When Apple unveiled Face ID – the main security feature of their latest device, the iPhone X – the company touted that not even Hollywood-makeup-designer-level masks would be able to beat the phone’s sensors.
Cut to one week later, and both a computer security company and casual users are claiming to have beaten the system.
The most sophisticated method seems to have been devised by researchers from Bkav, an antivirus and computer security firm based in the US and Singapore, who appear to have fooled the device with a purpose-built mask. Rather than strive for realism, the Bkav researchers claim that they sought to trick the phone’s depth-mapping technology. As a result, the final product bears hand-crafted white-coloured ‘skin’ and 2D printed eyes, but with very realistic 3D printed features, depth and proportions.
In another scenario, a casual user has also demonstrated pretty conclusively that her 10-year-old son could unlock her iPhone X using his face because he shares his mother’s features.
So, do iPhone X users have anything to worry about?
The team of researchers from Bkav maintain that their test was not ‘cheated’, and the more casual demonstration lends credence to their claims. With the iPhone X matched to one of the Bkav team’s faces, the researchers claim that, aside from the off-the-shelf 3D printer, the materials required to build the mask cost around $150. In practice, the demo shows the mask fooling Face ID in one attempt, although it is unclear how many tries the team took off-camera. As for building the mask, the researchers assert that work began on November 5th, and took only five days to complete.
When approached for comment, Apple directed concerned users to its white paper on Face ID, which outlines how the tech works. According to Apple, 30,000 infrared dots and a 2D infrared image are analysed when Face ID reads a user’s visage. When processing the image, the iPhone then takes the data it collects – which is specific to the device – and compares it against stored facial data. In short, the data should be locked tight, specific to individual devices.
Realistically, most iPhone X users should not be too concerned with the findings. Bkav itself acknowledges that, given the effort expended to make the mask, the technique does not compromise ‘normal users’. As Engadget put it, “If someone is so determined to get into your phone that they build a custom mask, you have much larger security concerns than whether or not Face ID is working.”
What these ‘breaches’ show is that biometric security is still more of a convenience feature than a bulletproof security measure, as readers of The Register were quick to point out. Or, as Engadget put it: “They [biometrics] make reasonable security painless enough that you’re more likely to use it instead of leaving your device unprotected.” For those genuinely concerned about the protection of their mobile phones, passcodes are seemingly still the best way to go.