Security company says a mask fooled Face ID on iPhone X

November 15, 2017 by Tim Johnson, Mcclatchy Washington Bureau

Less than a week after the Apple iPhone X went on the market, a cybersecurity firm said it had already defeated the new phone's vaunted face recognition system using a $150 mask made on a 3-D printer.

"Apple Face ID is not an effective security measure," a Vietnam-based cybersecurity firm, Bkav, said in a statement and video on its website.

But U.S. security experts aren't as quick to dismiss the security of the device. The iPhone X, which became available Nov. 3, has numerous other security functions that would make most such methods impractical for all but the most dedicated criminals, and perhaps still unachievable, those experts said.

For most people, according to Terry Ray, chief technology officer at Imperva, a Redwood Shores, Calif., cybersecurity firm, "Face ID is probably just fine."

It's a key debate in the ongoing evolution of biometrics to verify users of computers and other devices and allow them to make purchases and sign into apps with a simple action.

Motorola introduced fingerprint readers on a smartphone in 2011, and Apple followed in 2013 with Touch ID on its iPhones. Most major smartphone makers now use such sensors.

Face recognition is the next iteration of biometric identification. At a presentation announcing iPhone X's capabilities Sept. 12, nearly two months before its Nov. 3 release, Apple Senior Vice President Phil Schiller said engineering teams developed artificial intelligence to help the product distinguish between real owners and .

"They have even gone and worked with professional mask makers and makeup artists in Hollywood to protect against these attempts to beat Face ID," Schiller said.

Apple says the iPhone X uses infrared imaging and a depth map of a user's face with 30,000 invisible dots to ensure identity. It says chances that a random person could grab the phone and unlock it are one in a million, and that the phone recognizes if its owner is asleep to prevent someone from unlocking the phone without the owner's knowledge.

Face ID allows users to unlock the iPhone X by looking at it, then make purchases from the Apple store or conduct other Apple Pay transactions using stored payment-card data.

The Vietnamese cybersecurity firm said it obtained an iPhone X Nov. 5 and immediately began using a 3-D printer to create a mask of the iPhone's owner. It said in a statement that an artist fashioned the mask's nose by hand and that artificial skin was also made by an artist.

It said the approximate cost of the mask was $150. The firm said it only intended to show a "proof of concept" that Face ID can be skirted and that such techniques would not target regular users but more likely "billionaires (and) leaders of major corporations."

Bkav did not give details of how long it took for its iPhone X to unlock with the mask. The iPhone model requires a six-digit alphanumeric passcode if a user makes five unsuccessful attempts to match a face.

"What they didn't disclose was how many attempts and what level of effort it took to get the mask to work flawlessly," Paul Norris, senior systems engineer at Tripwire, a Portland, Ore. software security company, said in a statement Monday.

"In order to compromise Face ID authentication, the attacker would have to have a detailed map of the face of the user, create a mask that would map the exact details of the victim's face, unlock the phone within five attempts, and do all of this within 48 hours. This seems like an unlikely sequence of events," Norris said.

Face recognition doesn't work if the iPhone X has been locked for two days.

"The attacker has 48 hours to unlock the phone so they can't spend too much time working out fixes for their five tries or else the phone locks with a passcode," Ray said.

Apple declined to comment on the controversy beyond a statement on its website that noted Face ID's security features, which it said involved "some of the most advanced hardware and software that we've ever created."

Explore further: Q&A: How Apple's Face ID facial recognition works

4 shares

Related Stories

Q&A: How Apple's Face ID facial recognition works

September 27, 2017

In mid-September, Apple unveiled its new Face ID facial recognition system , which is due to debut with the iPhone X on Nov. 3. The system lets users unlock their phones just by glancing at them, but has also raised privacy ...

Are you OK with using your face to unlock your iPhone?

September 14, 2017

Your passcode can be hacked, but your face is yours and yours alone. That's the thinking behind Apple's latest security measure, which is more high-tech and a bit more intimate than anything else on the market.

Apple's iPhone X hits Asia stores as profits soar

November 3, 2017

Apple's flagship iPhone X hit stores in Asia Friday, as the world's most valuable company predicted bumper sales despite the handset's eye-watering price tag and celebrated a surge in profits.

Recommended for you

Apple closing iPhone security gap used by law enforcement

June 14, 2018

Apple is closing a security gap that allowed outsiders to pry personal information from locked iPhones without a password, a change that will thwart law enforcement agencies that have been exploiting the vulnerability to ...

0 comments

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.