Hackers Say They've Broken Face ID a Week After iPhone X Release (wired.com) 252
Andy Greenberg, writing for Wired: When Apple released the iPhone X on November 3, it touched off an immediate race among hackers around the world to be the first to fool the company's futuristic new form of authentication. On Friday, Vietnamese security firm Bkav released a blog post and video showing that -- by all appearances -- they'd cracked Face ID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which in combination tricked an iPhone X into unlocking. That demonstration, which has yet to be confirmed publicly by other security researchers, could poke a hole in the expensive security of the iPhone X, particularly given that the researchers say their mask cost just $150 to make. But it's also a hacking proof-of-concept that, for now, shouldn't alarm the average iPhone owner, given the time, effort, and access to someone's face required to recreate it. Bkav, meanwhile, didn't mince words in its blog post and FAQ on the research. "Apple has done this not so well," writes the company. "Face ID can be fooled by mask, which means it is not an effective security measure."
wait a minute.... (Score:3, Funny)
Re: (Score:2)
get out my uber and I'm rating you a 1
Re: (Score:2)
".... ain't all asian all look alike anyway?"
No that's just racist, but a couple of hundred twins 'hacked' it on day one.
Re: (Score:3)
Are you saying you don't remember what happened to Tim Tebow when he kneeled? Hint: He wasn't declared ".[A-Za-z] of the Year".
Noit a secret (Score:2, Informative)
Authentication is predicated upon knowing a secret, which your face isn't
Re:Noit a secret (Score:4, Insightful)
Exactly. Apple seems to have thought public information would make a better key than a secret, which is the opposite of security.
Re:Noit a secret (Score:5, Interesting)
I guess if someone manages to make a mold of my face, I've got bigger problem than someone accessing the (wishful thinking) nudes on my phone.
The only scenario that matters here is a hacker getting sufficient information to construct this mold without the user knowing, and then lifting the phone by conventional means to break it. I don't think casual thieves are going to be able to pull this exploit off, which is adequate protection for a phone. Maybe I wouldn't use this (and only this) to guard nuclear launch codes.
Re:Noit a secret (Score:4, Insightful)
We can use two photographs of your face as a stereoscopic image, then composite a 3D model.
Re: (Score:2)
"Well Mr. Anderson, if you won't unlock your phone for us we'll just 3D-print your face and unlock it anyway, so you might as well."
Re:Noit a secret (Score:5, Insightful)
you'll see that this required a far more detailed scan of the face than could be recovered from stereoscopy alone. They had to use FLIR to get an accurate enough scan.
There's a suitable camera in every iPhone X. Someone will figure out a hack to use that to scan someone else's face.
Re: (Score:2)
Hell, this could be a much bigger worry you bring up. Apple, you better secure the crap out of your camera.
Re: (Score:2)
Which is available in phones.
https://www.cnet.com/products/cat-s60/ [cnet.com]
Re: (Score:2)
Except that if you read the article, you'll see that this required a far more detailed scan of the face than could be recovered from stereoscopy alone.
Or maybe they just require more than 2 weeks of tinkering with it. Think about what you just said. If you need something better than stereoscopy to fool a stereoscopy based system then you haven't put the right amount of effort in.
It's not like the iPhone X can see the back of your head or something.
Re: (Score:3, Informative)
Did it occur to you that all casual thieves would need to collect this data is another iPhone?
Re:Noit a secret (Score:4, Insightful)
I'm guessing it would be easier to use your real face than creating a model or trying to beat a pin number out of you. I'm not seeing how this is good security.
I'll take your wallet and your phone, now hold still while I use your face to unlock your phone.
How is that worse than a thumbprint? (Score:3)
Re: (Score:2)
Still easier to beat the passcode out of you than to try and break it...
Re: (Score:2)
Then I unlock your phone using your unconscious face.
okay, but HOW IS THIS WORSE THAN A THUMBPRINT? (Score:4, Informative)
Also, FaceID doesn't work if you're unconscious.
Also, if somebody is willing to beat you to death to get into your locked phone, then what form of security is going to stop that?
It seriously took 10 seconds to completely destroy your argument, maybe try harder next time.
Re: (Score:2)
If it is no worse than a thumbprint, then why is it news?
If it's no better than a fingerprint, then why is it needed? And it is worse than a fingerprint: twins [gadgethacks.com] can't fingerprint-unlock each others' phones. Hell, even non-twin adult siblings can face-unlock the same phone [qz.com]. And you can only put one face in the phone, so no, they didn't do it by putting both faces in the phone.
Also, FaceID doesn't work if you're unconscious.
Got a citation for this? There's a mode that requires "attention" (e.g. open eyes), but it is not the default. Without that setting being enabled, your iPhone X will unlock if your eyes are cl
Re: (Score:2)
Re: (Score:3)
One out of 50,000 people have similar enough fingerprints to you to unlock your phone, only one out of 1 million people have similar enough faces to unlock your phone.
It's much easier to identify the one in 1 million who might unlock your phone with their face than it is to identify the one in 50,000 who might do so with their fingerprints, unless you already have a fingerprint to compare to, in which case why do you need to find that one in 50,000 in the first place? Totally irrelevant. Plus, I can change which finger is registered but I only have one face.
In your link they trained it on both faces.
You assume that, of course.
That's bullshit, you're completely wrong, stop getting all your info from Breitbart.
You read this, just like I did:
Face ID is even attention-aware. It recognizes if your eyes are open and looking towards the device. This makes it more difficult for someone to unlock your iPhone without your knowledge (such as when you are sleeping).
The difference is that I've also handled the actual devic
Re: (Score:2)
In fairness, the quality of biometric security isn't wholly dependent on the information being secret. As much as anything, it's a question of how easily the sensors can be fooled.
Oh really, how do you authenticate your child? (Score:3)
Here's how:
1. trusted authentication hardware/sensors : You trust your own eyes, you are pretty certain that no one has done a MIM attack in the path from your visual cortex to the child's face.
2. weighing cost-to-defeat vs. benefit : sure it's possible to find another child and do elaborate plastic surgery or a mask, but that's a fant
Re: (Score:2)
It would be easier for a mugger to knee cap you and make you hold still than it would be to break a 4 digit passcode or beat a passcode out of you.
Authentication does not require secrets (Score:2)
Authentication is predicated upon knowing a secret, which your face isn't
Authentication has nothing inherently to do with secrets. It's merely the act of proving you are who you say you are or verifying some other fact. In some cases secret information can aid in this or make it more dependable but most authentication is actually done with publicly available non-secret information. People recognize your face on a daily basis which is the most basic form of authentication. Sometimes it is useful to layer a secret passcode onto some item you possess or some bio-metric identifi
Still ok for general consumers (Score:5, Insightful)
Still, for most people the security of TouchId was good enough and practical in use.
I expect the same with FaceID. For the utmost in security, users can always opt for a passcode.
Re:Still ok for general consumers (Score:4, Insightful)
The problem is that it's not just for general consumers. You try to explain to the CEO of a high security company why you want to ruin his fun and not let him have his new toy.
It's worse than trying to explain it to a 5 year old, with the difference that the 5 year old can't fire you and you can actually talk sensibly and reasonably with a 5 year old.
Re:Still ok for general consumers (Score:5, Insightful)
When I worked in support, the biggest security risks were always the higher up managers or CEOs that always wanted to be an exception to the security concept that they ordered.
Re: (Score:2)
When I worked in support, the biggest security risks were always the higher up managers or CEOs that always wanted to be an exception to the security concept that they ordered.
This isn't the 1980s anymore.
Those who cannot grasp a concept as simple as "weakest link" get what they deserve in today's world.
Re:Still ok for general consumers (Score:4, Insightful)
I saw the same problem in the 2010s. Borderline computer-illiterate CEO wanted God Mode access to all file shares. Then something from the '80s did come along, file-wiping malware via email to the CEO...
Re: (Score:2)
Bzzt. Wrong. But thank you for playing.
You know what actually happens? CEO fucks up and you get fired for it or at least have to spend an unpaid weekend fixing his bullshit while he takes a jump with his golden parachute.
These people literally have jester's license.
Re: (Score:2)
If the CEO is a stupid shit, short the stock and let him do what he wants. Don't make up stupid scenarios that have no basis in reality.
Re: (Score:2)
The problem is that it's not just for general consumers. You try to explain to the CEO of a high security company why you want to ruin his fun and not let him have his new toy.
I don’t think that’s your job - that’s the job of the music major he’s put in charge of online security.
Re: (Score:2)
I sing in the shower, that should make me at least as qualified.
Re: (Score:2)
That won't work as everyone who has tried to do it already knows.
"Sir, you can't use FaceID if you give your password and your phone and a high resolution 3D print of your face to someone so that they can retrain FaceID to recognise the 3D print over a dozens/hundreds/thousands of failed attempts until it works and uses it to unlock your phone!"
Because having the password/passcode isn't already game over, duh.
Re: (Score:2)
"Sir, you can't use FaceID on the off chance that someone 3D prints your face, takes a high-resolution picture and tapes it to the outside of it and uses it to unlock your phone!"
That sentence is too long, you lost them a third of the way through. Rethink it and imagine you have to convince Donald Trump.
Re: (Score:2)
It defaults you to use 6-digit and doesn't make the UI to decline obvious, but if you are persistent you can make it accept a 4-digit passcode.
Re: (Score:3)
It defaults you to use 6-digit and doesn't make the UI to decline obvious, but if you are persistent you can make it accept a 4-digit passcode.
I'd say it's pretty damned obvious how to select what type of passcode/passphrase you want:
https://www.imore.com/how-to-s... [imore.com]
Re:Still ok for general consumers (Score:4, Insightful)
But your fingerprint is still somewhat private. You can't replicate my fingerprints from a picture of me that you found on facebook. I can always change which fingers I have mapped to TouchID periodically. etc.
You only have one face, and your face is public, which means it's less secure than TouchID was.
Re: (Score:2)
You should have your face bashed in, just for being such an ignorant, stupid, fuck-up.
Re: (Score:2)
This is why I prefer TouchID.
Another reason is that a finger print scan is a deliberate action. Finger goes on a scanner, and it functions as an acknowledgement that I am buying a bag of Dungeon Yums from a vending machine.
A face scan isn't a definite action. You pick up your device to look at it, is different from having TouchID register an explicitly pressed home button.
Re: (Score:2)
You can't replicate my fingerprints from a picture of me that you found on facebook.
Come out drinking with me, I'll have a detailed print from both your hands on your desk by the morning.
Or ... just go for a toilet break. I can get them from your mouse too while you're not looking.
Re: (Score:2)
Come back when you can actually demonstrate this as an attack.
Re: (Score:3)
But your fingerprint is still somewhat private. You can't replicate my fingerprints from a picture of me that you found on facebook. I can always change which fingers I have mapped to TouchID periodically. etc.
You only have one face, and your face is public, which means it's less secure than TouchID was.
They need a bit more than a photo of your face. If I understand it correctly they need a 3D image of your face. You might be able to get them for a large number of images or detailed video, but it is a bit harder.
Re: (Score:2)
Yes, precisely.
The most secure thing I can use is a strong passphrase that exists only in the phone, encrypted, and in my mind. Anything else is less secure.
Re: (Score:2)
Yes, I just have to follow you with a piece of tape and wait for you to touch anything. Or lets by honest here. If I have your phone, take it off the screen.
I know right, like you wear gloves and never touch anything. Your fingerprints are literally everywhere, all over every object withing feet from you. They are incredibly easy to get. I bet I can get them off the doorknob to your front door, or even your mailbox while you're at work.
Is it anymore broken than finger prints? (Score:2)
You can also create fake finger prints if you can get a good model print.
Re: (Score:2)
If you remember, Touchid was similarly soon broken, and it also required quite some commitment from the hacker. Still, for most people the security of TouchId was good enough and practical in use. I expect the same with FaceID. For the utmost in security, users can always opt for a passcode.
It won't take commitment from a hacker. I reckon that within six months there'll be online services where for $45 you upload to them 5 high resolution photos of a target's face from various angles, and they reconstruct a 3d model from those photos, and build a silicone face for you to unlock the target's phone. The initial market will be for people wanting to snoop on their partner's or children's phones.
My brother already has bought a 3d hologram from a scan of his face, just a touristy gimmick from a scie
Re:Still ok for general consumers (Score:5, Interesting)
FaceID constructs a 3D model of your face which is then updated over time so that gradual changes (facial hair, etc) can be integrated into the model. These updates take place after FaceID successfully recognises your face -- and after unsuccessful face-id challenges followed by the use of the passcode/password.
https://support.apple.com/en-u... [apple.com]
The claimed hack gives absolutely no information on whether "the hack" was performed using a 3D printed model that had never been shown to the iPhone or whether they trained the iPhone to recognise the 3D model by showing it to the iPhone and repeatedly typing the password after every failure.
If you already have the passcode/password which _always works_, FaceID is already bypassed.
Until more details come out and others reproduce it, I'd take the claim that FaceID has been hacked with a _large_ grain of salt.
Re: (Score:2)
Re: (Score:2)
Still, for most people
Most people are happy with drawing a 'Z' on the front of their screens or using 0000 as the password. That doesn't negate the security needs of some specific people ... people who may buy into the Apple marketing of this new system being so incredibly secure.
This is the same company that claimed (Score:3)
... that its "Bphone the best smartphone the world" (2015). It sank without a trace.
I'd treat that their claims that "Apple has done this not so well" and "Face ID can be fooled by mask, which means it is not an effective security measure" with a grain of salt. Of course their company is from Vietnam, "land of fakes" https://tuoitrenews.vn/news/ci... [tuoitrenews.vn] where scandal after scandal of dangerous, counterfeit and frank outright fraud is commonplace.
Unfortunately I have firsthand experience of this :(
Ok (Score:2)
Re: (Score:2)
Re: (Score:2)
I think the point is that this is what it takes today. It's not difficult to believe others will improve the process now that there's proof it can be done.
And while you may wipe and lock your phone immediately if you lost it, I bet there's a lot of people who wouldn't take that step (if they could) until much too late.
Re: (Score:2)
They appear to have trained the iPhone to recognise the 3D Scan by using the passcode/password to update the model after multiple failures until it finally worked.
How fortunate Android users are to NOT be vulnerable to to exploitation when the bad guys have:
- the Phone
- A detailed 3D model and print
- the passcode/password
What is wrong with a passcode? (Score:4, Insightful)
So, what exactly is wrong with having to enter a passcode, anyway?
Re: (Score:3)
Isn't it obvious? It requires more effort.
Ignore the fact that a passcode that one actually keeps secret is, in general, going to be far more secure than the usage of any kind of biometric data could ever hope to be. People are friggen lazy. Full stop.
Re: (Score:2)
Re: (Score:2)
Re:What is wrong with a passcode? (Score:4, Funny)
If FaceId is a pain in the ass, you're holding it wrong.
Re: (Score:2)
Re: (Score:3)
Yeah....enter a whole six digits to use your phone.......what a nightmare!
As for prints on your screen....you know, you could clean it once in a while.
The real problem with passwords is all the apps on the phone want their own password, rather than relying on you having already entered one to access the phone itself. THAT is the pain in the ass here.
I'd pay extra of all the apps on the phone had a "use phone password option". In this scenario, if you are on the phone, no password is required to use the app
Re: (Score:2)
Anyone using a passcode & not a password deserves to get hacked anyway.
I use 1password on Android/IOS/MacOS/Windows because I have thousands of unique passwords (clients). That you think it is a waste of money merely shows that you don't know how to use it.
xkcd (Score:5, Insightful)
FaceID reminds me of this xkcd comic [xkcd.com].
Except that you no longer need the wrench...
Re: (Score:2)
Actually, what would be an interesting passcode system would be one that integrates with some sort of wetware system, and which not only relies on biometric data and a secret key, but also analyzes the state of mind of the user requesting access, and denies entry, even via an authorized password and in the presence of authorized biometric data, when the user is under any kind of stress or duress. Obviously, on a device like a phone, critical emergency functions would still work without such authorization
Re: (Score:2)
If you are alleging that the wrench is only about 10% effective in the first place, sure. If you are being beaten with a wrench you are both under duress *AND* stress, so you still wouldn't be able to unlock the device for a person who is requesting it if it had such security measures installed.
It's almost a password equivalent to a dead-man's switch for disabling access to the device, except it is reversible in that one can potentially re-enable the device at a later time.
Re: (Score:2)
Good morning, Mr. Phelps (Score:5, Funny)
Your mission, should you choose to accept it, is to somehow sedate the subject and create a life cast of their face without them figuring out that you're doing it. You must then jump though a bunch of other hoops in order to unlock the subject's phone. You are under no circumstances to use the subject's own face to unlock their phone. Should you or any of your IM force be caught or killed, you will be mocked mercilessly on Slashdot.
FBI and NSA will love Face ID (Score:4, Interesting)
If you get arrested, they unlock the phone by holding it up to your face. That doesn't even require a mask. It's the opposite of security.
Re: (Score:3)
I have a radical idea. If you're doing something that might lead to your arrest, disable FaceId. And if you live in place where you might be arrested for looking at your shoes funny, don't enable it in the first place.
Re: (Score:2)
If you get arrested, they unlock the phone by holding it up to your face. That doesn't even require a mask. It's the opposite of security.
You have to look at the screen for it to unlock. And if you hold the button on the right, it will require a passcode. There are lots of safety mechanisms in place.
Damn (Score:2)
Now I need to get a new face!
What happens when.. (Score:5, Interesting)
Re:What happens when.. (Score:5, Funny)
Re: (Score:2)
Obviously you need to take backups of your face on a regular basis, like, you know, 3D-print plastic, silicone masks with makeup and simple paper cutouts. Duh.
Everyone but the marketing department knows... (Score:2)
Re: (Score:3, Insightful)
Re: (Score:2)
Re:Everyone but the marketing department knows... (Score:5, Informative)
fingerprint scanning increases the cost of the phone. Face recognition does not require any additional hardware.
Not true. There is both a structured light transmitter and receiver [wccftech.com] which are additional hardware compared to previous iphones. There may also be a separate processor for data processing of these modules.
Re: (Score:2)
Whoever modded you insightful is as stupid and ignorant as you are.
Re: (Score:2)
Android devices didn't use any additional hardware, and some actually wanted you to blink before they would authenticate. However, Apple uses a number of subsystems to do the FaceID authentication, including a processor dedicated to facial recognition. TouchID is a lot lighter, and just requires a home button.
Android devices have another item solved too... with the fingerprint reader on the back. No space on the front needed.
Re: (Score:2)
Face recognition does not require any additional hardware
What an absurd claim given the amount of hardware on the front of the phone specifically put there for the sole purpose of FaceID.
FaceID does not use the front-facing camera. (Score:2)
You seem to think FaceID uses visual data. (Score:2)
Interesting question on how it was trained (Score:5, Interesting)
The researcher shows that the phone unlocks when presented with his face, but it doesn't show the enrollment or training phase.
For the sake of transparency, it would be nice to see that enrollment was done on his normal face without using any part of the mask or other shenanigans. And since the scanner apparently 'learns' from failed scans where you immediately enter the (correct) passcode, that's another route by which he could corrupt the enrolled data -- he could scan the mask and then enter his passcode enough times that it 'learns' the wrong thing.
If either of those are true, it only shows that the authorized user can enroll data that's close enough to both his real face and a mask that both unlock it.
Police will love it (Score:2)
They'll be able to have a 3d printer at their HQ, photograph the recipient, and viola - privacy violated.
Police will love this (Score:2)
Come see the [flaw] inherent in the system. (Score:2)
"Apple has done this not so well," writes the company. "Face ID can be fooled by mask, which means it is not an effective security measure."
Isn't that true of any biometric-only authentication system? Fingerprint, face, iris, voice... they can all be emulated with enough effort. It's a darn convenient security measure, however, which under the right circumstances is augmented by a strong passcode.
Face ID is great for people that don't matter (Score:3)
Assuming that it's sufficiently accurate, Face ID is a great authentication system for inconsequential people. IE: People who don't have a lot of money nor power, which is a very large portion of the population.
For those that do have some kind of responsibility, ie: managers, IT staff, etc, it's bad.
If said individuals work for a major corporation and/or deal with sensitive information, it's downright idiotic. A biometric authentication system that doesn't even require you to be near the individual to unlock a device with sensitive data is foolish, especially today when people have access to 3D cameras and printers, and can do a targeted attack relatively inexpensively.
It's not Mission Impossible type stuff, but it's not far off.
Total non-story.... (Score:3)
The researchers concede, however, that their technique would require a detailed measurement or digital scan of a the face of the target iPhone's owner. The researchers say they used a handheld scanner that required about five minutes of manually scanning their test subject's face.
So they haven't really broken anything. It turns out if you sit there and let them scan your face for 5 minutes they can make a model that can bypass a scanner in a consumer device. I'm surprised that it isn't possible to make a perfectly matched face that could fool a human with that kind of scanning.
Non-story.
This is a solution looking for a problem to solve (Score:2)
Bad summary yet again (Score:2)
The 0$ alternative (Score:2)
Emulating the IR structured light pattern? (Score:3)
Is that pattern fixed?
If so, would it be possible to block the projection, and "simply" show the sensor the pattern that should appear?
I bet it's not that easy, but i'd like to know why?
Re: (Score:2)
Re: (Score:2)
You're quite behind the times.
iOS since at least version 4 and possibly earlier has allowed 6 digit code and even an alphanumeric passcodes. Only recently (with the addition of TouchID) have the phones *defaulted* to 6 digit passcodes.. but 4 digit hasn't been the only option for more than 7 years.
Re: (Score:2)
So, don't cross a bridge? Don't go in a house? Don't walk on a pavement?
Where the fuck are you writing this from?
Re: (Score:2)
iOS has required a 6-digit PIN (or passphrase) to use TouchID for ages. I doubt they've regressed for FaceID.