Barely a week after the iPhone X went on sale, Apple is urging its users to adopt the newly rolled-out Face ID feature, which the company claims is both more secure and more convenient than the Touch ID fingerprint sensor.
Each time an iPhone X user tries to unlock the phone with Face ID, the TrueDepth camera projects more than 30,000 infrared dots onto the face and builds a depth map from them.
A neural network then compares that map with the enrolment data captured when the owner set up Face ID. If facial verification fails five times in a row, Apple forces the user to enter the device passcode.
Several earlier attempts to trick Face ID had failed. Now, however, security researchers have demonstrated a working bypass and shown what it takes to pull off.
Security researchers at the Vietnamese cyber-security firm Bkav report that they fooled the iPhone X’s Face ID using a relatively simple 3D-printed mask.
In a press release, the researchers say breaking the feature was much easier than they expected and took less than a week. According to Bkav’s vice president of cyber security, Ngo Tuan Anh, only half of a face was needed to build the mask.
The Bkav team built the mask by combining a 3D-printed frame, 2D-printed eyes, a hand-sculpted silicone nose and makeup, with additional processing on areas of broad, smooth skin such as the cheeks.
In its write-up, Bkav attributes the success to its experts’ understanding of how Apple’s recognition AI works. The team concedes that making the “right” mask is difficult, but says its techniques produced one that unlocked the iPhone X.
The researchers had to scan the target’s face for about five minutes to capture enough detail at the recognition points. The mask was then built to those dimensions, with a facial scanning system used to get the features at the nodal points right.
Bkav has been a long-standing critic of facial recognition: in 2009 it was the first security firm to demonstrate that the face-login technology shipping on laptops from brands such as Asus, HP, Lenovo and Samsung was not secure enough to serve as an authentication mechanism.
The attack is unlikely to be mounted against an average user, but it could be turned against billionaires, celebrities and public figures such as presidents or high-profile executives, whose faces are widely photographed, shared and published.
With enough effort, skilled craftsmen could use such photographs to reconstruct a mask like Bkav’s, one that replicates the target’s face, although Bkav’s own demonstration relied on a five-minute scan of the target rather than on photographs alone.
Bkav therefore warns that public figures should think twice about relying on Apple’s new facial recognition: the attack is out of reach for casual attackers but comparatively easy for professionals with the right equipment.
When Apple unveiled the iPhone X in September, it said the neural networks at the core of Face ID had been trained on more than a billion images.
The company also said it had worked with special effects professionals to build a range of masks for testing the feature during development.
In its Face ID security whitepaper, Apple puts the probability that a random person could unlock the phone with their face at about one in a million, compared with one in 50,000 for Touch ID. That figure is a false-acceptance rate for random, untargeted faces; Apple’s own document notes it is lower for identical twins, siblings and children under 13, and it says nothing about a targeted adversary who has invested in a replica of a specific user’s face, which is exactly the Bkav scenario.
Though biometric security in smartphones has seen significant advancements over the last decade, the technology still has a long way to go.
With Bkav breaking Apple’s facial recognition just a week after its release, vendors need stronger liveness checks in their biometric systems. A face recognition system paired with an iris scanner, and one that requires a blink during recognition, would be considerably harder to fool with a static mask.
Bkav’s researchers advise iPhone X users to rely on a strong passcode: at least six digits, preferably alphanumeric. Attackers will keep probing phones with third-party tooling, but a passcode that exists only in the owner’s memory cannot be scanned, photographed or 3D-printed. Users who expect to be targeted can also disable Face ID on the spot by holding the side button together with either volume button, which forces the passcode on the next unlock.