Has Apple’s Face ID Already Been Hacked?

November 14, 2017

Apple recently started shipping its iPhone X, the ‘anniversary’ edition of its best-selling device. One of its main selling points, aside from the almost edge-to-edge screen, is its face recognition-based security. While previous generations used the fingerprint-based Touch ID, Face ID is allegedly much more effective at keeping your phone safe. According to Apple, the probability that a random person could look at your iPhone X and unlock it using Face ID is approximately 1 in 1,000,000.

To your average consumer, this feature might be impressive, but not essential. However, in an enterprise environment, the promise of near-bulletproof security is invaluable. But what if Face ID is more forgiving than we thought? Well, various individuals took Apple’s claims as a challenge and started working on hacks that would trick the face recognition software.

Bkav, a Vietnamese company focused on network security, software, smartphone manufacturing and smart home technology, reportedly created a mask that successfully bypassed Apple’s Face ID – with what looks like a simpler technique than some security researchers believed possible. According to the company, the mask cost $150 to create. The researchers used 3D-printed elements, a nose handmade by an artist, 2D-printed elements, and even hand-made skin to trick Apple’s AI.

The company allegedly wanted to prove that face recognition software is not mature enough to use in mainstream consumer devices. They also claimed that fingerprints are still the best choice in terms of biometric security. However, their demonstration is still awaiting confirmation from other researchers.

According to Dan Goodin of Ars Technica, the video and accompanying press release omitted key details that are necessary to assess if the researchers created a true bypass of Apple’s authentication. He stated that a crucial distinction is whether the mask successfully unlocked the iPhone immediately after it was set up to use the real human face for authentication or if the bypass succeeded only over a period of time following the face enrollment. Why? The software is designed to ‘learn’ subtle changes in the user’s face by taking additional captures over time and uses them to augment enrolled Face ID data. Using this feature, the researchers could have “trained” their iPhone over time to recognize the mask – an advantage that a real-world hacker would most likely not have. The company also claims to have unlocked the phone with static pictures of eyes – yet Apple stated that Face ID also looks for eye movement when scanning the user’s face.

The journalist also questioned the way the mask was made. If the artist making the mask had access to the real face and took measurements or made a mold, that, again, would be an unfair advantage over a real-world scenario. If the mask was made using only images or videos that could be taken without the target’s knowledge or consent, then the hack would be plausible.

When Ars Technica reached out for comment, the researchers reportedly deflected and at times outright evaded the questions. They did not clarify whether the iPhone “learned” to unlock with the mask, why other similar attempts failed, or whether they required the exact dimensions of the user’s face.

Wired reported, however, that the researchers admitted that their technique would require a detailed measurement or digital scan of the face of the target iPhone’s owner. They manually scanned their test subject’s face for about five minutes with a handheld scanner. That puts their hack in the realm of highly targeted espionage, rather than the sort of run-of-the-mill hacking most iPhone X owners might face.

According to Wired, Bkav’s history does lend the experiment credibility. Almost a decade ago, the company broke the facial recognition of Lenovo, Toshiba, and Asus laptops with nothing more than two-dimensional images of a user’s face.

Assuming the company’s hack is legitimate and indicates a flaw in Apple’s security software, this raises the question: how will this actually affect users? It’s safe to assume that the average pickpocket won’t have access to your face measurements – they’re actually more likely to force you to look at your phone and then walk away with it. A more likely, yet still uncommon, scenario in which a hacker would go to the trouble of creating a mask to bypass the iPhone X’s security is actual espionage. A CEO or a key employee working on a secret project could be targeted using this technique (assuming, of course, that the hacker can take their face measurements and photos from a distance).

All in all, this hack involves many variables and many ‘ifs’. If you’re an enterprise user, such a flaw could potentially compromise sensitive company data. In an age when everything is digital, this is definitely something to worry about. However, before you ditch the iPhone X (or decide against it for future purchases), you might want to wait for multiple groups of researchers to confirm the hack. It’s still unclear how Bkav managed to trick Face ID with the mask, but hopefully, once more details emerge, we’ll know whether we should be worried or not.