Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Iphone Apple Technology

Hackers Say They've Broken Face ID a Week After iPhone X Release (wired.com) 252

Andy Greenberg, writing for Wired: When Apple released the iPhone X on November 3, it touched off an immediate race among hackers around the world to be the first to fool the company's futuristic new form of authentication. On Friday, Vietnamese security firm Bkav released a blog post and video showing that -- by all appearances -- they'd cracked Face ID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which in combination tricked an iPhone X into unlocking. That demonstration, which has yet to be confirmed publicly by other security researchers, could poke a hole in the expensive security of the iPhone X, particularly given that the researchers say their mask cost just $150 to make. But it's also a hacking proof-of-concept that, for now, shouldn't alarm the average iPhone owner, given the time, effort, and access to someone's face required to recreate it. Bkav, meanwhile, didn't mince words in its blog post and FAQ on the research. "Apple has done this not so well," writes the company. "Face ID can be fooled by mask, which means it is not an effective security measure."

Hackers Say They've Broken Face ID a Week After iPhone X Release

Comments Filter:
  • by zantafio ( 5009115 ) on Monday November 13, 2017 @09:08AM (#55539825)
    .... ain't all asian all look alike anyway?
  • Noit a secret (Score:2, Informative)

    by Anonymous Coward

    Authentication is predicated upon knowing a secret, which your face isn't

    • Re:Noit a secret (Score:4, Insightful)

      by tripleevenfall ( 1990004 ) on Monday November 13, 2017 @09:49AM (#55540041)

      Exactly. Apple seems to have thought public information would make a better key than a secret, which is the opposite of security.

      • Re:Noit a secret (Score:5, Interesting)

        by Austerity Empowers ( 669817 ) on Monday November 13, 2017 @09:54AM (#55540063)

        I guess if someone manages to make a mold of my face, I've got bigger problem than someone accessing the (wishful thinking) nudes on my phone.

        The only scenario that matters here is a hacker getting sufficient information to construct this mold without the user knowing, and then lifting the phone by conventional means to break it. I don't think casual thieves are going to be able to pull this exploit off, which is adequate protection for a phone. Maybe I wouldn't use this (and only this) to guard nuclear launch codes.

        • Re:Noit a secret (Score:4, Insightful)

          by bluefoxlucid ( 723572 ) on Monday November 13, 2017 @09:56AM (#55540077) Homepage Journal

          We can use two photographs of your face as a stereoscopic image, then composite a 3D model.

        • Re: (Score:3, Informative)

          by Narcocide ( 102829 )

          Did it occur to you that all casual thieves would need to collect this data is another iPhone?

        • Re:Noit a secret (Score:4, Insightful)

          by pr0fessor ( 1940368 ) on Monday November 13, 2017 @10:28AM (#55540303)

          I'm guessing it would be easier to use your real face than creating a model or trying to beat a pin number out of you. I'm not seeing how this is good security.

          I'll take your wallet and your phone, now hold still while I use your face to unlock your phone.

          • In either case you can press the power button 5 times quickly to disable TouchID and require the passcode to be entered.
            • Still easier to beat the passcode out of you than to try and break it...

            • So I run up behind you and beat you in the head 5 times before you can even think of pressing the power button once.




              Then I unlock your phone using your unconscious face.
              • by Brannon ( 221550 ) on Monday November 13, 2017 @01:03PM (#55541285)
                If it is no worse than a thumbprint, then why is it news? We've had fingerprint based unlocking for years--did you just now find out about it?.

                Also, FaceID doesn't work if you're unconscious.

                Also, if somebody is willing to beat you to death to get into your locked phone, then what form of security is going to stop that?

                It seriously took 10 seconds to completely destroy your argument, maybe try harder next time.
                • If it is no worse than a thumbprint, then why is it news?

                  If it's no better than a fingerprint, then why is it needed? And it is worse than a fingerprint: twins [gadgethacks.com] can't fingerprint-unlock each others' phones. Hell, even non-twin adult siblings can face-unlock the same phone [qz.com]. And you can only put one face in the phone, so no, they didn't do it by putting both faces in the phone.

                  Also, FaceID doesn't work if you're unconscious.

                  Got a citation for this? There's a mode that requires "attention" (e.g. open eyes), but it is not the default. Without that setting being enabled, your iPhone X will unlock if your eyes are cl

                  • ugh... "knocked out", not "being unconscious" which, of course, includes "sleeping". My fault for not proofreading.
      • In fairness, the quality of biometric security isn't wholly dependent on the information being secret. As much as anything, it's a question of how easily the sensors can be fooled.

      • Does she give you a secret passcode when you pick her up from daycare? No? Then how do you know that she's not an imposter? After all, her appearance is public knowledge.

        Here's how:
        1. trusted authentication hardware/sensors : You trust your own eyes, you are pretty certain that no one has done a MIM attack in the path from your visual cortex to the child's face.
        2. weighing cost-to-defeat vs. benefit : sure it's possible to find another child and do elaborate plastic surgery or a mask, but that's a fant
    • Authentication is predicated upon knowing a secret, which your face isn't

      Authentication has nothing inherently to do with secrets. It's merely the act of proving you are who you say you are or verifying some other fact. In some cases secret information can aid in this or make it more dependable but most authentication is actually done with publicly available non-secret information. People recognize your face on a daily basis which is the most basic form of authentication. Sometimes it is useful to layer a secret passcode onto some item you possess or some bio-metric identifi

  • by Camembert ( 2891457 ) on Monday November 13, 2017 @09:15AM (#55539847)
    If you remember, Touchid was similarly soon broken, and it also required quite some commitment from the hacker.
    Still, for most people the security of TouchId was good enough and practical in use.
    I expect the same with FaceID. For the utmost in security, users can always opt for a passcode.
    • by Opportunist ( 166417 ) on Monday November 13, 2017 @09:36AM (#55539969)

      The problem is that it's not just for general consumers. You try to explain to the CEO of a high security company why you want to ruin his fun and not let him have his new toy.

      It's worse than trying to explain it to a 5 year old, with the difference that the 5 year old can't fire you and you can actually talk sensibly and reasonably with a 5 year old.

      • by Anonymous Coward on Monday November 13, 2017 @09:44AM (#55540009)

        When I worked in support, the biggest security risks were always the higher up managers or CEOs that always wanted to be an exception to the security concept that they ordered.

      • by Dog-Cow ( 21281 )

        If the CEO is a stupid shit, short the stock and let him do what he wants. Don't make up stupid scenarios that have no basis in reality.

      • The problem is that it's not just for general consumers. You try to explain to the CEO of a high security company why you want to ruin his fun and not let him have his new toy.

        I don’t think that’s your job - that’s the job of the music major he’s put in charge of online security.

    • by tripleevenfall ( 1990004 ) on Monday November 13, 2017 @09:51AM (#55540053)

      But your fingerprint is still somewhat private. You can't replicate my fingerprints from a picture of me that you found on facebook. I can always change which fingers I have mapped to TouchID periodically. etc.

      You only have one face, and your face is public, which means it's less secure than TouchID was.

      • by Dog-Cow ( 21281 )

        You should have your face bashed in, just for being such an ignorant, stupid, fuck-up.

      • This is why I prefer TouchID.

        Another reason is that a finger print scan is a deliberate action. Finger goes on a scanner, and it functions as an acknowledgement that I am buying a bag of Dungeon Yums from a vending machine.

        A face scan isn't a definite action. You pick up your device to look at it, is different from having TouchID register an explicitly pressed home button.

      • You can't replicate my fingerprints from a picture of me that you found on facebook.

        Come out drinking with me, I'll have a detailed print from both your hands on your desk by the morning.

        Or ... just go for a toilet break. I can get them from your mouse too while you're not looking.

      • by danlor ( 309557 )

        Come back when you can actually demonstrate this as an attack.

      • But your fingerprint is still somewhat private. You can't replicate my fingerprints from a picture of me that you found on facebook. I can always change which fingers I have mapped to TouchID periodically. etc.

        You only have one face, and your face is public, which means it's less secure than TouchID was.

        They need a bit more than a photo of your face. If I understand it correctly they need a 3D image of your face. You might be able to get them for a large number of images or detailed video, but it is a bit harder.

    • You can also create fake finger prints if you can get a good model print.

    • by ljw1004 ( 764174 )

      If you remember, Touchid was similarly soon broken, and it also required quite some commitment from the hacker. Still, for most people the security of TouchId was good enough and practical in use. I expect the same with FaceID. For the utmost in security, users can always opt for a passcode.

      It won't take commitment from a hacker. I reckon that within six months there'll be online services where for $45 you upload to them 5 high resolution photos of a target's face from various angles, and they reconstruct a 3d model from those photos, and build a silicone face for you to unlock the target's phone. The initial market will be for people wanting to snoop on their partner's or children's phones.

      My brother already has bought a 3d hologram from a scan of his face, just a touristy gimmick from a scie

    • by phayes ( 202222 ) on Monday November 13, 2017 @10:31AM (#55540317) Homepage

      FaceID constructs a 3D model of your face which is then updated over time so that gradual changes (facial hair, etc) can be integrated into the model. These updates take place after FaceID successfully recognises your face -- and after unsuccessful face-id challenges followed by the use of the passcode/password.

      https://support.apple.com/en-u... [apple.com]

      The claimed hack gives absolutely no information on whether "the hack" was performed using a 3D printed model that had never been shown to the iPhone or whether they trained the iPhone to recognise the 3D model by showing it to the iPhone and repeatedly typing the password after every failure.

      If you already have the passcode/password which _always works_, FaceID is already bypassed.

      Until more details come out and others reproduce it, I'd take the claim that FaceID has been hacked with a _large_ grain of salt.

      • You know you will only get down-voted for not screaming against Apple products right? Most sane response to the post gets a score of 2, and on a day I don't have mod points...
    • Still, for most people

      Most people are happy with drawing a 'Z' on the front of their screens or using 0000 as the password. That doesn't negate the security needs of some specific people ... people who may buy into the Apple marketing of this new system being so incredibly secure.

  • by wisebabo ( 638845 ) on Monday November 13, 2017 @09:26AM (#55539903) Journal

    ... that its "Bphone the best smartphone the world" (2015). It sank without a trace.

    I'd treat that their claims that "Apple has done this not so well" and "Face ID can be fooled by mask, which means it is not an effective security measure" with a grain of salt. Of course their company is from Vietnam, "land of fakes" https://tuoitrenews.vn/news/ci... [tuoitrenews.vn] where scandal after scandal of dangerous, counterfeit and frank outright fraud is commonplace.

    Unfortunately I have firsthand experience of this :(

  • by jon3k ( 691256 )
    You also have to have the equipment, time and expertise to pull this off. And I guess some kind of 3D model of the person's head? Not sure, haven't read TFA. Personally if I lost my phone I'd immediately have it wiped and locked via MDM. So unless this was all carefully orchestrated before hand, I think I'm ok.
    • 3D model is easy. Fake head isn't.
    • I think the point is that this is what it takes today. It's not difficult to believe others will improve the process now that there's proof it can be done.

      And while you may wipe and lock your phone immediately if you lost it, I bet there's a lot of people who wouldn't take that step (if they could) until much too late.

      • by phayes ( 202222 )

        They appear to have trained the iPhone to recognise the 3D Scan by using the passcode/password to update the model after multiple failures until it finally worked.

        How fortunate Android users are to NOT be vulnerable to to exploitation when the bad guys have:
        - the Phone
        - A detailed 3D model and print
        - the passcode/password

  • by registrations_suck ( 1075251 ) on Monday November 13, 2017 @09:28AM (#55539933)

    So, what exactly is wrong with having to enter a passcode, anyway?

    • by mark-t ( 151149 )

      Isn't it obvious? It requires more effort.

      Ignore the fact that a passcode that one actually keeps secret is, in general, going to be far more secure than the usage of any kind of biometric data could ever hope to be. People are friggen lazy. Full stop.

    • It's a pain in the ass entering the passcode every time you want to access your phone. Of course, face id sounds like a pain in the ass too so there was not really anything solved.
    • Guessable, terrible passwords, prints left on screen reveal the password, etc.
      • Yeah....enter a whole six digits to use your phone.......what a nightmare!

        As for prints on your screen....you know, you could clean it once in a while.

        The real problem with passwords is all the apps on the phone want their own password, rather than relying on you having already entered one to access the phone itself. THAT is the pain in the ass here.

        I'd pay extra of all the apps on the phone had a "use phone password option". In this scenario, if you are on the phone, no password is required to use the app

        • by phayes ( 202222 )

          Anyone using a passcode & not a password deserves to get hacked anyway.

          I use 1password on Android/IOS/MacOS/Windows because I have thousands of unique passwords (clients). That you think it is a waste of money merely shows that you don't know how to use it.

  • xkcd (Score:5, Insightful)

    by tbannist ( 230135 ) on Monday November 13, 2017 @09:32AM (#55539947)

    FaceID reminds me of this xkcd comic [xkcd.com].

    Except that you no longer need the wrench...

    • by mark-t ( 151149 )

      Actually, what would be an interesting passcode system would be one that integrates with some sort of wetware system, and which not only relies on biometric data and a secret key, but also analyzes the state of mind of the user requesting access, and denies entry, even via an authorized password and in the presence of authorized biometric data, when the user is under any kind of stress or duress. Obviously, on a device like a phone, critical emergency functions would still work without such authorization

  • by RogueWarrior65 ( 678876 ) on Monday November 13, 2017 @09:42AM (#55540001)

    Your mission, should you choose to accept it, is to somehow sedate the subject and create a life cast of their face without them figuring out that you're doing it. You must then jump though a bunch of other hoops in order to unlock the subject's phone. You are under no circumstances to use the subject's own face to unlock their phone. Should you or any of your IM force be caught or killed, you will be mocked mercilessly on Slashdot.

  • by Anonymous Coward on Monday November 13, 2017 @09:43AM (#55540003)

    If you get arrested, they unlock the phone by holding it up to your face. That doesn't even require a mask. It's the opposite of security.

    • by Dog-Cow ( 21281 )

      I have a radical idea. If you're doing something that might lead to your arrest, disable FaceId. And if you live in place where you might be arrested for looking at your shoes funny, don't enable it in the first place.

    • by Arkham ( 10779 )

      If you get arrested, they unlock the phone by holding it up to your face. That doesn't even require a mask. It's the opposite of security.

      You have to look at the screen for it to unlock. And if you hold the button on the right, it will require a passcode. There are lots of safety mechanisms in place.

  • Now I need to get a new face!

  • What happens when.. (Score:5, Interesting)

    by fluffernutter ( 1411889 ) on Monday November 13, 2017 @09:46AM (#55540025)
    What happens when a person suffers an injury to their face? A serious black eye, swelling, etc? Do they get locked out of their phone at a time when that's probably the last thing they want to have to deal with?
  • Face recognition is less secure than good fingerprint scanning, which includes capillary response and other non-visible checks. I'm frankly surprised it took them this long.
  • by Wrath0fb0b ( 302444 ) on Monday November 13, 2017 @10:21AM (#55540249)

    The researcher shows that the phone unlocks when presented with his face, but it doesn't show the enrollment or training phase.

    For the sake of transparency, it would be nice to see that enrollment was done on his normal face without using any part of the mask or other shenanigans. And since the scanner apparently 'learns' from failed scans where you immediately enter the (correct) passcode, that's another route by which he could corrupt the enrolled data -- he could scan the mask and then enter his passcode enough times that it 'learns' the wrong thing.

    If either of those are true, it only shows that the authorized user can enroll data that's close enough to both his real face and a mask that both unlock it.

  • They'll be able to have a 3d printer at their HQ, photograph the recipient, and viola - privacy violated.

  • Well it looks like the police won't need to rely on the prisoner to divulge a password anymore. They can just do a 3D mug-shot, make a mask and open up the phone.
  • "Apple has done this not so well," writes the company. "Face ID can be fooled by mask, which means it is not an effective security measure."

    Isn't that true of any biometric-only authentication system? Fingerprint, face, iris, voice... they can all be emulated with enough effort. It's a darn convenient security measure, however, which under the right circumstances is augmented by a strong passcode.

  • by ilsaloving ( 1534307 ) on Monday November 13, 2017 @11:03AM (#55540505)

    Assuming that it's sufficiently accurate, Face ID is a great authentication system for inconsequential people. IE: People who don't have a lot of money nor power, which is a very large portion of the population.

    For those that do have some kind of responsibility, ie: managers, IT staff, etc, it's bad.

    If said individuals work for a major corporation and/or deal with sensitive information, it's downright idiotic. A biometric authentication system that doesn't even require you to be near the individual to unlock a device with sensitive data is foolish, especially today when people have access to 3D cameras and printers, and can do a targeted attack relatively inexpensively.

    It's not Mission Impossible type stuff, but it's not far off.

  • by Arkham ( 10779 ) on Monday November 13, 2017 @11:16AM (#55540587)

    The researchers concede, however, that their technique would require a detailed measurement or digital scan of a the face of the target iPhone's owner. The researchers say they used a handheld scanner that required about five minutes of manually scanning their test subject's face.

    So they haven't really broken anything. It turns out if you sit there and let them scan your face for 5 minutes they can make a model that can bypass a scanner in a consumer device. I'm surprised that it isn't possible to make a perfectly matched face that could fool a human with that kind of scanning.

    Non-story.

  • It is more and more obvious that face recognition-based authentication does not solve any significant problems, while introducing issues of its own - most notably, as many have already pointed out, once your face as been compromised, you can't easily change it. The bottom line is, this will deter the opportunistic agents. Those sufficiently well funded and determined (and, on the basis of the article, the do not have to be all that well funded or determined) will still crack it. ANd the truth is that there
  • It's still harder to fake than a finger scan, potentially saving planes from being redirected mid flight [independent.co.uk] You leave prints everywhere and can be scanned while asleep or non compliant. You don't as of yet leave a highly detailed face scan everywhere and it won't work with your eyes closed or face contorted. You are required to use a password in any case. If the faceID gets a couple of fails you need to use the password to unlock even if you then provide the right face; this was demonstrated live on tv at th [macrumors.com]
  • Just have one guy hold the person still while you hold the phone up to their face? I still can't believe anybody thought this was a good idea.
  • by schweini ( 607711 ) on Monday November 13, 2017 @01:28PM (#55541525)
    Out of curiosity: IIRC, the iPhone projects some IR dots on the face, and reconstructs a 3D model based on the distortion of the projected pattern using a rather regular 2D camera.

    Is that pattern fixed?
    If so, would it be possible to block the projection, and "simply" show the sensor the pattern that should appear?
    I bet it's not that easy, but i'd like to know why?

Unix is a Registered Bell of AT&T Trademark Laboratories. -- Donn Seeley

Working...