10-Year-Old Unlocks Face ID on His Mother's iPhone X as Questionable Mask Spoofing Surfaces

[dude-x]

How does that make any sense? Isn’t your face scanned with infrared light from the phone itself?

It may not make sense that ambient lighting affects the quality, but it may make sense that it uses the TrueDepth sensor and the FaceTime HD camera to discern details other than depth.

I notice my X has a few failures in unlocking when I turn off the lights in my bedroom and the distance is right.

 

[newyorksole]

Well thats cleared that up then. If Apple says its fine, its fine. Panic over.

Dont worry if you've blown a grand on this phone they'll get it right next year, just give them another $1000.

Lmao I’m sure people give Apple WAY more more than that on the other products they buy. Face ID IS secure. Do you ever leave your phone around randomly and worry that someone with a 3D model of your face can get into it? No.

Someone can also guess your passcode too. Are you worried about that? All of that people that I demoed Face ID for are NOT able to get into my phone.

Stop making it sound like Face ID isn’t secure.
[doublepost=1510720570][/doublepost]

Where did I post that I was worried?

I have reservations about it, so I use it with some caveats. As an aside, I feel there is absolutely nothing wrong with people treating security seriously.

It seems like everyone is so worried and up in arms because apparently if you leave your phone laying around someone can use a 3D model of your face and *possibly* get into it. It just sounds ridiculous.

If someone sat around randomly typing in my 6 digit passcode then that can be just as “insecure” as me leaving my phone somewhere and someone going thru the hassle of printing a 3D image of my face.

 

[califlorida]

IMHO this is a well written article on Face ID that anybody curious should read

https://www.google.com/amp/s/www.imore.com/face-id?amp

 

[Benjamid]

Hmm, no biggie for me. It is a bit worriesome though since you can guess how might be able to unlock your phone based on looks while with touch id you would have to find someone totally random. For example if got Hilary Clintons phone I would have to find a doppelganger of her. Seems much easier than looking randomly for someone with a similar fingerprint.

 

[kstotlani]

FaceID is the worst for security. #1 Passcode #2 TouchID #3 FaceID which in my personal opinion is just a gimmick. Apple was pressured to put a new piece of tech in a phone and we got FaceID. TouchID under the screen would have been a lot more WOW / impressive to me at least. What's next VoiceID?

This is the right question. It’s a great technology but was it needed. It’s inventing a space pen when a pencil would have been fine. Only if Face ID leads to some sort of augmented reality projection of your face etc. but I don’t think this technology is there yet. If the true depth camera system is only a way of authenticating then there was no need for such a system which led to that ugly notch. I love Apple but some decisions like the touch bar on Mac and now Face ID don’t seem completely thought out. I know Face ID is here to stay at least for the next 2-3 generations but if there aren’t more applications for it then this was just a forced technology. Some times it would be good if Apple execs really gave non cryptic interviews of the vision of a product.

 

[Wowereit]

Do we know how the phone was trained, and how much time it was used before it given to her son? If the password was ever entered just before the device saw his face for the first time?

Like the mask, it lacks full context.

I have managed to scan 2 faces.
Did take about 7 or 8 tries until it worked, but at the end both were able to unlock the device in some cases.
Was that working reliable? No.
Was it working good enough to make a video after a few fails? Sure.

 

[Unregistered 4U]

I have managed to scan 2 faces.
Did take about 7 or 8 tries until it worked, but at the end both were able to unlock the device in some cases.
Was that working reliable? No.
Was it working good enough to make a video after a few fails? Sure.

Sounds like a sure fire million views money making opportunity to me!!

 

[BvizioN]

Apple and apologists could positive spin it as a 'family emergency access' feature.

On the opposite side, haters would do the opposite thing. Portray Face ID as a faliure based on a YouTube video. And they really love that, don’t they?

 

[C DM]

As much as you guys put down on Samsung's iris scanner and fingerprint reader....all i can do is just laugh Everyone is hacking Face ID.......only took a week

It's fun to just ignore pages and pages of discussion.

 

[bmwman3241]

I am able to unlock both of my dads iPhone X's with FaceID. One works flawlessly and unlocks every time and one takes a few tries.
Had him try to unlock my iPhone X with FaceID but no luck.

 

[FelixDerKater]

In an optimum setting, both FaceID and TouchID would have been combined for layered security...

 

[uiterlix]

Face ID is a hell of a lot better than entering a password, and much easier than using Touch ID. If I lose my phone, It will keep people out until I can remotely wipe it. Not concerned at all.

Is it that hard to put your finger on the home button? Glad Apple finslly sorted that then...

This thread is another typical adopters versus non-adopters discussion, with the adopters fiercely defending their purchase and the non-adopters their postponed or non-existent purchasing intents. All just a waste of enery, as is this reply...

 

[charlituna]

Cook said in the keynote that family members could end up matching on each others phones, especially twins etc. so this kid and Mom matching is not really a shock.

and given that the mask was made to look like the guy it was basically a twin scenario and again not a shock

 

[thering1975]

With reference to the mask test. Doesn't matter how close it looks to the originator the point it makes them appear like a twin should be irrelevant

Apple states

"Face ID matches against depth information, which isn’t found in print or 2D digital photographs. It's designed to protect against spoofing by masks or other techniques through the use of sophisticated anti-spoofing neural networks"

So I guess that's just a load of Pr bull which is forgotten if proven incorrect

 

[ascender]

There's clearly going to be gangs of under 12s rampaging the streets looking for iPhone X's to steal and break in to. Be on your guard people!

 

[sdz]

makes absolute sense. Typing in my 16 digit alphanumeric symbolized password while trying to checkout with apple pay at a register. Make as much as sense as paying $1k+ for a phone.

People behind you will love you

 

[himanshumodi]

According to the article in Wired, when the mother rescanned her face in better lighting, her son was not able to unlock the phone. Anyway, this is first gen tech. Imagine the 2nd or 3rd gen of FaceID!

Isn't the face scanning Infra red and independent of the lighting conditions?

 

[savvycomdev]

Hm, I dont know what is true or false, but BKAV explain for this hack technique:

• Require Attention.
• FaceID only receives the mask at a fixed angle, you change it is no longer recognizable. This is understandable because the security nature of FaceID is still very good
• The BKAV says they are only trying to show that FaceID has a potential vulnerability, the proof of concept, but the actual attack will be difficult because it requires a variety of factors, The machine comes to prototype and test, lighting conditions. They have built some possible attack scenarios with FaceID but will not share them with the public but only share them with the manufacturer to fix them.
• When I try to use a new iPhone completely learning the surface of the owner and then scan the mask it does not receive. BKAV said it would receive it but they would have to re-calibrate the mask or adjust the angle of the iPhone accordingly. This can also be understood as mentioned above. According to the BKAV, it took them 3 days to create the final mask, successfully testing all but 8-9 hours now. It may be shorter.
• Thursday, I tried reset FaceID, so it scanned the mask as a sample instead of scanning people. This will get the mask but not the person. This shows FaceID is wrong right from the sampling operation, as it should not allow masking. Actually, this does not affect the use, because no one is going to take the mask to be the sample, just try it.
• Lastly, for your question about whether BKAV has an iPhone X mask to cheat people or not, I think not. Because when we try to learn the mask, the iPhone X will unlock in many different angles, while their demo only get in the right place.

ANyone test it and show your opinion?

 

[smacrumon]

Easy to replicate

setup Face ID
make sure it works for you
now pass to sibling/child, it will fail to unlock.
have them hold the phone and put in passcode
now, they can unlock with Face ID.

The only caveat is that they have to at least somewhat resemble you so that the iPhone temporarily adds their face scan as additional data to the initial scan

This is detailed in the Face ID white paper.

Well if that is the case, clearly you can see the FaceID system is completely flawed. Following the same method with a TouchID device will not allow someone to unlock it.

What I would like is an iris scan if its safe. It would be similar to FaceID in its method of use, but just like TouchID, the iris is unique and not easily fooled like the FaceID.
[doublepost=1510737187][/doublepost]

Face ID can be tricked. When you intentionally trick it...
Like I said. More to the story. Or, maybe I just like to think independently.
You should read up on how exactly Face ID works. Not just the setup process.
Well...maybe read up on how two similar faces could be used during the setup, since the phone does two scans.
Also, I wonder why no one shows the part where they set up Face ID (it takes a few seconds) then hand the phone to the other person.
Hmmmmmm

It's not a very good system, too many caveats, too finicky to set up.
IrisID. Now that would be best.

 

[Fiachers]

You can’t have everything. Sorry.

There are opportinuty costs in life. Want convenience with some security? Use Face ID. Want total security? Use a long alphanumeric password. Want pure, unadulterated security? Get off the grid.

Actually you pretty much can, if you use TouchID. You're just avoiding the substance of the point here, which is that FaceID is not nearly as secure as we have been led to believe.

Sorry.
[doublepost=1510737574][/doublepost]Crafting a fake thumb to fool Touch ID is one thing. A family member's face unlocking Face ID is another.

 

[DeepIn2U]

Do we know how the phone was trained, and how much time it was used before it given to her son? If the password was ever entered just before the device saw his face for the first time?

Like the mask, it lacks full context.

Moreover I’m curios how many or less success, if we agree these instances are 100% legit, occur as the Bionic chip learns more of the authorized face to unlock. I’m hoping further review of those that posted these failed videos are done.

 

[djgamble]

Regardless if true or not, in practical real world usuage, Face ID is not more secure than Touch ID. Facts.

Or a password (including a 4 digit number). I dunno if the tech has improved but if it’s anything like iPhoto’s, then a cardboard cut-out of Obama can unlock my friend’s phone. And uuum... yeah... my brother could unlock my wife’s (he’s Italian and in his 40’s, she’s Vietnamese and in her 20’s FWIW).

 

[Marshall73]

Well if that is the case, clearly you can see the FaceID system is completely flawed. Following the same method with a TouchID device will not allow someone to unlock it.

What I would like is an iris scan if its safe. It would be similar to FaceID in its method of use, but just like TouchID, the iris is unique and not easily fooled like the FaceID.
[doublepost=1510737187][/doublepost]
It's not a very good system, too many caveats, too finicky to set up.
IrisID. Now that would be best.

Flawed? You need to put your code in. and it only temporarily remembers the additional data if the code is entered immediately after the failure.

 

[Ploki]

it's new tech. First iteration of touchID compared to iPhone 8 or 7 is abyssmally slow and inaccurate. + you can always use a pass if you're so concerned.

also, this is not supposed to be a vault lock.

 

[Sevendaymelee]

Regardless if true or not, in practical real world usuage, Face ID is not more secure than Touch ID. Facts.

And touch ID not as secure as a password. But it's faster, right? That's all consumers ever care about... convenience. It's the holy grail.