Hackers Claim to Defeat iPhone X 'Face ID' Authentication3D Printer Plus Handmade Nose Equals Bad Day for Apple Biometrics?
The face-off between security researchers and the latest biometric authentication techniques continues, with a group from Vietnam claiming to have fooled the facial-recognition system, called Face ID, that's built into Apple's latest iPhone.
See Also: How Can Mobile Banking Apps Fight Back?
Face ID allows a user to unlock their iPhone X, make purchases from various Apple digital stores and authenticate Apple Pay transactions to pay using stored payment card data.
Researchers from Vietnam-based information security firm Bkav say that since they first obtained an iPhone X on Nov. 5, they've been working nonstop to find a way to bypass the Face ID feature.
On Friday, the researchers claimed to have been successful, and they published a video demonstrating their "proof of concept" hack, saying that Face ID is "not as secure" as Apple has suggested.
"The mask is crafted by combining 3D printing with makeup and 2D images, besides some special processing on the cheeks and around the face, where there are large skin areas, to fool [the] AI of Face ID," says Ngo Tuan Anh, Bkav's vice president of cybersecurity. His face was used as the model for the mask and then to unlock an iPhone X on which his face had been registered with Face ID.
Apple didn't immediately respond to a request for comment.
A Face Made for Authentication
When Apple announced the iPhone X at an event on Sept. 13, it claimed that there is only a one in a million chance that the wrong face could be used to unlock Face ID and said that the feature could not be fooled by masks.
But Bkav claims that it has found a fake face fix that does the trick. The company says its recipe combines a handmade silicone nose that the company commissioned - it required unspecified tweaking before working - plus printouts from a 3D printer as well as two-dimensional printouts and handmade artwork, especially for the skin.
The total cost of materials was $150, Bkav says.
The company says potential targets of this type of attack could be "billionaires, leaders of major corporations, [national] leaders.".
No Longer 'Mission Impossible'
Having a team of researchers go to "Mission Impossible" lengths to craft a fake face that can be used to fool Apple's Face ID might seem to be an unlikely threat.
Attackers would need to gain physical access to a powered-on iPhone X as well as launch a successful attack within 48 hours. That's because Face ID has the same timeouts as Apple's Touch ID feature. A user's passcode or password must be entered after any restart, if 48 hours have elapsed since the device unlocked or if there have been more than five unrecognized access attempts in a row. Users can also remotely disable Face ID if they lose their iPhone.
But as Bkav emphasizes, applying their knowledge about how the iPhone X attempts to verify a face allowed them to put together a mask that defeated that system after just five days of work.
"It just goes to show that biometrics are still not the panacea that some hope they will one day become," says Alan Woodward, a professor of computer science at the University of Surrey. "And until all of these wrinkles are out of biometrics, we have the problem that once copied, unlike passwords, you can't change it."
Expect Apple to issue an update for the Face ID software or new generations of the iPhone with hardware designed to block these circumvention techniques. But biometrics remains a cat-and-mouse game (see Biometrics: Advances Smack Down Workarounds).
"These hacks may be made more expensive to mount, but the problem is that once successful, the biometric effectively becomes useless for that individual, Woodward says. "It makes an excellent way of hacking high-value targets - something criminals are doing in increasing numbers."
Until biometrics can be made perfect, Woodward recommends users rely on tried-and-true security defenses.
"I suspect it will be a long time before we have a universally acceptable biometric, or any other single form of access control," he says. "Until then, we really do need to take two-factor authentication as the benchmark."