10-Year-Old Boy Cracks the Face ID On Both Parents' iPhone X (wired.com)
An anonymous reader writes: A 10-year-old boy discovered he could unlock his father's phone just by looking at it. And his mother's phone too. Both parents had just purchased a new $999 iPhone X, and apparently its Face ID couldn't tell his face from theirs. The unlocking happened immediately after the mother told the son that "There's no way you're getting access to this phone."
Experiments suggest the iPhone X was confused by the indoor/nighttime lighting when the couple first registered their faces. Apple's only response was to point to their support page, which states that "the statistical probability is different...among children under the age of 13, because their distinct facial features may not have fully developed. If you're concerned about this, we recommend using a passcode to authenticate." The boy's father is now offering this advice to other parents. "You should probably try it with every member of your family and see who can access it."
And his son just "thought it was hilarious."
You're looking at the phone wrong, etc., etc., etc........
I wonder, can monozygotic twins unlock each other's phones? That would be even more hilarious.
Kids as skeleton keys, that would be so funny if it weren't the security disaster it actually is. What remains to be shown now is that a random group of, say, 10 children with no relation to an iPhone X (previous...) owner has a more than 10% chance of unlocking Face ID.
A World in a Grain of Sand / Heaven in a Wild Flower,
Infinity in the Palm of your Hand / And Eternity in an Hour.
That's scary, that puts your children at risk of being kidnapped or being brought in by aggressive authorities in an attempt to get access to your device. Parents should rather avoid using this feature altogether.
Biometrics are user-ids, not passwords.
There are three aspects to security: something you are, something you know, something you have. Implement two for rudimentary security, implement all three for good security.
- Something you are: User ID, biometrics, or some other public information that serves to identify the person.
- Something you know: Typically a password, used to prove the identity
- Something you have: Second factor, used to prove that the password and identity were not stolen.
Face-ID and fingerprints are insecure and easily fooled.
Enjoy life! This is not a dress rehearsal.
I predicted this would be cracked with relative ease, but I had no idea it would crack itself. My prediction was based on FaceID using the exact same tech as Microsoft Hello, which was cracked within days of its release. I was more than a little surprised that FaceID was able to be cracked with only a partial mask, when Hello required a full mask. It could very well be that nobody tried the partial mask against Hello but, either way, this is truly disheartening as many people will rely on the feature as though it is actually secure.
The common defense, of course, is that "they trained it by entering the passcode." On its face, this seems a valid defense, but...
My wife asks me to do things on her phone all the time while she's driving, so she can keep her eyes on the road. I know her passcode so I can do these things, and FaceID tries to scan every time the screen is turned on. That means, intentional or not, if she had an iPhone X with FaceID enabled, I'd be training it to recognize my face every single time I unlocked it using the passcode. Eventually, we'd both be able to unlock it.
Since she and I look nothing alike, the phone would ostensibly unlock for anyone with facial features similar to hers or mine, in varied combinations; possibly even within a range between her facial features and mine. Since we look so different from each other, I would be less than surprised if the odds of a random match were way greater than 1:1,000,000, or even the 1:50,000 odds Apple claims for a random fingerprint match, on a device used in such a manner.
And I wouldn't think that usage pattern is too uncommon; most couples I know who are in healthy relationships ask each other to check messages and whatnot from time to time, which necessitates the sharing of passcodes.
The "learning" aspect of FaceID is its primary weakness. There are solutions, of course, and a proper implementation would apply them.
One possible solution would be a "guest" passcode, which does not trigger the learning mechanism. This could also lock out purchases and changes to certain settings. It would just be a good security measure, in general, regardless of FaceID. But, in the context of FaceID, it would all but solve the PIN/passcode "learning" weakness.
Doesn't do anything for kids or people with siblings, of course. Nor does it do anything for the fact that the 1:1,000,000 claim is explicitly limited to "random matching"; that is, if you pointed the phone at 1,000,000 random people, one of them would unlock it. If you point the phone at 5 people who look a lot like you, one of them will unlock it, as well, and we've seen that borne out in reality. I can take a picture of you as I'm stealing your phone and use it to find 5 people who look enough like you to likely be able to unlock it.
What I can't do is take a picture of you as I steal your phone and use it to find 5 people with similar fingerprints. The 1:50,000 odds are actually stronger than the 1:1,000,000 in this case, because there's no way around the randomness, other than a direct attack on the scanner itself. Of course, that's entirely possible and not all that difficult; but we've also seen that it's entirely possible and not all that difficult to attack FaceID, so the point is relatively moot, anyway.
I'd venture that it's easier to, say, walk down a busy city street with your victim's phone and photo and approach someone who looks similar enough to them and ask "have you seen the new iPhone yet?" as you hold it up to their face... than it is to find a clean enough print and reproduce it accurately enough to fool the fingerprint scanner. What's sad, here, is that the bar for fooling the fingerprint scanner was already too low. Apple must be trying to win a limbo competition with FaceID.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Just shows how crap face-id really is, and it also shows how Apple has tested this feature... like not..
The fingerprint reader on my $250 dollar Android phone keeps it safe enough and makes it quick to unlock.
Criminals will start using children under the age of 13 to unlock iphones... lol
We laugh now, but we all know that next year's (or the year after's) flagship Android phones will have Face ID.
Perhaps they aren't from West Virginia.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
So if it was confused by lighting, does that mean Apple outright lied about how it works? Or is that just fanboys trying to make up excuses? If you have something that operates by infrared dots on your face that supposedly works in dark or light, how the fuck do you get confused by lighting conditions?
Tim Cook's claim that FaceID is 20x more accurate than TouchID was kinda ridiculous. It is a neat technology and from what I hear it works well, but it is impossible to have face recognition that doesn't trigger false positives with relative ease. Telling people there's a one in a million chance that FaceID will mistake someone else's face with yours is irresponsible.
Apple officials said "You are holding it wrong, in this case in front of the wrong person."
Don't fight for your country, if your country does not fight for you.
There have been numerous articles like this now. Apple has already explained that Face ID stores info about a person's face once a successful PIN code is entered to keep up with the user's appearance over time. So what's most likely happened again is that the parents give their phones to their kids to try, the Face ID scan first fails and when the parents then put in the correct PIN code the phone stores information about the kid's face together with the parents' until eventually it learns to accept the kid's face too. Read more here, https://www.theverge.com/2017/...
If your kid can't unlock your iPhone X, maybe you should have a little chat with your wife.
Biometrics are not better than a password as a single method of authentication unless your data is worthless.
Passwords can be changed/rotated indefinitely. You only have one face, two eyes and 10 fingers.
Only idiots leave passwords on sticky notes. Literally everybody leaves fingerprints around, unless they don't have finger prints, in which case a finger print reader is useless to them anyway.
How "easy" it is to get you to give up a password depends on you. How easy it is to force your finger onto a finger print reader, less so.
Biometrics, being a physical characteristic of a person, are great for identification, i.e. as a replacement for a username. They're also perfectly reasonable as part of a multi-factor authentication. I'll combine finger print + the HMAC SHA challenge-response from yubikey or PKI from a smartcard for accessing my laptops for instance.
Quick to unlock, yes.
There is a real risk of "gelatin fingers". There are many videos, and some reliable newspaper stories, of people replicating fingerprints very successfully with gelatin or even Play-Doh. The approach was well documented in 2002, at https://cryptome.org/gummy.htm .
"Anything else you might as well leave your phone unlocked or put a cheap pin on it so that your girlfriend isn't able to view your browser history."
When you've been on Slashdot for more than 10 years, do you get to have a girlfriend?
I've calculated my velocity with such exquisite precision that I have no idea where I am.
This is true only if you are a close match to begin with. When a Face ID authentication fails, but is within a small failure threshold, and then the passcode is entered, another measurement is taken for training. The purpose of this is to learn as the face subtly changes, as they do. But if you and your wife are already a close match, and you know and enter the passcode, then it will augment its training from your face.
If you don't know or don't enter the passcode then no training is done.
So yes, this is definitely one more problem (among many) for Apple to solve, but it's not the huge security hole some are making it out to be. For me it's a tremendous convenience and reasonably safe, but if I were in a situation where I was truly worried about security then I would disable it.
I got a new phone a couple months ago & I've still not got around to locking it. I don't have Android pay or whatever set up (these things will make you set up a password). So what? If I lose it or it gets stolen, I call the provider & get the service shut off. It sure is convenient to use right now. Am I missing something here?
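The near-miss training behaviour described in the comment above, and the non-training "guest" passcode proposed earlier in the thread, as a toy model. This is an added example, not part of any comment and not Apple's algorithm; the thresholds, the 2-D "face vectors" and all names are assumptions.

```python
import math

MATCH = 1.0      # assumed: distance at or below this unlocks
NEAR_MISS = 1.5  # assumed: a failed match within this distance may be learned

class ToyFaceUnlock:
    """Toy adaptive matcher: a near-miss followed by the passcode adds a template."""

    def __init__(self, enrolled_face):
        self.templates = [enrolled_face]

    def attempt(self, face, passcode_entered=False, passcode_trains=True):
        """Return 'unlocked', 'learned' (passcode unlock that added a template),
        'passcode' (passcode unlock, nothing learned) or 'denied'."""
        d = min(math.dist(face, t) for t in self.templates)
        if d <= MATCH:
            return "unlocked"
        if not passcode_entered:
            return "denied"
        if passcode_trains and d <= NEAR_MISS:
            self.templates.append(face)  # acceptance region grows here
            return "learned"
        return "passcode"

# Constructed sample faces: each one is a near-miss of the previous, except STRANGER.
OWNER, CHILD, COUSIN, STRANGER = (0.0, 0.0), (1.2, 0.0), (2.4, 0.0), (5.0, 0.0)

def simulate(passcode_trains):
    """Replay the same handovers with a training or a non-training passcode."""
    phone = ToyFaceUnlock(OWNER)
    kw = {"passcode_entered": True, "passcode_trains": passcode_trains}
    return [
        phone.attempt(CHILD),           # child alone: close, but not a match
        phone.attempt(CHILD, **kw),     # parent types the passcode after the failure
        phone.attempt(CHILD),           # child alone again
        phone.attempt(STRANGER, **kw),  # far from every template: never learned
        phone.attempt(COUSIN, **kw),    # near-miss only relative to the child's template
        phone.attempt(COUSIN),          # drift: accepted although far from the owner
    ]

if __name__ == "__main__":
    print("training passcode:", simulate(True))
    print("guest passcode:   ", simulate(False))
```

In this model the cousin is never within the near-miss distance of the owner's enrolment, yet ends up accepted once the child's face has been learned; with a passcode that does not train, the template set never changes.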
SLOWER TRAFFIC KEEP RIGHT
Think of TouchID or FaceID like a lock on your front door. Yes it can be hacked and bypassed. Sometimes in ways you might not expect. It's low grade security. But that isn't the point. The point is to keep the majority of less determined individuals out while being a reasonable balance between security and convenience for typical usage. If you want greater security there are features (passwords, etc) you can utilize to strengthen the system. Most of the time these are overkill but sometimes they are a very good idea. Anyone expecting TouchID or FaceID to provide iron clad security has incorrect ideas about what they are for and what their limitations are.
I kind of believe their rate, but you have to remember that they're counting it as if a random person in the entire world got your phone. People that are related to you or even just people with similar ancestry are far more likely to be a match.
I've been completely blackballed throughout entire corporations just because of the brand of mouse I chose to buy, or the fact I refuse to use Facebook.
Oh bullshit. No corporation will give a shit about what brand of mouse you use unless you are a flaming asshat about it or somehow manage to violate their corporate IT rules. I don't use Facebook either and I have yet to run into a corporation that gives a shit about that even a little bit. Even if what you say is true that sounds like it is you that is the issue.
If you can't imagine anything in your phone (or not in it, for that matter) that anyone would take offense to, I suggest you either must not use it or you're just really naive.
If you work in a workplace that is THAT hypersensitive then I suggest you find a new and better employer. I can confidently say that there is absolutely nothing on or missing from my phone that I'm even a little worried about my coworkers getting offended over. That would be equally true of every employer I've ever worked for which at my age is quite a few of them. I would have some concerns about them getting access to some banking and financial info but that is the worst of it. Nothing there I'm the least bit embarrassed about including the contents of my emails and correspondence. I'm concerned about serious things like identity theft. That's not to say some people don't have some personal things they need to hide sometimes but if access to your phone is a concern then I suggest you keep such data off your phone.
Big companies generally devolve into popularity contests.
If you think that then I think you have serious social issues that no one here can help you with.
Very quickly I discovered it confused mothers with daughters. When our turn to host the pot-luck comes around, our guests used to gather around, let Picasa loose on the collection and laugh and marvel at the same time about its confusion.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Did anyone really expect this to be more than a modern "keypad lock"?
On my first phone, one could lock and unlock the keypad by pressing 0000. This was not security measure, just a way of preventing accidental phone calls.
Face ID is just the modern "keypad lock", the right photo of the person will probably also unlock the phone.
AAPL is at a 5+ year high. Why would they get rid of Tim Cook?
Why would we care?
Face Unlock on Android was broken years ago. It's taken this long for the iSnore to catch up *yawns*.
Calling someone a "hater" only means you can not rationally rebut their argument.
I continue to use the good old pin number. Skipped Touch ID -- since the LEOs, by court decree, can force me to swipe my finger. The above poster is not immune from a LEO forcing his finger across the fingerprint reader. That's a flaw in his "security" plan. I will skip the Face ID feature for the same reason -- the LEOs can force you to look at your phone, legally. Apple increased the pin number from 4 to 6 digits which increased security greatly. New gadgets work well but not so well with LEOs. LEO: You won't mind me searching your phone/camera/computer/car/house since you have nothing to hide, will you? ME: That's the very reason. Since I have nothing to hide and since I'm not involved, you are wasting precious LE time by searching my car/house/computer/phone/camera when you could actually be working on profitable tasks.
I recently encountered another issue with the TouchID. I'm not clear on the logic, but if you reboot the phone you need to use a PIN to unlock anyway. Only after the initial PIN unlock can you use TouchID. So use after reboot depends on remembering a rarely used PIN. A recipe for disaster when I traveled recently and my companion could not unlock her phone after turning it on since she could not remember the PIN after so long. Granted, that is user error, but I would never use TouchID since I have to use the PIN enough anyway to avoid forgetting it.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.