variant on Face-ID and drawing a complex pattern, why not require users to pull a face or sticking out a tongue (like the faces pulled at the end of the All-Blacks' Haka) to unlock their phone. It would combine user name (the biometric of face recognition) with a password (the complex sequence of movements). Should be a lot safer than just boring old face-ID.
The best bit of course would be seeing people pulling weird faces and sticking out their tongues to open their (no doubt very expensive) phone.
I wonder if I can get a student to develop something like this as a thesis project.
As a variant on Face-ID and drawing a complex pattern, why not require users to pull a face or sticking out a tongue (like the faces pulled at the end of the All-Blacks' Haka) to unlock their phone. It would combine user name (the biometric of face recognition) with a password (the complex sequence of movements). Should be a lot safer than just boring old face-ID.
I think Frankie Boyle had that aspect covered when he wrote this tweet:
Set your Apple Face ID to your comeface, so that if someone mugs you for your phone they at least have to wank you off first
FaceID isn't secure and anyone who thinks it is will at some point get a nasty surprise. Apple have implemented an extremely complicated convenience function essentially, as far as I can tell, to demonstrate how cool their facial recognition technology is. Arguing about the technology is largely missing the point: users want to be able to use the phone in some situations without having to unlock it.
I have argued elsewhere that for the use case not having a screen lock on at all times is better solved by something like Google's SmartLock approach: not infallible and not making any claims to be but useful all the same.
"Arguing about the technology is largely missing the point: users want to be able to use the phone in some situations without having to unlock it."
Problem is, those VERY situations can be exploited, and we KNOW criminals to be patient enough to wait for just the right moment.
To be fair, the fact that Apple's implementation of a flawed idea is itself flawed does not alter the fact that it is the very idea that is flawed, rather than being an Apple failure per se.
Apple's mistake was believing in their own greatness to think - and to claim - that they could and had overcome the inherent flaws in that idea.
In the scenario, there is mention of a $150 3D-printed mask. What i want to know is, what is the $150 being spent on?
As someone with no 3D printer and no facial scanning equipment is $150 enough for me to produce one of these masks?
Or is it that, once you have the correct equipment to be able to produce these masks (costing $X in the first place) these masks would then cost $150 each to produce (materials etc..).
I get that this is a case of proving the technology is beatable, but, it still seems that if someone were to be mugged in the street, the mugger wouldn't be able to use this to unlock the stolen phone.