Vietnamese security firm Bkav says its proof of concept shows face ID isn’t secure
A Vietnamese cybersecurity firm claims to have tricked the facial recognition feature on the iPhone X using a 3D-printed mask.
Researchers at Bkav created the $150 mask shortly after obtaining the smartphone on 5 November. It took them less than a week to spoof Face ID and say it was even easier than they expected with only half a face needed to create the mask.
“The mask is crafted by combining 3D printing with makeup and 2D images, besides some special processing on the cheeks and around the face, where there are large skin areas, to fool AI of Face ID,” explains Ngo Tuan Anh, vice president of cybersecurity at Bkav.
Face ID security
Face ID is one of the headline features of the £1,000 iPhone X and can be used to unlock the device. There have been a number of attempts to crack the feature but none have succeeded. Bkav says it was able to do so because of its expertise and posted a video on its website.
“It is quite hard to make the ‘correct’ mask without certain knowledge of security,” Bkav argues. “We were able to trick Apple’s AI, as mentioned in the writing, because we understood how their AI worked and how to bypass it. As in 2008, we were the first to show that face recognition was not an effective security measure for laptops.”
Bkav has been a long-term critic of facial recognition and alleges that Apple rushed out Face ID without properly securing it. It adds that the most secure form of biometric security is fingerprint, just like the Touch ID system that Face ID replaces.
However given the sophisticated techniques used to create the mask, Bkav says it is government leaders, government workers and high ranking executives that would be the likely target.
It is understood that Bkav’s experiments are not seen as a credible proof of concept, while security experts have suggested that Face ID was a feature designed to be convenient rather than ultra secure.
“Time and effort were involved in creating the mask that fooled the Face ID recognition software,” says Paul Norris, senior systems engineer at Tripwire. “Detailed dimensions would have to be taken to create the mask, and the security firm alluded to the fact that they had to use a special material on the mask too. What they didn’t disclose was how many attempts and what level of effort it took to get the mask to work flawlessly.
“Is this really a risk to iPhone X users? Apple will disable the Face ID after five attempts, and force the user to enter a passcode, which should be secure.
“In order to compromise Face ID authentication, the attacker would have to have a detailed map of the face of the user, create a mask that would map the exact details of the victim’s face, unlock the phone within five attempts and do all of this within 48 hours. This seems like an unlikely sequence of events.”
A report last week suggested the Face ID could be used in the next iPad.