“Touted as the iPhone X’s new flagship form of device security, Face ID is a natural target for hackers,” Taylor Hatmaker writes for TechCrunch. “Just a week after the device’s release, Vietnamese research team Bkav claims to have cracked Apple’s facial recognition system using a replica face mask that combines printed 2D images with three-dimensional features. The group has published a video demonstrating its proof of concept, but enough questions remain that no one really knows how legitimate this purported hack is.”
“Bkav claims to have pulled this off using a consumer-level 3D printer, a hand-sculpted nose, normal 2D printing and a custom skin surface designed to trick the system,” Hatmaker writes. “For its part, in speaking with TechCrunch, Apple appears to be pretty skeptical of the purported hack. Bkav has yet to respond to our questions, including why, if its efforts are legitimate, the group has not shared its research with Apple (we’ll update this story if and when we hear back). There are at least a few ways the video could have been faked, the most obvious of which would be to just train Face ID on the mask itself before presenting it with the actual face likeness. And it’s not like Apple never considered that hackers might try this methodology.”
“If you’re concerned that someone might want into your devices badly enough that they’d execute such an involved plan to steal your facial biometrics, well, you’ve probably got a lot of other things to worry about as well,” Hatmaker writes. “Prior to the Bkav video, Wired worked with Cloudflare to see if Face ID could be hacked through masks that appear far more sophisticated than the ones the Bkav hack depicts. Remarkably, in spite of their fairly elaborate efforts — including ‘details like eyeholes designed to allow real eye movement’ and ‘thousands of eyebrow hairs inserted into the mask intended to look more like real hair’ — Wired and Cloudflare didn’t succeed.”
Read more in the full article here.
MacDailyNews Take: Bkav’s claim, given Apple’s skepticism and Wired and Cloudflare failing with more elaborate mask attempts, strikes us as rather specious.
Face ID matches against depth information, which isn’t found in print or 2D digital photographs. It’s designed to protect against spoofing by masks or other techniques through the use of sophisticated anti-spoofing neural networks. Face ID is even attention-aware. It recognizes if your eyes are open and looking towards the device. This makes it more difficult for someone to unlock your iPhone without your knowledge (such as when you are sleeping). — Apple Inc., “About Face ID advanced technology”
Questions abound. Here are just three:
1. Was the person’s actual face used during Face ID setup on this iPhone X or was Face ID actually set up using the mask?
2. Was the iPhone X really not allowed to “learn” the mask (and the face) over time?
3. Was “Require Attention for Face ID” (Settings > Face ID & Passcode) disabled on the iPhone X?
These three questions, at the very least, need to be answered with actual proof, not just claims.
Until we see independent corroboration, we’re not buying it.