Slashdot Mirror


In a Test, 3D Model of a Head Was Able To Fool Facial Recognition System of Several Popular Android Smartphones (forbes.com)

Forbes magazine tested four of the most popular handsets running Google's operating systems and Apple's iPhone to see how easy it'd be to break into them with a 3D-printed head. All of the Android handsets opened with the fake. Apple's phone, however, was impenetrable. From the report: For our tests, we used my own real-life head to register for facial recognition across five phones. An iPhone X and four Android devices: an LG G7 Linq, a Samsung S9, a Samsung Note 8 and a OnePlus 6. I then held up my fake head to the devices to see if the device would unlock. For all four Android phones, the spoof face was able to open the phone, though with differing degrees of ease. The iPhone X was the only one to never be fooled.

There were some disparities between the Android devices' security against the hack. For instance, when first turning on a brand new G7 Linq, LG actually warns the user against turning facial recognition on at all. No surprise then that, on initial testing, the 3D-printed head opened it straightaway. [...] The OnePlus 6 came with neither the warnings of the other Android phones nor the choice of slower but more secure recognition.

16 of 123 comments

  1. Biometrics are generally a bad idea by Seven+Spirals · · Score: 5, Insightful

    You can't replace your fingerprints, iris, or head once they are compromised which happens about every 10 minutes these days.

    1. Re:Biometrics are generally a bad idea by AmiMoJo · · Score: 4, Interesting

      Biometrics are better than nothing. In this case the attacker needs to scan your head and 3D print an actual-size model of it, so it's still better than a simple pattern unlock or nothing.

      It's all about understanding and evaluating the threat. Facial recognition is a cheap, fast and moderately secure system that will keep your friends and siblings and random thieves out.

      People who need real security on their phones use proper passwords.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. Exactly by Artem+S.+Tashkinov · · Score: 2

    IOW most if not all biometric authentication systems suck unless they are coupled with old boring passwords. You leave your fingerprints on everything you touch. Your face and retina can be remotely scanned, saved and duplicated. This leaves us with brainwaves but I'm not entirely sure they can't be copied as well. But you can be sure as hell brainwaves authentication will be incredibly difficult and expensive to implement for smartphone security.

    Why weren't they able to crack Apple FaceID? Maybe because their 3D printer wasn't good enough as FaceID scans over 30 000 spatial dots in order to verify your identity but there were reports that it's already been cracked.

  3. Biometrics are generally a brilliant idea by k2r · · Score: 4, Insightful

    Thank you for pointing this out, again.
    I'm sure a 4 digit code smeared on the display is a lot safer.

    That is the alternative security measure for most people and thus most phones.

    Biometrics that are hard to spoof within the 4 tries an adversary has before the device falls back to a 6+ character alphanumeric code are just brilliant and way more secure in real life.

    1. Re:Biometrics are generally a brilliant idea by Anonymous Coward · · Score: 5, Informative

      At least in the US, yes, the 4 digit PIN smeared all over your device is a lot safer. You see, that 4 digit PIN has been declared to be protected under the 4th amendment. Fingerprint scans and facial recognition haven't. So nobody needs to try to spoof it, they can just force you to unlock it and hold you in contempt until you do.

    2. Re:Biometrics are generally a brilliant idea by Artem+S.+Tashkinov · · Score: 2, Insightful

      You only have six attempts to guess the right password: "If you enter the wrong passcode on an iOS device six times in a row, you'll be locked out and a message will say that your device is disabled."

      Good luck with that. And then it will be locked to your iCloud account which is nigh impossible to remove by anyone other than Apple service centers. iPhone protection against theft is probably the best in the industry.

    3. Re:Biometrics are generally a brilliant idea by Seven+Spirals · · Score: 4, Insightful

      aaand you miss the point ... again. You can change a fucking pin code. You can't change your iris-scan, dumbass. Not to mention the fact that you could have chosen to use a password instead of a stupid ass PIN. You could have chosen to use a dumbphone/dadphone and not have much information worth stealing on the device anyway, but you had to play Pokemon Go, right? We couldn't drag down your productivity by taking that away, I forgot... sorry.

    4. Re:Biometrics are generally a brilliant idea by AmiMoJo · · Score: 2

      Aaand you miss the point... again.

      Under what circumstances would you want to change your iris? Your attacker makes a copy of your iris that is good enough to fool your phone into unlocking? Then your opponent is not your younger brother or an opportunistic thief, and you picked the wrong authentication method.

      If you are using biometrics as the only authentication factor in some critical application then you are doing it wrong. If you are just using it to stop your "friends" shitposting on your Facebook timeline then you are probably okay.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  4. Security by fluffernutter · · Score: 2

    No mobile phone is secure. Don't do things on a mobile phone that you want to keep secret.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  5. Re:Apple driven test? by mdm-adph · · Score: 2

    Nope, it's just that Apple's face ID uses infrared -- it's probably looking for some sort of heat signature. A fake head wouldn't have that, and thus doesn't fool it.

    --
    It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
  6. I'm actually impressed by Headw1nd · · Score: 4, Informative

    Considering that humans could quite possibly be fooled by a 3D printed head in similar conditions, I'm actually very impressed they weren't all cracked. I also think this is an edge case scenario- Your phone is taken by someone who has the data, resources, and the will to make a 3D model of your head just to open it. Usually people would point to the government as a possible culprit here, but the government doesn't need to go to these lengths, they can use your actual face.

    1. Re:I'm actually impressed by pz · · Score: 3, Informative

      Blinking, or other biomimetic movement, that's what ultimately makes a real head distinguishable from a statue, no matter how good the artist.

      Or, if you've got a decent imaging apparatus, you can detect blood pulsations in real flesh (e.g., http://news.mit.edu/2010/pulse...)

      --

      Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
  7. How about testing a Surface? by SocietyoftheFist · · Score: 2

    I wonder about the facial recognition built in to the Microsoft surface devices.

  8. Not many resources required by SuperKendall · · Score: 2

    I also think this is an edge case scenario- Your phone is taken by someone who has the data, resources, and the will to make a 3D model of your head

    Not shown: How many of the same phones are also opened by a printout of the face.

    Doesn't take many resources to take a picture of someone's face and print it out...

    That's because a lot of the Android phones that use facial recognition are doing so from a single camera with no depth map, the way the iPhone works.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  9. So soon by Impy+the+Impiuos+Imp · · Score: 2

    Interesting, but this isn't the first 3D printed body part to convincingly mimic the real thing.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  10. Re:Whoosh by wertigon · · Score: 2

    Obligatory XKCD: https://xkcd.com/538/

    That rabbit hole goes even deeper though. Is the information on your computer worth your life? Your daughter's life? Your family's life?

    And yes, even government officials can, have, and will resort to the above tactics if they deem it important enough.

    --
    systemd is not an init system. It's a GNU replacement.