There is no such thing as foolproof phone security.
The average person probably doesn’t need to worry about the purported hack, but billionaires, celebrities, and high-profile public figures like presidents may want to rethink their use of Apple’s nascent facial recognition technology.
Apple is trying to convince people Face ID is more secure than its Touch ID fingerprint sensor, which is still used in the iPhone 8 in addition to earlier models. But stories about weak spots (especially if you’ve got a twin or you’re a kid) keep popping up.
While Apple acknowledges that Face ID isn’t hack-proof, the company says it’s built the face recognition technology to have 1 in a million chance of somebody else unlocking your iPhone X compared to the 1 in 50,000 chance using Touch ID.
Not only that, but Apple says it worked with Hollywood makeup artists and mask makers to ensure that elaborate masks couldn’t be used to bypass a person’s iPhone X.
Before Bkav, a security firm, released its results, others have tried to trick Face ID using detailed masks and failed. The Wall Street Journal’s Joanna Stern had a mold of her face made by a professional prosthetic company and, sure enough, her iPhone X wouldn’t unlock when a colleague donned her fake face. Wired’s David Pierce also attempted a much more detailed recreation of his face using a variety of different materials, but also failed to trick Face ID.
Bkav’s rudimentary mask, though, tripped up the feature. The mask, which you can see below, included a 3D-printed face with 2D-printed eyes and lips and a 3D nose constructed of silicone. Mashable has reached out to Apple for comment on the hack.
If this hack looks basic, that’s because it is — at least on the surface. Bkav says the crude mask only cost about $150 to make.
That may sound really scary, but this hack won’t affect most people.
For starters, the lengths one must go through — it took about a week for Bkav to create a mask that successfully tricked the iPhone X — isn’t worth it in most cases.
Then there’s the matter of getting scans of your eyes and mouth. According to Wired, Bkav’s researchers need to manually scan a person’s face for five minutes before getting enough detail to reconstruct a false mask.
Billionaires, celebrities and public figures, who will have their faces photographed and widely published could be easier targets.
Additionally, the silicone nose needs to be made by hand. An initial version of the nose reportedly didn’t work and needed to be modified to deceive the iPhone X’s TrueDepth cameras and built-in AI.
Though similar facial recognition unlocking technology on Samsung’s Galaxy S8 and Note 8 phones is much easier to bypass (in some cases, it can be fooled by a picture), the alternative and more secure iris scanner built into these phones is much more difficult to hack, requiring very specific printers and contact lenses.
All things considered, Bkav’s researchers say billionaires, celebrities and public figures, who will have their faces photographed and widely published could be easier targets for its hacks. With enough effort, a skilled craftsman could reconstruct a mask similar to the one Bkav made using lots of photographs.
“Potential targets shall not be regular users, but billionaires, leaders of major corporations, nation leaders and agents like FBI need to understand the Face ID’s issue,” the researchers said in a statement. “Security units’ competitors, commercial rivals of corporations, and even nations might benefit from our PoC [proof of concept].”
Bkav still has some further explaining to do to convince other security experts that the hack is genuine, but given their track record — in 2008, they were the first ones to bypass face biometrics that shipped on top-brand laptops from the likes of Lenovo, Toshiba, Asus, and more — it appears sound.
Still, the researchers say Face ID is weaker than Apple claims:
You can try it out with your own iPhone X, the phone shall recognize you even when you cover a half of your face. It means the recognition mechanism is not as strict as you think, Apple seems to rely too much on Face ID’s AI. We just need a half face to create the mask. It was even simpler than we ourselves had thought.
I tried covering half my face (both sides), and then only my eyes, only my mouth, and then placed my hand spread open on my face, and I couldn’t get Face ID to unlock on my own iPhone X. That’s how it should work.
Face ID, like the face recognition technology on other phones, requires a person’s eyes to be open in order to work. So if someone points your iPhone X at your face while you’re sleeping it won’t unlock.
However, while requiring your eyes to be open is one way to check against fakes, it’s not a way to verify the face it’s looking at is really alive. One way Apple could make Face ID just a smidgen more secure is to require a blink during the face detection process. Android introduced this blink check on Android 4.0 in 2011 after hackers cracked its face unlock feature.
Biometric security in our smartphones has improved significantly over the last few years. Though this Face ID hack looks terrifying, it’s just as complex and time-consuming as recreating a mold of your fingerprint to fool Touch ID.
Unless you’re holding the codes to nuclear codes (in which case you probably wouldn’t even be allowed to use this tech) or have something in your device that’s totally worth stealing, the amount of work required for this hack isn’t going to produce a valuable return for hackers.
In any case, should you elect to not use Face ID as your main method of security for your iPhone X, make sure you have a really strong 6-digit or alphanumeric passcode in place (never just use four digits). Hackers could always try to brute force their way into your phone using software, but barring that, they can’t obtain a code that’s stored in the only impenetrable place in the world: your mind.