Earlier this month, a video from cybersecurity firm Bkav made the rounds for successfully “tricking” Face ID with a carefully constructed mask that mimicked a real person’s face. Now, the firm is back with a new attempt at tricking Face ID, showcasing a more advanced 3D printed mask…
The research firm explains that the new mask is made of stone powder with 2D infrared images of eyes taped over the mask. Thus, to Face ID, the mask mimics a real face with eyes.
In the video, seen below, Bkav’s demonstrator sets up Face ID normally with his face and shows that “Require Attention for Face ID” is enabled in Settings. This means that Face ID must detect that the user is looking at the camera in order for the iPhone X to be unlocked.
From there, Bkav successfully unlocks the iPhone X using just the 3D printed mask, even with attention detection enabled. This is because Face ID mistakenly recognizes the infrared images as real eyes.
Following its original video earlier this month, Bkav recommended that “very important people” such as national leaders be wary of using Face ID. Now, the research firm says that “casual users” should also be cautious as it does not view Face ID as “secure enough to be used in business transactions.”
“About 2 weeks ago, we recommended that only very important people such as national leaders, large corporation leaders, billionaires, etc. should be cautious when using Face ID. However, with this research result, we have to raise the severity level to every casual user: Face ID is not secure enough to be used in business transactions.”
Bkav compares the method used in its newest video to a case of a twin unlocking their sibling’s iPhone X, which we’ve seen a few instances of in the past.
The process, as simple as Bkav likes to make it sound, is still rather complex. You need a high quality image of the person whose phone you’re trying to access, as well as access to a 3D printer and various other materials, not to mention direct access to the person’s phone. All in all, Bkav estimates the process runs around $200.
The important thing to note here is that the mask has to be accurate enough to fool Face ID within the first 5 tries. If Face ID fails to recognize the face within 5 tries, it will lock and require a passcode.