We wouldn’t worry about someone spoofing your iPhone X’s Face ID with an elaborate mask

“Touted as the iPhone X’s new flagship form of device security, Face ID is a natural target for hackers,” Taylor Hatmaker writes for TechCrunch. “Just a week after the device’s release, Vietnamese research team Bkav claims to have cracked Apple’s facial recognition system using a replica face mask that combines printed 2D images with three-dimensional features. The group has published a video demonstrating its proof of concept, but enough questions remain that no one really knows how legitimate this purported hack is.”

“Bkav claims to have pulled this off using a consumer-level 3D printer, a hand-sculpted nose, normal 2D printing and a custom skin surface designed to trick the system,” Hatmaker writes. “For its part, in speaking with TechCrunch, Apple appears to be pretty skeptical of the purported hack. Bkav has yet to respond to our questions, including why, if its efforts are legitimate, the group has not shared its research with Apple (we’ll update this story if and when we hear back). There are at least a few ways the video could have been faked, the most obvious of which would be to just train Face ID on the mask itself before presenting it with the actual face likeness. And it’s not like Apple never considered that hackers might try this methodology.”

“If you’re concerned that someone might want into your devices badly enough that they’d execute such an involved plan to steal your facial biometrics, well, you’ve probably got a lot of other things to worry about as well,” Hatmaker writes. “Prior to the Bkav video, Wired worked with Cloudflare to see if Face ID could be hacked through masks that appear far more sophisticated than the ones the Bkav hack depicts. Remarkably, in spite of their fairly elaborate efforts — including ‘details like eyeholes designed to allow real eye movement’ and ‘thousands of eyebrow hairs inserted into the mask intended to look more like real hair’ — Wired and Cloudflare didn’t succeed.”

Read more in the full article here.

MacDailyNews Take: Bkav’s claim, along with Apple’s skepticism and Wired + Cloudflare failing with more elaborate mask attempts, strikes us as rather specious.

Face ID matches against depth information, which isn’t found in print or 2D digital photographs. It’s designed to protect against spoofing by masks or other techniques through the use of sophisticated anti-spoofing neural networks. Face ID is even attention-aware. It recognizes if your eyes are open and looking towards the device. This makes it more difficult for someone to unlock your iPhone without your knowledge (such as when you are sleeping). – Apple Inc., “About Face ID advanced technology”

Questions abound. Here are just three:

1. Was the person’s actual face used during Face ID setup on this iPhone X or was Face ID actually set up using the mask?

2. Was the iPhone X really not allowed to “learn” the mask (and the face) over time?

3. Was “Require Attention for Face ID” (Settings > Face ID & Passcode) disabled on the iPhone X?

These three questions, at the very least, need to be answered with actual proof, not just claims.

Until we see independent corroboration, we’re not buying it.

Cybersecurity firm tricks Apple’s Face ID with painstakingly built 3D mask – November 13, 2017


  1. It even seems likely that, possibly unintentionally, they showed the mask, and when it didn’t unlock they entered the passcode, teaching the neural network that this is a trusted face. Over and over until they used the machine learning to learn the mask’s face. What I don’t believe is that it is remotely possible to trick the system that a flat printed paper represents the contours of a real face. The projection system would pick up on the mathematical surface model immediately and reject it.

  2. Wait so let me get this straight. They are going to get me to sit still long enough to take a mold of my face, 3D print that, find someone talented enough to perfectly mold my nose and THEN get someone to make perfectly crafted skin all to get pictures of my dog?

    This is some Mission impossible stuff here.

    I’m so worried, even if true. NOT…

  3. Face ID uses a 3D IR (heat) image of one’s face.
    Hard to see how a cold 3D image, without any warm blood flowing through it, could trick Face ID into unlocking an iPhone 📲. Also, Face ID doesn’t work with eyes closed—an image doesn’t have real eyes 👀.

    1. Actually, it’s not a 3D heat image that’s being used but 30,000 infrared dots projected on your face with slightly different angles and then the Apple Neural Network calculates the reflected differences picked up by the 3D infrared sensor to calculate a 3D map. This map is then converted to a digital code which is stored in the Secure Enclave. It’s redone every time you look to unlock your iPhone and compared with the one in memory, which, if sufficiently similar, unlocks the device, and then can be updated to improve accuracy.

  4. Trying hard to prove 3D Face ID is a failure. Samsung’s version of face recognition was fooled by a photograph and hardly anyone cared. Fortunately, for Apple, this elaborate attempt at showing Face ID can be beaten isn’t going to hinder iPhone X sales.

    1. My guess is no one cared since Samsung never promoted their version as the primary unlock method. By this time customers that have been keeping up with the features lists of smartphones know Samsung keeps trying new features whether they work well or not just getting the idea out there. Impressions may also be different since Apple is rumored to only release ‘perfect’ (or nearly so) ‘new’ features.

      1. Well you also have to consider that neither Touch ID nor Face ID has ever been considered “primary” authentication. People still need a passcode. They both have been called “convenience” forms of unlocking phones. Apple’s goal was to make it easy for people WHO DO NOT even set up a passcode, to do so and still have a relatively easy way to unlock their phone. When Apple first introduced Touch ID, 80% of their customers left their phones completely unlocked, because entering a passcode 1,000 times a day was a pain. After Touch ID, those stats flipped.

    1. There are slews of things that are unnecessary if you want to get right down to it. You don’t really need a smartphone, a flip phone will do, right? As long as it remembers the phone numbers so you don’t have to? How many other things do you have you don’t really need? The list could be long…

      Face ID first generation is working pretty well and will only get better. As far as I am concerned it resolves a number of issues with Touch ID. Much more reliable, and all these attempts to fool it are either fake or improper setup to begin with.

  5. Well, just how precise must the mask be to overcome Apple security?

    Is a secondary method of user identification needed to preserve security?

    Is the reliance on a singular method needed to ensure security?
