Face ID in Apple’s iPhone X tricked by a $150 3D-printed face mask
13 November 2017
Just a couple of months after Apple launched the iPhone X, the much-touted Face ID security feature in the premium handset has been dealt a major blow.
A team of security researchers has succeeded in fooling Face ID by using a specially designed 3D-printed mask that costs just $150 to make.
When Apple launched iPhone X back in September, the company waxed lyrical on its new Face ID technology, a path-breaking facial recognition feature that used specialised hardware and a flood illuminator to create 30,000 invisible dots to map a person's face. The technology didn't even fall for well-lit photographs or other faces that had similar features.
Apple said there's a one in a million chance of someone cracking its proprietary facial recognition feature. In fact, during the iPhone X launch event at the Steve Jobs Center, Tim Cook even joked that unless an iPhone X user has an evil twin, he will have no reason to worry about his security.
Sadly for Cook, the evil twin has arrived but in the form of a specially crafted 3D-printed face mask, despite the fact that Apple took help from Hollywood make-up artists and professional mask makers to ensure Face ID wasn't fooled by such masks.
Security researchers at Bkav Corporation recently announced that they had succeeded in tricking Apple's Face ID with a face mask made using a popular 3D printer, a hand-made nose, and certain parts produced with a 2D printer. The mask cost approximately 150 USD to create.
'It is quite hard to make the "correct" mask without certain knowledge of security. We were able to trick Apple's AI because we understood how their AI worked and how to bypass it. As in 2008, we were the first to show that face recognition was not an effective security measure for laptops,' the researchers said.
They added that Face ID is 'not an effective security measure' and that for biometric security, fingerprint is the best. If hackers succeed in fooling Face ID by using similar concepts, they would target billionaires, leaders of major corporations, and nation leaders rather than regular users.
'It does not matter whether Apple Face ID "learns" new images of the face, since it will not affect the truth that Apple Face ID is not an effective security measure. However, we knew about this "learning", thus, to give a more persuasive result, we applied the strict rule of "absolutely no passcode" when crafting the mask.
'With Face ID's being beaten by our mask, FBI, CIA, country leaders, leaders of major corporations, etc. are the ones that need to know about the issue, because their devices are worth illegal unlock attempts. Exploitation is difficult for normal users, but simple for professional ones,' they added.
The researchers at Bkav aren't the only ones who've managed to fool Face ID. FaceTec, a San Diego-based software start-up, has also demonstrated that if iPhone X users fall asleep, their faces can still be used to unlock their handsets. The firm placed paper cut-outs, pizza toppings and bottle tops over a sleeping subject’s eyelids to successfully fool Face ID in an iPhone X handset.
'We saw a lot on social media about whether it was possible to use someone’s sleeping face to open their iPhone X so we put it to the test. As you can see from the video we’re just having a bit of fun but I think it raises a valid point. The prospect of someone gaining access to your locked phone while you sleep is something iPhone X users need to be aware of, particularly those that sleep deeply,' said Kevin Alan Tussy, CEO of FaceTec.
The firm is launching its own facial recognition technology named ZoOm Login which provides ultra-secure face authentication by matching the user via recognition algorithms and verifying 3D liveness via AI.