10-Year-Old Boy Cracks the Face ID On Both Parents' IPhone X

An anonymous reader writes: A 10-year-old boy discovered he could unlock his father's phone just by looking at it. And his mother's phone too. Both parents had just purchased a new $999 iPhone X, and apparently its Face ID couldn't tell his face from theirs. The unlocking happened immediately after the mother told the son that "There's no way you're getting access to this phone."

Experiments suggest the iPhone X was confused by the indoor/nighttime lighting when the couple first registered their faces. Apple's only response was to point to their support page, which states that "the statistical probability is different...among children under the age of 13, because their distinct facial features may not have fully developed. If you're concerned about this, we recommend using a passcode to authenticate." The boy's father is now offering this advice to other parents. "You should probably try it with every member of your family and see who can access it."

And his son just "thought it was hilarious."

The son is correct...

It IS hilarious. It's legitimately an odd way to authenticate anyway, and less secure than fingerprints, and way less secure than constantly typing annoying passphrases. It should be no surprise that there's endless ways to fool it.

Missing the point

[sjbe]

Think TouchID or FaceID like a lock on your front door. Yes it can be hacked and bypassed. Sometimes in ways you might not expect. It's low grade security. But that isn't the point. The point is to keep out the majority of less determined individuals out while being a reasonable balance between security and convenience for typical usage. If you want greater security there are features (passwords, etc) you can utilize to strengthen the system. Most of the time these are overkill but sometimes they are a very good idea. Anyone expecting TouchID or FaceID to provide iron clad security has incorrect ideas about what they are for and what their limitations are.

Re:Locked?

Really depends what you use it for. If you only ever make calls, then you're only risking your phone book. That might not seem like a big deal, but phoning up a mark's relatives pretending that there's some urgent crisis (broken down car in the middle of nowhere, been mugged in an unfamiliar city, had a serious accident and in hospital outside your network etc) and that they need to wire money/provide details/etc is very common scam.

If you send or recieve messages, then you're risking your message history, including any confidential or private correspondence you might have sent (e.g. my bank sends me notifications for transactions that are quite handy for me, but would be very helpful to fraudsters trying to impersonate me).

If you use mobile web you're risking any passwords you have saved to the device and any data contained within those accounts.

If you take pictures, then you risk having them misused. Even innocuous images have embedded GPS data that could allow a thief to work out where you live and work. That's if the phone itself isn't linked to a google account that will cheerfully provide a map and schedule.

Basically, if you actually use your phone for anything it's an absolute goldmine for fraudsters. A casual thief probably won't be interested in that, but they will have no problem fencing it to someone who is. And if they are smart, disabling or remote wiping it after the fact won't help; thieves tend to turn phones off so they don't get tracked, and the next time it's turned on it'll be somewhere with no signal so the data can be safely lifted.

Re:That's funny...

[jbmartin6]

I recently encountered another issue with the TouchID. I'm not clear on the logic, but if you reboot the phone you need to use a PIN to unlock anyway. Only after the initial PIN unlock can you use TouchID. So use after reboot depends on remembering a rarely used PIN. A recipe for disaster when I traveled recently and my companion could not unlock her phone after turning it on since she could not remember the PIN after so long. Granted, that is user error, but I would never use TouchID since I have to use the PIN enough anyway to avoid forgetting it.