Slashdot Mirror


Hackers Say They've Broken Face ID a Week After iPhone X Release (wired.com)

Andy Greenberg, writing for Wired: When Apple released the iPhone X on November 3, it touched off an immediate race among hackers around the world to be the first to fool the company's futuristic new form of authentication. On Friday, Vietnamese security firm Bkav released a blog post and video showing that -- by all appearances -- they'd cracked Face ID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which in combination tricked an iPhone X into unlocking. That demonstration, which has yet to be confirmed publicly by other security researchers, could poke a hole in the expensive security of the iPhone X, particularly given that the researchers say their mask cost just $150 to make. But it's also a hacking proof-of-concept that, for now, shouldn't alarm the average iPhone owner, given the time, effort, and access to someone's face required to recreate it. Bkav, meanwhile, didn't mince words in its blog post and FAQ on the research. "Apple has done this not so well," writes the company. "Face ID can be fooled by mask, which means it is not an effective security measure."


  1. wait a minute.... by zantafio · · Score: 3, Funny

    .... ain't all asian all look alike anyway?

    1. Re: wait a minute.... by Shotgun · · Score: 2

      Are you saying you don't remember what happened to Tim Tebow when he kneeled? Hint: He wasn't declared ".[A-Za-z] of the Year".

      --
      Aah, change is good. -- Rafiki
      Yeah, but it ain't easy. -- Simba
  2. Not a secret by Anonymous Coward · · Score: 2, Informative

    Authentication is predicated upon knowing a secret, which your face isn't

    1. Re:Not a secret by tripleevenfall · · Score: 3, Insightful

      Exactly. Apple seems to have thought public information would make a better key than a secret, which is the opposite of security.

    2. Re:Not a secret by Austerity+Empowers · · Score: 4, Interesting

      I guess if someone manages to make a mold of my face, I've got a bigger problem than someone accessing the (wishful thinking) nudes on my phone.

      The only scenario that matters here is a hacker getting sufficient information to construct this mold without the user knowing, and then lifting the phone by conventional means to break it. I don't think casual thieves are going to be able to pull this exploit off, which is adequate protection for a phone. Maybe I wouldn't use this (and only this) to guard nuclear launch codes.

    3. Re:Not a secret by bluefoxlucid · · Score: 3, Insightful

      We can use two photographs of your face as a stereoscopic image, then composite a 3D model.

    4. Re:Not a secret by Narcocide · · Score: 3, Informative

      Did it occur to you that all casual thieves would need to collect this data is another iPhone?

    5. Re:Not a secret by pr0fessor · · Score: 3, Insightful

      I'm guessing it would be easier to use your real face than creating a model or trying to beat a pin number out of you. I'm not seeing how this is good security.

      I'll take your wallet and your phone, now hold still while I use your face to unlock your phone.

    6. Re:Not a secret by religionofpeas · · Score: 5, Insightful

      you'll see that this required a far more detailed scan of the face than could be recovered from stereoscopy alone. They had to use FLIR to get an accurate enough scan.

      There's a suitable camera in every iPhone X. Someone will figure out a hack to use that to scan someone else's face.

  3. Still ok for general consumers by Camembert · · Score: 5, Insightful

    If you remember, TouchID was similarly soon broken, and it also required quite some commitment from the hacker.
    Still, for most people the security of TouchID was good enough and practical in use.
    I expect the same with FaceID. For the utmost in security, users can always opt for a passcode.

    1. Re:Still ok for general consumers by Opportunist · · Score: 3, Insightful

      The problem is that it's not just for general consumers. You try to explain to the CEO of a high security company why you want to ruin his fun and not let him have his new toy.

      It's worse than trying to explain it to a 5 year old, with the difference that the 5 year old can't fire you and you can actually talk sensibly and reasonably with a 5 year old.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Still ok for general consumers by Anonymous Coward · · Score: 5, Insightful

      When I worked in support, the biggest security risks were always the higher up managers or CEOs that always wanted to be an exception to the security concept that they ordered.

    3. Re:Still ok for general consumers by tripleevenfall · · Score: 3, Insightful

      But your fingerprint is still somewhat private. You can't replicate my fingerprints from a picture of me that you found on facebook. I can always change which fingers I have mapped to TouchID periodically. etc.

      You only have one face, and your face is public, which means it's less secure than TouchID was.

    4. Re:Still ok for general consumers by GameboyRMH · · Score: 3, Insightful

      I saw the same problem in the 2010s. Borderline computer-illiterate CEO wanted God Mode access to all file shares. Then something from the '80s did come along, file-wiping malware via email to the CEO...

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    5. Re:Still ok for general consumers by phayes · · Score: 4, Interesting

      FaceID constructs a 3D model of your face which is then updated over time so that gradual changes (facial hair, etc) can be integrated into the model. These updates take place after FaceID successfully recognises your face -- and after unsuccessful face-id challenges followed by the use of the passcode/password.

      https://support.apple.com/en-u...

      The claimed hack gives absolutely no information on whether "the hack" was performed using a 3D printed model that had never been shown to the iPhone or whether they trained the iPhone to recognise the 3D model by showing it to the iPhone and repeatedly typing the password after every failure.

      If you already have the passcode/password which _always works_, FaceID is already bypassed.

      Until more details come out and others reproduce it, I'd take the claim that FaceID has been hacked with a _large_ grain of salt.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    6. Re:Still ok for general consumers by TheFakeTimCook · · Score: 2

      It defaults you to use 6-digit and doesn't make the UI to decline obvious, but if you are persistent you can make it accept a 4-digit passcode.

      I'd say it's pretty damned obvious how to select what type of passcode/passphrase you want:

      https://www.imore.com/how-to-s...

    7. Re:Still ok for general consumers by Carewolf · · Score: 2

      > But your fingerprint is still somewhat private. You can't replicate my fingerprints from a picture of me that you found on facebook. I can always change which fingers I have mapped to TouchID periodically. etc.

      > You only have one face, and your face is public, which means it's less secure than TouchID was.

      They need a bit more than a photo of your face. If I understand it correctly they need a 3D image of your face. You might be able to get them from a large number of images or detailed video, but it is a bit harder.

  4. This is the same company that claimed by wisebabo · · Score: 2

    ... that its "Bphone the best smartphone the world" (2015). It sank without a trace.

    I'd treat their claims that "Apple has done this not so well" and "Face ID can be fooled by mask, which means it is not an effective security measure" with a grain of salt. Of course their company is from Vietnam, "land of fakes" https://tuoitrenews.vn/news/ci... where scandal after scandal of dangerous, counterfeit and frank outright fraud is commonplace.

    Unfortunately I have firsthand experience of this :(

  5. What is wrong with a passcode? by registrations_suck · · Score: 3, Insightful

    So, what exactly is wrong with having to enter a passcode, anyway?

    1. Re:What is wrong with a passcode? by mark-t · · Score: 2

      Isn't it obvious? It requires more effort.

      Ignore the fact that a passcode that one actually keeps secret is, in general, going to be far more secure than the usage of any kind of biometric data could ever hope to be. People are friggen lazy. Full stop.

    2. Re:What is wrong with a passcode? by registrations_suck · · Score: 2

      Yeah....enter a whole six digits to use your phone.......what a nightmare!

      As for prints on your screen....you know, you could clean it once in a while.

      The real problem with passwords is all the apps on the phone want their own password, rather than relying on you having already entered one to access the phone itself. THAT is the pain in the ass here.

      I'd pay extra if all the apps on the phone had a "use phone password option". In this scenario, if you are on the phone, no password is required to use the app - it just logs you right the fuck in. But I'd settle for just having to enter the phone's password again - rather than having to have a different password for every app (requiring independent password management).

      And no, shit like 1Password is not what I am talking about. That thing sucks ass. Bought it. Quickly decided it was a waste of money.

    3. Re:What is wrong with a passcode? by Dog-Cow · · Score: 3, Funny

      If FaceId is a pain in the ass, you're holding it wrong.

  6. xkcd by tbannist · · Score: 4, Insightful

    FaceID reminds me of this xkcd comic.

    Except that you no longer need the wrench...

    --
    Fanatically anti-fanatical
  7. Good morning, Mr. Phelps by RogueWarrior65 · · Score: 5, Funny

    Your mission, should you choose to accept it, is to somehow sedate the subject and create a life cast of their face without them figuring out that you're doing it. You must then jump through a bunch of other hoops in order to unlock the subject's phone. You are under no circumstances to use the subject's own face to unlock their phone. Should you or any of your IM force be caught or killed, you will be mocked mercilessly on Slashdot.

  8. FBI and NSA will love Face ID by Anonymous Coward · · Score: 4, Interesting

    If you get arrested, they unlock the phone by holding it up to your face. That doesn't even require a mask. It's the opposite of security.

    1. Re:FBI and NSA will love Face ID by Dog-Cow · · Score: 2

      I have a radical idea. If you're doing something that might lead to your arrest, disable FaceId. And if you live in a place where you might be arrested for looking at your shoes funny, don't enable it in the first place.

  9. What happens when.. by fluffernutter · · Score: 4, Interesting

    What happens when a person suffers an injury to their face? A serious black eye, swelling, etc? Do they get locked out of their phone at a time when that's probably the last thing they want to have to deal with?

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    1. Re:What happens when.. by 110010001000 · · Score: 5, Funny

      You use your passcode and stop dating NFL players.

  10. Re:Everyone but the marketing department knows... by e70838 · · Score: 2, Insightful

    fingerprint scanning increases the cost of the phone. Face recognition does not require any additional hardware.

  11. Interesting question on how it was trained by Wrath0fb0b · · Score: 4, Interesting

    The researcher shows that the phone unlocks when presented with his face, but it doesn't show the enrollment or training phase.

    For the sake of transparency, it would be nice to see that enrollment was done on his normal face without using any part of the mask or other shenanigans. And since the scanner apparently 'learns' from failed scans where you immediately enter the (correct) passcode, that's another route by which he could corrupt the enrolled data -- he could scan the mask and then enter his passcode enough times that it 'learns' the wrong thing.

    If either of those are true, it only shows that the authorized user can enroll data that's close enough to both his real face and a mask that both unlock it.

  12. Re:Everyone but the marketing department knows... by dj245 · · Score: 5, Informative

    > fingerprint scanning increases the cost of the phone. Face recognition does not require any additional hardware.

    Not true. There is both a structured light transmitter and receiver which are additional hardware compared to previous iPhones. There may also be a separate processor for data processing of these modules.

    --
    Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  13. Face ID is great for people that don't matter by ilsaloving · · Score: 2

    Assuming that it's sufficiently accurate, Face ID is a great authentication system for inconsequential people. IE: People who don't have a lot of money nor power, which is a very large portion of the population.

    For those that do have some kind of responsibility, ie: managers, IT staff, etc, it's bad.

    If said individuals work for a major corporation and/or deal with sensitive information, it's downright idiotic. A biometric authentication system that doesn't even require you to be near the individual to unlock a device with sensitive data is foolish, especially today when people have access to 3D cameras and printers, and can do a targeted attack relatively inexpensively.

    It's not Mission Impossible type stuff, but it's not far off.

  14. Total non-story.... by Arkham · · Score: 2

    The researchers concede, however, that their technique would require a detailed measurement or digital scan of the face of the target iPhone's owner. The researchers say they used a handheld scanner that required about five minutes of manually scanning their test subject's face.

    So they haven't really broken anything. It turns out if you sit there and let them scan your face for 5 minutes they can make a model that can bypass a scanner in a consumer device. I'm surprised that it isn't possible to make a perfectly matched face that could fool a human with that kind of scanning.

    Non-story.

    --
    - Vincit qui patitur.
  15. How is that worse than a thumbprint? by Brannon · · Score: 2

    In either case you can press the power button 5 times quickly to disable TouchID and require the passcode to be entered.

  16. okay, but HOW IS THIS WORSE THAN A THUMBPRINT? by Brannon · · Score: 3, Informative

    If it is no worse than a thumbprint, then why is it news? We've had fingerprint based unlocking for years--did you just now find out about it?

    Also, FaceID doesn't work if you're unconscious.

    Also, if somebody is willing to beat you to death to get into your locked phone, then what form of security is going to stop that?

    It seriously took 10 seconds to completely destroy your argument, maybe try harder next time.

    1. Re:okay, but HOW IS THIS WORSE THAN A THUMBPRINT? by BronsCon · · Score: 2

      One out of 50,000 people have similar enough fingerprints to you to unlock your phone, only one out of 1 million people have similar enough faces to unlock your phone.

      It's much easier to identify the one in 1 million who might unlock your phone with their face than it is to identify the one in 50,000 who might do so with their fingerprints, unless you already have a fingerprint to compare to, in which case why do you need to find that one in 50,000 in the first place? Totally irrelevant. Plus, I can change which finger is registered but I only have one face.

      In your link they trained it on both faces.

      You assume that, of course.

      That's bullshit, you're completely wrong, stop getting all your info from Breitbart.

      You read this, just like I did:

      Face ID is even attention-aware. It recognizes if your eyes are open and looking towards the device. This makes it more difficult for someone to unlock your iPhone without your knowledge (such as when you are sleeping).

      The difference is that I've also handled the actual device. I've seen the configuration options, I've tried them, and I've unlocked an iPhone X trained on my face with my eyes closed.

      While looking for a screenshot of the settings screen, I did learn that the default changed in the final release, so I'll correct my earlier statement: the more secure option is now the default. It was not the default on the development model my Apple engineer friend showed me, and it can still be disabled.

      Seriously, does the fact that Apple exists bother you so much that you feel the need to manufacture lies on the internet, and then desperately hope that no one will call you on your bullshit?

      The MacBook Pro in my lap says "no." Does the fact that Apple is not a flawless company and they do, in fact, make mistakes, often involving security, bother you so much that you have to attack people who point them out?

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  17. Emulating the IR structured light pattern? by schweini · · Score: 2

    Out of curiosity: IIRC, the iPhone projects some IR dots on the face, and reconstructs a 3D model based on the distortion of the projected pattern using a rather regular 2D camera.

    Is that pattern fixed?
    If so, would it be possible to block the projection, and "simply" show the sensor the pattern that should appear?
    I bet it's not that easy, but I'd like to know why?

  18. Oh really, how do you authenticate your child? by Brannon · · Score: 2

    Does she give you a secret passcode when you pick her up from daycare? No? Then how do you know that she's not an imposter? After all, her appearance is public knowledge.

    Here's how:
    1. trusted authentication hardware/sensors : You trust your own eyes, you are pretty certain that no one has done a MIM attack in the path from your visual cortex to the child's face.
    2. weighing cost-to-defeat vs. benefit : sure it's possible to find another child and do elaborate plastic surgery or a mask, but that's a fantastical notion considering the costs involved when weighed against any possible benefit
    3. chain of custody : Your daughter has been with you or with people you trust the entire time. One of them likely would have warned you that a black van appeared, took your daughter for a couple hours, and then returned her

    4. If any of #1-#3 are in doubt then you can always fall back to asking her something only she would know (i.e., a secret)

    This is, more or less, exactly the way that TouchID or FaceID works. The sensors are in a secure, encrypted domain that's outrageously difficult to hack and would require getting your phone out of your possession without you knowing it. Successfully hacking into your phone would be extremely expensive and thus not worth it. And whenever Apple becomes a little suspicious that someone is trying to hack in (i.e., when the phone gets rebooted, when you hit the power button 5 times, when the SW is updated, after 48 hours of you not logging in) then it reverts to a mode where it insists on you entering a secret.

    You have made the child-like mistake of thinking that any form of security that is theoretically breakable is worthless. In fact, there is no such thing as perfect security--the goal is ALWAYS to increase the cost & effort required such that breaking the security is not economically practical.