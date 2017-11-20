Follow Slashdot stories on Twitter

 


10-Year-Old Boy Cracks the Face ID On Both Parents' IPhone X (wired.com) 136

Posted by EditorDavid
An anonymous reader writes: A 10-year-old boy discovered he could unlock his father's phone just by looking at it. And his mother's phone too. Both parents had just purchased a new $999 iPhone X, and apparently its Face ID couldn't tell his face from theirs. The unlocking happened immediately after the mother told the son that "There's no way you're getting access to this phone."

Experiments suggest the iPhone X was confused by the indoor/nighttime lighting when the couple first registered their faces. Apple's only response was to point to their support page, which states that "the statistical probability is different...among children under the age of 13, because their distinct facial features may not have fully developed. If you're concerned about this, we recommend using a passcode to authenticate." The boy's father is now offering this advice to other parents. "You should probably try it with every member of your family and see who can access it."

And his son just "thought it was hilarious."

  • Sounds like excuses (Score:2, Funny)

    by Anonymous Coward

    You're looking at the phone wrong, etc., etc., etc........

  • That's funny... (Score:1)

    by Anonymous Coward
    The password on my $79 android phone seems to keep it safe...

    • Re: (Score:3)

      by AC-x ( 735297 )

      The fingerprint reader on my $250 dollar Android phone keeps it safe enough and makes it quick to unlock.

      • Re: (Score:2, Insightful)

        by Antique Geekmeister ( 740220 )

        Quick to unlock, yes.

        There is a real risk of "gelatin fingers". There are many videos, and some reliable newspaper stories, of people replicating fingerprints very successfully with gelatin or even Play-Doh. The approach was well documented in2002, at https://cryptome.org/gummy.htm [cryptome.org] .

    • Which is a feature you can turn on on the iPhone too. So I don’t get your point.
      I never bought into the hype of Apples million to one FaceID rate because how could they get a good random sample size from their employee work force. Even Apples size you tend to get the same sort of people. And you will not have many generations of people and twins to check it out.
      That said Biometric are often still better than passwords because they are much easier to use and prevents people from having too simple pass

      • I never bought into the hype of Apples million to one FaceID rate because how could they get a good random sample size from their employee work force

        In other words FaceID is really, really good at distinguishing between different types of man buns.

      • Granted you kid getting access to your phone is often embarrassing, but if one of your coworkers or your boss or a stranger gets access to it it could be devastating.

        If your coworkers getting access to your phone results in significant embarrassment I have to ask what on earth you are doing that you should be so embarrassed about. Yes it would be a problem but embarrassment should be pretty far down the list of worries if a coworker were to access your phone.

        • If you have to ask that then you have squandered your time on this planet.

        • Re: (Score:1, Insightful)

          by Narcocide ( 102829 )

          I've been completely blackballed throughout entire corporations just because of the brand of mouse I chose to buy, or the fact I refuse to use Facebook. If you can't imagine anything in your phone (or not in it, for that matter) that anyone would take offense to, I suggest you either must not use it or you're just really naive. Big companies generally devolve into popularity contests.

          • Got issues? (Score:2, Insightful)

            by sjbe ( 173966 )

            I've been completely blackballed throughout entire corporations just because of the brand of mouse I chose to buy, or the fact I refuse to use Facebook.

            Oh bullshit. No corporation will give a shit about what brand of mouse you use unless you are a flaming asshat about it or somehow manage to violate their corporate IT rules. I don't use Facebook either and I have yet to run into a corporation that gives a shit about that even a little bit. Even if what you say is true that sounds like it is you that is the issue.

            If you can't imagine anything in your phone (or not in it, for that matter) that anyone would take offense to, I suggest you either must not use it or you're just really naive.

            If you work in a workplace that is THAT hypersensitive then I suggest you find a new and better employer. I can confidently say that there is

      • Biometrics are not better than a password as a single method of authentication unless your data is worthless.

        Passwords can be changed/rotated indefinitely. You only have one face, two eyes and 10 fingers.

        Only idiots leave passwords on sticky notes. Literally everybody leaves fingerprints around, unless they donâ(TM)t have finger prints, in which case a finger print reader is useless to them anyway.

        How âoeeasyâ it is to get you to give up a password depends on you. How easy it is to force your

      • Re: (Score:3)

        by Imrik ( 148191 )

        I kind of believe their rate, but you have to remember that they're counting it as if a random person in the entire world got your phone. People that are related to you or even just people with similar ancestry are far more likely to be a match.

  • I wonder, can monozygotic twins unlock each other's phones? That would be even more hilarious.

  • ... and on the front too, not the back.

    I.e. you need to give people an option for no security, passcode, fingerprint or FaceID and let them decide on what balance of security and convenience they want.

    Right now it seems like the industry is either putting fingerprint scanners on the back or omitting them entirely. It's another example of a useful feature being omitted for mostly aesthetic reasons - i.e. bezel-less displays. Of course it saves on component cost too.

    • I can't get on with fingerprint scanners on the front. The back is where my finger naturally lands as I put my hand in my pocket to get my phone out.

      The front feels clunky and means I have to use two hands to unlock my phone.

  • The son is correct... (Score:1, Informative)

    by Anonymous Coward

    It IS hilarious. It's legitimately an odd way to authenticate anyway, and less secure than fingerprints, and way less secure than constantly typing annoying passphrases. It should be no surprise that there's endless ways to fool it.

  • Dang those shape-shifting children's faces! (Score:3, Funny)

    by antek9 ( 305362 ) on Monday November 20, 2017 @03:58AM (#55585369)
    Kids as skeleton keys, that would be so funny if it weren't the security desaster it actually is. What remains to be shown now is that a random group of, say, 10 children with no relation to an iPhonX (previous...) owner has a more than 10% chance of unlocking Face ID.

  • So it's defective by design then? (Score:1)

    by Anonymous Coward

    "the statistical probability is different...among children under the age of 13, because their distinct facial features may not have fully developed. If you're concerned about this, we recommend using a passcode to authenticate."

    So what they're saying is that all you need are a few foam heads with some generic features, and you should be able to unlock any iPhone X out there?

    What sort of bullshit security is this? By admitting this, they've basically admitted the entire feature cannot be trusted.

  • Scary (Score:5, Interesting)

    by Jonathan Carter™ ( 5162815 ) on Monday November 20, 2017 @04:15AM (#55585411)
    That's scary, that puts your children at risk at being kidnapped or being brought in by aggressive authorities in an attempt to get access to your device. Parents should rather avoid using this feature altogether.

  • Biometrics are not passwords (Score:5, Insightful)

    by bradley13 ( 1118935 ) on Monday November 20, 2017 @04:19AM (#55585427) Homepage

    Biometrics are user-ids, not passwords.

    There are three aspects to security: something you are, something you know, something you have. Implement two for rudimentary security, implement all three for good security.

    - Something you are: User ID, biometrics, or some other public information that serves to identify the person.

    - Something you know: Typically a password, used to prove the identity

    - Something you have: Second factor, used to prove that the password and identity were not stolen.

    Face-ID and fingerprints are insecure and easily fooled.

    • And even as a user-id it fails miserably as seen in TFA

    • Re: (Score:3)

      by AmiMoJo ( 196126 )

      Fingerprints seem to be pretty good in the real world. The FBI can't seem to crack them. UK security forces can't reliably crack them, so they have taken to following people until they unlock their phone and then staging a fake mugging to grab it in that state.

      Okay, maybe the NSA can get in, but for most people a good fingerprint scanner seems to be a reasonable option. The main issue is the lack of a panic button on some of them, i.e. something you do to disable it and require require the passcode. Apple l

    • I agree that you must use more than one authentication factor.

      In fact, it is terribly dangerous to use biometrics, because when somebody stole your data you are doomed for the rest of your life. And to use in consumer products it is very irresponsible because those products, no matter the brand neither the price, won't be so well designed as security oriented machines.

      Also ... light interferes, children younger than 13 years interfere, photocopies interfere ... this technology is useless on real life s

  • You're not really supposed to "unlock" an iPhoneX. The way FaceID is supposed to work, you pick it up from somewhere and when you instinctively look at the screen, it performs its magic and it's ready, no need to put the right finger on a sensor in the right way, or click on anything. After some time, you're probably going to forget it's actually authenticating you. Unfortunately, while in theory quite convenient, this has several drawbacks in terms of security and usability; it's not really a step forward

  • Between this, the debacle of iOS 11 and the fact that the Mac lines have been languishing under him, it's clear they need to get rid of him.

    And no, replacing him with the woman who runs the retail side is not good for the company no matter how good her number is or how desperately they want to put a woman in charge of the richest company in the world.

    At this point, they need a Satya Nadella who can actually get in there, balance both product lines, come up with new ones and reacquire alienated Mac users who

  • Just shows how crap face-id really is, and it also shows how Apple has tested this feature... like not..
  • Criminals will start using children under the age of 13 to unlock iphones... lol

  • We laugh now, but we all know that next year's (or the year after's) flagship Android phones will have Face ID.

  • confused by lighting? (Score:5, Interesting)

    by gravewax ( 4772409 ) on Monday November 20, 2017 @05:06AM (#55585551)
    So if it was confused by lighting does that mean apple outright lied how it works? or is that just fanboys trying to make up excuses? if you have something that operates by infrared dots on your face that supposedly works in dark or light how the fuck do you get confused by lighting conditions.

    • So if it was confused by lighting does that mean apple outright lied how it works? or is that just fanboys trying to make up excuses? if you have something that operates by infrared dots on your face that supposedly works in dark or light how the fuck do you get confused by lighting conditions.

      Because optimally you should have good lighting conditions (IR and Visible light) and not obscure your face when training a facial recognition system which is what this couple did according to the article summary. Additionally if you wear something that obstructs the face you might also want to train your system while wearing said item. The FR gear is intended to recognise you under sub-optimal conditions based on a training data sets made under optimal conditions, it is not intended to be reliable if the t

    • This may surprise you, but infrared radiation is very close in wavelength to this thing we perceive as "light", so much so that our "lights" in our house used to give of more of this mythical technology thing called "infrared" than actual light we perceived at one stage.

      If you think this interference means Apple is lying, I'm calling you ignorant. If you want to fix your ignorance look into the long history of using and sensing infrared in various fields, the history of TV remotes, IrDA, and even Nintendo's

    • To be clear, I'm not defending Apple here; using this technology for authentication is a stupid gimmick and quite possibly criminally negligent, too.

      However, for an important key to understanding how ambient lighting could confuse the everliving fuck out of sensors based on reading IR dots, I have one word for you: candles.

    • Re: (Score:2)

      by AmiMoJo ( 196126 )

      Maybe it does work as they describe, but they had to turn down the % match limit to make it usable. People expect the phone to unlock quickly when they look at it, in all lighting conditions and from various angles. Although humans can't see IR, it is still there and able to interfere with the iPhone's weak IR projection.

      Say it measures the distance between your eyes. To do that it has to find the corners of your eyes, from various angles and various distances. The resolution of the sensor is limited so the

  • Tim Cook's claim that FaceID is 20x more accurate than TouchID was kinda ridiculous. It is a neat technology and from what i hear it works well, but it is impossible to have face recognition that doesn't trigger false positives with relative ease. Telling people there's a one in a million chance that FaceID will mistake someone else face with yours is irresponsible.

    • "one-in-a-million chances crop up nine times out of ten."
      --Terry Pratchett

    • Re: (Score:2)

      by jrumney ( 197329 )
      One in a million basically means there are 7600 people who can unlock your phone just by looking at it. Due to the way evolution works, there is a good chance that some of those people are closely related to you.

  • You are holding it wrong (Score:4, Funny)

    by houghi ( 78078 ) on Monday November 20, 2017 @05:44AM (#55585657)

    Apple officials said "You are holding it wrong, in this case in front of the wrong person."

  • There has been numerous articles like this now. Apple has already explained that Face ID stores info about a persons face once a successful PIN code is entered to keep up with the users appearance over time. So whats most likely happened again is that the parents give their phones to their kids to try, the Face ID scan first fails and when the parents then put in the correct PIN code the phone stores information about the kids face together with the parents until eventually it learns to accept the kids fac

    • So it's broken, but they've explained so it's okay?

      If I enter my pin code, it's just what it is. It doesn't magically transmogrify into allowing a different pin code. No explanation needed by vendor - it's pretty much 'a given'.

  • If your kid can't unlock your iPhone X, maybe you should have a little chat with your wife.

  • At least the boy now knows, that the mailman ain't his father.

  • And his son just "thought it was hilarious."

    well, not only his son, i think it is hilarious as well.

  • Locked? (Score:3)

    by Bruinwar ( 1034968 ) <bruinwarNO@SPAMhotmail.com> on Monday November 20, 2017 @07:31AM (#55586011)
    I got a new phone a couple months ago & I've still not got around to locking it. I don't have Android pay or whatever set up (these things will make you set up a password). So what? If I lose it or it gets stolen, I call the provider & get the service shut off. It's sure is convenient to use right now. Am I missing something here?

    • ...not so cool when you've used the browser to authenticate with Google, and you've logged in the facebook app, and you've connected up your email to the email app.

      If you're never going to do those things, then yeah, don't bother with the lock. In fact, sell your phone and buy one of those cheap Nokias, as it'll do 90% of what you use your smart phone for, but at a fraction of the cost.

      The point is, for calls and texts, yes, your provider can stop that service. For anything else, they can't do that for you,

  • Missing the point (Score:3)

    by sjbe ( 173966 ) on Monday November 20, 2017 @07:38AM (#55586039)

    Think TouchID or FaceID like a lock on your front door. Yes it can be hacked and bypassed. Sometimes in ways you might not expect. It's low grade security. But that isn't the point. The point is to keep out the majority of less determined individuals out while being a reasonable balance between security and convenience for typical usage. If you want greater security there are features (passwords, etc) you can utilize to strengthen the system. Most of the time these are overkill but sometimes they are a very good idea. Anyone expecting TouchID or FaceID to provide iron clad security has incorrect ideas about what they are for and what their limitations are.

    • My mistake. I thought the point was so a cop could shove it in your face and have it unlock itself for him.

      • Re: (Score:2)

        by sjbe ( 173966 )

        My mistake. I thought the point was so a cop could shove it in your face and have it unlock itself for him.

        Make the password required and it's a non-issue.

    • Anyone expecting TouchID or FaceID to provide iron clad security has incorrect ideas about what they are for and what their limitations are.

      Apple seems to do. ApplePay, for example, is authorized by FaceID by default.

    • you're missing the point, biometrics for secure access in 2017 is a farce yet it is touted as being sufficient to protect your payments, a nuke plant, etc.

      low grade security indeed, but high grade uses are made

  • I had more than 50,000 snaps of family members and friends and relatives because when the digital cameras came along I became a obsessed shutter bug. When Picassa debuted face recognition I saw it as a boon to organize my photo collection.

    Very quickly I discovered it confused mothers with daughters. When our turn to host the pot-luck comes around, our guests used to gather around, let Picassa lose on the collection and laugh and marvel at the same time about its confusion.

  • Did anyone really expect this to be more than a modern "keypad lock"?

    On my first phone, one could lock and unlock the keypad by pressing 0000. This was not security measure, just a way of preventing accidental phone calls.

    Face ID is just the modern "keypad lock", the right photo of the person will probably also unlock the phone.
  • Once again, biometrics showing that they are an almost empty shell.
  • Look at my phone. It Unlocked! You are the father!

-- Wernher von Braun

