iPhone X Face ID Again Unlocked With Mask, Even With 'Require Attention' Turned On

[Thai]

So maybe it's good enough security for most, but the fact remains it's an "innovation" that's actually less effective than the feature it's replacing, and yet Apple's charging more for it. Are the features worth the price over the 8 (or heck - even over the 6S, which is still available)? With tech, the answer to that question really should almost always and entirely be objectively clear. Over the last several years with iPhone, however, it's been largely subjective, due primarily to step releases incorporating mostly style or minor usability features (e.g., "full" screen, 3d touch, live photo) with little or no real utility.

Apple will continue on this path because people keep buying the devices (particularly with the upgrade program providing a steady stream of recurring revenue), but most of us with common sense know the ability to animate a poop emoji or sing karaoke with a cartoon unicorn avatar isn't worth $1200, and janky facial recognition, outdated wireless charging, a notched "full screen" and slightly improved photo features aren't going to tip the scale. The 8, 7 and 6S might be "uglier" and "slower," but compared to them, the X is essentially an overpriced toy.

FaceID is actually MORE capable than TouchID...more features. It allows for silencing alarms when looked at. It allows for dimming of screen if you are not looking at screen (and vice versa). And the neatest part is that it authenticates websites that you have visited in past that requires password. None of this was doable with TouchID.

So, the price difference b/w X and 8+ is ONLY for the TrueDept camera? Really?! Better camera with the MUCH NEEDED OIS on telephoto lens and wider aperture? True HDR/DV display in all its glory? Better design with better materials (316L SS vs. alum)? Better front camera system (Portrait and emoji)? These don’t count in your math?!! Is that your “common sense” working overtime here?

Oh, and your TouchID can be bypassed with PLAYDOH. No 3D printer or scanner needed!

The ignorance is quite strong with this one....

 

[Jimrod]

I have written many posts about how hard the computational problems that FaceID is trying to solve are, and thus that we should not expect miracles from it, and I've taken a lot of flak for expressing that view. Still, my reaction to this story is 'so what?'. FaceID will work securely for most people most of the time.

Whilst I think this whole mask thing is ridiculous and irrelevant, your point is exactly what many who don't approve of FaceID were on about - Such a complex computational problem that requires multiple cameras, projectors and sensors, lighting, attention, a large notch and top heavy weighting... Where before they just used a button.

It's like the old "NASA spend millions developing a pen that would write in space, the Russians used a pencil." analogy. Same for the physical home button - in order to create taptic feedback they needed to add a large vibration engine, most likely the reason for the removal of the headphone jack as space is at a premium (I don't believe marketing departments when there are more logical reasons). Personally I think the push for taptic feedback was for "home button in screen" tech which Apple didn't manage to get working and subsequently replaced with FaceID, again I don't believe FaceID was the preferred solution based on that, there seemed little point in developing it for the iPhone 7 then removing the home button in the next generation product. Occam's Razor and all that.

 

[Thai]

Whilst I think this whole mask thing is ridiculous and irrelevant, your point is exactly what many who don't approve of FaceID were on about - Such a complex computational problem that requires multiple cameras, projectors and sensors, lighting, attention, a large notch and top heavy weighting... Where before they just used a button.

It's like the old "NASA spend millions developing a pen that would write in space, the Russians used a pencil." analogy. Same for the physical home button - in order to create taptic feedback they needed to add a large vibration engine, most likely the reason for the removal of the headphone jack as space is at a premium (I don't believe marketing departments when there are more logical reasons). Personally I think the push for taptic feedback was for "home button in screen" tech which Apple didn't manage to get working and subsequently replaced with FaceID, again I don't believe FaceID was the preferred solution based on that, there seemed little point in developing it for the iPhone 7 then removing the home button in the next generation product. Occam's Razor and all that.

FaceID is actually MORE capable than TouchID...more features. It allows for silencing alarms when looked at. It allows for dimming of screen if you are not looking at screen (and vice versa). And the neatest part is that it authenticates websites that you have visited in past that requires password. None of this was doable with TouchID.

So, although FaceID replaces TouchID for unlocking and buying stuff, FaceID is actually more capable and will only GAIN capability overtime vs. a stagnant TouchID that only does one thing (and is far easier to bypassed).

 

[Smith288]

This is like proving out you can get into some guy's gym locker. Face ID isn't supposed to be NSA level security here. It's a convenience feature and needed when they made it a full screen. Nothing more.

 

[SSandy]

But again that might not work if the Face ID was setup several weeks ago. At least, hoping so.

I think your comment is the most important here. These guys just set up faceID at the moment of testing (because they had to, otherwise no one would believe the test). Hopefully, over time, faceID learns more subtle aspects of the users face. It would be interesting to see if, after using faceID for a while (with his own face), the mask trick would stop working.

Sandy

 

[KdParker]

To be fair, it sounds like these guys enjoyed an unfettered access to the phone and probably had hundreds of failures before this one mask worked. Correct me if I'm wrong, but won't the X disable Face ID after 6 odd failures (not got an X myself but I assumed it was the same logic as TouchID)?

Not only that, but how much does it cost to make one of the FaceID fooling masks.

Most of us are safe since nobody really wants to invest that much time and money into breaking into our phones.

 

[mi7chy]

Face ID is good enough for the commoners. For high profile people that require higher security they'll use iris scanner with 1 in 1.4 trillion false positive rate.

 

[Kramerjn]

Sure. Assuming the government can articulate criminal probable cause in a warrant application to search the contents of your phone and then convince a judge to sign the warrant.

I have no problem with that as that's what's required to search your home, safe deposit box, car, workplace, and any other property you may have that potentially contains evidence of a crime you have committed.

Absent a search warrant, any collected evidence from an illegal search (i.e., a search without a search warrant) would be inadmissible in a criminal trial. And I'm OK with that, as well.

Not only that, but all it takes is a few seconds of squeezing the side and either volume buttons to disable FaceID. Doesn't help with thieves or no-knock search warrants, but if you get pulled over it only takes 3 seconds.

 

[Sowelu]

I don't understand the time and effort that is put into these things. I guess they are going for views, clicks, and likes. I see no difference in duplicating someone's fingerprint to achieve the same thing with TouchID (and it would probably take less time and effort, too). FaceID is new, and different... people tend to be afraid of new and different things which usually leads to to idiotic behavior.

 

[Thai]

I posted this a few pages ago...but this "hack" looks weird.

1. He (Vietnamese guy in video) barely moved his head when scanning for FaceID. (This is Apple's fault for not making the registration process more precise or harder.) He basically just scanned his forehead and upper face.

2. What is that saying in computer: garbage in, garbage out. These guys (in videos) are pros...they know how to trick the registration process.

3. Next when placing the phone in front of the mask...notice how firm his arm is...notice the exact distance he is maintaining his arm...AND notice how he moves the phone from up to down motion.

Basically, he registered his forehead and upper face (if at all)...and the phone unlock when it scans his upper face/forehead.

This is why previous attempts failed at hacking FaceID (see WIRED article). IF you register your face correctly, then this hack is a non-issue.

Does anyone else see this??? I see a few LIKES but you agree or not?

 

[mrzz]

I thought it had a 1,000,000 in one shot of fooling it..

apple will tell you anything to get some $, they know very well that their 1/1M statement can't be reasonably verified. Anyway, if you insist on security you just have to use stronger passcode

 

[MacknTosh]

...and I bet they started months ago.

Months ago?? I doubt Apple gave them an advanced copy of the X to see if they can fool the FaceID....

 

[pat500000]

Um, the Government for one.

How will they do that?

 

[thebeans]

Yea, just ask the FBI how much it costs to do that.

That was because they didn't get it rolling quickly enough. They didn't pay to spoof TouchID. They paid to hack the phone by other means. It would be difficult for law enforcement to spoof either TouchID or FaceID before it times out and requires a passcode. Looks like it is 48 hours for FaceID. From Apple:

You might need to enter your passcode or Apple ID instead of using Face ID in these situations:

• The device has just been turned on or restarted.
• The device hasn’t been unlocked for more than 48 hours.
• The passcode hasn’t been used to unlock the device in the last six and a half days and Face ID hasn't unlocked the device in the last 4 hours.
• The device has received a remote lock command.
• After five unsuccessful attempts to match a face.
• After initiating power off/Emergency SOS by pressing and holding either volume button and the side button simultaneously for 2 seconds.
• If the device's battery is below 10%.

 

[BaltimoreMediaBlog]

Good news, next year's iPhone will have Face ID but will include a dongle for your nostril to allow you to insert a finger up your nose for ID purposes. /s

Touch ID will be back when Consumer Reports does a full review of the iPhone X. Just wait. Tick tock...
Consumer Reports already said in a first look that Face ID doesn't work when wearing a baseball cap pulled down low or in the car at a glance.
These are not limitations that Touch ID has. If you can't get Turn by Turn driving instructions to work in the car driving, what's the point?

Face ID is a gimmick compared to Touch ID which is proven working tech in many devices.

 

[Thai]

Touch ID will be back when Consumer Reports does a full review of the iPhone X. Just wait. Tick tock...
Consumer Reports already said in a first look that Face ID doesn't work when wearing a baseball cap pulled down low or in the car at a glance.
These are not limitations that Touch ID has. If you can't get Turn by Turn driving instructions to work in the car driving, what's the point?

Mine works fine in car on Lifeproof Activ holder on dash.

 

[citysnaps]

Not only that, but all it takes is a few seconds of squeezing the side and either volume buttons to disable FaceID. Doesn't help with thieves or no-knock search warrants, but if you get pulled over it only takes 3 seconds.

I guess that's good to know if your phone contains evidence of crimes you have committed and you want to evade being held accountable. Still, a search warrant signed by a judge is required it access that evidence. Otherwise, it's tossed out at trial.

 

[BaltimoreMediaBlog]

Mine works fine in car on Lifeproof Activ holder on dash.

I don't have to go to that trouble. I can just continue driving safely and blindly touch the iPhone with my finger without running off the road.

I'm only repeating what Consumer Reports already said in its first look.
And that still doesn't explain the HAT problem. Can't wear hats! LOL

Go attack them. They said it.

 

[FelixDerKater]

Extra points with the algorithm for that little mustache.

 

[jclardy]

This video was much more impressive, but doesn't really worry me much, given you need a precise recreation of my face, my phone in your possession, and hope that it actually works on one of the 5 tries you have to unlock it (given he precisely positions the phone in a specific spot makes me think this was shot many times before getting it right.)

Also there is a question of training...does Face ID become more accurate or just more forgiving over time, meaning if I setup my iPhone 2 months ago could this even work.

 

[thebeans]

Playdoh is not considered equipment average person would have?

Because Playdoh can be used to bypass TouchID!

Yes if you have a mold of the person's finger. Not just a fingerprint, such as would be lifted from the phone itself or a glass or something. If you can get a mold of the person's finger, just use their finger to begin with. That's the thing with all these "hacks". They are interesting and point out interesting characteristics of TouchID / FaceID. But to truly be a hack, you need to be able to take a locked phone and unlock it by creating a fake finger or mask after the fact and without access to the owners face or finger other than you would have in a real world scenario. You need to do it by lifting their fingerprint off something they have touched and creating a fake finger for TouchID or taking a photo of them from some distance and creating a mask that works. All before the phone times out and requires a passcode. Can it be done? Sure, if everything goes just right and you have the correct equipment. But it is not as easy as just getting a blob of Playdough and going to work.

 

[BWhaler]

Sorry, didn't get that complaint. Shall I look for it on the web ?

Sorry, I don’t understand. Can you clarify?

 

[Thai]

I don't have to go to that trouble. I can just continue driving safely and blindly touch the iPhone with my finger without running off the road.

I'm only repeating what Consumer Reports already said in its first look.
And that still doesn't explain the HAT problem. Can't wear hats! LOL

Go attack them. They said it.

Well, if you wear your hat down covering your eyes, then yeah. But hat is not an issue. Many YouTube’s for you to see instead of just rehashing that.

Actually, for FaceID in my car, i just glance at it and it unlocks.

 

[M.PaulCezanne]

FaceID is actually MORE capable than TouchID...more features. It allows for silencing alarms when looked at. It allows for dimming of screen if you are not looking at screen (and vice versa). And the neatest part is that it authenticates websites that you have visited in past that requires password. None of this was doable with TouchID.

So, the price difference b/w X and 8+ is ONLY for the TrueDept camera? Really?! Better camera with the MUCH NEEDED OIS on telephoto lens and wider aperture? True HDR/DV display in all its glory? Better design with better materials (316L SS vs. alum)? Better front camera system (Portrait and emoji)? These don’t count in your math?!! Is that your “common sense” working overtime here?

Oh, and your TouchID can be bypassed with PLAYDOH. No 3D printer or scanner needed!

The ignorance is quite strong with this one....

Lol. Have fun with your toy.

 

[eoblaed]

Love my FaceID (wasn’t sure that I would), and I love that people like this make these discoveries and post about them.

As ridiculously unlikely as it is that anyone would ever use this method to get into anyone’s phone maliciously, it only means FaceID will get better and better for it.