A cybersecurity firm have apparently successfully tricked Face ID into unlocking with a specially made mask, imitating a real person’s face. The security researchers say they only unlocked the iPhone X with a real person’s face, so the iPhone could not learn false data from the mask.
How much of a security flaw this really represents is up for debate of course. Making the mask only cost $150 in materials, but required access to a detailed scan of the person’s facial features and many hours of work by artists …
The researchers say that much of the model was made using an off-the-shelf 3D printer whilst other elements like skin and nose were hand-made.
The resultant mask does not look humane at all, with only the eyes, nose and mouth area actually painted in. The researchers found that large portions of the face did not have to accurately depict the subject in order for Face ID to successfully unlock.
Apple says the Face ID system includes defences against such biometric attacks, although it doesn’t guarantee infallibility by any means. Here’s the relevant quote from the white paper:
An additional neural network that’s trained to spot and resist spoofing defends against attempts to unlock your phone with photos or masks.
The practical value of this disclosure is arguable. Face ID being fooled by a photograph is one thing, being fooled by an accurate mask is quite a high barrier.
However, it does show that a targeted attack on specific important individuals could be possible. The researchers suggest that Face ID’s weaknesses mean it should not be used by CEOs or presidents, for instance.
For the layperson, Face ID is more than secure — it is too time-consuming for someone to make a mask of this quality in order to break into one random person’s phone.
It’s also worth noting that this mask would have been made with the cooperation of the person it is mimicking, which would not be the case for an attack on a CEO for example.
Moreover, Apple can use the findings from this research to make an even more secure algorithm for Face ID to be released in future software updates.
FTC: We use income earning auto affiliate links. More.