Slashdot Mirror
Hackers Say They've Broken Face ID a Week After iPhone X Release (wired.com)
Andy Greenberg, writing for Wired: When Apple released the iPhone X on November 3, it touched off an immediate race among hackers around the world to be the first to fool the company's futuristic new form of authentication. On Friday, Vietnamese security firm Bkav released a blog post and video showing that -- by all appearances -- they'd cracked Face ID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which in combination tricked an iPhone X into unlocking. That demonstration, which has yet to be confirmed publicly by other security researchers, could poke a hole in the expensive security of the iPhone X, particularly given that the researchers say their mask cost just $150 to make. But it's also a hacking proof-of-concept that, for now, shouldn't alarm the average iPhone owner, given the time, effort, and access to someone's face required to recreate it. Bkav, meanwhile, didn't mince words in its blog post and FAQ on the research. "Apple has done this not so well," writes the company. "Face ID can be fooled by mask, which means it is not an effective security measure."
.... ain't all asian all look alike anyway?
Put some scotch tape over the camera lense so your face always looks blurry.
Authentication is predicated upon knowing a secret, which your face isn't
If you remember, Touchid was similarly soon broken, and it also required quite some commitment from the hacker.
Still, for most people the security of TouchId was good enough and practical in use.
I expect the same with FaceID. For the utmost in security, users can always opt for a passcode.
Is the video at the bottom telling you about all those new and exciting security features. I first had to check whether it's a video from 2008 but no, it really talks about this iPhone.
Just as one of the huge innovations you can now set a six digit pin code instead of that puny 4 digit one. Talk about courage!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
material things will fail you
The reason FaceID exists it to collect biometric data for Apple. It isn't to improve end user security. Silly people.
... that its "Bphone the best smartphone the world" (2015). It sank without a trace.
I'd treat that their claims that "Apple has done this not so well" and "Face ID can be fooled by mask, which means it is not an effective security measure" with a grain of salt. Of course their company is from Vietnam, "land of fakes" https://tuoitrenews.vn/news/ci... where scandal after scandal of dangerous, counterfeit and frank outright fraud is commonplace.
Unfortunately I have firsthand experience of this :(
You also have to have the equipment, time and expertise to pull this off. And I guess some kind of 3D model of the person's head? Not sure, haven't read TFA. Personally if I lost my phone I'd immediately have it wiped and locked via MDM. So unless this was all carefully orchestrated before hand, I think I'm ok.
So, what exactly is wrong with having to enter a passcode, anyway?
FaceID reminds me of this xkcd comic.
Except that you no longer need the wrench...
Fanatically anti-fanatical
This wasn't funny the first time you posted.
Your mission, should you choose to accept it, is to somehow sedate the subject and create a life cast of their face without them figuring out that you're doing it. You must then jump though a bunch of other hoops in order to unlock the subject's phone. You are under no circumstances to use the subject's own face to unlock their phone. Should you or any of your IM force be caught or killed, you will be mocked mercilessly on Slashdot.
If you get arrested, they unlock the phone by holding it up to your face. That doesn't even require a mask. It's the opposite of security.
Now I need to get a new face!
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
And I keep it in my rectum.
What happens when a person suffers an injury to their face? A serious black eye, swelling, etc? Do they get locked out of their phone at a time when that's probably the last thing they want to have to deal with?
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
Face recognition is less secure than good fingerprint scanning, which includes capillary response and other non-visible checks. I'm frankly surprised it took them this long.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Really was better and more convenient, in my opinion. Lately Apple's new features feel an awful lot like tech demos (Touch Bar, Face ID, Animojis) that perhaps should have stayed in the lab. Gee whiz look at what we can do is not the same thing as useful.
You can also create fake finger prints if you can get a good model print.
Some drink at the fountain of knowledge. Others just gargle.
The reason FaceID replaced TouchID is to decrease the number of steps users must take to start using the newly iPhone-exclusive Animoji.
Apple does love its walled garden...
The researcher shows that the phone unlocks when presented with his face, but it doesn't show the enrollment or training phase.
For the sake of transparency, it would be nice to see that enrollment was done on his normal face without using any part of the mask or other shenanigans. And since the scanner apparently 'learns' from failed scans where you immediately enter the (correct) passcode, that's another route by which he could corrupt the enrolled data -- he could scan the mask and then enter his passcode enough times that it 'learns' the wrong thing.
If either of those are true, it only shows that the authorized user can enroll data that's close enough to both his real face and a mask that both unlock it.
Hasn't anyone watched the Mission Impossible movies? They are making those masks pretty realistic nowadays! (albeit a bit more expensive than $150)
They'll be able to have a 3d printer at their HQ, photograph the recipient, and viola - privacy violated.
I hate to say this, but the ability to scan someones face for 3D without them knowing it isn't far fetched. The accuracy with which software can take 2D video and make 3D data models is quite frightening. But ya, it's all a little far fetched. You'd need someones phone and a map of their face. Here's what is better. Add a 4 digit pin!
Well it looks like the police won't need to rely on the prisoner to divulge a password anymore. They can just do a 3D mug-shot, make a mask and open up the phone.
"Apple has done this not so well," writes the company. "Face ID can be fooled by mask, which means it is not an effective security measure."
Isn't that true of any biometric-only authentication system? Fingerprint, face, iris, voice... they can all be emulated with enough effort. It's a darn convenient security measure, however, which under the right circumstances is augmented by a strong passcode.
We just want to go our own way. The rest of the world will go its way. Who can argue with the fairness of that?
Alternative Right.
Assuming that it's sufficiently accurate, Face ID is a great authentication system for inconsequential people. IE: People who don't have a lot of money nor power, which is a very large portion of the population.
For those that do have some kind of responsibility, ie: managers, IT staff, etc, it's bad.
If said individuals work for a major corporation and/or deal with sensitive information, it's downright idiotic. A biometric authentication system that doesn't even require you to be near the individual to unlock a device with sensitive data is foolish, especially today when people have access to 3D cameras and printers, and can do a targeted attack relatively inexpensively.
It's not Mission Impossible type stuff, but it's not far off.
Again, it is retarded to believe that the police would not simply get a warrant, and then use the finger of the iphone owner to unlock their phone, dead or not. (Notwithstanding the retards in Texas, apparently.) Although that method will only work for 48 hours according to Apple, before the phone resets to a pin. Why the morons in law enforcement don't appear to know this is disturbingly absent in the conversation.
Similarly, they will simply use your face to unlock the phone when they have you in custody....and custody of the phone, by just holding it up to your face...dead or not, and/or willing or unwilling. Duh.
You could just kill someone, then scan their face with their iPhone to unlock it.
I'd prefer a simple password, which at least doesn't make my death a convenient way to break into my stuff.
The researchers concede, however, that their technique would require a detailed measurement or digital scan of a the face of the target iPhone's owner. The researchers say they used a handheld scanner that required about five minutes of manually scanning their test subject's face.
So they haven't really broken anything. It turns out if you sit there and let them scan your face for 5 minutes they can make a model that can bypass a scanner in a consumer device. I'm surprised that it isn't possible to make a perfectly matched face that could fool a human with that kind of scanning.
Non-story.
- Vincit qui patitur.
iOS has required a 6-digit PIN (or passphrase) to use TouchID for ages. I doubt they've regressed for FaceID.
In either case you can press the power button 5 times quickly to disable TouchID and require the passcode to be entered.
Authentication is predicated upon knowing a secret, which your face isn't
Neither is your fingerprint, but Touch ID is a decent trade-off (IMHO).
At the time of Touch ID's introduction, Apple's numbers showed that 80% of people did not have a PIN / pass code on their phones. Why would that be the case? Because it's a pain in the ass to also enter the PIN, and people wanted to get to their apps and alert quickly.
By introducing Touch ID (which forces you to enter a PIN / code), it allowed people convenient access to their data, but at the same time ensured that they had (at least) a PIN. Previously people's phones were completely open.
The point of Face ID is to reduce the "friction" of a locked device even more.
Do you have to use faceid? If so don't buy this phone if you're doing shady things... $150 and a few high quality Facebook, mug or old photoalbums should like you could beat it in mass...
Hold it there, let's not get crazy. Talking about this like it's some kind of security thing is totally and completely absurd.
Nobody was ever going to take FaceID seriously as a way to authenticate; it's a toy. Saying this pokes a hole in the iPhone's "security" is like saying that cracking rot-13 pokes a hole in your no-girls-allowed clubhouse's secret-messaging "security."
You know, prior to purchase, that there's virtually no chance that the phone is secure. There isn't anything to crack or defeat.
Authentication is predicated upon knowing a secret, which your face isn't
Authentication has nothing inherently to do with secrets. It's merely the act of proving you are who you say you are or verifying some other fact. In some cases secret information can aid in this or make it more dependable but most authentication is actually done with publicly available non-secret information. People recognize your face on a daily basis which is the most basic form of authentication. Sometimes it is useful to layer a secret passcode onto some item you possess or some bio-metric identifier but those merely enhance the confidence of the authentication.
It is more and more obvious that face recognition-based authentication does not solve any significant problems, while introducing issues of its own - most notably, as many have already pointed out, once your face as been compromised, you can't easily change it. The bottom line is, this will deter the opportunistic agents. Those sufficiently well funded and determined (and, on the basis of the article, the do not have to be all that well funded or determined) will still crack it. ANd the truth is that there are far simpler approaches to deter opportunistic agents. Face recognition-based authentication has its place, but it is a teeny-weeny niche. Hype and hoopla aside, that is.
It's still harder to fake than a finger scan, potentially saving planes from being redirected mid flight You leave prints everywhere and can be scanned while asleep or non compliant. You don't as of yet leave a highly detailed face scan everywhere and it won't work with your eyes closed or face contorted. You are required to use a password in any case. If the faceID gets a couple of fails you need to use the password to unlock even if you then provide the right face; this was demonstrated live on tv at the official launch.
If it is no worse than a thumbprint, then why is it news? We've had fingerprint based unlocking for years--did you just now find out about it?.
Also, FaceID doesn't work if you're unconscious.
Also, if somebody is willing to beat you to death to get into your locked phone, then what form of security is going to stop that?
It seriously took 10 seconds to completely destroy your argument, maybe try harder next time.
If it can be established that FaceID can be fooled we can expect the technique to be refined over time to the point that it is accessible enough to be a general threat.
From here, it is just a matter of narrowing down to the minimum requirements to execute a fake. Establishing that a fake can work at all clears the most significant hurdle.
Presumably, scanning tech will improve. Presumably, use of facial recognition will expand. Presumably, some systems will store everything needed to spoof your face in an insecure way, without you permission or knowledge.
You feelin' lucky?
Just have one guy hold the person still while you hold the phone up to their face? I still can't believe anybody thought this was a good idea.
For fingerprint scanners we used to cut of a finger, and now we just cut of the head.
Out of curiosity: IIRC, the iPhone projects some IR dots on the face, and reconstructs a 3D model based on the distortion of the projected pattern using a rather regular 2D camera.
Is that pattern fixed?
If so, would it be possible to block the projection, and "simply" show the sensor the pattern that should appear?
I bet it's not that easy, but i'd like to know why?
Does she give you a secret passcode when you pick her up from daycare? No? Then how do you know that she's not an imposter? After all, her appearance is public knowledge.
Here's how:
1. trusted authentication hardware/sensors : You trust your own eyes, you are pretty certain that no one has done a MIM attack in the path from your visual cortex to the child's face.
2. weighing cost-to-defeat vs. benefit : sure it's possible to find another child and do elaborate plastic surgery or a mask, but that's a fantastical notion considering the costs involved when weighed against any possible benefit
3. chain of custody : Your daughter has been with you or with people you trust the entire time. One of them likely would have warned you that a black van appeared, took your daughter for a couple hours, and then returned her
4. If any of #1-#3 are in doubt then you can always fall back to asking her something only she would know (i.e., a secret)
This is, more or less, exactly the way that TouchID or FaceID works. The sensors are in a secure, encrypted domain that's outrageously difficult to hack and would require getting your phone out of your possession without you knowing it. Successfully hacking into your phone would be extremely expensive and thus not worth it. And whenever Apple becomes a little suspicious that someone is trying to hack in (i.e., when the phone gets rebooted, when you hit the power button 5 times, when the SW is updated, after 48 hours of you not logging in) then it reverts to a mode where it insists on you entering a secret.
You have made the child-like mistake of thinking that any form of security that is theoretically breakable is worthless. In fact, there is no such thing as perfect security--the goal is ALWAYS to increase the cost & effort required such that breaking the security is not economically practical.
It doesn't. In fact it doesn't use the front-facing video camera at all. Try again.
It uses special a 3d depth-sensing IR-based system.
Look at all this trouble that researchers went through to "crack" the phone. $150 in materials, silicone, 3D printing, makeup, printouts. Oh, and they have to borrow your face to make the measurements. Apple should be chuckling.
Think about it, no money to gain and the perpetrator is on the front line of the legal system.
What gets me is that I correctly predicted, based upon the fine work with 3D printing, image recognition, and the actual parameters and technology used to FaceID, that this was possible, and, indeed, probable.
But you thought "oh no, Mr Bill, the Security Gods have promised us it's secure".
Look, if you want to be safe, turn off your Bluetooth and don't let your WiFi connect to other services that aren't secure, and don't use fingerprint or FaceID.
It's that simple.
-- Tigger warning: This post may contain tiggers! --
Everything runs on LINUX now. Nothing worth anything runs on iOS or Mac OSX. Exception is making movies and music on Mac's because they can sucker more price out of Mac users. Mac users think they got a great OS.
Try FreeBSD plebs. It is the grandfather of everything cool about Mac OSX and is still free and is still wiser and better than Mac.
freebsd.org
(requires ability to follow instructions to install, that is all. run it in VirtualBox for ease.)
You somehow managed to internalize the exact opposite of the moral of that xkcd strip. Bravo.
He is pro a certain version of America that not all Americans like. All I know is that I personally am not particularly winning at the moment.
What said face id IS/WAS an "effective security measure" to begin with?
Then do what with it afterwards, stare at a useless command prompt? its 2017, not 1987. We want to get things done. That doesn't mean make a career out of making an OS work. No idea what criteria you're using to determine "better", but desktop use, a boon for OSX, isn't one of them. There isn't one single thing freebsd can do on the desktop that OSX isn't already doing better.
It seemed a lot easier to just trot out the twin :)
Local reporter has a twin...they had no problem breaking it that way. Apple warning was a bit understated about that....it didn't balk at all.
>> Hackers Say They've Broken Face ID a Week After iPhone X Release
It was already broken at the demo.
aaaaaaa
Otherwise it doesn't count!
It is not racist, it is called the cross-race effect. We are wired to identify facial features of our own race while other races look alike. It is also another reason eyewitness testimony is often unreliable.
Great, now not only is your iPhone hacked, you also have to go through the rest of your life looking like Nicolas Cage: https://en.wikipedia.org/wiki/...