In a Test, 3D Model of a Head Was Able To Fool Facial Recognition System of Several Popular Android Smartphones (forbes.com) 123
Forbes magazine tested four of the most popular handsets running Google's operating systems and Apple's iPhone to see how easy it'd be to break into them with a 3D-printed head. All of the Android handsets opened with the fake. Apple's phone, however, was impenetrable. From the report: For our tests, we used my own real-life head to register for facial recognition across five phones. An iPhone X and four Android devices: an LG G7 Linq, a Samsung S9, a Samsung Note 8 and a OnePlus 6. I then held up my fake head to the devices to see if the device would unlock. For all four Android phones, the spoof face was able to open the phone, though with differing degrees of ease. The iPhone X was the only one to never be fooled.
There were some disparities between the Android devices' security against the hack. For instance, when first turning on a brand new G7 Linq, LG actually warns the user against turning facial recognition on at all. No surprise then that, on initial testing, the 3D-printed head opened it straightaway. [...] The OnePlus 6 came with neither the warnings of the other Android phones nor the choice of slower but more secure recognition.
Re: (Score:2)
Re: (Score:2)
A company obsessed with a completely closed platform and total ownership of that platform is never the lesser of two evils.
That said, if you are already using a smartphone connected to a carrier it's a little late to pretend the security of your data and privacy are important to you. You already sold them for convenience. At that point the questions are how many Johns; do you speak Greek; what are your rates; and about just a little metadata?
Re: (Score:2)
As for the carrier and my data and privacy, how exactly are they able to peer into my data considering all of it is encrypted at rest on the iPhone and all of it that moves off my phone over their pipes is encrypted as well?
Re: (Score:1)
Right. The smartest ones are those that pay 3x more to have the same technology, but with a fruit figure etched into its frame.
The irony of your comment is lost on you, isn't it? Especially considering the content of the article on which you're commenting.
Re: (Score:2)
mission impossible (Score:2)
Re: (Score:1)
Yep, and none of this will stop the police from holding your skull in place and forcing your index finger onto the phone to unlock it. They aren't afraid to get handsie and they tend to come in enough numbers to overwhelm you. Not to mention defending yourself against the police just gets you in more trouble.
Have fun with your "safe" phone.
Re: mission impossible (Score:1)
Can't force your eyes open (Score:2)
Yep, and none of this will stop the police from holding your skull in place
Even if they do that as long as your eyes are closed it won't unlock the phone.
Especially if you saw there might be an issue and tapped the power button five times, which makes all iPhones require a passcode to unlock instead of biometrics...
Apple is the only one with a truly secure approach, in public view use biometrics to unlock your device, instead of using your password in public in view of many cameras. Then when entering secu
Re: (Score:2)
Apple is the only one with a truly secure approach,
Number 538!
Re: (Score:2)
If the RCMP wants a look at my phone I'll happily unlock it for them. What's important to me is that if a random meth-head or similar thieving opportunist steals my phone they can't grab my personal data for nefarious purposes.
If I was into serious stuff and using my daily phone for it, I'd disable biometrics. Until then FaceId is brilliant and safe for my use case.
Biometrics are generally a bad idea (Score:5, Insightful)
Biometrics are generally a brilliant idea (Score:5, Insightful)
Thank you for pointing this out, again.
I'm sure a 4 digit code smeared on the display is a lot safer.
That is the alternative security measure for most people and thus most phones.
Biometrics that are hard to spoof within the 4 tries an adversary has before the device falls back to a 6+ character alphanumeric code are just brilliant and way more secure in real life.
Re:Biometrics are generally a brilliant idea (Score:5, Informative)
At least in the US, yes, the 4 digit PIN smeared all over your device is a lot safer. You see, that 4 digit PIN has been declared to be protected under the 4th amendment. Fingerprint scans and facial recognition haven't. So nobody needs to try to spoof it, they can just force you to unlock it and hold you in contempt until you do.
Re: (Score:1)
That sounds like a good idea until you realize you unlocked your phone in the elevator to call your lawyer and the video camera now has your passcode. Passcodes are utter insecure shit.
Re: (Score:1)
until you realize you unlocked your phone in the elevator to call your lawyer
Why are you calling your lawyer in the elevator? Unless you're going to chat about the weather I wouldn't risk someone else listening in on the conversation. Also pass codes can be changed; your fingers, face, and voice are quite a bit harder to change.
Yes I know there are times and places you need to put in a pin (say for a debit card), in those places I usually fake a few button presses first, then put in my real pin, then a few more fake presses. Then when I'm done I lightly swipe the keypad to preve
Whoosh (Score:2)
At least in the US, yes, the 4 digit PIN smeared all over your device is a lot safer.
What a hilarious gaffe you made repeating the very statement that proves you wrong!
You see, that 4 digit PIN has been declared to be protected
That protects you legally from having to reveal your passcode...
However if you think back to that sentence you copied, they know from the smears on the screen the digits of your passcode. Making it very likely they could simply guess it.
With an iPhone, if you see them holding a phon
Re: (Score:3)
Obligatory XKCD: https://xkcd.com/538/ [xkcd.com]
That rabbit hole goes even deeper though. Is the information on your computer worth your life? Your daughter's life? Your family's life?
And yes, even government officials can, have, and will resort to the above tactics if they deem it important enough.
Re: (Score:2)
Is the information on your computer worth your life? Your daughter's life? Your family's life?
That depends - for me pretty much not, but for other people it may be.
My privacy as an abstract concept is worth enough to be willing to miss flights over though, so that's all I ask of technology - to make it hard enough that someone seizing my phone would have to use more "extreme" measures to convince me to unlock something. Yes as soon as they pull out any kind of physical force I am giving them my password,
Re: (Score:2)
If I were worried about a court being able to demand I unlock my phone I'd use more than 4 digits. Much more.
Re: (Score:3, Insightful)
You only have six attempts to guess [apple.com] the right password: "If you enter the wrong passcode on an iOS device six times in a row, you'll be locked out and a message will say that your device is disabled."
Good luck with that. And then it will be locked to your iCloud account which is nigh impossible to remove by anyone other than Apple service centers. iPhone protection against theft is probably the best in the industry.
Re:Biometrics are generally a brilliant idea (Score:5, Insightful)
Re: Biometrics are generally a brilliant idea (Score:2)
Re: (Score:2)
I'm not sure how that works. Does the thief ask you if your phone is protected by a password before they take it?
Re: Biometrics are generally a brilliant idea (Score:2)
Re: (Score:2)
So you use a password because you often leave your phone unattended in places filled with untrustworthy strangers?
Re: (Score:3)
Aaand you miss the point... again.
Under what circumstances would you want to change your iris? Your attacker makes a copy of your iris that is good enough to fool your phone into unlocking? Then your opponent is not your younger brother or an opportunistic thief, and you picked the wrong authentication method.
If you are using biometrics as the only authentication factor in some critical application then you are doing it wrong. If you are just using it to stop your "friends" shitposting on your Facebook time
Re: (Score:2)
You don't understand biometrics (Score:2)
You trust your eyes, and you trust that [even though it's technically possible] it's not worth the substantial effort it would take for someone to try to fool your eyes.
Biometric security works the same way. The iPhone has a pretty bullet-proof & un-hackable chain of trust between the 3D sensor and the authentication circuitry--and it's really difficult & expensive to try t
Re: (Score:2)
I'm sorry the world is changing too fast for you. (Score:2)
Re: (Score:1)
There will always be passwords (Score:2)
The whole thread was about your little tantrum that "you can't change your face". That childish little quip is borne out of you not understanding that biometric authentication doesn't require secrets--and thus there's no reason to e
Re: (Score:2)
A username provides zero protection. (Score:2)
The problem is this: stupid IT morons can't understand secret-less authentication, they only understand username:password. They keep trying to understand
Re: (Score:2)
So now you're just lying (Score:2)
Pretty much nobody uses more than single-factor for access to their smartphone. The whole point of FaceID (and TouchID before that) is that most people were still using 0-factor. Decent security is better than no security.
You are falling into the classic security myth that if security isn't perfect then it is useless. People who understand security know that ALL security is
Re: (Score:2)
The four digit pin is fine, and as someone else pointed out legally protected. Biometrics do have a serious issue, for one you just lowered the bar for biometric security to a smartphone that the carrier, feds, and Apple have backdoors into. Since those groups, and potentially their lowest common denominator of trust employee has your biometrics and can spoof them at will what are you going to use for the bank vault where you keep your diamonds?
All these mass hacks dumping credentials? Soon enough they'll b
Re: (Score:2)
Actually, it is. (And on iPhone, it's a 6 digit PIN). Legally too PINs are better.
HOWEVER, people are human. And it turns out the use cases for phones are hundreds to thousands of quick glimpses at the phone throughout the day. So for the vast majority of people faced with either a PIN (or pattern or whatever), it gets in their way
Re:Biometrics are generally a bad idea (Score:5, Interesting)
Biometrics are better than nothing. In this case the attacker needs to scan your head and 3D print an actual-size model of it, so it's still better than a simple pattern unlock or nothing.
It's all about understanding and evaluating the threat. Facial recognition is a cheap, fast and moderately secure system that will keep your friends and siblings and random thieves out.
People who need real security on their phones use proper passwords.
Re: (Score:1)
This. Which is why biometrics are fine for user name, and not for password. No one with any technical skill ever recommends biometrics for security credentials.
Sadly the talking heads and MBAs love buzzwords and don't listen to actual code monkeys.
Re: (Score:2)
You can't replace your fingerprints, iris, or head once they are compromised which happens about every 10 minutes these days.
How is my iris "compromised every 10 minutes?"
The only people with a hash of my iris-pair are the Canada Border Services Agency, and you can't reverse-engineer a pair of irises from a hash of them.
Re: (Score:2)
Most of us who live in a city walk past multiple cameras in many situations. Humans don't have a very reflective tapetum in their eye, but some light still does get reflected out. A camera of sufficiently high resolution could capture your fingerprints, iris scan, and face with enough detail to reproduce any of the three.
Luckily I have a wicked-awesome specially-made tinfoil hat that prevents this.
Re: (Score:2)
True (I would like some citation that this happens every 10 minutes). However, this type of information requires a targeted attack, meaning the hacker wants to break into the system with a particular person's credentials. This is a lot of work, as there are often easier ways around it. I am still baffled on why the FBI cannot break the encryption on an iPhone, where all they need to do is open up the device take out the SSD chip and download the data onto another computer with an OS that will not delete th
Re: (Score:2)
Exactly (Score:3)
IOW most if not all biometric authentication systems suck unless they are coupled with old boring passwords. You leave your fingerprints on everything you touch. Your face and retina can be remotely scanned, saved and duplicated. This leaves us with brainwaves but I'm not entirely sure they can't be copied as well. But you can be sure as hell brainwaves authentication will be incredibly difficult and expensive to implement for smartphone security.
Why weren't they able to crack Apple FaceID? Maybe because their 3D printer wasn't good enough as FaceID scans over 30 000 spatial dots [apple.com] in order to verify your identity but there were reports [gizmodo.com] that it's already been cracked.
Re: (Score:1)
Face ID was cracked less than a month after the original iPhone X was released. In short, they're doing it wrong if they can't fool it with their head. (Most likely they screwed up the eyes. The iPhone really likes the details around the eyes.)
Re: Exactly (Score:1)
IIRC Apple looks specifically for eye movement, and probably looks at IR (aka heat) along with, or instead of, just visible light. I bet the 3D model could work using a hair dryer to heat up the outer surfaces in a lifelike manner, along with some moveable glass eyes. Not especially practical (right now), but with enough demand, a literal framework with internal heating and moving eyes could be created pretty easily, and a head model could be 3D printed around that.
Still prefer my fingerprint sensor.
Re: (Score:2)
That sounds plausible, so it's just a question of sufficient resources and time.
Re: (Score:1)
It doesn't look for eye movement and it doesn't measure heat off the face. It uses IR, but not that kind of IR. IR is actually a fairly large band of EMR - the type Apple uses for the iPhone is "near-infrared" while the band used for thermal imaging of human body temperatures is "long-wavelength infrared."
What it does look for is that the eyes are open and that it can see the iris. And that's almost certainly what this "3D head" was missing - eyes that the iPhone would see as being "open."
Apple driven test? (Score:2)
Is that possible?
Re: (Score:3)
Nope, it's just that Apple's face ID uses infrared -- it's probably looking for some sort of heat signature. A fake head wouldn't have that, and thus doesn't fool it.
Infrared? (Score:2)
Re: (Score:2)
Security (Score:3)
Especially after giving away your head (Score:2)
Especially if you've been handing out high-quality 3D replicas of your head, don't use facial recognition and expect it to be secure.
But yeah pretty much don't expect any technology made after about 1850 to be secure. If you're a spy, a piece of paper and a one time pad might be the way to go.
Re: (Score:2)
I'm actually impressed (Score:5, Informative)
Not many resources required (Score:3)
I also think this is an edge case scenario- Your phone is taken by someone who has the data, resources, and the will to make a 3D model of your head
Not shown: How many of the same phones are also opened by a printout of the face.
Doesn't take many resources to take a picture of someone's face and print it out...
That's because a lot of the Android phones that use facial recognition are doing so from a single camera with no depth map, the way the iPhone works.
Re:I'm actually impressed (Score:4, Informative)
Blinking, or other biomimetic movement, that's what ultimately makes a real head distinguishable from a statue, no matter how good the artist.
Or, if you've got a decent imaging apparatus, you can detect blood pulsations in real flesh (e.g., http://news.mit.edu/2010/pulse... [mit.edu])
Re: (Score:2)
How about testing a Surface? (Score:3)
I wonder about the facial recognition built in to the Microsoft surface devices.
Which only reinforces the obvious (Score:2)
So soon (Score:3)
Interesting, but this isn't the first 3D printed body part to convincingly mimic the real thing.
next step: direct digital face model (Score:1)
The next step is you attach a device to the phone which has independent displays feeding each camera.
After you calibrate the signal, you can pass your AR world with a dynamic fake head, that blinks and moves.
Should be closer to reality and you don't have to carry around a fake head to unlock your phone ...
I guess for security, you could use such a device to increase security, by using a fake head model that is not your own or even real. Perhaps Luke Skywalker with bunny ears.
Perhaps a randomly
I am shocked, shocked I tell you! (Score:2)
Who would ever think that all the methods that have continually worked over and over to defeat biometric methods would continue to work?
P.S.: Train your data sets with reality, not with artificial segments of reality.
Passwords (Score:2)
And if you want to make your strong passcode even more secure, configure your phone so it doesn't briefly show each character of your passcode as you enter it. Looking over someone's shoulder is even easier than building a fancy fake head.