
MacRumors

macrumors bot
Original poster
Apr 12, 2001



Chinese security researcher Wish Wu was set to give a talk on hacking Face ID at the Black Hat Asia hacking conference in Singapore in March 2019, but at the request of his employer, he's canceled the talk, reports Reuters.

His presentation, called "Bypass Strong Face ID: Everyone Can Deceive Depth and IR Camera and Algorithms," supposedly offered details on a way to get past Face ID on the iPhone X "under certain conditions."


Curiously, Wu says that his hack did not work on the iPhone XS and XS Max. Given that the three smartphones use the same Face ID system, it's not entirely clear why a bypass method that works on the iPhone X wouldn't also work on Apple's newer devices.

According to an abstract of the talk, Face ID was able to be hacked on the iPhone X with an image printed on a black and white printer and some tape.

Wu was asked by his employer, Ant Financial, to withdraw from the talk. Ant Financial is known for its Alipay mobile and online payments platform, which works with Face ID.
Wu told Reuters that he agreed with the decision to withdraw his talk, saying he was only able to reproduce hacks on iPhone X under certain conditions, but that it did not work with iPhone XS and XS Max.

"In order to ensure the credibility and maturity of the research results, we decided to cancel the speech," he told Reuters in a message on Twitter.
In a statement, Ant Financial told Reuters that the research on the Face ID verification mechanism is "incomplete" and would be "misleading" if it were to be presented at Black Hat Asia. Despite this, the Black Hat conference said Wu's talk was accepted in the first place because Wu "convinced its review board he could pull off the hack."

A Face ID bypass or hacking method would be major news, as the feature uses 3D facial recognition technology to prevent it from being fooled by photographs, masks, and other means.

As Reuters points out, there have been no reports of a successful Face ID hack that others have been able to replicate since Face ID was introduced in 2017. Vietnamese company Bkav posted a few videos of Face ID being bypassed with a well-made mask, but other researchers have not been able to duplicate those results.

Face ID is not infallible, however, and has issues with facial recognition with children and identical twins.

Article Link: Security Researcher Cancels Public Talk on Hacking Face ID After Employer Calls it 'Misleading'
 
More proof that Apple is the best and Android is a joke
There's no mention of Android (but I agree). This just shows that Apple's Face ID is more complex than we think it is and to be indeed bypassed, there has to be serious work involved.

But since they claim it doesn't work on the newer iPhones, why bother that much? Of course the one on the X is outdated and the Xs uses more advanced algorithms, so it's more secure, in a way.
 
There's no mention of Android (but I agree). This just shows that Apple's Face ID is more complex than we think it is and to be indeed bypassed, there has to be serious work involved.

But since they claim it doesn't work on the newer iPhones, why bother that much? Of course the one on the X is outdated and the Xs uses more advanced algorithms, so it's more secure, in a way.
Since there are endless posts of Apple hate rushing to be the first comment, I decided to rush in with love.
 
Curiously, Wu says that his hack did not work on the iPhone XS and XS Max. Given that the three smartphones use the same Face ID system, it's not entirely clear why a bypass method that works on the iPhone X wouldn't also work on Apple's newer devices.

I think you answered your own question. You assumed that the X, XS and XS Max all use the "same Face ID system". However, these phones are touting different processors, with the XS and XS Max having a newer generation, supposedly with more advanced data analysis capabilities. So while the input tech (i.e., camera, dot projector) may not have changed much, what the phones do with the scanned facial data may be entirely different inside, with the XS and XS Max having more precision in matching facial profiles.
 
If a hack was (or potentially already has been) found, wouldn't those people not necessarily want to publicize it, but instead wait for the opportunity to capitalize on it? I'm not discounting Face ID, but the group that hacked that 5c for the government, for example, was paid almost a million dollars for it.
 
I think you answered your own question. You assumed that the X, XS and XS Max all use the "same Face ID system". However, these phones are touting different processors, with the XS and XS Max having a newer generation, supposedly with more advanced data analysis capabilities. So while the input tech (i.e., camera, dot projector) may not have changed much, what the phones do with the scanned facial data may be entirely different inside, with the XS and XS Max having more precision in matching facial profiles.

Yup, I think I found some evidence of the Xs using the (new) neural engine for Face ID:


4D880DD7-1DF7-4074-85FF-678409F4FA31.jpeg
 
I'm sure it's possible to fool FaceID, but the question is how. The basic idea is to either give it the input it expects (which is the idea behind a mask) or just blast it with something that's so unexpected that the sensor says "yes."

The problem with the latter is that there is very little feedback given by the OS. You can't tell if you're warm, cold, whatever...it's just a yes/no.
 
It’s probably as “simple” as using a piece of tape to cover the dot projector, and presenting a black and white dot image of the enrolled face to the FaceID camera.

Of course, the part that’s left unsaid is where the dot image of the enrolled face would be obtained.
 
It’s probably as “simple” as using a piece of tape to cover the dot projector, and presenting a black and white dot image of the enrolled face to the FaceID camera.

Of course, the part that’s left unsaid is where the dot image of the enrolled face would be obtained.
By degrading the projections you also make them harder to detect, less likely to authenticate the face.
 
There's no mention of Android (but I agree). This just shows that Apple's Face ID is more complex than we think it is and to be indeed bypassed, there has to be serious work involved.

But since they claim it doesn't work on the newer iPhones, why bother that much? Of course the one on the X is outdated and the Xs uses more advanced algorithms, so it's more secure, in a way.

Not in a way. Again, all Apple has to do is an update and it’s done! The iPhone X he used might be on an older version for all we know. There was a video made by a Forbes group going to the UK and having a 3D print made of your exact face, and it still couldn’t gain access. What I wonder is, when you wear glasses or a hat, scarf, etc., would you be able to fool it while having it on the dummy face? Need someone to test that theory.
 
I'm about 98%. Even lying in bed, sleepy, I figured out the correct angle so that face id unlocks immediately.
I am enthusiastic about the superior technology of Apple's FaceID.
Your comment annoyed me anyway.
The more people like you weigh Apple in peace, the less this is recognized as a problem there.

The bed scenario cannot be fulfilled with Face-ID without new furniture. For a minimalist like me, it's actually an unsightly taboo. Even this scenario does not work:
e2.png

In fact, the iPhone XS needs a minimum angle of 25° (based on distance 30 cm / 12 inches and height difference to bed 20 cm / 8 inches).

To avoid buckling of the lightning connector (I don't like electro smog and slow charging) you need a kind of pedestal.

Therefore I have to deactivate FaceID for the night, because I have to run the iPhone three times on average at night. Unfortunately, there is no system setting to automatically switch back from code entry to FaceID during the day. With the fingerprint sensor on my beloved SE I never had this problem.

Update:
Of course, the system runs perfectly if you hold the iPhone in your hand and look at it... That's what you do in about 16 out of 24 hours.
But the recognition area for Face-ID is not 180° for technical reasons. The more you look sideways at the sensor, the more difficult the recognition process becomes. If you don't want to hold the iPhone in your hand, the detection horizon is not always sufficient for a flat bed with iPhone laying on the floor. Especially with the setting "Require Attention for Face ID", it's hardly solvable, even for that brilliant system. By the way, this is generally known. For the rest of us. ;-)
 
I am enthusiastic about the superior technology of Apple's FaceID.
Your comment annoyed me anyway.
The more people like you weigh Apple in peace, the less this is recognized as a problem there.

The bed scenario cannot be fulfilled with Face-ID without new furniture. For a minimalist like me, it's actually an unsightly taboo. Even this scenario does not work:
View attachment 813992
In fact, the iPhone XS needs a minimum angle of 25° (based on distance 30 cm / 12 inches and height difference to bed 20 cm / 8 inches).

To avoid buckling of the lightning connector (I don't like electro smog and slow charging) you need a kind of pedestal.

Therefore I have to deactivate FaceID for the night, because I have to run the iPhone three times on average at night. Unfortunately, there is no system setting to automatically switch back from code entry to FaceID during the day. With the fingerprint sensor on my beloved SE I never had this problem.
What problem are you discussing that I’m having that I don’t know about? As I said, I’m not having an issue, but I understand the bed is one scenario where it would be nice to have a “security kill” switch.
 
I am enthusiastic about the superior technology of Apple's FaceID.
Your comment annoyed me anyway.
The more people like you weigh Apple in peace, the less this is recognized as a problem there.

The bed scenario cannot be fulfilled with Face-ID without new furniture. For a minimalist like me, it's actually an unsightly taboo. Even this scenario does not work:
View attachment 813992
In fact, the iPhone XS needs a minimum angle of 25° (based on distance 30 cm / 12 inches and height difference to bed 20 cm / 8 inches).

To avoid buckling of the lightning connector (I don't like electro smog and slow charging) you need a kind of pedestal.

Therefore I have to deactivate FaceID for the night, because I have to run the iPhone three times on average at night. Unfortunately, there is no system setting to automatically switch back from code entry to FaceID during the day. With the fingerprint sensor on my beloved SE I never had this problem.
I agree with the original poster. I have no issues laying in bed half asleep and having face ID work. Is your situation that you feel you should be able to lay in bed without looking at the phone and be able to unlock it? You don't make it clear what the actual problem is you are having. So yes, those of us that have no issue with face ID are going to comment on how well it works for us.
 
Wu told Reuters that he agreed with the decision to withdraw his talk, saying he was only able to reproduce hacks on iPhone X under certain conditions, but that it did not work with iPhone XS and XS Max.

"In order to ensure the credibility and maturity of the research results, we decided to cancel the speech," he told Reuters in a message on Twitter.

Isn't this what the vast majority of hacks are??
 