A team of hackers say that the iPhone X’s flagship facial recognition system can be hacked.
All you need is about $150, a 3D scanner, a 3D printer, makeup, some paper, and unrestrained access to the victim’s face. Vietnam-based Bkav say they used these materials to put together a composite mask that was then used to unlock an iPhone X.
The claims should be taken with a few grains of salt. Multiple implausibilities have prompted concern among journalists who themselves took more elaborate measures in their own attempts to spoof Face ID; Wired, for example, spent thousands of dollars on custom special effects masks, and still failed to fool the system. For one thing, the mask’s eyes don’t move, and therefore can’t make eye contact to activate the device’s ‘attention aware’ feature, though it may be worth noting here that this feature can be deactivated.
In the group’s own post on the work, Bkav’s researchers note that the targets of such an elaborate spoofing method would probably “not be regular users, but billionaires, leaders of major corporations, nation leaders and agents like FBI”; and they emphasize that their method is a “Proof of Concept” that still demands more research. At the same time, they assert that their method proves that “Face ID is not an effective security measure,” and that “for biometric security, fingerprint is the best.”
Still, Wired itself asserts that Bkav’s history of successful spoofing of older facial recognition technologies “lends its demonstration some credence.” And Bkav’s claims do help to highlight one important security concern: The iPhone X only has one biometric modality for authentication. It’s Face ID or nothing. Meanwhile, other smartphone makers have advanced the mobile biometric revolution kickstarted by Apple’s Touch ID system by seeking multimodality in their devices, with Samsung, for example, pairing iris recognition with fingerprint recognition on this year’s flagship smartphones. Security experts widely agree that multimodality is the better approach for any kind of security, and Apple has perhaps shown some hubris in betting everything on its Face ID system – especially if it really can be spoofed as easily as Bkav says it can.