Slashdot Mirror


10-Year-Old Boy Cracks the Face ID On Both Parents' iPhone X (wired.com)

An anonymous reader writes: A 10-year-old boy discovered he could unlock his father's phone just by looking at it. And his mother's phone too. Both parents had just purchased a new $999 iPhone X, and apparently its Face ID couldn't tell his face from theirs. The unlocking happened immediately after the mother told the son that "There's no way you're getting access to this phone."

Experiments suggest the iPhone X was confused by the indoor/nighttime lighting when the couple first registered their faces. Apple's only response was to point to their support page, which states that "the statistical probability is different...among children under the age of 13, because their distinct facial features may not have fully developed. If you're concerned about this, we recommend using a passcode to authenticate." The boy's father is now offering this advice to other parents. "You should probably try it with every member of your family and see who can access it."

And his son just "thought it was hilarious."


  1. Biometrics are not passwords by bradley13 · · Score: 5, Insightful

    Biometrics are user-ids, not passwords.

    There are three aspects to security: something you are, something you know, something you have. Implement two for rudimentary security, implement all three for good security.

    - Something you are: User ID, biometrics, or some other public information that serves to identify the person.

    - Something you know: Typically a password, used to prove the identity

    - Something you have: Second factor, used to prove that the password and identity were not stolen.

    Face-ID and fingerprints are insecure and easily fooled.

    --
    Enjoy life! This is not a dress rehearsal.
    1. Re:Biometrics are not passwords by AmiMoJo · · Score: 5, Insightful

      Fingerprints seem to be pretty good in the real world. The FBI can't seem to crack them. UK security forces can't reliably crack them, so they have taken to following people until they unlock their phone and then staging a fake mugging to grab it in that state.

      Okay, maybe the NSA can get in, but for most people a good fingerprint scanner seems to be a reasonable option. The main issue is the lack of a panic button on some of them, i.e. something you do to disable it and require the passcode. Apple lets you press the power button 5 times quickly; on most Android devices holding the power button for a few seconds works.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. Re:Scary by viperidaenz · · Score: 5, Insightful

    It also gives your child full access to your ApplePay account, which by default only requires FaceID to authenticate.

  3. I've been sort of expecting this to happen by Lisandro · · Score: 5, Insightful

    Tim Cook's claim that FaceID is 20x more accurate than TouchID was kinda ridiculous. It is a neat technology and from what I hear it works well, but it is impossible to have face recognition that doesn't trigger false positives with relative ease. Telling people there's a one in a million chance that FaceID will mistake someone else's face with yours is irresponsible.

  4. Re: That's funny... by bsDaemon · · Score: 4, Insightful

    Biometrics are not better than a password as a single method of authentication unless your data is worthless.

    Passwords can be changed/rotated indefinitely. You only have one face, two eyes and 10 fingers.

    Only idiots leave passwords on sticky notes. Literally everybody leaves fingerprints around, unless they don't have finger prints, in which case a finger print reader is useless to them anyway.

    How "easy" it is to get you to give up a password depends on you. How easy it is to force your finger onto a finger print reader, less so.

    Biometrics, being a physical characteristic of a person, are great for identification, i.e. as a replacement for a username. They're also perfectly reasonable as part of a multi-factor authentication. I'll combine finger print + the HMAC SHA challenge-response from yubikey or PKI from a smartcard for accessing my laptops for instance.

  5. Re:That's funny... by Antique+Geekmeister · · Score: 2, Insightful

    Quick to unlock, yes.

    There is a real risk of "gelatin fingers". There are many videos, and some reliable newspaper stories, of people replicating fingerprints very successfully with gelatin or even Play-Doh. The approach was well documented in 2002, at https://cryptome.org/gummy.htm .

  6. Re:cue the apple fanboy by Paradise+Pete · · Score: 4, Insightful

    My wife asks me to do things on her phone all the time while she's driving, so she can keep her eyes on the road. I know her passcode so I can do these things, and FaceID tries to scan every time the screen is turned on. That means, intentional or not, if she had an iPhone X with FaceID enabled, I'd be training it to recognize my face every single time I unlocked it using the passcode. Eventually, we'd both be able to unlock it.

    This is true only if you are a close match to begin with. When a Face ID authentication fails, but is within a small failure threshold, and then the passcode is entered, another measurement is taken for training. The purpose of this is to learn as the face subtly changes, as they do. But if you and your wife are already a close match, and you know and enter the passcode, then it will augment its training from your face.

    If you don't know or don't enter the passcode then no training is done.

    So yes, this is definitely one more problem (among many) for Apple to solve, but it's not the huge security hole some are making it out to be. For me it's a tremendous convenience and reasonably safe, but if I were in a situation where I was truly worried about security then I would disable it.
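
A toy model of the training rule described in the comment above, added here as an illustration; it is not part of the thread and not Apple's implementation. The thresholds, learning rate and face vectors are constructed assumptions, chosen only to show why the passcode is what gates template drift.

```python
import math

# Constructed parameters (assumptions, not Apple's values).
MATCH = 1.0      # distance at or below this unlocks by face
NEAR_MISS = 1.5  # failed attempts within this distance are eligible for training
RATE = 0.2       # fraction the template moves toward a training sample

# Constructed sample "faces" as feature vectors.
OWNER = (0.0, 0.0, 0.0)
CLOSE_RELATIVE = (1.3, 0.0, 0.0)   # fails to match, but inside the near-miss band
STRANGER = (3.0, 0.0, 0.0)         # far outside the near-miss band


class FaceLock:
    def __init__(self, enrolled, passcode):
        self.template = list(enrolled)
        self._passcode = passcode
        self.trainings = 0

    def attempt(self, face, passcode=None):
        """Return True if the device unlocks, by face or by passcode."""
        d = math.dist(self.template, face)
        if d <= MATCH:
            return True
        if passcode != self._passcode:
            return False               # no valid passcode: no unlock, no training
        if d <= NEAR_MISS:             # near miss followed by passcode: augment
            self.template = [t + RATE * (f - t)
                             for t, f in zip(self.template, face)]
            self.trainings += 1
        return True                    # unlocked by passcode


def attempts_until_face_unlock(lock, face, passcode, limit=50):
    """Passcode-backed attempts needed before `face` alone unlocks (None if never)."""
    for n in range(limit):
        if lock.attempt(face):         # face only, no passcode
            return n
        lock.attempt(face, passcode)
    return None


if __name__ == "__main__":
    for name, face in (("close relative", CLOSE_RELATIVE), ("stranger", STRANGER)):
        lock = FaceLock(OWNER, "1234")
        print(name, attempts_until_face_unlock(lock, face, "1234"), lock.trainings)
```

In this model the close relative unlocks by face after two passcode-backed attempts, while the stranger never trains the template even with the passcode, and nobody trains it without the passcode.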

  7. Got issues? by sjbe · · Score: 5, Insightful

    I've been completely blackballed throughout entire corporations just because of the brand of mouse I chose to buy, or the fact I refuse to use Facebook.

    Oh bullshit. No corporation will give a shit about what brand of mouse you use unless you are a flaming asshat about it or somehow manage to violate their corporate IT rules. I don't use Facebook either and I have yet to run into a corporation that gives a shit about that even a little bit. Even if what you say is true that sounds like it is you that is the issue.

    If you can't imagine anything in your phone (or not in it, for that matter) that anyone would take offense to, I suggest you either must not use it or you're just really naive.

    If you work in a workplace that is THAT hypersensitive then I suggest you find a new and better employer. I can confidently say that there is absolutely nothing on or missing from my phone that I'm even a little worried about my coworkers getting offended over. That would be equally true of every employer I've ever worked for which at my age is quite a few of them. I would have some concerns about them getting access to some banking and financial info but that is the worst of it. Nothing there I'm the least bit embarrassed about including the contents of my emails and correspondence. I'm concerned about serious things like identity theft. That's not to say some people don't have some personal things they need to hide sometimes but if access to your phone is a concern then I suggest you keep such data off your phone.

    Big companies generally devolve into popularity contests.

    If you think that then I think you have serious social issues that no one here can help you with.