Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Say They've Broken Face ID a Week After iPhone X Release (wired.com)

Posted by msmash on from the security-woes dept.

Andy Greenberg, writing for Wired: When Apple released the iPhone X on November 3, it touched off an immediate race among hackers around the world to be the first to fool the company's futuristic new form of authentication. On Friday, Vietnamese security firm Bkav released a blog post and video showing that -- by all appearances -- they'd cracked Face ID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which in combination tricked an iPhone X into unlocking. That demonstration, which has yet to be confirmed publicly by other security researchers, could poke a hole in the expensive security of the iPhone X, particularly given that the researchers say their mask cost just $150 to make. But it's also a hacking proof-of-concept that, for now, shouldn't alarm the average iPhone owner, given the time, effort, and access to someone's face required to recreate it. Bkav, meanwhile, didn't mince words in its blog post and FAQ on the research. "Apple has done this not so well," writes the company. "Face ID can be fooled by mask, which means it is not an effective security measure."

6 of 252 comments (clear)

  1. Still ok for general consumers by Camembert · · Score: 5, Insightful

    If you remember, Touchid was similarly soon broken, and it also required quite some commitment from the hacker.
    Still, for most people the security of TouchId was good enough and practical in use.
    I expect the same with FaceID. For the utmost in security, users can always opt for a passcode.

    1. Re:Still ok for general consumers by Anonymous Coward · · Score: 5, Insightful

      When I worked in support, the biggest security risks were always the higher up managers or CEOs that always wanted to be an exception to the security concept that they ordered.

  2. Good morning, Mr. Phelps by RogueWarrior65 · · Score: 5, Funny

    Your mission, should you choose to accept it, is to somehow sedate the subject and create a life cast of their face without them figuring out that you're doing it. You must then jump though a bunch of other hoops in order to unlock the subject's phone. You are under no circumstances to use the subject's own face to unlock their phone. Should you or any of your IM force be caught or killed, you will be mocked mercilessly on Slashdot.

  3. Re:What happens when.. by 110010001000 · · Score: 5, Funny

    You use your passcode and stop dating NFL players.

  4. Re:Everyone but the marketing department knows... by dj245 · · Score: 5, Informative

    fingerprint scanning increases the cost of the phone. Face recognition does not require any additional hardware.

    Not true. There is both a structured light transmitter and receiver which are additional hardware compared to previous iphones. There may also be a separate processor for data processing of these modules.

    --
    Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  5. Re:Noit a secret by religionofpeas · · Score: 5, Insightful

    you'll see that this required a far more detailed scan of the face than could be recovered from stereoscopy alone. They had to use FLIR to get an accurate enough scan.

    There's a suitable camera in every iPhone X. Someone will figure out a hack to use that to scan someone else's face.