Samsung Galaxy S3 Face Unlock Tricked By Photograph

AlistairCharlton writes with a story about an Android Face unlock security system that could use some tweaking. "Android's Face Unlock security on the Samsung Galaxy S3 can be tricked into unlocking the phone by showing it a photograph of the owner. In a test carried out by IBTimes UK, we found that the Galaxy S3 cannot distinguish between a photograph and a real person, leading us to suggest users should select a more secure way of locking the phone, such as with a PIN or password."

Not Intended to be Industrial Grade

[nahdude812]

Face unlock is not intended to be industrial grade security. By its nature it has to be tolerant to unlocks (it would suck if you couldn't unlock your phone after a haircut or beard trim, for example). It's intended to prevent casual perusal by someone who finds the phone sitting around. They've added some little things like requiring some movement in the face (eg, blinking), so it's mildly surprising that a static photo can trick it. But it's not especially worrying either - again, it's meant to be one step above slide to unlock.

It's almost like stating that the standard "slide to unlock" is insecure because anyone can slide that button! The statement is true, but it misses the point.

Also, a quote from Samsung taken directly FTFA:

"Therefore, users with sensitive information on their phone are advised to use higher-protection security features, such as pattern, pin, or password unlock."

Re:Not Intended to be Industrial Grade

[localman57]

It's not necessarily pointless, depending on who your attacker is. Against a sufficiently advanced and determined attacker, nearly all security attempts are pointless, because all can be broken, even if a rubber hose must be used. If your goal is to simply prevent someone from casually picking up your phone and browsing through your inbox, it might be worthwhile. Additionally, if the "gimmick" aspect leads some people to use it who would not otherwise use a PIN (which is very un-gimmicky), there may be some value in it.

Finally, I see this as potentially very useful as a two-factor authentication for cases where the person who has the phone doesn't know to whom it belongs. e.g. they found it in a bar. If brute-forcing the face recognition is somewhat difficult, it could be added to a pin code for extra security. All of this assumes that there isn't an easily exploited backdoor or weakness via USB or other interface.

2011 called

[SmurfButcher+Bob]

...duh? really?

Re:Feature...

[bughunter]

This is a "feature", not a "bug".

Obviously. With all of the face-eating zombies in the news lately, Samsung thoughtfully permits you to unlock your phone with a backup of your face.

Possible solution...

[FridayBob]

Equip the phone with two or more cameras so that the user's face can be verified in 3D, thus making it a lot harder to fool the system with one or more 2D pictures.

Informed decision?

[astrodoom]

No information on the test they performed whatsoever, no shots of the photos used, no information on how they overcame (or if they did at all) the supposed blinking requirement. This news site has a low opinion of their readers to not even include the simplest information.

Re:Solution

[XiaoMing]

Use someone *else's* face as your unlock.

Like Teddy Roosevelt.

And then put that picture as your login screen, so it'll log you in if you point at a mirror.

It'll still be a problem if Zombie Teddy Roosevelt steals your phone, but how likely is that...

So you now have a cell-phone that's only useful near mirrors.

Face unlock is not a security feature

It's not a security feature and it should not be. It's there for convenience. nothing more.
It's just like slide to unlock, but all you have to do is look at the camera and voila :)