Security Firm Claims to Thwart iPhone X’s Face ID with a Mask

Megalith

Security researchers at Bkav claim to have thwarted Face ID by using a specially-built mask. Rather than strive for absolute realism, the team built its mask with the aim of tricking the depth-mapping technology. The creation uses hand-crafted "skin" made specifically to exploit Face ID, while 3D printing produced the face model. Other parts, such as the eyes, are 2D images.

The researchers maintain that they didn't have to “cheat” to make this work. The iPhone X was trained from a real person's face, and it only required roughly $150 in supplies (not including the off-the-shelf 3D printer). The demo shows Face ID working in one try, too, although it's not clear how many false starts Bkav had before producing a mask that worked smoothly.
 
Well now that that is out there, it is only a matter of time until some company starts to offer to sell these. I wonder how Apple will respond?
 
their whole deal was "no seriously guys, this time it can't be fooled!"

we've had face unlock phones for years now that could be fooled.
 
So face recognition camera is less secure than fingerprints? *shocked*

apple can try and sell their BS, but it's obvious the only reason they went with this crap is because they didn't want a rear fingerprint reader a-la-Galaxy S8
 
doesn't affect 99% of iphonex users.

This is much more complicated than fooling the samsung Galaxy with a selfie.

What normal iphone user is going to have or buy a 3d printer and make "special skin" just for this?
 
That Q and A reads very poorly and their entire method is way too complicated.

I don't think this proves Face ID is not secure by any means. It just means it can be fooled under very specific circumstances.

I guess it ultimately proves that governments can break into the phones.
 
Go back in time to when TouchID was launched. Some researchers published an article on obtaining a good fingerprint sample, then using some kind of gel-based crap with the fingerprint on it to fool TouchID. This same process worked on other fingerprint scanners as well.

The process outlined in the article I don't doubt works - but it is a lot of work and most people are not going to have the resources to do this. It's likely it's not worth anyone's time to get on your phone. Mine? You'll find a few boring emails, lots of family pictures, a couple of games, and not much else. Really doubt it's worth the time and effort. (Of course, things will get interesting when we get a legal case in which the FBI or similar needs access to a phone protected by FaceID. Might be worth their time to do the process.)

If you want better security, use a strong password.
 
Biometrics should be used to augment security - not replace it.
I think the point of the article is Apple said "This is impossible to crack" and then it gets cracked a week or so later.
I'm in my master's program in Information Security and Assurance and wanted to attempt something along these lines - but being in the program remote and me not wanting to pony up the $$ for the phone killed that idea. Definitely fun to watch the speed that workarounds appear.
 
Biometrics should be used to augment security - not replace it.
I think the point of the article is Apple said "This is impossible to crack" and then it gets cracked a week or so later.
I'm in my master's program in Information Security and Assurance and wanted to attempt something along these lines - but being in the program remote and me not wanting to pony up the $$ for the phone killed that idea. Definitely fun to watch the speed that workarounds appear.

Apple never said it's impossible to crack. They just said it was harder to crack than TouchID - And they're right.

Further, Apple only uses these things to augment security as you say. Ultimately you need to enter the PIN/Password after a set number of hours as it is.
 
doesn't affect 99% of iphonex users.

This is much more complicated than fooling the samsung Galaxy with a selfie.

What normal iphone user is going to have or buy a 3d printer and make "special skin" just for this?

A normal iPhone user? They probably won't have the 3d printer. But, someone out there will, and they will make custom faces.
 
I stole your $1000 phone. You have a facebook. I print your face from a suitable picture on my 3d mask. I now have your $1000 phone + all personal/financial information you put on it.

Negative. Unless you are able to do that within a few hours iOS requires the PIN/Passcode as well, and you're also assuming that person doesn't mark the phone as stolen with Apple which would completely lock it down anyways.
 
Negative. Unless you are able to do that within a few hours iOS requires the PIN/Passcode as well, and you're also assuming that person doesn't mark the phone as stolen with Apple which would completely lock it down anyways.

Wrong again, buddy. I'm in my zero-signal basement and Apple sending out a kill-command ain't doing a damn thing for your phone, and yes, I printed out your face in a few hours. I did scope out your completely predictable route, since you post about it on aforementioned facebook, daily.

(this is all hypotheticals to prove a point btw, eventually these guys will figure out exactly how the face-id "sees" a face and make it even easier to trick than a 3d printed face.)
 
Wrong again, buddy. I'm in my zero-signal basement and Apple sending out a kill-command ain't doing a damn thing for your phone, and yes, I printed out your face in a few hours. I did scope out your completely predictable route, since you post about it on aforementioned facebook, daily.

(this is all hypotheticals to prove a point btw, eventually these guys will figure out exactly how the face-id "sees" a face and make it even easier to trick than a 3d printed face.)

Your common thief will not do this within a couple of hours.

Yes, I fully agree if a nation-state is after your data they will get it. Regardless of Face ID.

I don't support Apple, but you're really missing the mark here. Apple never said this was a 100% secure method. They only said it was more secure than TouchID - Which it is. Touch ID requires far less equipment to get around, although even TouchID was enough to prevent your typical thief/local PD from getting into the phone fast enough.
 
I'm curious if they had some sort of heat added to the mask. I was under the impression that IR was used to help ensure the face was a person not a mask. Regardless, I only use biometrics on my iPad, which is largely used as a media consumption device. My phone requires a pass code.
 
I don't like passcodes... way too easy for people to see you entering the code and you will do it many many times a day.
 
the cam is old tech. (might be new to put in a phone form factor ) next phone will have functions that detect heat signature and pulse next.
 
I don't like passcodes... way too easy for people to see you entering the code and you will do it many many times a day.

That is the best retort to using a pin/passcode I've ever read, but it cracks me up that all the go to retorts from others about biometric failures and cracking is the time sensitive passcode. Must be a few of those responses above here.
My take is why all the extra step verifications, it always comes down to the passcode for the final wall of security anyway, I still haven't seen a great reason for all the extra steps (until now with aokman's take on passcodes, to which I say, be careful about how you use it) to get into a phone; seems to me people are just enamored with the tech geek cool factor of biometrics on devices, but it continues to sell devices and stimulate the economy.
 
That is the best retort to using a pin/passcode I've ever read, but it cracks me up that all the go to retorts from others about biometric failures and cracking is the time sensitive passcode. Must be a few of those responses above here.
My take is why all the extra step verifications, it always comes down to the passcode for the final wall of security anyway, I still haven't seen a great reason for all the extra steps (until now with aokman's take on passcodes, to which I say, be careful about how you use it) to get into a phone; seems to me people are just enamored with the tech geek cool factor of biometrics on devices, but it continues to sell devices and stimulate the economy.

Biometric gets you in easy. You only need the passcode on reset or if you haven’t used the phone in 12 hours. That’s the point of it. You get into the phone faster and it’s secure enough that if you lose your phone or it gets stolen it’s not getting broken into unless you’ve been specifically targeted which means nothing at that point will protect you anyways.

At this point I wouldn’t want a phone without a fingerprint scanner like TouchID. It’s a great quality of life feature on a phone.
 
Biometric gets you in easy. You only need the passcode on reset or if you haven’t used the phone in 12 hours. That’s the point of it. You get into the phone faster and it’s secure enough that if you lose your phone or it gets stolen it’s not getting broken into unless you’ve been specifically targeted which means nothing at that point will protect you anyways.

At this point I wouldn’t want a phone without a fingerprint scanner like TouchID. It’s a great quality of life feature on a phone.

K, I clearly understand that, but that makes all the biometric failures perfectly valid as a security hole for 12 hours and all the passcode preaching savior arguments fall flat for 12 hours. My point is people are arguing both ways about it and one can't have it both ways (both ways being total security and convenience). One is simply sacrificing total security for convenience of access on a time limited basis. Biometrics is not so much about multistep security as so many want to suggest, it's about convenience of access while retaining some form of security (as you state).

SvenBent above makes a good point as well. Passcode is the best security and care can be taken that people don't see it, but even that practice can have its flaw if you are constantly accessing in a crowded area, as aokman experiences.
 
They're coming to carefully make a mask of your face!! I bet Apple - and recently reputationally-damaged high-quality mask-makers - are seriously shitting their pants.
 
Current biometrics are mostly a Rube Goldberg way of handing security. Similar to IoT devices being Rube Goldberg machines to carry out the simplest of tasks. KEEP IT SIMPLE STUPID
 
doesn't affect 99% of iphonex users.

This is much more complicated than fooling the samsung Galaxy with a selfie.

What normal iphone user is going to have or buy a 3d printer and make "special skin" just for this?

This isn't about normal iPhone users. This is about the jackass cokehead CEO carrying around the personal info of millions of people on his goddamn iPhone. Knowing Apple the fucktards will probably put this face crap on their laptops too.
 
This isn't about normal iPhone users. This is about the jackass cokehead CEO carrying around the personal info of millions of people on his goddamn iPhone. Knowing Apple the fucktards will probably put this face crap on their laptops too.

facecrap already on HP business line of laptops about 3+ (prob a lot longer. Can't bother to check but my old one has it) years back.
 
I always if you can make a lock, someone else can find a way to unlock it.
 
I stole your $1000 phone. You have a facebook. I print your face from a suitable picture on my 3d mask. I now have your $1000 phone + all personal/financial information you put on it.

Not to mention that this is a very effective way for the "authorities" to be able to get into a locked phone.
 
Wrong again, buddy. I'm in my zero-signal basement and Apple sending out a kill-command ain't doing a damn thing for your phone, and yes, I printed out your face in a few hours. I did scope out your completely predictable route, since you post about it on aforementioned facebook, daily.

(this is all hypotheticals to prove a point btw, eventually these guys will figure out exactly how the face-id "sees" a face and make it even easier to trick than a 3d printed face.)

That's assuming that all financial information is actually stored on the phone and you can get it. Most people's financial apps require Internet connection.
Even if you have all of that, then you have to know how to actually get the money without getting caught.

But all of our information is already out there for evil people thanks to Equifax, Yahoo, etc. So they don't have to bother trying to steal your phone.

Reminds me of the guy that was paranoid that someone could tackle him, hold his face still, keep his eyes open, and then unlock his phone. Really?
You don't think it would be easier to do the same thing with fingerprint reader. Or just hold a gun to you and tell you to unlock it?
Best advice. Stop carrying sensitive info with you everywhere you go with an internet connected device.
 
Your common thief will not do this within a couple of hours.

Yes, I fully agree if a nation-state is after your data they will get it. Regardless of Face ID.

I don't support Apple, but you're really missing the mark here. Apple never said this was a 100% secure method. They only said it was more secure than TouchID - Which it is. Touch ID requires far less equipment to get around, although even TouchID was enough to prevent your typical thief/local PD from getting into the phone fast enough.

Apple put out a white paper saying faceid was more secure than touchid, but I do have to wonder if that was before or after production issues caused them to radically reduce the number of dots in the dot field projector?

I'm also wondering how much the bandaged and wounded look factors in to exploiting the AI algorithm. If it reduces precision if it scores high for something the AI perceives as injured.
 
Apple put out a white paper saying faceid was more secure than touchid, but I do have to wonder if that was before or after production issues caused them to radically reduce the number of dots in the dot field projector?

I'm also wondering how much the bandaged and wounded look factors in to exploiting the AI algorithm. If it reduces precision if it scores high for something the AI perceives as injured.

It's a good question; I think it's the perfect thing to explore from a scientific perspective and write a paper on if I were a uni student looking to do a thesis on biometrics in general. I'd love to see which is actually a better method for biometrics, and if Apple's claims are actually true.

I personally prefer TouchID as I prefer the idea of having to touch my thumb in that one spot to unlock it versus the phone just automatically seeing my face and deciding to unlock.

My belief is that Apple is going to push FaceID hard simply because from a manufacturing perspective it'll be cheaper than TouchID in the long run. Apple can claim FaceID is more secure all they want, but at the end of the day they are making the change because of $.
 
right now most phones are locked via a pin code. but IF face biometric ID becomes a norm, what happens when such a device is used by some criminal. Can the court order you to look at the phone to unlock it? It's not like you can say I forgot my code, when it's your face or fingerprint
 
right now most phones are locked via a pin code. but IF face biometric ID becomes a norm, what happens when such a device is used by some criminal. Can the court order you to look at the phone to unlock it? It's not like you can say I forgot my code, when it's your face or fingerprint

Again - The court can order you to unlock the phone with your fingerprint, face, or whatever - Ultimately though (at least with iPhones) they require you to re-enter your PIN/or/Passcode after a 12 hour period, if the phone is reset, you identify it as stolen, or you quick hit the 'oh shit' button combo; At that point they only have 10 PIN/Password tries before the phone wipes itself.
 
Wrong again, buddy. I'm in my zero-signal basement and Apple sending out a kill-command ain't doing a damn thing for your phone, and yes, I printed out your face in a few hours. I did scope out your completely predictable route, since you post about it on aforementioned facebook, daily.

(this is all hypotheticals to prove a point btw, eventually these guys will figure out exactly how the face-id "sees" a face and make it even easier to trick than a 3d printed face.)


I don't think you could easily print a 3d face based on a few 2d pictures. It has depth sensing, so you'd have to get all the measurements right.
 
Ars did a good write up on their research:

https://arstechnica.com/information...-apples-face-id-heres-why-were-not-convinced/

My initial assessment about this bypass still seems to hold true. It's not much of a security bypass if it required the target to make the mask.

The fact that they side-step this question is telling of just how much of a non-issue this research is:

Q: Are the dimensions of a person's face needed? How would those be obtained without a target sitting for them?

The 1st point is, everything went much more easily than you expect. You can try it out with your own iPhone X, the phone shall recognize you even when you cover a half of your face. It means the recognition mechanism is not as strict as you think, Apple seems to rely too much on Face ID’s AI. We just need a half face to create the mask. It was even simpler than we ourselves had thought.

Apple has done this not so well. I remember reading an article on Mashable, in which Apple told that iPhone X had been planned to be rolled out in 2018, but the company then decided to release it one year earlier. This shows that they haven’t carried out scientific and serious estimation before deciding to replace Touch ID with Face ID.

The 2nd point is, in cyber security, we call it Proof of Concept, which is useful for both sides, the hackers and the users. The hackers, they can find out a simpler way to exploit users’ device based on such PoC. While with users, if they know about such possibility, they will not use the feature to keep themselves safe. Just like the KRACK attack, it is not easy to be successfully exploited but users are urged to update the patch ASAP, because the threats are real. With Face ID’s being beaten by our mask, FBI, CIA, country leaders, leaders of major corporations, etc. are the ones that need to know about the issue, because their devices are worth illegal unlock attempts. Exploitation is difficult for normal users, but simple for professional ones.

They don't give any details whatsoever. It would seem that they would still need the correct dimensions for at least half the face. Unless they follow up with more detailed research on how a mask like this can be created without the target's knowledge, or involving them in any way, then it seems as secure as Apple claims for the time being.
 
right now most phones are locked via a pin code. but IF face biometric ID becomes a norm, what happens when such a device is used by some criminal. Can the court order you to look at the phone to unlock it? It's not like you can say I forgot my code, when it's your face or fingerprint

Apple protects against this by disabling biometric security if you tap the Wake button 5 times (on iOS 11 and higher). After that the phone can only be unlocked with the PIN or password and then biometrics will be enabled again.

There is no way to set up either TouchID or FaceID without a PIN or password so the disable feature is always a last ditch fallback if you're ever worried about your security.

Hell, you can even just turn the phone off that way it will require the PIN on the next boot.
 
This isn't about normal iPhone users. This is about the jackass cokehead CEO carrying around the personal info of millions of people on his goddamn iPhone. Knowing Apple the fucktards will probably put this face crap on their laptops too.
LOL. CEOs don't carry around millions of people's personal info on their phones. CEOs don't typically have access to the databases that are exploited. If they need info, they put in a request to whomever controls those databases or has the tools to extract the required info.
Even in companies with a 1000 employees, the CEO doesn't have direct access to that info (and they wouldn't want it).
 
Not to mention that this is a very effective way for the "authorities" to be able to get into a locked phone.
Yes, but since they don't need your permission to hold your phone up to your face (regardless of whether you're alive or not), it probably doesn't matter.
 
Ars did a good write up on their research:

https://arstechnica.com/information...-apples-face-id-heres-why-were-not-convinced/

My initial assessment about this bypass still seems to hold true. It's not much of a security bypass if it required the target to make the mask.

The fact that they side-step this question is telling of just how much of a non-issue this research is:



They don't give any details whatsoever. It would seem that they would still need the correct dimensions for at least half the face. Unless they follow up with more detailed research on how a mask like this can be created without the target's knowledge, or involving them in any way, then it seems as secure as Apple claims for the time being.
Not an expert, but I'm going to guess that if you got a picture from the front and one from the side, you could probably extrapolate the info you need. Now it's possible that they'd need something in the picture that they know the size of to get the dimensions right, but I think that's doable.

For now, it's probably not something the typical thief could pull off, but I suspect this is more likely to be used by various types of spies with fairly big budgets.
 