![]()
Since the iPhone X launched earlier this month, people have been attempting to fool Face ID, the new biometric facial recognition feature built into the device as a primary security feature. Face ID has thus far been tricked by
twins,
children, and even a mask.
Vietnamese security company Bkav
made headlines in mid-November after uploading a video featuring Face ID accessed by a mask, but there were several questions about the unlocking methods used in the video, including whether "Require Attention" was turned on. Today, Bkav shared a second video with a new mask and a clearer look at how the mask was used to spoof Face ID.
As described in an accompanying
blog post, Bkav used a 3D printed mask made of stone powder, which cost approximately $200 to produce. 2D infrared images of eyes were then taped over the mask to emulate real eyes.
Bkav reset Face ID on camera and then set it up anew with the demonstrator's face. "Require Attention for Face ID" and "Attention Aware Features" were both shown to be enabled on the iPhone X. For those unaware, "Require Attention for Face ID" is meant to add an extra layer of security by requiring you to look at your iPhone to use Face ID, and it's one of the features that's supposed to prevent Face ID from unlocking with a mask, with a photograph, or when you're looking away from your phone.
After activating Face ID, the Bkav demonstrator unlocks the iPhone X normally with his own face, and then unlocks it once again with the mask. The mask appears to be able to unlock the iPhone X right away, with no failed attempts and no learning, as Face ID was set up from scratch just before the test. The mask's 2D infrared eyes also appear to fool the "Require Attention for Face ID" setting.
Bkav claims the materials and tools used to create the mask are "casual for anyone" and that Face ID is "not secure enough to be used in business transactions," but it's worth noting that fooling Face ID in this way requires a 3D printer, several hundred dollars worth of materials, physical access to a person's iPhone X, and detailed facial photographs that can be used to reconstruct a person's face. Even then, if the 3D printed mask and the design of the infrared eyes aren't perfect, Face ID will fail after five attempts.
Bkav believes Face ID is less secure than Touch ID because it's easier to capture photographs from afar than it is to obtain a fingerprint, but this is still a very complex replication process that the average user does not need to be concerned with.
Apple's Face ID security white paper [
PDF] outlines several scenarios where Face ID has a higher probability of being fooled, including with twins, siblings that look alike, and children under the age of 13, but masks are of particular interest because Face ID features a neural network that was "trained to spot and resist spoofing" to protect against "attempts to unlock your phone with photos or masks." From
Apple:When Touch ID, Face ID's predecessor, was first released in the iPhone 5s in 2013, there were many similar demonstrations of how it could be
fooled with a fake fingerprint, but there's little evidence that these methods were ever used to unlock devices in the real world on a wide scale basis, and it turned out to be something most iPhone users did not need to worry about. The same is likely true of Face ID.
Apple has made several improvements to Touch ID over the years, making it faster and more accurate, and similar improvements will undoubtedly be made to Face ID in the future. In the meantime, while Face ID can be fooled by a twin or a complicated facial replication process, it's largely secure for most users and has received
mostly positive reviews for its security and ease of use.
Article Link:
iPhone X Face ID Again Unlocked With Mask, Even With 'Require Attention' Turned On
