back to article iPhone X Face ID fooled again by 'evil twin' mask

Security researchers have once again claimed a simple mask can hoodwink Apple's Face ID authentication system, which graces the tech giant's $1,000 iPhone X. Earlier this month, bods at Bkav, based in Vietnam, demonstrated it was possible to bypass the face-recognizing login mechanism using a $150 3D-printed mask, effectively …

  1. John H Woods Silver badge

    Does anyone really have to say it?

    Biometrics are usernames and not passwords

    1. Charles 9

      Re: Does anyone really have to say it?

      And what if that's ALL you have to work with because you're dealing with people with bad memories?

      1. sabroni Silver badge

        Re: what if that's ALL you have to work with

        Then that user has no password and their device isn't secure.

        1. Charles 9

          Re: what if that's ALL you have to work with

          And they NEED a secure device. So how do we propose going about this if ALL they have is what they ARE (since they can't reliably KNOW anything and can't be counted on to keep something to HAVE due to that memory).

          That's my problem. I have friends and family I'm trying to protect, and some of them are VERY far away.

  2. Lorribot

    So son two has a One:5t or whatever it is called and his twin brothers' face unlock his phone, go figure the weirdness of an accurate representaion of a persons face working in this way, probably the easiest to copy or simulate, can unlock a phone.

    Can we go back to finger prints, vein scans or eye ball recongnition for the important stuff now?

    1. oldcoder

      Even finger prints, fein scans, and eye ball recognition can be hacked.

      ANY biometric can be duplicated.

      1. Anonymous Coward
        Anonymous Coward

        And it can't be changed

        1. Charles 9

          Neither can poor memory. What else can you use that doesn't rely on unreliable recall.

          1. Kane
            Joke

            "Neither can poor memory..."

            You seem to have forgotten that you have posted this comment already.

            1. Charles 9

              No, I just haven't gotten an answer. This is dead serious; I have a real-world problem regarding this. I'm talking people who can't remember safe combinations to save their lives, yet important things like benefits REQUIRE this kind of access.

              1. charles_chevaux

                Write your passcode on a piece of paper in ink that only shows up when you illuminate it with your UV pocket pen lamp, and keep that piece of paper in an obscure corner of your wallet.

                1. Charles 9

                  Until it gets nicked and taken to a dance club or whatever that ALSO uses black lights. And, of course, there's the matter of LOSING the pen lamp or it running out of batteries.

          2. handleoclast
            Coat

            Re: What else can you use that doesn't rely on unreliable recall.

            You could perhaps rely on unreliable recall itself.

            Phone asks questions. Attacker answers. Real owner can't remember the answers to some of the questions. Add a touch of magic AI powder to detect patterns in the failure to answer and you have a recognition system.

            I think I left my phne in my coat pocket ---->

        2. CrazyOldCatMan Silver badge

          And it can't be changed

          I think you'll find that diabetic retinaopthy (speeling? Doesn't look right) can sort out changing your retina for you..

      2. Anonymous Coward
        Anonymous Coward

        ANY biometric can be duplicated.

        Except for my 1inch long banana, because no one else wants to.

    2. Anonymous Coward
      Anonymous Coward

      Ball

      I missed the “eye” part of your “eye ball” comment the first read, and quickly thought how that would be difficult to explain when the police get called.

    3. jgarbo
      Facepalm

      How about a complex geometric pattern (my Samsung Note) or a longish passphrase, eg about yRcH1ldhdh0m3, minus a few vowels? Important thing, you can change it anytime, not like face or fingerprint. Another Apple gadget that fails in use.

      1. Michael H.F. Wilkinson Silver badge

        Good iris recognition systems are pretty secure. You can easily test the presence of a real eyeball in two important ways. If it is a printed digital image of an iris, the regular printing pattern will leave easily detected spikes in the Fourier spectrum. This doesn't work on old-fashioned prints from negatives. However, briefly raising light levels (e.g. using the flash) will make the pupil contract, which is fairly trivial to detect. I also wonder whether the saccade-fixate motion of the eye can be detected as evidence of a real live face, although that might be mimicked easily.

        1. Charles 9

          "However, briefly raising light levels (e.g. using the flash) will make the pupil contract, which is fairly trivial to detect."

          I would think it's also pretty easy to fake with an appropriate aperture and a photometer hidden behind the image. Frankly, I have my doubts as to the inability to fake vein patterns as well. Something I've heard often: what man can create, man can RE-create. And all these detectors are man-made.

  3. Kevin McMurtrie Silver badge

    I hope Apple fixes this cheap 3D printer trick. I'm about ready to power up the fusion reactor in my new underground evil twin factory and I have bills to pay.

  4. pyrasanth

    Slackers...

    Nicholas Cage would be appalled. These people just don't do it like the old days...

  5. Anonymous Coward
    Anonymous Coward

    Still more secure than fingerprints

    Even if this hack is easier than their first cut at it, that's still a lot more work required than to fool fingerprint authentication, or any other phone's face scanner or iris scanner for that matter. It isn't as if these guys are selling a phone with unbeatable biometrics so I'm not sure what their point is other than trying to score some free publicity.

    If someone is using their phone to pay for stuff and instead of using biometrics is typing in a PIN or password it isn't that hard to shoulder surf it via video - easier than putting together a 3D model of their face with pictures of their eyes glued on it (that would be a little obvious at the Starbucks checkout)

    If you want payment security, don't use your phone to pay for stuff because NOTHING is really secure if you assume people can take physical possession of your phone at will. Of course, the same is true for credit/debit cards whether signature or PIN, and is extra true for cash since no "hacking" is needed to use someone else's $100 bill...

  6. Anonymous Coward
    Anonymous Coward

    What about evil doppelgangers stealing iPhones?

    Do people need to be aware of the dangers?

  7. Lord Elpuss Silver badge

    "...Sadly, payers of the Cupertino idiot tax..."

    Grow the fuck up, Iain.

    1. sabroni Silver badge

      Sore point?

      1. Lord Elpuss Silver badge

        Yep. Check my previous posts.

        1. sabroni Silver badge

          Quality!! :-)

  8. Lord Elpuss Silver badge

    Obligatory

    https://xkcd.com/538/

    1. Anonymous Coward Silver badge
      Pirate

      Re: Obligatory

      aka "rubber hose cryptography"

      1. Charles 9

        Re: Obligatory

        But what happens if your subject is a masochist (gets off from that kind of stuff) or a wimp (faints at the mere sight of it)?

        1. Lord Elpuss Silver badge

          Re: Obligatory

          "But what happens if your subject is a masochist (gets off from that kind of stuff) or a wimp (faints at the mere sight of it)?"

          Doesn't matter. As long as you can manoeuvre their thumb onto the sensor/point their face at the camera, you can break crypto. Whether or not they enjoy the process is irrelevant...

          1. Charles 9

            Re: Obligatory

            I would think the masochist would mash his own face and fingers. Meanwhile, the wimp's face will likely become too ashen and his fingers too cold (low blood pressure) to be taken as genuine.

  9. Anonymous Coward
    Anonymous Coward

    Would an identical twin always be able to unlock the phone? Many (most?) so called identical twins have faces that are mirror images - and all faces have some asymmetrical features between the left and right sides. Pictures that replicate a face from just its left or right side halves will produce two distinctly different faces.

    1. Anonymous Coward
      Anonymous Coward

      Fascinating trivia

      I hadn't heard of this before so looked it up. Apparently a quarter of identical or monozygotic twins are 'mirror twins', about 5 million pairs in the world. Their mirroring even goes so far as to have opposite handedness and sometimes their internal organs are reversed too!

      1. charles_chevaux

        Re: Fascinating trivia

        mirror mirror on the wall ...

  10. gnasher729 Silver badge

    Simple to do when you are the owner of that phone. But can they do it without the cooperation of the owner, that is without having a passcode, and without the owner being present while creating the mask? Without passcode, you have five attempts to create a mask that will be recognised. Without passcode, FaceID doesn't train itself to the mask (if you use a mask, it fails, then you enter the passcode, then FaceID assumes that the person with the mask was the owner, because they had the passcode). Without passcode, after five attempts you are 100% stuck.

    And in case it isn't obvious, if you have the passcode, then it doesn't matter whether you can track the phone into recognising a mask, because with the passcode you can unlock it anyway.

    I don't expect that theregister will be able to find out about this important detail. Ars Technica tried during the first round, and they didn't get any answers that were not totally evasive.

    1. charles_chevaux

      "But can they do it ... without the owner being present while creating the mask?"

      You don't need to make a clay mask on their physical face.

      You (literally) can glean much 3d information from a single photo inferred through shading and reflectivity. And with more photos, including side shots, allows further reduction in error.

      This puts anybody with publicly available photos at risk - felons with mug shots on record, actors, models, politicians, Mark Zuckerberg (https://www.theverge.com/2017/9/18/16327906/3d-model-face-photograph-ai-machine-learning), Mr or Ms anybody with a bunch of photos on facebook.

      But still, the victims would need to be targeted with planning - it's not a huge risk for someone who phone got pick pocketed at random.

  11. Michael H.F. Wilkinson Silver badge
    Happy

    DynamicFaceID a.k.a. Haka-ID (TM) anyone?

    As a variant on Face-ID and drawing a complex pattern, why not require users to pull a face or sticking out a tongue (like the faces pulled at the end of the All-Blacks' Haka) to unlock their phone. It would combine user name (the biometric of face recognition) with a password (the complex sequence of movements). Should be a lot safer than just boring old face-ID.

    The best bit of course would be seeing people pulling weird faces and sticking out their tongues to open their (no doubt very expensive) phone.

    I wonder if I can get a student to develop something like this as a thesis project.

    1. JimboSmith Silver badge

      Re: DynamicFaceID a.k.a. Haka-ID (TM) anyone?

      As a variant on Face-ID and drawing a complex pattern, why not require users to pull a face or sticking out a tongue (like the faces pulled at the end of the All-Blacks' Haka) to unlock their phone. It would combine user name (the biometric of face recognition) with a password (the complex sequence of movements). Should be a lot safer than just boring old face-ID.

      I think Frankie Boyle had that aspect covered when he wrote this tweet:

      Set your Apple Face ID to your comeface, so that if someone mugs you for your phone they at least have to wank you off first

  12. Charlie Clark Silver badge

    Security and convenience

    FaceID isn't secure and anyone who thinks it is will at some point get a nasty surprise. Apple have implemented an extremely complicated convenience function essentially, as far as I can tell, to demonstrate how cool their facial recognition technology is. Arguing about the technology is largely missing the point: users want to be able to use the phone in some situations without having to unlock it.

    I have argued elsewhere that for the use case not having a screen lock on at all times is better solved by something like Google's SmartLock approach: not infallible and not making any claims to be but useful all the same.

    1. Charles 9

      Re: Security and convenience

      "Arguing about the technology is largely missing the point: users want to be able to use the phone in some situations without having to unlock it."

      Problem is, those VERY situations can be exploited, and we KNOW criminals to be patient enough to wait for just the right moment.

      1. Charlie Clark Silver badge

        Re: Security and convenience

        Problem is, those VERY situations can be exploited, and we KNOW criminals to be patient enough to wait for just the right moment.

        Which is why the screen lock isn't really about security…

  13. el kabong

    One more apple gadget that fails in use.

    1. Deltics
      Meh

      To be fair, the fact that Apple's implementation of a flawed idea is itself flawed does not alter the fact that it is the very idea that is flawed, rather than being an Apple failure per se.

      Apple's mistake was believing in their own greatness to think - and to claim - that they could and had overcome the inherent flaws in that idea.

  14. Anonymous Coward
    Anonymous Coward

    Biometric master key

    A pissed off girl will get in to a drunk guys phone every time.

  15. D@v3

    $150 3D-printed mask

    In the scenario, there is mention of a $150 3D-printed mask. What i want to know is, what is the $150 being spent on?

    As someone with no 3D printer and no facial scanning equipment is $150 enough for me to produce one of these masks?

    Or is it that, once you have the correct equipment to be able to produce these masks (costing $X in the first place) these masks would then cost $150 each to produce (materials etc..).

    I get that this is a case of proving the technology is beatable, but, it still seems that if someone were to be mugged in the street, the mugger wouldn't be able to use this to unlock the stolen phone.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like