Security researchers found a way to trick Face ID in the iPhone X, but it’s premature to declare Apple’s 3D facial scanning technology a failure or insecure. The method the firm used to trick Face ID is complicated and involved making a seriously creepy mask.
Face ID is Apple’s replacement for Touch ID on the iPhone X. Instead of scanning your fingerprint, it scans your face to unlock your iPhone and authenticate purchases.
Researchers from Bkav started with a detailed 3D scan of the subject’s head, then used a 3D printer to create the mask’s form. Next, an artist reconstructed the subject’s eyes, nose, and mouth with latex. With all the pieces in place, Bkav’s mask seems to have fooled Face ID and unlocked the test iPhone X.
They claim their demonstration shows Face ID isn’t as secure as Apple claims. On the contrary, their work shows it’s even more difficult to spoof Face ID than Touch ID.
Computer Chaos Club members bragged about tricking Touch ID when the iPhone 5s was released in 2013. They started by making a high-resolution scan of someone’s fingerprint, then output it to a laser printer. The output was then transferred to latex that was used to unlock the phone.
That was a pretty sophisticated process and proved not to be a serious threat to the iPhone’s biometric security measures. Had this been a practical hack, it’s a safe bet the FBI would’ve used it to get into the San Bernardino mass shooter’s iPhone instead of trying to force Apple to make a hackable iOS version.
Bkav’s Face ID hack is much more involved and their presentation feels a lot like the “How to draw an owl” meme: First you make a sophisticated 3D mask, and then you unlock the iPhone.
What Bkav has really shown is that any security measure is hackable given enough time and resources.
Practically speaking, if you have someone long enough to get a detailed scan of their head, there’s a much faster and more reliable method for getting into their phone. It’s amazing how powerful a motivator threatening to break someone’s arm is.