Slashdot Mirror


Samsung Galaxy S10 Facial Recognition Fooled by a Video of the Phone Owner (zdnet.com)

Experts have proven once again that facial recognition on modern devices remains hilariously insecure and can be bypassed using simple tricks such as showing an image or a video in front of a device's camera. From a report: The latest device to fall victim to such attacks is Samsung Galaxy S10, Samsung's latest top tier phone and considered one of the world's most advanced smartphones to date. Unfortunately, the Galaxy S10's facial recognition feature remains just as weak as the one supported in its previous versions or on the devices of its competitors, according to Lewis Hilsenteger, a smartphone reviewer better known as Unbox Therapy on YouTube. Hilsenteger showed in a demo video uploaded on his YouTube channel last week how putting up a video of the phone owner in front of the Galaxy S10 front camera would trick the facial recognition system into unlocking the device.

60 comments

  1. 3D and IR by goombah99 · · Score: 5, Insightful

    There's a reason Apple went with costly 3D imaging. Yes, of course there's the prospect of spoofing it with a 3D mask, but that's a pretty invasive and premeditated attack. You can't do it on the fly like a video. As has been noted many times, given some preparation it's possible to spoof fingerprint scanners. Indeed, it seems it's probably easier to spoof fingerprint scanners in many implementations.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:3D and IR by Anonymous Coward · · Score: 0

      This is why they went with a 3D ultrasonic fingerprint scanner. With facial recognition software, you don't need fakes. You just need to wave the phone in front of their face and presto, unlocked! At least with a finger, you have a chance at resisting.

    2. Re:3D and IR by goombah99 · · Score: 2

      I thought the reason they used ultrasonic was because it's more compatible with going through the screen. And the reason they used 3D ultrasonics is because it takes more information than the simple ultrasonic reflectance to decode the uniqueness. I don't think it was motivated by discriminating fakes. That was just a nice benefit for making phantom fingers harder to create in hindsight.

      --
      Some drink at the fountain of knowledge. Others just gargle.
    3. Re:3D and IR by Freischutz · · Score: 1

      This is why they went with a 3D ultrasonic fingerprint scanner. With facial recognition software, you don't need fakes. You just need to wave the phone in front of their face and presto, unlocked! At least with a finger, you have a chance at resisting.

      I went with an iPhone 8 rather than one of the X models because of the fingerprint scanner. I can unlock the iPhone 8 without looking at it, whereas with the face recognition I have to hold the thing in front of my face which is annoying.

    4. Re:3D and IR by Anonymous Coward · · Score: 0

      As has been noted many times, given some preparation it's possible to spoof fingerprint scanners...

      By "preparation" I'm assuming you mean hackers lighting the bong before opening the pack of Gummi Bears...

    5. Re:3D and IR by SuperKendall · · Score: 2

      I can unlock the iPhone 8 without looking at it

      Aren't you going to be looking at it at some point? What value is there in unlocking a phone you do not see?

      with the face recognition I have to hold the thing in front of my face which is annoying.

      Lots more annoying to have to take gloves off in winter to unlock a device, or even to have to think about unlocking at all. With FaceID I don't think about unlocking, I pull out the phone and it's unlocked by my holding it.

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    6. Re:3D and IR by kingbilly · · Score: 1

      I wish the X supported both. I had the iPhone 6 until this year. There are a number of times per week I have to type in my code because the face recognition won't work.

      - Wearing sunglasses in the car
      - Sitting in my car after I get home at night (too dark)
      - Wearing my gamma rays and turtle beach while playing games
      - other things I can't remember

      With the phone being completely touchscreen, I was hoping the X would allow my thumb at the bottom. Nope.

    7. Re:3D and IR by FictionPimp · · Score: 1

      Yes and no, I can't unlock my phone in the car to change songs (something I could do without face ID). I can't unlock the phone without it being in the right position, with my eyes looking at it, etc. This means I can't unlock my phone in conversation to glance at a push notification. FaceID is a terrible product.

    8. Re:3D and IR by Aqualung812 · · Score: 1

      This means I can't unlock my phone in conversation to glance at a push notification.

      I do this all of the time. I just raise the phone and look at it, and it unlocks to view the notification.

      --
      Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
    9. Re: 3D and IR by Anonymous Coward · · Score: 0

      You need the New iFart unlock

      In addition to smelling your own farts while driving your so-called self-driving Teslas, you can also unlock your new iPhoneXXX and take a selfie of yourselves smelling your own farts while driving and jacking off to the sight of your shiny car and phone

    10. Re:3D and IR by AmiMoJo · · Score: 1

      And there is a reason Samsung didn't bother with costly 3D imaging. This isn't supposed to be a super secure system. Someone can unlock your phone by pointing it at your face, perhaps while you are asleep, even with the Apple system.

      Face unlock is for people who only want to protect against people they don't know stealing their phone. It stops random thieves from getting their data and makes it much harder for them to factory reset and sell the phone on.

      It's for people who are so lazy that even fingerprint unlock is too much hassle, let alone a long PIN/password.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    11. Re:3D and IR by Anubis+IV · · Score: 1

      Exactly. Moreover, even the 3D mask attacks sound like they only work if you rig the system. The first (only?) 3D mask attack that I've actually seen demonstrated wasn't able to be reproduced by any other researchers (at the time; maybe things have changed since then?), and it was later determined to have only worked for those particular researchers because they inadvertently trained the phone on the mask*. When they attempted to prove their methodology's reproducibility by resetting everything and giving the phone a few days of use before introducing the mask (i.e. actually simulating real world conditions), their mask was never able to unlock the phone and they were never able to reproduce their own, original results.

      *The iPhone is, by necessity, more tolerant of variations right after it's set up with FaceID, since it continues to refine its understanding of what the owner's face looks like under different conditions (e.g. glasses, stubble, hair cut, etc.). In the case of the successful attack, the owner's face was shown to the phone during setup, then never again, giving it no chance to refine and improve as it normally would during the first few days of typical use. Instead, they immediately started showing it a similar "face"—the mask—which it understood to be a variation on the owner's appearance, thus effectively training it that the owner's face was the mask.

    12. Re:3D and IR by Anonymous Coward · · Score: 0

      "Looking at it" is not the same thing as "place your face in the field of view of the frontal camera".

      With a fingerprint scanner, I can't use it when wearing gloves in -30C temperatures, and I really do not want to take my gloves off just to open the phone. But I can answer the phone by using my nose to slide the answer slider. I wish I could use a physical volume rocker for that, by tapping it UP a couple of times to answer.

      But often I have the phone on a table or on a bed, somewhere facing upward. And I am not at all in the field of view of the camera. Yet I can open the phone just to check something while I am over 45 degrees away from the phone, and I can still see and read the screen totally fine. To use the phone, I do not need to stare at it from straight in front. I don't want to do that. In a car, I can have the phone on the wheel and I can operate it from there without really looking at it.

      Face recognition and face identification are two separate things, yet both are very, very illogical to use for things such as unlocking the device. And anyway, the idea that the phone would be scanning and imaging my face is scary. That is why I have tape on the smartphone's front camera and a slider on the rear camera, just like I have on my laptops.

      It really is a privacy risk that at any given time something can access the camera, location etc.

      Since the first time laptops got webcams (IIRC it was the late 90's or something) I have made only two video calls. One was between me and my 70-year-old father, who had never seen such a possibility. The second time was with my sister's 2-year-old daughter.

      I don't see any good reason to use the video call feature for anything. I don't take selfies, as I do self-portraits as a photographer as my third profession (the first one is network engineer), and there is no good reason to have any device open anything by an image of my face. It is really as stupid an idea as the fingerprint scanner on the door, where all the keys that your fingers have are transferred to the door handle just next to it.
      That is the same reason why I don't have anything sensitive on my smartphone. And I am even responsible for all the contact information in it, so I need to keep it out of reach of every application out there.

      But when your smartphone is really just a remote control for a camera, a notepad and a GPS, it doesn't matter if it gets stolen or someone gets access to it via the fingerprint scanner.

      But to open device by looking at it, stupid...

    13. Re:3D and IR by fluffernutter · · Score: 0

      A lot of people don't like looking like dweebs iPhone fanbois in public if they can help it.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    14. Re:3D and IR by shilly · · Score: 2

      Someone can unlock your phone by pointing it at your face, perhaps while you are asleep, even with the Apple system.

      Confidently wrong. I like your style!

      "When a face is detected, Face ID confirms attention and intent to unlock by detecting that your eyes are open and directed at your device"
      FaceID security white paper

    15. Re:3D and IR by BringsApples · · Score: 1

      If you are unconscious, your phone can be pointed at your face, or your finger can be used, and the phone is unlocked.

      No, I swear by the password when it comes to security. I can't think of a way that a password can be stolen, provided I never tell anyone, and no key loggers are installed on the device.

      --
      Politics; n. : A religion whereby man is god.
    16. Re:3D and IR by Solandri · · Score: 1

      There's a reason apple went with costly 3D imaging. Yes of course there's the prospect of spoofing it with a 3D mask but that's a pretty invasive and premeditated attack.

      Why bother with a mask? The police or a mugger will just hold you down while they point your phone at you.

      People forget that signing into a phone is not just validation of your ID, it's also your way of signaling that you actually want to sign in. Passive sign-ins like fingerprint or facial scans allow others to sign in on your behalf regardless of whether or not you actually want to sign in. (Of course they could just beat you with a wrench until you gave up your password, but that will at least leave physical bruising and scars as evidence of their wrongdoing. With passive sign-ins, there's no way to distinguish voluntary from involuntary logins. You file a lawsuit saying the police forced you to unlock your phone. They just say "no we didn't, you voluntarily unlocked it.")

    17. Re:3D and IR by zlives · · Score: 1

      iProbe is on the way, it's got all the buzzwords: 3D, ultrasonic. Self-lubing and vibrating models are a bit higher in price.
      One squeeze and it authenticates the device, and no one is going to try stealing that.

    18. Re:3D and IR by fluffernutter · · Score: 1

      Wow! Does it do the prostate? Prostate massages feel like using an iPhone.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    19. Re:3D and IR by goombah99 · · Score: 1

      Why do people bring up these ludicrous edge cases?

      --
      Some drink at the fountain of knowledge. Others just gargle.
    20. Re: 3D and IR by Anonymous Coward · · Score: 0

      That's why the next Pixel phone will have the Ultra 5D Psychic Wave Face Finger Phallic Sensor Extreme.

      Unlike the current generation of sensors it will literally touch you all over before it unlocks.... kinda like the TSA in a Phone.

      Nothing will be more secure than that.

  2. QA? by Anonymous Coward · · Score: 0

    How could this not be the first unhappy test case?

    1. Re:QA? by Anonymous Coward · · Score: 0

      Maybe second or third, but definitely at the top of the list.

      My guess is that they knew it was flawed like every other implementation and they couldn't ship without it. The PR damage is small.

    2. Re:QA? by Anonymous Coward · · Score: 0

      You don't decide.

  3. tears & innocence shortage remedy by Anonymous Coward · · Score: 0

    cease fire stand down,, truth+mercy=justice,, that's the spirit.. further pretense is just more wasted energy?

  4. The non-equivalence of optical flow and lidar by goombah99 · · Score: 1

    The thing that surprised me here is that in the field of 3D reconstruction, passive optical flow methods have come to dominate Lidar or moire patterns in probably all use cases aside from cars. And even in cars, for daylight operations it's arguably better than lidar for many practical issues.

    But it's not the same as this example beautifully shows.

    Optical flow is the technique of inverting a 3D object by the camera-or-object motion such that the parallax effect gives you the information you need to figure out the z-dimension. Lidar just times the distances, and Moire patterns figure out Z from spreading/bending angles of projected lines. Those require active illumination. Whereas optical flow just requires a video (or series of snapshots) from different angles on an object.

    The two reasons optical flow dominates are that first it's insanely cheap and compact (just a tiny camera) and second, because you get the texture/coloring/reflectance values at the same time, but perhaps most of all because it isn't a fixed field of view. Lidar and moire images are from a fixed field of view so you only get a 3D extrusion and you can't rotate the object on screen to see around the side. For that you would need the lidar point of view to move too and at that point you might as well have used optical flow. Of course for perfect metrology Lidar can be better, but seldom is that precision needed, even in a car. The reason to use it in a car is just for disambiguation and night time driving. In cars you don't get multiple points of view on distant objects either, so the optical flow only works on objects close by where there's some parallax, but by then you might have driven under the flatbed trailer.

    In this case the video image can allow the Samsung to do 3D reconstructions. I don't know if they are bothering with that or just going with pure image reconstruction or not. It could be they don't even try to go the extra mile to verify the subject is 3D. I would hope they did since otherwise a photo might suffice to unlock. But here the video supplies the info it could use to do a 3D optical flow reconstruction.

    And surprise! It's not actually measuring real 3D like lidar does.

    The thing for me was realizing these methods differ on that point. Sure I knew it all along, but I hadn't thought about it in this way before.

    --
    Some drink at the fountain of knowledge. Others just gargle.
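
The distinction drawn in the comment above, as an added simulation that is not part of the commenter's post and not any vendor's algorithm: depth inferred from parallax between two frames comes out the same for a live face and for a flat-screen replay of those frames, while an active range measurement of the replay sees a flat surface. The face shape, focal length, baseline, screen distance, replay scale and the 0.05 relief threshold are all constructed assumptions.

```python
"""Constructed simulation: depth inferred from parallax vs. depth measured actively."""
import math

FOCAL_PX = 800.0      # assumed focal length, in pixels
BASELINE_M = 0.02     # assumed sideways camera shift between the two frames
SCREEN_DIST_M = 0.30  # assumed distance from the phone to the replay screen


def face_points(n=9):
    """Constructed face-like surface: (x, y, z) in metres, 'nose' closest to camera."""
    pts = []
    for i in range(n):
        for j in range(n):
            x = -0.08 + 0.16 * i / (n - 1)
            y = -0.10 + 0.20 * j / (n - 1)
            bump = 0.04 * math.exp(-(x * x + y * y) / (2 * 0.04 ** 2))
            pts.append((x, y, 0.35 - bump))
    return pts


def project(points, cam_x):
    """Pinhole projection of each point for a camera shifted cam_x along X."""
    return [(FOCAL_PX * (x - cam_x) / z, FOCAL_PX * y / z) for x, y, z in points]


def parallax_depth(frame_a, frame_b):
    """Passive estimate: depth from horizontal disparity, Z = f * b / d."""
    return [FOCAL_PX * BASELINE_M / (a[0] - b[0]) for a, b in zip(frame_a, frame_b)]


def replay(frame, scale):
    """What the camera sees when a recorded frame is shown on a flat screen.
    Only the overall image scale changes; the recorded disparities survive."""
    return [(u * scale, v * scale) for u, v in frame]


def relief(depths):
    """Scale-free depth variation: (max - min) / mean. Zero for a flat surface."""
    return (max(depths) - min(depths)) / (sum(depths) / len(depths))


def compare(min_relief=0.05):
    """Return the relief each sensing method reports for a live face and a replay."""
    face = face_points()
    rec_a, rec_b = project(face, 0.0), project(face, BASELINE_M)

    live_passive = parallax_depth(rec_a, rec_b)
    live_active = [z for _, _, z in face]            # ranging hits the face itself

    seen_a, seen_b = replay(rec_a, 0.8), replay(rec_b, 0.8)
    replay_passive = parallax_depth(seen_a, seen_b)  # parallax baked into the video
    replay_active = [SCREEN_DIST_M for _ in face]    # ranging hits the flat screen

    result = {}
    for name, depths in [("live_passive", live_passive),
                         ("live_active", live_active),
                         ("replay_passive", replay_passive),
                         ("replay_active", replay_active)]:
        r = relief(depths)
        result[name] = {"relief": r, "looks_3d": r >= min_relief}
    return result


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:15s} relief={row['relief']:.3f} looks_3d={row['looks_3d']}")
```

Only the actively measured replay reports zero relief; the parallax-based estimate cannot separate the two cases because the depth cue travels inside the recorded frames.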
  5. Why is this a surprise? by Anonymous Coward · · Score: 1

    The sensor is a video sensor. It's not exactly human eyes and brain.

  6. Re:i took a picture of a shit by Anonymous Coward · · Score: 0

    That also works with any of the Slashdot editors.

  7. Re:i took a picture of a shit by Anonymous Coward · · Score: 0

    true
    but if you show it a picture of a desirable naked adult woman
    only creimer's phone automatically shuts off

  8. It's an ongoing escalating war by cellocgw · · Score: 2

    Consider all the flap about recent AI systems generating artificial head shots that most people can't distinguish from real photos. An algorithm that can create those can, with some existing add-ons, analyze a photo and decide what the Z-axis values are, thus producing a 3-D object. Might be a bit more difficult to fabricate, but I bet these phones can't tell what size the "head" they're looking at is.
    If they could capture cicadic movement, that might be cool, but I don't think the cameras have the frame rate to do so.

    --
    https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
    1. Re:It's an ongoing escalating war by Anonymous Coward · · Score: 0

      *saccadic. The migration of insects is besides the point.

  9. Wrong for iPhone by SuperKendall · · Score: 1

    With facial recognition software, you don't need fakes. You just need to wave the phone in front of their face and presto, unlocked!

    Would not work on an iPhone if the subject had eyes shut, or had triggered the "temporarily disable FaceID" feature before entering an area they thought the phone was at risk.

    You seriously think it's HARDER to grab someone's hand and forcibly press one finger on a device? Two people, maybe even one, could easily manage this with anyone.

    You cannot force someone's eyes open in a way that FaceID would accept the face as valid...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Wrong for iPhone by Altus · · Score: 1

      I'm pretty sure I could get you to put your finger on the sensor after hitting you a few times with a 5 dollar wrench.

      --

      "In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson

    2. Re:Wrong for iPhone by goombah99 · · Score: 1

      getting far fetched. You could also just whack someone with a tire iron and then press their finger on the phone.

      --
      Some drink at the fountain of knowledge. Others just gargle.
    3. Re:Wrong for iPhone by Anonymous Coward · · Score: 0

      With facial recognition software, you don't need fakes. You just need to wave the phone in front of their face and presto, unlocked!

      Would not work on an iPhone if the subject had eyes shut, or had triggered the "temporarily disable FaceID" feature before entering an area they thought the phone was at risk.

      You seriously think it's HARDER to grab someone's hand and forcibly press one finger on a device? Two people, maybe even one, could easily manage this with anyone.

      You cannot force someone's eyes open in a way that FaceID would accept the face as valid...

      Even if someone can force you to open your eyes, you just need to be looking at something else. Unless you are looking at the phone, it won't unlock. Now they have to find a way to force your eyeballs to stare at the phone...

    4. Re:Wrong for iPhone by CastrTroy · · Score: 1
      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  10. Another reason not to like "Face ID" by LesPeters · · Score: 1

    Easy to combine this 'feature' with the near-omnipresent surveillance state. No need to be asked to submit your face to unlock your phone: good chance they already have sufficient video to do it themselves.

    1. Re:Another reason not to like "Face ID" by UnknowingFool · · Score: 3, Informative

      Apple’s Face ID relies on 3D imaging so a video or photo doesn’t work. Other implementations of facial recognition do not, so they are susceptible to different attacks.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    2. Re:Another reason not to like "Face ID" by Locke2005 · · Score: 0

      Apple's Face ID is easily fooled by people with similar faces, e.g. close relatives... Hopefully you don't have a problem with your siblings being able to unlock your phone.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    3. Re:Another reason not to like "Face ID" by Anonymous Coward · · Score: 0

      Apple's Face ID is easily fooled by people holding your phone up to your own face.

    4. Re:Another reason not to like "Face ID" by UnknowingFool · · Score: 1

      I don’t know if that's true that similar faces would fool Face ID; however, that would fool other facial recognition based on photos and videos. My point isn’t that Face ID is infallible. My point was that Face ID isn’t fallible to this particular attack.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    5. Re:Another reason not to like "Face ID" by Anonymous Coward · · Score: 0

      If a person has access to both your phone and your face and has evil intent, you're kinda fucked already, no?

    6. Re:Another reason not to like "Face ID" by Locke2005 · · Score: 1

      Yes, Apple Face ID was designed to not be vulnerable to a simple attack using a 2D picture of the face; that's the advantage of using 3D imaging. What I'm saying is, how much harder is it to make a 3D image of the face for an attack?

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
  11. simple explanation of what's going on here... by Anonymous Coward · · Score: 0

    For facial recognition you need a 3d camera. Without it you can fool it with video. There's actually many ways to fool it.
    Airport cameras too.

    1. Re:simple explanation of what's going on here... by Locke2005 · · Score: 1

      You can fool 3D cameras with 3D models of faces too... I suspect you can fool 2D cameras with still pictures, not just video.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
  12. Samsung Doesn't Recommend You Use it by Paxtez · · Score: 2

    They specifically call it a low security type lock. The iris scanner was removed to make the hole punch smaller.

    They recommend using the fingerprint for biometrics.

  13. But... by Locke2005 · · Score: 1

    Does it recognize dark faces? My personal prediction is that when the robot uprising comes, only the darkies will survive because the robots never figured out how to recognize dark faces...

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  14. Kendall you know nothing about this, stop talking by Anonymous Coward · · Score: 0

    You're completely stupid Kendall lol, you missed the entire point of this.

  15. Use the 3d fingerscanner instead by Anonymous Coward · · Score: 2, Insightful

    If I recall correctly, Samsung were pretty upfront about this, that the face scanning is less secure than the fingerprint scanner.

    It's not a bug, it's by design. :)

  16. Who would have thought by OneHundredAndTen · · Score: 1

    The lesson after all these years of biometrics is that, to a concerningly large extent, security mechanisms based on biometrics can be bypassed, often by ridiculously pedestrian and simple approaches. Trust biometrics at your own peril.

    1. Re:Who would have thought by Anonymous Coward · · Score: 0

      Biometrics, if the only security, don't even need to be bypassed. I can TAKE your biometrics. I can't take a password or a pin, assuming you haven't written it down.

    2. Re:Who would have thought by Anonymous Coward · · Score: 0

      Biometrics, if the only security, don't even need to be bypassed. I can TAKE your biometrics. I can't take a password or a pin, assuming you haven't written it down.

      That's why you use biometrics AND a password/PIN.

    3. Re:Who would have thought by Henriok · · Score: 1

      Ahem.. It's pretty easy to just watch someone type in their passcode. You can even use a video recording device if you don't trust your ability to discern it at first glance or if you want to do it from a considerable distance. That'd be pretty unintrusive and you won't need physical access to the device or the owner.

      --

      - Henrik

      - when the Shadows descend -
  17. Kendall you know nothing about this, stop talking by Anonymous Coward · · Score: 0

    You're completely stupid Kendall, you missed the entire point of this.

  18. Sunglasses should work by SuperKendall · · Score: 2

    Wearing sunglasses in the car

    All of the sunglasses I have work fine with the iPhone X, just make sure what you use does not block IR.

    Sitting in my car after I get home at night (too dark)

    FaceID works in pitch blackness since it uses an IR emitter to illuminate your face. It cannot be "too dark" for it to work. I use it at night in unlit rooms... and also at night in my car.

    Wearing my gamma rays and turtle beach while playing games

    Why does this not work? FaceID is pretty flexible.

    If you really truly need to wear something that will not pass IR all the time, train your face with that on as an alternate face and disable the attention requirement so it doesn't need to see your eyes to unlock.

    I was hoping the X would allow my thumb at the bottom.

    Not quite sure I follow, what does "allow my thumb at the bottom" mean?

    I've had the iPhone X since last year and I miss nothing about TouchID at all, I find FaceID vastly better in every way.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  19. biometrics are simply a bad idea by Anonymous Coward · · Score: 0

    biometrics should never be used for security purposes because they are UNREVOKABLE.

    from a privacy perspective they are also a bad idea.

    given these risks, is it worth using them at all?

    it is a convenient way to prevent accidental unlocking and thwart direct access by unsophisticated everyday adversaries (insiders).

    why not just stick to swipe patterns/passcodes and the like?

    1. Re:biometrics are simply a bad idea by Anonymous Coward · · Score: 0

      of course the real solution is for a common standard to be adopted by device manufacturers for wireless token authentication (security tokens) that are self generated and managed ( burned in keys at initialization) with revocation via delegated group member authority.

      we may never get to this holy grail though due to competing incentives and low demand.

  20. works as intended.. by Anonymous Coward · · Score: 0

    broken biometrics that are easy to trick are by design. i'm sure the feds (among others) want it that way and have indicated their desire in one secret way or another with manufacturers.