Slashdot Mirror


10-Year-Old Boy Cracks the Face ID On Both Parents' iPhone X (wired.com)

An anonymous reader writes: A 10-year-old boy discovered he could unlock his father's phone just by looking at it. And his mother's phone too. Both parents had just purchased a new $999 iPhone X, and apparently its Face ID couldn't tell his face from theirs. The unlocking happened immediately after the mother told the son that "There's no way you're getting access to this phone."

Experiments suggest the iPhone X was confused by the indoor/nighttime lighting when the couple first registered their faces. Apple's only response was to point to their support page, which states that "the statistical probability is different...among children under the age of 13, because their distinct facial features may not have fully developed. If you're concerned about this, we recommend using a passcode to authenticate." The boy's father is now offering this advice to other parents. "You should probably try it with every member of your family and see who can access it."

And his son just "thought it was hilarious."

8 of 300 comments

  1. Just curious... by vasilevich · · Score: 4, Interesting

    I wonder, can monozygotic twins unlock each other's phones? That would be even more hilarious.

    1. Re:Just curious... by serviscope_minor · · Score: 5, Interesting
      --
      SJW n. One who posts facts.
  2. Scary by highvoltage5916 · · Score: 5, Interesting

    That's scary, that puts your children at risk of being kidnapped or being brought in by aggressive authorities in an attempt to get access to your device. Parents should rather avoid using this feature altogether.

  3. Re:cue the apple fanboy by BronsCon · · Score: 5, Interesting

    I predicted this would be cracked with relative ease, but I had no idea it would crack itself. My prediction was based on FaceID using the exact same tech as Microsoft Hello, which was cracked within days of its release. I was more than a little surprised that FaceID was able to be cracked with only a partial mask, when Hello required a full mask. It could very well be that nobody tried the partial mask against Hello but, either way, this is truly disheartening as many people will rely on the feature as though it is actually secure.

    The common defense, of course, is that "they trained it by entering the passcode." On its face, this seems a valid defense, but...

    My wife asks me to do things on her phone all the time while she's driving, so she can keep her eyes on the road. I know her passcode so I can do these things, and FaceID tries to scan every time the screen is turned on. That means, intentional or not, if she had an iPhone X with FaceID enabled, I'd be training it to recognize my face every single time I unlocked it using the passcode. Eventually, we'd both be able to unlock it.

    Since she and I look nothing alike, the phone would ostensibly unlock for anyone with facial features similar to hers or mine, in varied combinations; possibly even within a range between her facial features and mine. Since we look so different from each other, I would be less than surprised if the odds of a random match were way greater than 1:1,000,000, or even the 1:50,000 odds Apple claims for a random fingerprint match, on a device used in such a manner.

    And I wouldn't think that usage pattern is too uncommon; most couples I know who are in healthy relationships ask each other to check messages and whatnot from time to time, which necessitates the sharing of passcodes.

    The "learning" aspect of FaceID is its primary weakness. There are solutions, of course, and a proper implementation would apply them.

    One possible solution would be a "guest" passcode, which does not trigger the learning mechanism. This could also lock out purchases and changes to certain settings. It would just be a good security measure, in general, regardless of FaceID. But, in the context of FaceID, it would all but solve the PIN/passcode "learning" weakness.

    Doesn't do anything for kids or people with siblings, of course. Nor does it do anything for the fact that the 1:1,000,000 claim is explicitly limited to "random matching"; that is, if you pointed the phone at 1,000,000 random people, one of them would unlock it. If you point the phone at 5 people who look a lot like you, one of them will unlock it, as well, and we've seen that borne out in reality. I can take a picture of you as I'm stealing your phone and use it to find 5 people who look enough like you to likely be able to unlock it.

    What I can't do is take a picture of you as I steal your phone and use it to find 5 people with similar fingerprints. The 1:50,000 odds are actually stronger than the 1:1,000,000 in this case, because there's no way around the randomness, other than a direct attack on the scanner itself. Of course, that's entirely possible and not all that difficult; but we've also seen that it's entirely possible and not all that difficult to attack FaceID, so the point is relatively moot, anyway.

    I'd venture that it's easier to, say, walk down a busy city street with your victim's phone and photo and approach someone who looks similar enough to them and ask "have you seen the new iPhone yet?" as you hold it up to their face... than it is to find a clean enough print and reproduce it accurately enough to fool the fingerprint scanner. What's sad, here, is that the bar for fooling the fingerprint scanner was already too low. Apple must be trying to win a limbo competition with FaceID.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  4. confused by lighting? by gravewax · · Score: 5, Interesting

    So if it was confused by lighting, does that mean Apple outright lied about how it works? Or is that just fanboys trying to make up excuses? If you have something that operates by infrared dots on your face that supposedly works in dark or light, how the fuck do you get confused by lighting conditions?

  5. Re:I've been sort of expecting this to happen by jrumney · · Score: 5, Interesting

    One in a million basically means there are 7600 people who can unlock your phone just by looking at it. Due to the way evolution works, there is a good chance that some of those people are closely related to you.

  6. Re:That's funny... by I75BJC · · Score: 3, Interesting

    I continue to use the good old PIN number. Skipped Touch ID -- since the LEOs, by court decree, can force me to swipe my finger. The above poster is Not immune from a LEO forcing his finger across the fingerprint reader. That's a flaw in his "security" plan. I will skip the Face ID feature for the same reason -- the LEOs can force you to look at your phone, legally. Apple increased the PIN number from 4 to 6 digits which increased security greatly. New gadgets work well but not so well with LEOs. LEO: You won't mind me searching your phone/camera/computer/car/house since you have nothing to hide, will you? ME: That's the very reason. Since I have nothing to hide and since I'm not involved, you are wasting precious LE time by searching my car/house/computer/phone/camera when you could actually be working on profitable tasks.

  7. Re:Got issues? by Maxwell'sSilverLART · · Score: 4, Interesting

    I've been completely blackballed throughout entire corporations just because of the brand of mouse I chose to buy, or the fact I refuse to use Facebook.

    Oh bullshit. No corporation will give a shit about what brand of mouse you use unless you are a flaming asshat about it or somehow manage to violate their corporate IT rules.

    When I worked at Dell, our director made me get rid of my IBM Model M.

    --
    Moderate drunk! It's more fun that way!