Slashdot Mirror


Hackers Say They've Broken Face ID a Week After iPhone X Release (wired.com)

Andy Greenberg, writing for Wired: When Apple released the iPhone X on November 3, it touched off an immediate race among hackers around the world to be the first to fool the company's futuristic new form of authentication. On Friday, Vietnamese security firm Bkav released a blog post and video showing that -- by all appearances -- they'd cracked Face ID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which in combination tricked an iPhone X into unlocking. That demonstration, which has yet to be confirmed publicly by other security researchers, could poke a hole in the expensive security of the iPhone X, particularly given that the researchers say their mask cost just $150 to make. But it's also a hacking proof-of-concept that, for now, shouldn't alarm the average iPhone owner, given the time, effort, and access to someone's face required to recreate it. Bkav, meanwhile, didn't mince words in its blog post and FAQ on the research. "Apple has done this not so well," writes the company. "Face ID can be fooled by mask, which means it is not an effective security measure."

12 of 252 comments

  1. Still ok for general consumers by Camembert · · Score: 5, Insightful

    If you remember, Touch ID was similarly soon broken, and it also required quite some commitment from the hacker.
    Still, for most people the security of Touch ID was good enough and practical in use.
    I expect the same with Face ID. For the utmost in security, users can always opt for a passcode.

    1. Re:Still ok for general consumers by Opportunist · · Score: 3, Insightful

      The problem is that it's not just for general consumers. You try to explain to the CEO of a high-security company why you want to ruin his fun and not let him have his new toy.

      It's worse than trying to explain it to a 5-year-old, with the difference that the 5-year-old can't fire you and you can actually talk sensibly and reasonably with a 5-year-old.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Still ok for general consumers by Anonymous Coward · · Score: 5, Insightful

      When I worked in support, the biggest security risks were always the higher-up managers or CEOs that always wanted to be an exception to the security concept that they ordered.

    3. Re:Still ok for general consumers by tripleevenfall · · Score: 3, Insightful

      But your fingerprint is still somewhat private. You can't replicate my fingerprints from a picture of me that you found on Facebook. I can always change which fingers I have mapped to TouchID periodically, etc.

      You only have one face, and your face is public, which means it's less secure than TouchID was.

    4. Re:Still ok for general consumers by GameboyRMH · · Score: 3, Insightful

      I saw the same problem in the 2010s. Borderline computer-illiterate CEO wanted God Mode access to all file shares. Then something from the '80s did come along, file-wiping malware via email to the CEO...

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  2. What is wrong with a passcode? by registrations_suck · · Score: 3, Insightful

    So, what exactly is wrong with having to enter a passcode, anyway?

  3. xkcd by tbannist · · Score: 4, Insightful

    FaceID reminds me of this xkcd comic.

    Except that you no longer need the wrench...

    --
    Fanatically anti-fanatical
  4. Re:Noit a secret by tripleevenfall · · Score: 3, Insightful

    Exactly. Apple seems to have thought public information would make a better key than a secret, which is the opposite of security.

  5. Re:Noit a secret by bluefoxlucid · · Score: 3, Insightful

    We can use two photographs of your face as a stereoscopic image, then composite a 3D model.

  6. Re:Everyone but the marketing department knows... by e70838 · · Score: 2, Insightful

    Fingerprint scanning increases the cost of the phone. Face recognition does not require any additional hardware.

  7. Re:Noit a secret by pr0fessor · · Score: 3, Insightful

    I'm guessing it would be easier to use your real face than creating a model or trying to beat a PIN number out of you. I'm not seeing how this is good security.

    I'll take your wallet and your phone, now hold still while I use your face to unlock your phone.

  8. Re:Noit a secret by religionofpeas · · Score: 5, Insightful

    you'll see that this required a far more detailed scan of the face than could be recovered from stereoscopy alone. They had to use FLIR to get an accurate enough scan.

    There's a suitable camera in every iPhone X. Someone will figure out a hack to use that to scan someone else's face.