Hackers Say They've Broken Face ID a Week After iPhone X Release

Andy Greenberg, writing for Wired: When Apple released the iPhone X on November 3, it touched off an immediate race among hackers around the world to be the first to fool the company's futuristic new form of authentication. On Friday, Vietnamese security firm Bkav released a blog post and video showing that -- by all appearances -- they'd cracked Face ID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which in combination tricked an iPhone X into unlocking. That demonstration, which has yet to be confirmed publicly by other security researchers, could poke a hole in the expensive security of the iPhone X, particularly given that the researchers say their mask cost just $150 to make. But it's also a hacking proof-of-concept that, for now, shouldn't alarm the average iPhone owner, given the time, effort, and access to someone's face required to recreate it. Bkav, meanwhile, didn't mince words in its blog post and FAQ on the research. "Apple has done this not so well," writes the company. "Face ID can be fooled by mask, which means it is not an effective security measure."

FBI and NSA will love Face ID

If you get arrested, they unlock the phone by holding it up to your face. That doesn't even require a mask. It's the opposite of security.

What happens when..

[fluffernutter]

What happens when a person suffers an injury to their face? A serious black eye, swelling, etc? Do they get locked out of their phone at a time when that's probably the last thing they want to have to deal with?

Re:Noit a secret

[Austerity+Empowers]

I guess if someone manages to make a mold of my face, I've got bigger problem than someone accessing the (wishful thinking) nudes on my phone.

The only scenario that matters here is a hacker getting sufficient information to construct this mold without the user knowing, and then lifting the phone by conventional means to break it. I don't think casual thieves are going to be able to pull this exploit off, which is adequate protection for a phone. Maybe I wouldn't use this (and only this) to guard nuclear launch codes.

Interesting question on how it was trained

[Wrath0fb0b]

The researcher shows that the phone unlocks when presented with his face, but it doesn't show the enrollment or training phase.

For the sake of transparency, it would be nice to see that enrollment was done on his normal face without using any part of the mask or other shenanigans. And since the scanner apparently 'learns' from failed scans where you immediately enter the (correct) passcode, that's another route by which he could corrupt the enrolled data -- he could scan the mask and then enter his passcode enough times that it 'learns' the wrong thing.

If either of those are true, it only shows that the authorized user can enroll data that's close enough to both his real face and a mask that both unlock it.

Re:Still ok for general consumers

[phayes]

FaceID constructs a 3D model of your face which is then updated over time so that gradual changes (facial hair, etc) can be integrated into the model. These updates take place after FaceID successfully recognises your face -- and after unsuccessful face-id challenges followed by the use of the passcode/password.

https://support.apple.com/en-u...

The claimed hack gives absolutely no information on whether "the hack" was performed using a 3D printed model that had never been shown to the iPhone or whether they trained the iPhone to recognise the 3D model by showing it to the iPhone and repeatedly typing the password after every failure.

If you already have the passcode/password which _always works_, FaceID is already bypassed.

Until more details come out and others reproduce it, I'd take the claim that FaceID has been hacked with a _large_ grain of salt.