iPhone X Face ID Again Unlocked with Mask, Even with “Require Attention” Turned On

Megalith

24-bit/48kHz
Staff member
Joined
Aug 20, 2006
Messages
13,003
Vietnamese security company Bkav made headlines in mid-November after uploading a video featuring Face ID accessed by a mask, but there were several questions about the unlocking methods used in the video, including whether "Require Attention" was turned on. Now, Bkav has shared a second video with a new mask and a clearer look at how the mask was used to spoof Face ID.

Bkav claims the materials and tools used to create the mask are "casual for anyone" and that Face ID is "not secure enough to be used in business transactions," but it's worth noting that fooling Face ID in this way requires a 3D printer, several hundred dollars’ worth of materials, physical access to a person's iPhone X, and detailed facial photographs that can be used to reconstruct a person's face. Even then, if the 3D printed mask and the design of the infrared eyes aren't perfect, Face ID will fail after five attempts.
 

Paladin21

Gawd
Joined
Jun 22, 2004
Messages
529
I think it's also fair to assume that people (criminals, government, whatever) who are interested in this method will almost certainly have access to a 3d printer and a decent camera. The remark about requiring physical access is just...odd. If you want to call that a "deterrent", then having no locking feature at all has security because they still need your phone. Is this ever going to be a widespread problem? Almost certainly not. It does show that the security isn't as great as claimed though, and should you and/or your business transactions prove to be worth the time and effort involved then you should perhaps think about using a different security system on your phone.
 

Ocellaris

Fully [H]
Joined
Jan 1, 2008
Messages
19,080
I think it's also fair to assume that people (criminals, government, whatever) who are interested in this method will almost certainly have access to a 3d printer and a decent camera. The remark about requiring physical access is just...odd. If you want to call that a "deterrent", then having no locking feature at all has security because they still need your phone. Is this ever going to be a widespread problem? Almost certainly not. It does show that the security isn't as great as claimed though, and should you and/or your business transactions prove to be worth the time and effort involved then you should perhaps think about using a different security system on your phone.

Tap the power button five times when you get arrested, then the cops need your passcode.
 

Paladin21

Gawd
Joined
Jun 22, 2004
Messages
529
Again, I'm not saying it's worthless or there aren't ways to work with the system, I'm saying that it isn't as bulletproof as advertised and consumers should realize this. Also, do you really want to trust your privacy against law enforcement to having time and presence of mind to hit the button? I can think of all sorts of scenarios in which that might not be the case (or you get shot/tased for failing to drop your crap and put your hands up).

There's no perfect security. This demonstrates flaws in FaceID. Consumers should be aware of this and know what the security parameters actually are instead of just blindly accepting the marketing-speak about how unbreakably awesome it is.
 

Vermillion

Supreme [H]ardness
Joined
Apr 5, 2007
Messages
4,369
I think it's also fair to assume that people (criminals, government, whatever) who are interested in this method will almost certainly have access to a 3d printer and a decent camera. The remark about requiring physical access is just...odd. If you want to call that a "deterrent", then having no locking feature at all has security because they still need your phone. Is this ever going to be a widespread problem? Almost certainly not. It does show that the security isn't as great as claimed though, and should you and/or your business transactions prove to be worth the time and effort involved then you should perhaps think about using a different security system on your phone.

Don't even need a decent camera as the people likely targeted for this are out in public a lot anyways. Hey I just stole Jennifer Lawrence's cellphone! Let's visit Google Image Search! Plenty of photos around to reconstruct the face of celebs and other important people. So all you really need is a 3d printer and a stolen phone.
 

viper1152012

[H]ard|Gawd
Joined
Jun 20, 2012
Messages
1,025
Why 3d print when a manequin head and some clay will do?

Dang kids and their fancy spool medium printers. Spirograph from jelly I say
 

raz-0

Supreme [H]ardness
Joined
Mar 9, 2003
Messages
4,933
Why 3d print when a manequin head and some clay will do?

Dang kids and their fancy spool medium printers. Spirograph from jelly I say

Well clay won't do. In the previous video the guy pointed out that the mask was shaped from multiple 2d image sources and then dicked with with the silicone skin that looks liek an attempt to replicate bandages to me. This one they specifically omitted that and the mask looks of MUCH higher quality and accuracy. I suspect beyond the fact you aren't 3d printing in stone as they mentioned on some cheap 3d printer, that they have also added 3d scanning to the process as well as adding infrared imaging to the process.
 

hamm3rhead

Gawd
Joined
Jul 14, 2004
Messages
537
Wouldn't police or a robber just point the phone at your face after they carefully clubbed the back of your skull? Never the front, duh.
 
Joined
Aug 3, 2017
Messages
794
remember when you're a kid and you watched spy movies where iris ( and face) scanners are mentioned to be able to detect capillaries and blood flow, so as to not be easily fooled.

this so called problem and fix had been thought of how many decades before now?
 
Top