10-Year-Old Boy Cracks the Face ID On Both Parents' iPhone X (wired.com) 300
An anonymous reader writes: A 10-year-old boy discovered he could unlock his father's phone just by looking at it. And his mother's phone too. Both parents had just purchased a new $999 iPhone X, and apparently its Face ID couldn't tell his face from theirs. The unlocking happened immediately after the mother told the son that "There's no way you're getting access to this phone."
Experiments suggest the iPhone X was confused by the indoor/nighttime lighting when the couple first registered their faces. Apple's only response was to point to their support page, which states that "the statistical probability is different...among children under the age of 13, because their distinct facial features may not have fully developed. If you're concerned about this, we recommend using a passcode to authenticate." The boy's father is now offering this advice to other parents. "You should probably try it with every member of your family and see who can access it."
And his son just "thought it was hilarious."
Sounds like excuses (Score:5, Funny)
You're looking at the phone wrong, etc., etc., etc........
Re:Sounds like excuses (Score:5, Funny)
boy is obviously a disguised Russian hacker.
Re: (Score:3)
Re: (Score:3)
Yeah, because you're going to be using the phone under optimal lighting conditions all the time, anyway...
Just curious... (Score:4, Interesting)
Re:Just curious... (Score:5, Interesting)
Almost certainly.
https://www.macrumors.com/2017... [macrumors.com]
Dang those shape-shifting children's faces! (Score:5, Funny)
Re:Dang those shape-shifting children's faces! (Score:4, Funny)
Next item: FBI hires a bunch of 13 year old kids to unlock phones confiscated from criminal suspects.
Scary (Score:5, Interesting)
Re:Scary (Score:5, Insightful)
It also gives your child full access to your ApplePay account, which by default only requires FaceID to authenticate.
Biometrics are not passwords (Score:5, Insightful)
Biometrics are user-ids, not passwords.
There are three aspects to security: something you are, something you know, something you have. Implement two for rudimentary security, implement all three for good security.
- Something you are: User ID, biometrics, or some other public information that serves to identify the person.
- Something you know: Typically a password, used to prove the identity
- Something you have: Second factor, used to prove that the password and identity were not stolen.
Face-ID and fingerprints are insecure and easily fooled.
Re: (Score:3)
Re:Biometrics are not passwords (Score:5, Insightful)
Fingerprints seem to be pretty good in the real world. The FBI can't seem to crack them. UK security forces can't reliably crack them, so they have taken to following people until they unlock their phone and then staging a fake mugging to grab it in that state.
Okay, maybe the NSA can get in, but for most people a good fingerprint scanner seems to be a reasonable option. The main issue is the lack of a panic button on some of them, i.e. something you do to disable it and require the passcode. Apple lets you press the power button 5 times quickly; on most Android devices holding the power button for a few seconds works.
Re: (Score:2)
Re: (Score:2)
I agree that you must use more than one authentication factor.
In fact, it is terribly dangerous to use biometrics, because when somebody steals your data you are doomed for the rest of your life. And using them in consumer products is very irresponsible because those products, no matter the brand or the price, won't be as well designed as security-oriented machines.
Also ... light interferes, children younger than 13 years interfere, photocopies interfere ... this technology is useless on real life s
Re: (Score:2)
Biometrics are user-ids, not passwords.
Actually they're both but should never be used as the first factor of authentication.
Face-ID and fingerprints are insecure and easily fooled.
Yes and no.
Done properly these technologies are quite effective, however to do it properly you need a $5000 bit of kit at every door and a hefty back end. Fingerprint scanners at Immigration are quite good, but you won't get that level of quality on a £500 phone. So in order to make it work, corners are cut which makes them ineffective as a security measure.
Besides, people get distracted enough punching in a 4 ch
Lock and unlock (Score:2)
You're not really supposed to "unlock" an iPhoneX. The way FaceID is supposed to work, you pick it up from somewhere and when you instinctively look at the screen, it performs its magic and it's ready, no need to put the right finger on a sensor in the right way, or click on anything. After some time, you're probably going to forget it's actually authenticating you. Unfortunately, while in theory quite convenient, this has several drawbacks in terms of security and usability; it's not really a step forward
Re: (Score:2)
But it also lets you do better Snapchat masks and animated emojis
It's time to get rid of Tim Cook (Score:2)
Between this, the debacle of iOS 11 and the fact that the Mac lines have been languishing under him, it's clear they need to get rid of him.
And no, replacing him with the woman who runs the retail side is not good for the company no matter how good her number is or how desperately they want to put a woman in charge of the richest company in the world.
At this point, they need a Satya Nadella who can actually get in there, balance both product lines, come up with new ones and reacquire alienated Mac users who
Re: (Score:3)
Excellent (Score:3)
Security lesson: (Score:2)
Laugh today, innovate tomorrow (Score:3)
We laugh now, but we all know that next year's (or the year after's) flagship Android phones will have Face ID.
Re: (Score:2)
Next year?
https://findbiometrics.com/440... [findbiometrics.com]
confused by lighting? (Score:5, Interesting)
Re: (Score:2)
So if it was confused by lighting does that mean apple outright lied how it works? or is that just fanboys trying to make up excuses? if you have something that operates by infrared dots on your face that supposedly works in dark or light how the fuck do you get confused by lighting conditions.
Because optimally you should have good lighting conditions (IR and visible light) and not obscure your face when training a facial recognition system, which is what this couple did according to the article summary. Additionally, if you wear something that obstructs the face you might also want to train your system while wearing said item. The FR gear is intended to recognise you under sub-optimal conditions based on a training data set made under optimal conditions, it is not intended to be reliable if the t
Re: (Score:2)
This may surprise you, but infrared radiation is very close in wavelength to this thing we perceive as "light", so much so that our "lights" in our house used to give off more of this mythical technology thing called "infrared" than actual light we perceived at one stage.
If you think this interference means Apple is lying, I'm calling you ignorant. If you want to fix your ignorance look into the long history of using and sensing infrared in various fields, the history of TV remotes, IrDA, and even Nintendo's
Re: (Score:2)
Maybe it does work as they describe, but they had to turn down the % match limit to make it usable. People expect the phone to unlock quickly when they look at it, in all lighting conditions and from various angles. Although humans can't see IR, it is still there and able to interfere with the iPhone's weak IR projection.
Say it measures the distance between your eyes. To do that it has to find the corners of your eyes, from various angles and various distances. The resolution of the sensor is limited so the
I've been sort of expecting this to happen (Score:5, Insightful)
Tim Cook's claim that FaceID is 20x more accurate than TouchID was kinda ridiculous. It is a neat technology and from what I hear it works well, but it is impossible to have face recognition that doesn't trigger false positives with relative ease. Telling people there's a one in a million chance that FaceID will mistake someone else's face with yours is irresponsible.
Yes, but (Score:2)
--Terry Pratchett
Re:I've been sort of expecting this to happen (Score:5, Interesting)
Re: (Score:2)
You mean genetics, not evolution.
Comment removed (Score:5, Funny)
Apple has already explained this (Score:2)
Re: (Score:2)
So it's broken, but they've explained so it's okay?
If I enter my pin code, it's just what it is. It doesn't magically transmogrify into allowing a different pin code. No explanation needed by vendor - it's pretty much 'a given'.
$1000 Paternity Test (Score:5, Funny)
Hilarious? (Score:2)
At least the boy now knows, that the mailman ain't his father.
His son and the rest of us (Score:2)
And his son just "thought it was hilarious."
well, not only his son, i think it is hilarious as well.
Locked? (Score:3)
Re: (Score:2)
...not so cool when you've used the browser to authenticate with Google, and you've logged in the facebook app, and you've connected up your email to the email app.
If you're never going to do those things, then yeah, don't bother with the lock. In fact, sell your phone and buy one of those cheap Nokias, as it'll do 90% of what you use your smart phone for, but at a fraction of the cost.
The point is, for calls and texts, yes, your provider can stop that service. For anything else, they can't do that for you,
Re: (Score:2, Informative)
Really depends what you use it for. If you only ever make calls, then you're only risking your phone book. That might not seem like a big deal, but phoning up a mark's relatives pretending that there's some urgent crisis (broken down car in the middle of nowhere, been mugged in an unfamiliar city, had a serious accident and in hospital outside your network etc) and that they need to wire money/provide details/etc is a very common scam.
If you send or receive messages, then you're risking your message history,
Missing the point (Score:5, Informative)
Think TouchID or FaceID like a lock on your front door. Yes it can be hacked and bypassed. Sometimes in ways you might not expect. It's low grade security. But that isn't the point. The point is to keep the majority of less determined individuals out while being a reasonable balance between security and convenience for typical usage. If you want greater security there are features (passwords, etc) you can utilize to strengthen the system. Most of the time these are overkill but sometimes they are a very good idea. Anyone expecting TouchID or FaceID to provide iron clad security has incorrect ideas about what they are for and what their limitations are.
Re: (Score:3)
My mistake. I thought the point was so a cop could shove it in your face and have it unlock itself for him.
Re: (Score:2)
My mistake. I thought the point was so a cop could shove it in your face and have it unlock itself for him.
Make the password required and it's a non-issue.
Re: (Score:2)
If you're going to make the password required anyway, why bother with this nonsense...so you can gaze longingly at Siri, and have her ask you for your password?
Re: (Score:3)
Anyone expecting TouchID or FaceID to provide iron clad security has incorrect ideas about what they are for and what their limitations are.
Apple seems to do. ApplePay, for example, is authorized by FaceID by default.
Re: (Score:2)
you're missing the point, biometrics for secure access in 2017 is a farce yet it is touted as being sufficient to protect your payments, a nuke plant, etc.
low grade security indeed, but high grade uses are made
I knew Picasa was confused like this. (Score:3)
Very quickly I discovered it confused mothers with daughters. When our turn to host the pot-luck comes around, our guests used to gather around, let Picasa loose on the collection and laugh and marvel at the same time about its confusion.
I'm confused... (Score:2)
On my first phone, one could lock and unlock the keypad by pressing 0000. This was not a security measure, just a way of preventing accidental phone calls.
Face ID is just the modern "keypad lock", the right photo of the person will probably also unlock the phone.
What a surprise (Score:2)
Re: (Score:2)
Well, if you add 'currently practical' to that, yes.
However, human faces are unique and very little is required for recognition - as long as the recognition engine is a human brain familiar with the subject. Eventually we should be able to mimic that with a computer algorithm.
Using facial recognition on an iPhone at this point, though, was an ill-conceived marketing ploy. It's simply still too easy to fool.
It's a new paternity test.. (Score:2)
And thus was born another chapter in the story of. (Score:2)
"Which parent does little Ammar look more like?"
LK
Arya!? (Score:2)
Re: (Score:2)
Cue me asking him why that hilariously overpriced phone then not only implemented it but also announced it as the biggest thing since sliced bread.
Re:cue the apple fanboy (Score:5, Interesting)
The common defense, of course, is that "they trained it by entering the passcode." On its face, this seems a valid defense, but...
My wife asks me to do things on her phone all the time while she's driving, so she can keep her eyes on the road. I know her passcode so I can do these things, and FaceID tries to scan every time the screen is turned on. That means, intentional or not, if she had an iPhone X with FaceID enabled, I'd be training it to recognize my face every single time I unlocked it using the passcode. Eventually, we'd both be able to unlock it.
Since she and I look nothing alike, the phone would ostensibly unlock for anyone with facial features similar to hers or mine, in varied combinations; possibly even within a range between her facial features and mine. Since we look so different from each other, I would be less than surprised if the odds of a random match were way greater than 1:1,000,000, or even the 1:50,000 odds Apple claims for a random fingerprint match, on a device used in such a manner.
And I wouldn't think that usage pattern is too uncommon; most couples I know who are in healthy relationships ask each other to check messages and whatnot from time to time, which necessitates the sharing of passcodes.
The "learning" aspect of FaceID is its primary weakness. There are solutions, of course, and a proper implementation would apply them.
One possible solution would be a "guest" passcode, which does not trigger the learning mechanism. This could also lock out purchases and changes to certain settings. It would just be a good security measure, in general, regardless of FaceID. But, in the context of FaceID, it would all but solve the PIN/passcode "learning" weakness.
Doesn't do anything for kids or people with siblings, of course. Nor does it do anything for the fact that the 1:1,000,000 claim is explicitly limited to "random matching"; that is, if you pointed the phone at 1,000,000 random people, one of them would unlock it. If you point the phone at 5 people who look a lot like you, one of them will unlock it, as well, and we've seen that borne out in reality. I can take a picture of you as I'm stealing your phone and use it to find 5 people who look enough like you to likely be able to unlock it.
What I can't do is take a picture of you as I steal your phone and use it to find 5 people with similar fingerprints. The 1:50,000 odds are actually stronger than the 1:1,000,000 in this case, because there's no way around the randomness, other than a direct attack on the scanner itself. Of course, that's entirely possible and not all that difficult; but we've also seen that it's entirely possible and not all that difficult to attack FaceID, so the point is relatively moot, anyway.
I'd venture that it's easier to, say, walk down a busy city street with your victim's phone and photo and approach someone who looks similar enough to them and ask "have you seen the new iPhone yet?" as you hold it up to their face... than it is to find a clean enough print and reproduce it accurately enough to fool the fingerprint scanner. What's sad, here, is that the bar for fooling the fingerprint scanner was already too low. Apple must be trying to win a limbo competition with FaceID.
Re:cue the apple fanboy (Score:4, Insightful)
This is true only if you are a close match to begin with. When a Face ID authentication fails, but is within a small failure threshold, and then the passcode is entered, another measurement is taken for training. The purpose of this is to learn as the face subtly changes, as they do. But if you and your wife are already a close match, and you know and enter the passcode, then it will augment its training from your face.
If you don't know or don't enter the passcode then no training is done.
So yes, this is definitely one more problem (among many) for Apple to solve, but it's not the huge security hole some are making it out to be. For me it's a tremendous convenience and reasonably safe, but if I were in a situation where I was truly worried about security then I would disable it.
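The learning behaviour debated in the comments above (passcode-confirmed near misses are learned, far misses and passcode-less failures are not) and the "guest" passcode idea from the earlier comment, as a toy model. This is an added example, not part of the thread and not Apple's algorithm: the 2-D "face" vectors, the distance thresholds, the `ToyFaceLock` class and both passcodes are constructed assumptions.

```python
import math
from dataclasses import dataclass, field

ACCEPT = 1.0      # constructed: max template distance that unlocks by face
NEAR_MISS = 1.5   # constructed: a failed match this close may be learned

# Constructed sample "faces" (points in a made-up feature space).
OWNER, CHILD, SPOUSE, STRANGER = (0.0, 0.0), (1.4, 0.0), (5.0, 0.0), (2.3, 0.0)


@dataclass
class ToyFaceLock:
    passcode: str
    guest_passcode: str = None   # hypothetical mitigation: unlocks, never trains
    templates: list = field(default_factory=list)

    def enroll(self, face):
        self.templates.append(tuple(face))

    def distance(self, face):
        # Score against the closest stored template.
        return min(math.dist(face, t) for t in self.templates)

    def attempt(self, face, code=None):
        d = self.distance(face)
        if d <= ACCEPT:
            return "face"
        if self.guest_passcode is not None and code == self.guest_passcode:
            return "guest"                      # access granted, no learning
        if code != self.passcode:
            return "locked"                     # no passcode, no learning
        if d <= NEAR_MISS:
            self.templates.append(tuple(face))  # near miss + passcode: learn it
            return "passcode+trained"
        return "passcode"                       # far miss: passcode only


def simulate(child_code):
    """Run the family scenario; child_code is the code the child types."""
    lock = ToyFaceLock(passcode="1234", guest_passcode="9999")
    lock.enroll(OWNER)
    return {
        "child_no_code": [lock.attempt(CHILD) for _ in range(3)],
        "spouse_with_code": lock.attempt(SPOUSE, "1234"),
        "spouse_face_after": lock.attempt(SPOUSE),
        "child_with_code": lock.attempt(CHILD, child_code),
        "child_face_after": lock.attempt(CHILD),
        # Someone who resembles the child but not the owner.
        "stranger_face_after": lock.attempt(STRANGER),
        "templates": len(lock.templates),
    }


if __name__ == "__main__":
    for code in ("1234", "9999"):
        print(code, simulate(code))
```

In this model a single passcode-confirmed near miss widens the accepted region enough to admit a third face that was never close to the owner, while the guest code leaves the template set untouched.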
Re: (Score:2)
This is true only if you are a close match to begin with.
Got a citation for this, other than the same marketing wank that incorrectly claimed this would only be a problem for twins and kids under 13?
Re: (Score:2)
No this is a thread for the Android zealots.
Because the iPhone X had very few problems compared to the other phones that came out around the same time. So we are finding a small number of cases where there are some problems and it is our thread to celebrate that our phone that we have purchased for whatever reason we purchased was a good idea and those who didn’t make the same choice are now realizing how wrong they are to oppose your viewpoint.
Or should the Apple Fanboys take a shot at finding all the
Re: (Score:3)
Why would we care?
Face Unlock on Android was broken years ago. It's taken this long for the iSnore to catch up *yawns*.
Re: (Score:2)
The solution to that is obvious.... implement a light-sensor switch in the hardware that considers any opening of the case, unless it has previously been expressly authorized, to be equivalent to having failed to enter the correct password after whatever limited number of failed attempts are defined before auto-deletion.
Re: cue the apple fanboy (Score:2)
Defective by obscurity (Score:2)
Yep.
Security by obscurity -> defective.
>> "the iPhone X was confused by the indoor/nighttime lighting"
Security by obscurity. Told you so.
Re: (Score:2)
Yep.
Security by obscurity -> defective.
>> "the iPhone X was confused by the indoor/nighttime lighting"
Security by obscurity. Told you so.
and they advertised it works perfectly fine in the dark, as your face is illuminated by 30,000 infrared dots from the true depth camera.
Re: (Score:2)
... he looks like his parents, but he can unlock both their phones, and they apparently can't unlock each other's phones so they don't look like each other. But their 13 year old son looks like both of them.
Re: So it's defective by design then? (Score:5, Funny)
Perhaps they aren't from West Virginia.
Re: (Score:2)
I can't get on with fingerprint scanners on the front. The back is where my finger naturally lands as I put my hand in my pocket to get my phone out.
The front feels clunky and means I have to use two hands to unlock my phone.
Re: (Score:2)
Re: (Score:2)
I don't have to press anything on the front of the device to wake it up, I just put my finger on the fingerprint reader and it unlocks and wakes up.
Re: (Score:2)
I was under the impression that we were talking about iphones here... which still need to be woken up to use, even if you don't have fingerprint detection on.
Is your objection that Apple has put the home button on the front of the device in the first place?
Re: (Score:2)
I tried it out on my girlfriend's phone, didn't like it.
Maybe it's because I have always had the scanner on the back and I'm just not used to it. It feels really unnatural.
Re: (Score:2)
as long as you don't have a case on the phone.
Re: (Score:2)
Bizarre as this may seem, the manufacturer of the case I use saw fit to include a cutout for the fingerprint reader.
Re: (Score:2)
So you type on your phone with it lying flat on the desk?
Again this is something that just feels unnatural to me, nearly always hold my phone while typing with one hand.
Re: (Score:2)
Because tapping your unlock code was even more work? Or is Android so fucked-up that you had one option or the other, but not both?
Re: (Score:2)
Of course, but legally you can, without anything special happening, be compelled to surrender your fingerprints to authorities for any investigation that they deem appropriate, even if you have not been personally convicted of any crime, or even if no crime has actually even occurred. Legally compelling you to surrender your pass code requires going to court first, where you at least have a chance of having a sympathetic judge.
Re: (Score:3)
The fingerprint reader on my $250 dollar Android phone keeps it safe enough and makes it quick to unlock.
Re: (Score:3, Insightful)
Quick to unlock, yes.
There is a real risk of "gelatin fingers". There are many videos, and some reliable newspaper stories, of people replicating fingerprints very successfully with gelatin or even Play-Doh. The approach was well documented in 2002, at https://cryptome.org/gummy.htm [cryptome.org].
Re: (Score:2)
That's why I qualified it with safe enough - for me it's the right balance between convenience and difficulty to break.
Re: (Score:2)
Re: (Score:2)
Dude, I'm much more worried about bolt cutters or even sharp knives with fingerprint-based security.
I like my fingers ATTACHED to my hand.
Two questions:
Re:That's funny... (Score:4, Interesting)
Re:That's funny... (Score:5, Informative)
Re: (Score:2)
Android seems to periodically ask for the unlock PIN/pattern when using fingerprint unlock, probably to make sure you don't forget it :)
Re: (Score:2)
I don't know about the phone you're using, but if I need to I can power down without unlocking at which point only the pin will unlock it again. Yes if an officer was quick and grabbed the phone before I was able to do so and physically forced my finger on the sensor then they could unlock the phone, but if they are so desperate to unlock my phone it's unlikely a PIN would stop them either [washingtonpost.com].
Re: (Score:2)
Which is a feature you can turn on on the iPhone too. So I don’t get your point.
I never bought into the hype of Apple's million to one FaceID rate because how could they get a good random sample size from their employee work force. Even at Apple's size you tend to get the same sort of people. And you will not have many generations of people and twins to check it out.
That said, biometrics are often still better than passwords because they are much easier to use and prevent people from having too simple pass
Re: (Score:2)
I never bought into the hype of Apple's million to one FaceID rate because how could they get a good random sample size from their employee work force
In other words FaceID is really, really good at distinguishing between different types of man buns.
Re: That's funny... (Score:5, Insightful)
Biometrics are not better than a password as a single method of authentication unless your data is worthless.
Passwords can be changed/rotated indefinitely. You only have one face, two eyes and 10 fingers.
Only idiots leave passwords on sticky notes. Literally everybody leaves fingerprints around, unless they don't have finger prints, in which case a finger print reader is useless to them anyway.
How "easy" it is to get you to give up a password depends on you. How easy it is to force your finger onto a finger print reader, less so.
Biometrics, being a physical characteristic of a person, are great for identification, i.e. as a replacement for a username. They're also perfectly reasonable as part of a multi-factor authentication. I'll combine finger print + the HMAC SHA challenge-response from yubikey or PKI from a smartcard for accessing my laptops for instance.
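The combination described in the comment above, with the biometric acting only as the account selector and an HMAC challenge-response proving possession of a token, sketched as an added example that is not part of the thread and not any vendor's implementation. The `SoftToken` and `Verifier` classes, the user name and the choice of HMAC-SHA1 are assumptions; the comment says only "HMAC SHA".

```python
import hashlib
import hmac
import secrets


class SoftToken:
    """Stand-in for a hardware token; the secret never leaves this object."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


class Verifier:
    def __init__(self):
        self._secrets = {}   # user id -> token secret shared at enrolment
        self._pending = {}   # user id -> outstanding single-use challenge

    def enroll(self, user: str, secret: bytes):
        self._secrets[user] = secret

    def begin(self, biometric_user: str):
        """A biometric match only names the account, like a username."""
        if biometric_user not in self._secrets:
            return None
        challenge = secrets.token_bytes(32)      # fresh nonce per attempt
        self._pending[biometric_user] = challenge
        return challenge

    def finish(self, biometric_user: str, response: bytes) -> bool:
        # pop() makes each challenge single use, so a captured response
        # cannot be replayed against it later.
        challenge = self._pending.pop(biometric_user, None)
        if challenge is None:
            return False
        expected = hmac.new(self._secrets[biometric_user], challenge,
                            hashlib.sha1).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo():
    secret = secrets.token_bytes(20)             # constructed sample secret
    verifier = Verifier()
    verifier.enroll("alice", secret)
    token = SoftToken(secret)

    c1 = verifier.begin("alice")
    r1 = token.respond(c1)
    owner_ok = verifier.finish("alice", r1)

    replay_without_challenge = verifier.finish("alice", r1)
    verifier.begin("alice")
    replay_on_new_challenge = verifier.finish("alice", r1)

    # A look-alike is falsely accepted by the face matcher as "alice",
    # but holds a different token.
    c3 = verifier.begin("alice")
    lookalike = verifier.finish("alice", SoftToken(b"not-alices-key").respond(c3))
    return owner_ok, replay_without_challenge, replay_on_new_challenge, lookalike


if __name__ == "__main__":
    print(demo())
```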
Re: (Score:3)
I kind of believe their rate, but you have to remember that they're counting it as if a random person in the entire world got your phone. People that are related to you or even just people with similar ancestry are far more likely to be a match.
Re: Embarrasment? (Score:2)
Re: Embarrasment? (Score:2)
Re: (Score:2)
We've seen on /. tons of examples of people losing their jobs over their opinions and activities. So it seems like there's a few things outside of work that can cost you your job if someone at the job doesn't like what you do outside of work.
Got issues? (Score:5, Insightful)
I've been completely blackballed throughout entire corporations just because of the brand of mouse I chose to buy, or the fact I refuse to use Facebook.
Oh bullshit. No corporation will give a shit about what brand of mouse you use unless you are a flaming asshat about it or somehow manage to violate their corporate IT rules. I don't use Facebook either and I have yet to run into a corporation that gives a shit about that even a little bit. Even if what you say is true that sounds like it is you that is the issue.
If you can't imagine anything in your phone (or not in it, for that matter) that anyone would take offense to, I suggest you either must not use it or you're just really naive.
If you work in a workplace that is THAT hypersensitive then I suggest you find a new and better employer. I can confidently say that there is absolutely nothing on or missing from my phone that I'm even a little worried about my coworkers getting offended over. That would be equally true of every employer I've ever worked for which at my age is quite a few of them. I would have some concerns about them getting access to some banking and financial info but that is the worst of it. Nothing there I'm the least bit embarrassed about including the contents of my emails and correspondence. I'm concerned about serious things like identity theft. That's not to say some people don't have some personal things they need to hide sometimes but if access to your phone is a concern then I suggest you keep such data off your phone.
Big companies generally devolve into popularity contests.
If you think that then I think you have serious social issues that no one here can help you with.
Re: (Score:2)
I would have some concerns about them getting access to some banking and financial info...
Careful there, you're dangerously close to noticing a crack in your own logical facade.
Re: (Score:2)
Careful there, you're dangerously close to noticing a crack in your own logical facade.
Nothing embarrassing about my financial info. There are reasons to worry about security but embarrassment shouldn't be one of them. Safety of physical person or assets is a reasonable argument. Embarrassment is not. If you have something embarrassing on your phone perhaps you should consider removing it from the phone.
Re:Got issues? (Score:5, Interesting)
I've been completely blackballed throughout entire corporations just because of the brand of mouse I chose to buy, or the fact I refuse to use Facebook.
Oh bullshit. No corporation will give a shit about what brand of mouse you use unless you are a flaming asshat about it or somehow manage to violate their corporate IT rules.
When I worked at Dell, our director made me get rid of my IBM Model M.
Brand loyalty (Score:2, Troll)
When I worked at Dell, our director made me get rid of my IBM Model M.
Given that Dell sells Dell branded keyboards that's hardly shocking. It's reasonable for companies to like their employees to show some brand loyalty for products they use on the job.
Re: (Score:2)
"fectal"???
Re: (Score:3)
"Anything else you might as well leave your phone unlocked or put a cheap pin on it so that your girlfriend isn't able to view your browser history."
When you've been on Slashdot for more than 10 years, do you get to have a girlfriend?
Re: (Score:2)