Slashdot Mirror


Samsung Galaxy S3 Face Unlock Tricked By Photograph

AlistairCharlton writes with a story about an Android Face unlock security system that could use some tweaking. "Android's Face Unlock security on the Samsung Galaxy S3 can be tricked into unlocking the phone by showing it a photograph of the owner. In a test carried out by IBTimes UK, we found that the Galaxy S3 cannot distinguish between a photograph and a real person, leading us to suggest users should select a more secure way of locking the phone, such as with a PIN or password."

33 of 174 comments

  1. Can you see it? by alexbgreat · · Score: 5, Funny

    This is my shocked face...

    1. Re:Can you see it? by icebike · · Score: 2
      --
      Sig Battery depleted. Reverting to safe mode.
  2. Not Intended to be Industrial Grade by nahdude812 · · Score: 5, Insightful

    Face unlock is not intended to be industrial grade security. By its nature it has to be tolerant to unlocks (it would suck if you couldn't unlock your phone after a haircut or beard trim, for example). It's intended to prevent casual perusal by someone who finds the phone sitting around. They've added some little things like requiring some movement in the face (eg, blinking), so it's mildly surprising that a static photo can trick it. But it's not especially worrying either - again, it's meant to be one step above slide to unlock.

    It's almost like stating that the standard "slide to unlock" is insecure because anyone can slide that button! The statement is true, but it misses the point.

    Also, a quote from Samsung taken directly FTFA:

    "Therefore, users with sensitive information on their phone are advised to use higher-protection security features, such as pattern, pin, or password unlock."

    1. Re:Not Intended to be Industrial Grade by Rhodri+Mawr · · Score: 2

      They've added some little things like requiring some movement in the face (eg, blinking), so it's mildly surprising that a static photo can trick it.

      Given that my son's camera consistently detected the Mona Lisa blinking, I'm not surprised at all.

    2. Re:Not Intended to be Industrial Grade by errandum · · Score: 2

      it's not stupid at all, you don't have to slide your finger on the screen!

      With a 4.8 screen, imagine how much work you'd have to put into that every single day... It's a godsend, I tell you, a godsend!

    3. Re:Not Intended to be Industrial Grade by localman57 · · Score: 4, Insightful

      It's not necessarily pointless, depending on who your attacker is. Against a sufficiently advanced and determined attacker, nearly all security attempts are pointless, because all can be broken, even if a rubber hose must be used. If your goal is to simply prevent someone from casually picking up your phone and browsing through your inbox, it might be worthwhile. Additionally, if the "gimmick" aspect leads some people to use it who would not otherwise use a PIN (which is very un-gimmicky), there may be some value in it.

      Finally, I see this as potentially very useful as a two-factor authentication for cases where the person who has the phone doesn't know to whom it belongs. e.g. they found it in a bar. If brute-forcing the face recognition is somewhat difficult, it could be added to a pin code for extra security. All of this assumes that there isn't an easily exploited backdoor or weakness via USB or other interface.

    4. Re:Not Intended to be Industrial Grade by KhabaLox · · Score: 5, Funny

      Want security, pick a strong password.

      Exactly. That's why I use a picture of Rainer Wolfcastle for my Galaxy.

      --
      Ceci n'est pas un sig.
    5. Re:Not Intended to be Industrial Grade by icebike · · Score: 4, Informative

      Face unlock is not intended to be industrial grade security. By its nature it has to be tolerant to unlocks (it would suck if you couldn't unlock your phone after a haircut or beard trim, for example). It's intended to prevent casual perusal by someone who finds the phone sitting around. They've added some little things like requiring some movement in the face (eg, blinking), so it's mildly surprising that a static photo can trick it. But it's not especially worrying either - again, it's meant to be one step above slide to unlock.

      It's almost like stating that the standard "slide to unlock" is insecure because anyone can slide that button! The statement is true, but it misses the point.

      Also, a quote from Samsung taken directly FTFA:

      "Therefore, users with sensitive information on their phone are advised to use higher-protection security features, such as pattern, pin, or password unlock."

      Further this is a standard feature of ICS, and nothing to do with Samsung. It's on all the HTC phones that ship with a front facing camera and ICS installed.
      Want to blame someone, blame Google for adding this silly feature to Android.

      --
      Sig Battery depleted. Reverting to safe mode.
    6. Re:Not Intended to be Industrial Grade by liquidsin · · Score: 5, Funny

      just use a picture of your balls; in theory it should be easier to keep would-be hackers from getting a picture of your balls, and it's only slightly awkward to shove your hand down the front of your pants every time you'd like to use your phone.

      --
      do not read this line twice.
    7. Re:Not Intended to be Industrial Grade by crakbone · · Score: 4, Interesting

      Actually I see this as preventing the casual phone check by a police officer. It becomes a locked container and they then legally have to go to more extremes to open it. In some cases a warrant.

    8. Re:Not Intended to be Industrial Grade by girlintraining · · Score: 2

      "Therefore, users with sensitive information on their phone are advised to use higher-protection security features, such as pattern, pin, or password unlock."

      Yeah, because it's terribly difficult to see the finger smear left on the display after the unlock code is entered.... o_o Hmm, it looks like a backwards Z! Actually, in studies of it, they've discovered people tend to make geometric shapes or reversed alphabet characters as their unlock code... There's a fairly good chance that if you try the top 20, you'll unlock the phone. So there's that too...

      --
      #fuckbeta #iamslashdot #dicemustdie
    9. Re:Not Intended to be Industrial Grade by CCarrot · · Score: 5, Funny

      Actually I see this as preventing the casual phone check by a police officer. It becomes a locked container and they then legally have to go to more extremes to open it. In some cases a warrant.

      Or they just hold it up 'Is this your phone, sir? Oh look, it's unlocked...'

      --
      "I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
    10. Re:Not Intended to be Industrial Grade by kqs · · Score: 2

      Take a simple PIN for instance. Pair it up with the setting to erase the device after ten fails. Then an attacker gets the device and looks for fingerprints. One smudge on the device -- trivial. Two smudges and a four digit PIN can mean a 10 in 16 chance of getting the result. Three smudges, a 10 in 27, and four smudges, a 10 in 256 chance.

      If someone uses a longer PIN, it becomes harder to guess things.

      How do you get 256? 4 smudges means a 10 in 24 chance (4*3*2). Three or two smudges are even easier though I don't recall how to calculate the odds.

      Compare to face unlock which protects a lost cell phone pretty well, but gives little protection against your friends. I know which attacker I care about more.

    11. Re:Not Intended to be Industrial Grade by viperidaenz · · Score: 2

      I have two reasons for enabling "slide to unlock" on my phone. 1: to stop pocket dialing. 2: to stop my son from dialing 111 if he gets my phone. He's two now and has figured out how to unlock already, dial numbers and start angry birds. It would take him another few years to figure out he has to point the phone at me or a photo of me.

    12. Re:Not Intended to be Industrial Grade by YttriumOxide · · Score: 2

      I have two reasons for enabling "slide to unlock" on my phone. 1: to stop pocket dialing. 2: to stop my son from dialing 111 if he gets my phone. He's two now and has figured out how to unlock already, dial numbers and start angry birds. It would take him another few years to figure out he has to point the phone at me or a photo of me.

      My 14 month old daughter can now "slide to unlock" my wife's phone, bring up the address book and press the picture of her dad. She calls me at work at least twice a week. She's a little behind in the speaking department though, so no matter how much I try to get her to say something, she'll remain silent or offer a non-specific squeak/grunt at best (no cause for concern yet, but we're hoping her language skills pick up soon).

      So yes, I completely agree that the face recognition would be useful here - my wife's phone contains very little in the way of sensitive data; is never left anywhere when she goes out; and we live in a very low-crime city/country... security is therefore basically irrelevant, we just need a way to stop our daughter racking up pointless phone bills! (although I'll happily get her her own gizmos and toys since she clearly loves anything with buttons and/or screens)

      --
      My book about LSD and Self-Discovery
      Also on facebook as: DroppingAcidDaleBewan
  3. 2011 called by SmurfButcher+Bob · · Score: 3, Insightful

    ...duh? really?

    --

    help me i've cloned myself and can't remember which one I am

  4. Feature... by N0Man74 · · Score: 5, Funny

    This is a "feature", not a "bug". In fact, it's a "safety feature".

    Now there is no need for someone to kill you, skin your face off, and make a mask out of it to break into your phone (like in the movies). They can just take a photo of you from a telephoto lens. Sign me up!

    1. Re:Feature... by bughunter · · Score: 3, Insightful

      This is a "feature", not a "bug".

      Obviously. With all of the face-eating zombies in the news lately, Samsung thoughtfully permits you to unlock your phone with a backup of your face.

      --
      I can see the fnords!
    2. Re:Feature... by 93+Escort+Wagon · · Score: 2

      Now there is no need for someone to kill you, skin your face off, and make a mask out of it to break into your phone (like in the movies).

      But we can still do it for fun, right?

      --
      #DeleteChrome
  5. even more dangerous... by Anonymous Coward · · Score: 5, Funny

    It would be even more dangerous if someone compiled a whole book of face photographs... I dunno, maybe they could call it a "face book" or something like this.

  6. We've heard this with the Galaxy Nexus by mikecase · · Score: 2

    That said, this isn't meant to be industrial grade security. Compared to no security at all, this is a big step up. The likelihood that I lose my phone in the parking lot and someone who finds it has a picture of me to unlock the phone with seems extremely slim. More likely, this would be vulnerable to attack from people I know, but even then, it's better than nothing.

  7. Solution by mdarksbane · · Score: 4, Interesting

    Use someone *else's* face as your unlock.

    Like Teddy Roosevelt.

    And then put that picture as your login screen, so it'll log you in if you point at a mirror.

    It'll still be a problem if Zombie Teddy Roosevelt steals your phone, but how likely is that...

    1. Re:Solution by XiaoMing · · Score: 4, Insightful

      Use someone *else's* face as your unlock.

      Like Teddy Roosevelt.

      And then put that picture as your login screen, so it'll log you in if you point at a mirror.

      It'll still be a problem if Zombie Teddy Roosevelt steals your phone, but how likely is that...

      So you now have a cell-phone that's only useful near mirrors.

    2. Re:Solution by jgeiger · · Score: 2

      Use someone *else's* face as your unlock.

      Like Teddy Roosevelt.

      And then put that picture as your login screen, so it'll log you in if you point at a mirror.

      It'll still be a problem if Zombie Teddy Roosevelt steals your phone, but how likely is that...

      So you now have a cell-phone that's only useful near mirrors.

      And completely useless if you're a vampire.

  8. Possible solution... by FridayBob · · Score: 3, Insightful

    Equip the phone with two or more cameras so that the user's face can be verified in 3D, thus making it a lot harder to fool the system with one or more 2D pictures.

  9. Re:Never fool-proof by ThunderBird89 · · Score: 2

    You can crack a pattern lock by looking at the glass and noting the path the finger travels across the grid. For a PIN, you have 4-8 or more distinct points on the screen, with no indication of the order. That means you're looking at at least 24 (4!) different combinations, and most phone OS-es lock out after 3-5, for increasing periods. So it frustrates cracking attempts more than a pattern unlock.

    --
    Hyperbole: I use it liberally!
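
The smudge arithmetic discussed in the two PIN comments above (kqs and ThunderBird89), worked through as an added example that is not part of any comment in the thread: it counts how many PINs remain possible when a given number of distinct keys show smudges, and how that compares with a ten-attempt wipe limit. The function names are this example's own, and it assumes every smudged key is used at least once, the order is unknown, and all remaining candidates are equally likely.

```python
from itertools import product
from math import comb


def candidate_pins(smudges: int, length: int = 4) -> int:
    """Count PINs of `length` digits that use every one of `smudges`
    distinct smudged keys at least once (inclusion-exclusion)."""
    if not 1 <= smudges <= length:
        return 0
    return sum((-1) ** i * comb(smudges, i) * (smudges - i) ** length
               for i in range(smudges + 1))


def brute_force_count(smudges: int, length: int = 4) -> int:
    """Cross-check by enumerating every PIN over the smudged keys."""
    keys = range(smudges)  # which digits they are does not change the count
    return sum(1 for pin in product(keys, repeat=length)
               if len(set(pin)) == smudges)


def guess_chance(smudges: int, length: int = 4, attempts: int = 10) -> float:
    """Probability that `attempts` distinct guesses include the PIN,
    assuming every candidate is equally likely (an assumption of this example)."""
    total = candidate_pins(smudges, length)
    return min(1.0, attempts / total) if total else 0.0


if __name__ == "__main__":
    for length in (4, 6):
        for k in range(1, 5):
            n = candidate_pins(k, length)
            assert n == brute_force_count(k, length)
            print(f"{length}-digit PIN, {k} smudged keys: {n} candidates, "
                  f"{guess_chance(k, length):.1%} within 10 tries")
```

A four-digit PIN with one repeated digit (three smudged keys) leaves more candidates than one with four distinct digits, and moving to six digits over the same four keys raises the count well past any ten-attempt limit.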
  10. Solution: Silly faces! by LordRobin · · Score: 4, Funny

    There's an easy solution! Just cross your eyes and stick out your tongue when taking the security image! Of course, the people on the bus might think you're a little looney each time you unlock your phone, but that's the price you pay for security!

    ------RM

    1. Re:Solution: Silly faces! by gbjbaanb · · Score: 2

      and what's more - you can't accidentally unlock the phone just by picking it up, which could be awkward if you're on the bus and the person behind/next to you sees what you were doing with it before it locked last....

  11. Informed decision? by astrodoom · · Score: 4, Insightful

    No information on the test they performed whatsoever, no shots of the photos used, no information on how they overcame (or if they did at all) the supposed blinking requirement. This news site has a low opinion of their readers to not even include the simplest information.

  12. Last I checked.... by SIR_Taco · · Score: 4, Informative

    Last I checked on my Samsung Galaxy SII (with ICS 4.0.3), the "Face Unlock" feature was aptly labeled as "Low Security, Experimental".

    The only item marked as "High Security" is the password option.

    I don't have an S3, but from what I've read the UI/OS version is pretty close at the moment (4.0.3 vs. 4.0.4). And I do believe, correct me if I'm wrong, that "Face Unlock" is still labeled the same.

    --
    I say don't drink and drive, you might spill your drink. Before you get behind the wheel just stop and think.
  13. Face unlock is not a security feature by Anonymous Coward · · Score: 4, Insightful

    It's not a security feature and it should not be. It's there for convenience. Nothing more.
    It's just like slide to unlock, but all you have to do is look at the camera and voila :)

  14. Someone is telling you by Anonymous Coward · · Score: 2

    that starting your post in the subject and continuing in the body is bad form.

    By "someone" I mean me.

    With this reply.

    Don't do it.

    Ever.

  15. Re:Never fails... by Cosgrach · · Score: 2

    My voice is my PASSPORT.

    There, fixed that for you.

    --
    Why is it that most of the people that I encounter seem to have been shat from the Sphincter of Mediocrity?