Employees of the Vietnamese security firm Bkav claim to have hacked the Face ID security of the latest iPhone. They managed to fool Apple's face recognition software with a mask made of plastic and silicone. The trick will have to be repeated by other researchers though, before Apple needs to worry.
For years, we had to enter a PIN code to unlock our mobile phone. Then phone manufacturers gave us fingerprint scanners, and just last week the new iPhone X hit the market, which only unlocks when it recognizes the owners face. The Apple device makes a photo of your face and compares this with the image programmed into the telephone directly when initiating it for the first time. If it finds a match between the images, then the phone is unlocked. The iPhone X is innovative in that it doesn’t just take a photo, but builds up a 3D map of your face.
But this security has a leak, claims the Vietnamese computer security firm Bkav just a week after the launch of the expensive smartphone. The company made its claim last Friday in a blog post, reported Wired. This shows us the face mask that employees made of one of their colleagues and with which the brand new iPhone X is unlocked in this video:
The mask is made largely of plastic, formed to the required facial contours using a 3D printer. The mask’s nose is of silicone rubber. The most striking thing about the mask is the eyes, as the makers used images of eyes, which they then printed out with a standard (two-dimensional) colour printer.
Easier than expected
In total, these Vietnamese specialists worked for roughly a week on this hack, using some 150 dollars (130 euros) of materials. ‘It was all much easier than we had expected. The Apple system required just half a face to recognise the user – you could even try this at home’, they write in an update to their blog post.
But the Bkav staff doesn’t think ordinary users have anything to worry about when it comes to this alleged weakness in the security of their iPhone X. The hack is far too much work and subtlety, and requires a lot of skill.
The most complicated aspect of this hack is probably recreating the facial contours of the smartphone’s owner. After all, the iPhone X scans the owner's face using infrared light. The software then compares the constructed 3D image with the scan that the owner made of his or her face when setting up the new phone. If the two images align, then the telephone is unlocked.
3D-scan of face
To fool this system, you therefore need to make a good three-dimensional scan of the face. This is becoming increasingly feasible technically, but it requires a great deal of know-how and work to do this with a manageable device. ‘The victims of such potential hacks are therefore most likely to be found among billionaires, CEOs, government leaders and secret agents,’ according to the security experts from Vietnam.
The hack of the new iPhone appears at first glance to be a major breakthrough and a blow to Apples reputation. But it's too soon to draw that conclusion. Other computer security experts must now repeat the trick. And the employees at Bkav have yet to divulge most of the technical details of their hack – these are to follow shortly.
It could be that Bkav is just playing a big game to generate a nice bit of free corporate advertising. It's possible that they have deliberately trained the telephone with a simple model of the owner's face. In this way, they might have ‘taught’ the telephone to recognise a face that looks like a mask (and not a real lifelike face). This would be cheating and erase the problem for Apple for the time being. After all, the features of a genuine human face are very complex and subtle.
Pieces of paper
However, if the hack of these Vietnamese does hold up to scrutiny, then the most striking aspect is that the telephone can be fooled by eyes of two printed pieces of paper, a security expert explained to Wired. Patents from Apple appear to suggest that Face ID also measures eye movement to ensure that only a living person can log in. But if Bkav is proved correct, then the iPhone X can be fooled by holding it up to the face of the owner while he is asleep, or even – and now we're getting all sinister – tied up or dead.
If you found this article interesting, then subscribe for free to our weekly newsletter.
Image material Bkav
Vond je dit een interessant artikel, abonneer je dan gratis op onze wekelijkse nieuwsbrief.