Android Iphone Security

In a Test, 3D Model of a Head Was Able To Fool Facial Recognition System of Several Popular Android Smartphones (forbes.com) 123

Forbes magazine tested four of the most popular handsets running Google's operating systems and Apple's iPhone to see how easy it'd be to break into them with a 3D-printed head. All of the Android handsets opened with the fake. Apple's phone, however, was impenetrable. From the report: For our tests, we used my own real-life head to register for facial recognition across five phones. An iPhone X and four Android devices: an LG G7 Linq, a Samsung S9, a Samsung Note 8 and a OnePlus 6. I then held up my fake head to the devices to see if the device would unlock. For all four Android phones, the spoof face was able to open the phone, though with differing degrees of ease. The iPhone X was the only one to never be fooled.

There were some disparities between the Android devices' security against the hack. For instance, when first turning on a brand new G7 Linq, LG actually warns the user against turning facial recognition on at all. No surprise then that, on initial testing, the 3D-printed head opened it straightaway. [...] The OnePlus 6 came with neither the warnings of the other Android phones nor the choice of slower but more secure recognition.

This discussion has been archived. No new comments can be posted.

  • is that not a bit retro? in 'Mission Impossible' they had rubber masks which pretty much fool everybody .... not just dumb smartphones.
  • by Seven Spirals ( 4924941 ) on Thursday December 13, 2018 @09:48AM (#57797704)
    You can't replace your fingerprints, iris, or head once they are compromised which happens about every 10 minutes these days.
    • by k2r ( 255754 ) on Thursday December 13, 2018 @09:55AM (#57797738)

      Thank you for pointing this out, again.
      I'm sure a 4 digit code smeared on the display is a lot safer.

      That is the alternative security measure for most people and thus most phones.

      Biometrics that are hard to spoof within the 4 tries an adversary has before the device falls back to a 6+ character alphanumeric code are just brilliant and way more secure in real life.

      • by Anonymous Coward on Thursday December 13, 2018 @10:02AM (#57797780)

        At least in the US, yes, the 4 digit PIN smeared all over your device is a lot safer. You see, that 4 digit PIN has been declared to be protected under the 4th amendment. Fingerprint scans and facial recognition haven't. So nobody needs to try to spoof it, they can just force you to unlock it and hold you in contempt until you do.

        • by Anonymous Coward

          That sounds like a good idea until you realize you unlocked your phone in the elevator to call your lawyer and the video camera now has your passcode. Passcodes are utter insecure shit.

          • by bob4u2c ( 73467 )

            until you realize you unlocked your phone in the elevator to call your lawyer

            Why are you calling your lawyer in the elevator? Unless you're going to chat about the weather I wouldn't risk someone else listening in on the conversation. Also passcodes can be changed; your fingers, face, and voice are quite a bit harder to change.

            Yes I know there are times and places you need to put in a pin (say for a debit card), in those places I usually fake a few button presses first, then put in my real pin, then a few more fake presses. Then when I'm done I lightly swipe the keypad to preve

        • At least in the US, yes, the 4 digit PIN smeared all over your device is a lot safer.

          What a hilarious gaffe you made repeating the very statement that proves you wrong!

          You see, that 4 digit PIN has been declared to be protected

          That protects you legally from having to reveal your passcode...

          However if you think back to that sentence you copied, they know from the smears on the screen the digits of your passcode. Making it very likely they could simply guess it.

          With an iPhone, if you see them holding a phon

          • Obligatory XKCD: https://xkcd.com/538/ [xkcd.com]

            That rabbit hole goes even deeper though. Is the information on your computer worth your life? Your daughter's life? Your family's life?

            And yes, even government officials can, have, and will resort to the above tactics if they deem it important enough.

            • Is the information on your computer worth your life? Your daughter's life? Your family's life?

              That depends - for me pretty much not, but for other people it may be.

              My privacy as an abstract concept is worth enough to be willing to miss flights over though, so that's all I ask of technology - to make it hard enough that someone seizing my phone would have to use more "extreme" measures to convince me to unlock something. Yes as soon as they pull out any kind of physical force I am giving them my password,

        • by AmiMoJo ( 196126 )

          If I were worried about a court being able to demand I unlock my phone I'd use more than 4 digits. Much more.

      • Re: (Score:3, Insightful)

        You only have six attempts to guess [apple.com] the right password: "If you enter the wrong passcode on an iOS device six times in a row, you'll be locked out and a message will say that your device is disabled."

        Good luck with that. And then it will be locked to your iCloud account which is nigh impossible to remove by anyone other Apple service centers. iPhone protection against theft is probably the best in the industry.
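The attempt-budget reasoning in the two posts above (a handful of biometric tries before the device demands the passcode, six wrong passcodes before it disables itself) modelled as a small state machine. This is an added example written for this page, not code from any phone vendor or from the commenters. The limits (4 and 6, taken from the thread), the `match_score` stand-in for a sensor's similarity output, and the PBKDF2 passcode storage are assumptions of the model; real devices add escalating delays and other rules on top of this.

```python
import hashlib
import hmac
import os
from enum import Enum


class State(Enum):
    BIOMETRIC_ALLOWED = "biometric_allowed"
    PASSCODE_REQUIRED = "passcode_required"
    DISABLED = "disabled"


class UnlockPolicy:
    """Toy model of a phone's unlock policy (constructed for illustration).

    Two counters drive the state machine:
      * failed biometric matches: after `bio_limit` the device stops consulting
        biometrics and demands the passcode (the "4 tries" from the thread);
      * failed passcodes: after `passcode_limit` the device disables itself
        (the "six times in a row" figure quoted from Apple's support page).
    """

    def __init__(self, passcode: str, bio_limit: int = 4, passcode_limit: int = 6):
        self.salt = os.urandom(16)
        self.passcode_hash = self._hash(passcode)
        self.bio_limit = bio_limit
        self.passcode_limit = passcode_limit
        self.bio_failures = 0
        self.passcode_failures = 0
        self.state = State.BIOMETRIC_ALLOWED

    def _hash(self, passcode: str) -> bytes:
        # Slow hash so a dumped verifier is still expensive to brute-force offline.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, 100_000)

    def try_biometric(self, match_score: float, threshold: float = 0.9) -> bool:
        """`match_score` stands in for the sensor's similarity output (assumed API)."""
        if self.state is not State.BIOMETRIC_ALLOWED:
            return False  # biometrics are not even evaluated once locked down
        if match_score >= threshold:
            self.bio_failures = 0
            return True
        self.bio_failures += 1
        if self.bio_failures >= self.bio_limit:
            self.state = State.PASSCODE_REQUIRED
        return False

    def try_passcode(self, passcode: str) -> bool:
        if self.state is State.DISABLED:
            return False
        if hmac.compare_digest(self._hash(passcode), self.passcode_hash):
            self.bio_failures = 0
            self.passcode_failures = 0
            self.state = State.BIOMETRIC_ALLOWED
            return True
        self.passcode_failures += 1
        if self.passcode_failures >= self.passcode_limit:
            self.state = State.DISABLED
        return False


def spoof_budget(policy: UnlockPolicy, spoof_scores: list) -> int:
    """Number of spoof presentations the policy actually evaluates before it
    falls back to the passcode, i.e. the real budget a fake head gets."""
    evaluated = 0
    for score in spoof_scores:
        if policy.state is not State.BIOMETRIC_ALLOWED:
            break
        policy.try_biometric(score)
        evaluated += 1
    return evaluated


if __name__ == "__main__":
    phone = UnlockPolicy("1234")
    # Ten presentations of a poor spoof: only the first four are ever scored.
    print("spoofs evaluated:", spoof_budget(phone, [0.5] * 10), phone.state)
```

`spoof_budget` is the property the thread is arguing about: whatever the quality of the spoof, at most `bio_limit` presentations are scored before biometrics are switched off and the six-attempt passcode budget takes over.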

      • by Seven Spirals ( 4924941 ) on Thursday December 13, 2018 @10:20AM (#57797860)
        aaand you miss the point ... again. You can change a fucking pin code. You can't change your iris-scan, dumbass. Not to mention the fact that you could have chosen to use a password instead of a stupid ass PIN. You could have chosen to use a dumbphone/dadphone and not have much information worth stealing on the device anyway, but you had to play Pokemon Go, right? We couldn't drag down your productivity by taking that away, I forgot... sorry.
        • Let's pretend you aren't a secret agent and the purpose of locking the phone is to deter theft not guard against APTs. Idiot.
        • by AmiMoJo ( 196126 )

          Aaand you miss the point... again.

          Under what circumstances would you want to change your iris? Your attacker makes a copy of your iris that is good enough to fool your phone into unlocking? Then your opponent is not your younger brother or an opportunistic thief, and you picked the wrong authentication method.

          If you are using biometrics as the only authentication factor in some critical application then you are doing it wrong. If you are just using it to stop your "friends" shitposting on your Facebook time

          • Well given that fingerprints and faces are almost trivial to fake easily with items a middle-schooler has access, too, then yeah. I don't doubt that there might also be "one easy trick" to duplicate iris scans, too. Either way it doesn't matter. The point is that you cannot change your biometrics, most can be duplicated easily, and that people tend to under-utilize security. Is it a good thing so that people like you can use it for extra convenience or is it a bad thing that people (surely not yourself - oh
            • Your face is obviously not a secret, but authentication doesn't require secrets. How do you authenticate your wife everyday?

              You trust your eyes, and you trust that [even though it's technically possible] it's not worth the substantial effort it would take for someone to try to fool your eyes.

              Biometric security works the same way. The iPhone has a pretty bullet-proof & un-hackable chain of trust between the 3D sensor and the authentication circuitry--and it's really difficult & expensive to try t
              • Good luck authenticating folks in IT without secrets. That'll go over great at your next security meeting, I'm sure. Maybe they will let you in now that you just passed your CISSP and are obviously another "security expert" with all the proper condescending buzzword bullshit lectures that entails. Suggest they switch corporate authentication to "handshake and a smile" and see how everyone will finally recognize your genius.
                  • I have no idea what a CISSP is and couldn't care less. There's nothing trendy about facial & voice recognition for authentication--it's literally how humans have authenticated one another for the last several millennia. It works really well and it's very hard to trick (despite Mission Impossible 3D mask BS). Critically, it *does not* rely on secrets (although it does rely on 'trusted hardware'). I realize that's hard for you to understand, but take a minute and think hard--you'll get it. I believe in you
                  • Let me know how that meeting with security goes. I'm sure they will love your "just use faces" idea. If they don't, lecture them about the world changing too fast. Maybe that'll somehow lend some credence to your ridiculous point.
                    • Secret-based authentication is a reasonable approach--that's one factor. Biometric (face recognition) is another factor. Put them together and you have 2-factor authentication. That's a fine solution for when you need the enhanced security provided by 2-factor authentication.

                      The whole thread was about your little tantrum that "you can't change your face". That childish little quip is born out of you not understanding that biometric authentication doesn't require secrets--and thus there's no reason to e
                    • As others have already said repeatedly, more succinctly, and with less hand-waving, tap-dancing, backpedaling bullshit: Biometrics are a username, not a password. You can't see any difference between someone disagreeing with you versus actually being mistaken. The world *is* changing, but as it thrashes through a lot of trial and error with new technology trying to get it right, there are missteps. You seem to be allergic to anyone pointing out those missteps because you have too much emotional investment
                    • If my phone was only protected by a username then you could get into it easily, since my username is not a secret. But if you had my phone in your hand right now there's no reasonable way you could get into it--even if you had a picture of my face or hell even if you had a full 3D model of my face. So explain to me how FaceID is no better than a username.

                      The problem is this: stupid IT morons can't understand secret-less authentication, they only understand username:password. They keep trying to understand
                    • You are high. Nobody cares if you think single-factor-use-your-face is a great idea except other people wearing black turtlenecks and hornrims using consumer grade devices and having no actual need for security beyond "good enough" which is all it's meant for along a continuum of smartphone options (mostly poor ones). You have apparently never heard of costumes, impersonation, sculpture, 3D printing, fiberglass, fake hair, latex, disguises, actors, or any number of other zillion year old "technology" that c
                    • Show me a single news story of somebody fooling FaceID with a photograph. It doesn't exist because FaceID *DOESN'T USE THE CAMERA*!

                      Pretty much nobody uses more than single-factor for access to their smartphone. The whole point of FaceID (and TouchID before that) is that most people were still using 0-factor. Decent security is better than no security.

                      You are falling into the classic security myth that if security isn't perfect then it is useless. People who understand security know that ALL security is
                    • Dude, you can't make shit up then argue with yourself. Well, you can, I guess, but I won't participate in that. I never said half the shit you are straw-manning up. At this point you are just arguing with your own lack of reading comprehension. Like I said, you are high and a bit retarded. I'm sorry the world is too complex for you.
        • Perhaps you should ask Linus about where he took his rage control lessons. I think they'd benefit you, too.
      • by Shaitan ( 22585 )

        The four digit pin is fine, and as someone else pointed out legally protected. Biometrics do have a serious issue, for one you just lowered the bar for biometric security to a smartphone that the carrier, feds, and Apple have backdoors into. Since those groups, and potentially their lowest common denominator of trust employee has your biometrics and can spoof them at will what are you going to use for the bank vault where you keep your diamonds?

        All these mass hacks dumping credentials? Soon enough they'll b

      • by tlhIngan ( 30335 )

        Thank you for pointing this out, again.
        I'm sure a 4 digit code smeared on the display is a lot safer.

        That is the alternative security measure for most people and thus most phones.

        Actually, it is. (And on iPhone, it's a 6 digit PIN). Legally too PINs are better.

        HOWEVER, people are human. And it turns out the use cases for phones are hundreds to thousands of quick glimpses at the phone throughout the day. So for the vast majority of people faced with either a PIN (or pattern or whatever), it gets in their way

    • by AmiMoJo ( 196126 ) on Thursday December 13, 2018 @10:21AM (#57797864) Homepage Journal

      Biometrics are better than nothing. In this case the attacker needs to scan your head and 3D print an actual-size model of it, so it's still better than a simple pattern unlock or nothing.

      It's all about understanding and evaluating the threat. Facial recognition is a cheap, fast and moderately secure system that will keep your friends and siblings and random thieves out.

      People who need real security on their phones use proper passwords.

    • by Anonymous Coward

      This. Which is why biometrics are fine for user name, and not for password. No one with any technical skill ever recommends biometrics for security credentials.
      Sadly the talking heads and MBAs love buzzwords and don't listen to actual code monkeys.

    • You can't replace your fingerprints, iris, or head once they are compromised which happens about every 10 minutes these days.

      How is my iris "compromised every 10 minutes?"

      The only people with a hash of my iris-pair are the Canada Border Services Agency, and you can't reverse-engineer a pair of irises from a hash of them.

      • That's because biometrics aren't used much; if iris scans were used to log in to every web site then they would be immediately compromised the moment you logged in. Also how do you know that Canada Border Services Agency only holds the hash, did you examine the scanner code?
      • Also consider that cameras gain resolution all the time. Most of us who live in a city walk past multiple cameras in many situations. Humans don't have a very reflective tapetum in their eye, but some light still does get reflected out. A camera of sufficiently high resolution could capture your fingerprints, iris scan, and face with enough detail to reproduce any of the three. They are already good enough that a skilled sculptor could reproduce your face from. Fingerprints get left everywhere you go for any
        • Most of us who live in a city walk past multiple cameras in many situations. Humans don't have a very reflective tapetum in their eye, but some light still does get reflected out. A camera of sufficiently high resolution could capture your fingerprints, iris scan, and face with enough detail to reproduce any of the three.

          Luckily I have a wicked-awesome specially-made tinfoil hat that prevents this.

    • True (I would like some citation that this happens every 10 minutes), However this type of information requires a targeted attack, meaning the hacker wants to break into the system with a particular person's credentials. This is a lot of work, as there are often easier ways around it. I am still baffled on why the FBI cannot break the encryption on an iPhone, where all they need to do is open up the device take out the SSD chip and download the data onto another computer with an OS that will not delete th

      • I exaggerated, but we all walk past cameras every day and leave our fingerprints all over. Iris scans would only require more resolution (which gets better all the time). I share your curiosity about the PIN-brute-forcing. I'd be surprised if that hasn't already been tried or is the current state of the art for the cops already. I also agree with you about the fact that most successful authentication attacks are results of implementation errors or social engineering.
  • by Artem S. Tashkinov ( 764309 ) on Thursday December 13, 2018 @09:54AM (#57797732) Homepage

    IOW most if not all biometric authentication systems suck unless they are coupled with old boring passwords. You leave your fingerprints on everything you touch. Your face and retina can be remotely scanned, saved and duplicated. This leaves us with brainwaves but I'm not entirely sure they can't be copied as well. But you can be sure as hell brainwaves authentication will be incredibly difficult and expensive to implement for smartphone security.

    Why weren't they able to crack Apple FaceID? Maybe because their 3D printer wasn't good enough as FaceID scans over 30 000 spatial dots [apple.com] in order to verify your identity but there were reports [gizmodo.com] that it's already been cracked.

    • by Anonymous Coward

      Face ID was cracked less than a month after the original iPhone X was released. In short, they're doing it wrong if they can't fool it with their head. (Most likely they screwed up the eyes. The iPhone really likes the details around the eyes.)

    • IIRC Apple looks specifically for eye movement, and probably looks at IR (aka heat) along with, or instead of, just visible light. I bet the 3D model could work using a hair dryer to heat up the outer surfaces in a lifelike manner, along with some moveable glass eyes. Not especially practical (right now), but with enough demand, a literal framework with internal heating and moving eyes could be created pretty easily, and a head model could be 3D printed around that.

      Still prefer my fingerprint sensor.

      • I bet the 3D model could work using a hair dryer to heat up the outer surfaces in a lifelike manner, along with some moveable glass eyes.

        That sounds plausible, so it's just a question of sufficient resources and time.

      • by Anonymous Coward

        It doesn't look for eye movement and it doesn't measure heat off the face. It uses IR, but not that kind of IR. IR is actually a fairly large band of EMR - the type Apple uses for the iPhone is "near-infrared" while the band used for thermal imaging of human body temperatures is "long-wavelength infrared."

        What it does look for is that the eyes are open and that it can see the iris. And that's almost certainly what this "3D head" was missing - eyes that the iPhone would see as being "open."

  • Is that possible?

    • Nope, it's just that Apple's face ID uses infrared -- it's probably looking for some sort of heat signature. A fake head wouldn't have that, and thus doesn't fool it.

  • I have a laptop with "Windows Hello", which is a terrible name for their version of FaceID. It actually works very well after going through some sort of machine learning curve. My phone is too old to have such a feature, but my wife liked it enough to ask if we could do it with the webcam on the desktop. No-go there without a new webcam, as only some support it. I looked into it only briefly, but I believe in addition to some security features, it used infrared or similar spectrum to ensure it was looki
  • by fluffernutter ( 1411889 ) on Thursday December 13, 2018 @10:11AM (#57797816)
    No mobile phone is secure. Don't do things on a mobile phone that you want to keep secret.
    • Especially if you've been handing out high-quality 3D replicas of your head, don't use facial recognition and expect it to be secure.

      But yeah pretty much don't expect any technology made after about 1850 to be secure. If you're a spy, a piece of paper and a one time pad might be the way to go.

  • by Headw1nd ( 829599 ) on Thursday December 13, 2018 @10:35AM (#57797952)
    Considering that humans could quite possibly be fooled by a 3D printed head in similar conditions, I'm actually very impressed they weren't all cracked. I also think this is an edge case scenario- Your phone is taken by someone who has the data, resources, and the will to make a 3D model of your head just to open it. Usually people would point to the government as a possible culprit here, but the government doesn't need to go to these lengths, they can use your actual face. [forbes.com]
    • I also think this is an edge case scenario- Your phone is taken by someone who has the data, resources, and the will to make a 3D model of your head

      Not shown: How many of the same phones are also opened by a printout of the face.

      Doesn't take many resources to take a picture of someone's face and print it out...

      That's because a lot of the Android phones that use facial recognition are doing so from a single camera with no depth map, the way the iPhone works.

    • by pz ( 113803 ) on Thursday December 13, 2018 @12:15PM (#57798486) Journal

      Blinking, or other biomimetic movement, that's what ultimately makes a real head distinguishable from a statue, no matter how good the artist.

      Or, if you've got a decent imaging apparatus, you can detect blood pulsations in real flesh (e.g., http://news.mit.edu/2010/pulse... [mit.edu])
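The single-camera, no-depth-map observation a few posts up and pz's point about blinking and pulse detection, as a worked example written for this page (not code from the Forbes test, from Apple, or from the MIT work linked above): a depth-spread check, which a flat printout fails but a 3D-printed head passes, and a pulse-periodicity check over the per-frame mean green value of the skin region, which a static head fails. The thresholds, the 30 fps trace length, the 72 bpm test pulse, the pure-Python DFT, and the three inputs (printout, head, person) are all constructed for the example.

```python
import math
import random
import statistics

FPS = 30.0                   # frames per second of the constructed video trace
HEART_BAND_HZ = (0.7, 3.0)   # roughly 42 to 180 beats per minute
MIN_DEPTH_SPREAD_MM = 5.0    # below this spread the subject is treated as flat
MIN_PULSE_RATIO = 0.4        # share of signal energy required in the heart-rate band


def depth_spread_mm(depth_map):
    """Standard deviation (mm) of a depth map.

    A photo held up to a camera is a plane, so its depth barely varies. A real
    face and a 3D-printed head both vary by centimetres, which is why depth
    separates printouts from heads but not heads from people."""
    values = [v for row in depth_map for v in row]
    return statistics.pstdev(values)


def band_power_ratio(samples, fps=FPS, band=HEART_BAND_HZ):
    """Share of the DC-removed signal energy that falls in the heart-rate band.

    `samples` is the per-frame mean green value of the skin region; blood volume
    changes modulate it at the heart rate. O(n^2) DFT, fine for a 10 s trace."""
    n = len(samples)
    mean = sum(samples) / n
    x = [s - mean for s in samples]
    total = in_band = 0.0
    for k in range(1, n // 2):
        re = sum(x[t] * math.cos(2 * math.pi * k * t / n) for t in range(n))
        im = sum(x[t] * math.sin(2 * math.pi * k * t / n) for t in range(n))
        power = re * re + im * im
        total += power
        if band[0] <= k * fps / n <= band[1]:
            in_band += power
    return in_band / total if total else 0.0


def liveness_checks(depth_map, green_trace):
    """Outcome of both checks; a subject must pass both to count as live."""
    has_depth = depth_spread_mm(depth_map) >= MIN_DEPTH_SPREAD_MM
    has_pulse = band_power_ratio(green_trace) >= MIN_PULSE_RATIO
    return {"depth": has_depth, "pulse": has_pulse, "live": has_depth and has_pulse}


# --- constructed sample inputs (not real sensor data) ------------------------

def make_depth_map(flat, size=16, seed=0):
    """Plane at ~400 mm for a printout; a dome protruding ~40 mm for a head."""
    rng = random.Random(seed)
    grid = []
    for i in range(size):
        row = []
        for j in range(size):
            r = math.hypot(i - size / 2, j - size / 2) / (size / 2)
            bulge = 0.0 if flat else 40.0 * max(0.0, 1.0 - r * r)
            row.append(400.0 - bulge + rng.gauss(0.0, 0.5))  # 0.5 mm sensor noise
        grid.append(row)
    return grid


def make_green_trace(with_pulse, seconds=10, bpm=72, seed=1):
    """Mean green value per frame: sensor noise only, or noise plus a pulse."""
    rng = random.Random(seed)
    n = int(seconds * FPS)
    f = bpm / 60.0
    trace = []
    for t in range(n):
        pulse = 0.5 * math.sin(2 * math.pi * f * t / FPS) if with_pulse else 0.0
        trace.append(120.0 + pulse + rng.gauss(0.0, 0.3))
    return trace


if __name__ == "__main__":
    print("printout:", liveness_checks(make_depth_map(flat=True), make_green_trace(False)))
    print("3D head: ", liveness_checks(make_depth_map(flat=False), make_green_trace(False)))
    print("person:  ", liveness_checks(make_depth_map(flat=False), make_green_trace(True)))
```

Running it shows the layering the thread is circling around: the printout fails at the depth check, the printed head passes depth but fails the pulse check, and only the trace with a periodic component in the heart-rate band passes both.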

      • Those are good ideas. It's pretty tough to believe a skilled sculptor couldn't reproduce someone's face/head quickly and with cheap materials using just a simple photo. They usually start with Styrofoam then use clay, waxes, and other items to make the face look realistic. Ever been to a wax museum? I seriously doubt you'd need to be even close to that skilled to fool a smartphone. After all, the phone has to be pretty forgiving to work for the person in different outfits, hats, weather, etc... I've known s
  • by SocietyoftheFist ( 316444 ) on Thursday December 13, 2018 @10:59AM (#57798108)

    I wonder about the facial recognition built in to the Microsoft surface devices.

  • Physical security shouldn't be taken lightly. Keep your hands on your stuff.
  • by Impy the Impiuos Imp ( 442658 ) on Thursday December 13, 2018 @12:25PM (#57798556) Journal

    Interesting, but this isn't the first 3D printed body part to convincingly mimic the real thing.

  • The next step is you attach a device to the phone which has independent displays feeding each camera.
    After you calibrate the signal, you can pass your AR world with a dynamic fake head, that blinks and moves.

    Should be closer to reality and you don't have to carry around a fake head to unlock your phone ...

    I guess for security, you could use such a device to increase security, by using a fake head model that is not your own or even real. Perhaps Luke Skywalker with bunny ears.

    Perhaps a randomly

  • Who would ever think that all the methods that have continually worked over and over to defeat biometric methods would continue to work?

    P.S.: Train your data sets with reality, not with artificial segments of reality.

  • Instead, use a strong alphanumeric passcode, recommended Matt Lewis, research director at cybersecurity contractor NCC Group.

    And if you want to make your strong passcode even more secure, configure your phone so it doesn't briefly show each character of your passcode as you enter it. Looking over someone's shoulder is even easier than building a fancy fake head.
