Face ID Hacked, But it Isn’t as Big a Deal as You Think


Security researchers found a way to trick Face ID in the iPhone X, but it’s premature to declare Apple’s 3D facial scanning technology a failure or insecure. The method the firm used to trick Face ID is complicated and involved making a seriously creepy mask.

Face ID is Apple’s replacement for Touch ID on the iPhone X. Instead of scanning your fingerprint it scans your face to unlock your iPhone and authenticate purchases.

Researchers from Bkav started with a detailed 3D scan of the subject’s head, then used a 3D printer to create the mask’s form. Next, an artist reconstructed the subject’s eyes, nose, and mouth with latex. With all the pieces in place, Bkav’s mask seems to have fooled Face ID and unlocked the test iPhone X.

They claim their demonstration shows Face ID isn’t as secure as Apple claims. On the contrary, their work shows it’s even more difficult to spoof Face ID than Touch ID.

Chaos Computer Club members bragged about tricking Touch ID when the iPhone 5s was released in 2013. They started by making a high-resolution scan of someone’s fingerprint, then output it to a laser printer. The output was then transferred to latex that was used to unlock the phone.

That was a pretty sophisticated process and proved not to be a serious threat to the iPhone’s biometric security measures. Had this been a practical hack, it’s a safe bet the FBI would’ve used it to get into the San Bernardino mass shooter’s iPhone instead of trying to force Apple to make a hackable iOS version.

Bkav’s Face ID hack is much more involved and their presentation feels a lot like the “How to draw an owl” meme: First you make a sophisticated 3D mask, and then you unlock the iPhone.

What Bkav has really shown is that any security measure is hackable given enough time and resources.

Practically speaking, if you have someone long enough to get a detailed scan of their head there’s a much faster and more reliable method for getting into their phone. It’s amazing how powerful a motivator threatening to break someone’s arm is.

5 Comments

  1. pjs_boston

    It’s quite right that if bad guys want into your phone they’ll just threaten you to give them your passcode rather than go through a laborious 3D scanning, mask making adventure.

    Sadly, this logic is completely lost on every single Apple hater on the web 😁

  2. Frank V

    Also, do we know if they had “Require Attention for Face ID” switched on and did they train the phone to recognise the mask?

  3. wab95

    Jeff:

    A 3D latex mask of someone’s face, to which you obviously have access to get into a phone? Why not just use the poor bugger’s face, since you obviously have access to it?

    This ‘hack’ has all of the internal logic of a ‘faked moon landing’ that involves the launching of real rockets and leaving real artefacts on the moon’s surface, including moon buggies and footprints for good measure, and then pinky-swearing hundreds of thousands of contractors to keep mum…forever.

  4. BlackCorvid

    Just a quibble, the phones used by the San Bernardino shooters were 5C’s weren’t they? No touch ID on those so other than the likelihood that they had a simple 4 digit code, they were safe from biometric hacking.

  5. jhorvatic

    This is so lame to claim they hacked Face ID. First of all, who has the tools to get a scan of someone’s face and create a 3D mask from it? And how does someone get a scan of someone’s face without them knowing it? Apple went through the steps making it very hard for someone to put a mask on to fool Face ID. Obviously it worked because this was a hack job that poses no threat to anyone in the real world.
