Last week, researchers at the Vietnamese cybersecurity firm Bkav announced that they had made a mask that could fool the iPhone X’s facial recognition system, Face ID. The mask consists of a 3D-printed frame, a silicone nose that was hand-sculpted by artists, and a few photos that were layered on top of the mask.
The mask only required about $150 worth of materials, but don’t expect to see everyone creating security-destroying masks at home any time soon. The mask also required a sophisticated facial scanning system to get the features just right, as well as the work of a professional artist to tweak the nose so it would fool Face ID.
In their write-up about the mask, however, the Bkav researchers said that breaking Face ID “was even simpler than we ourselves had thought.”
“After nearly 10 years of development, face recognition is not mature enough to guarantee security for computers and smartphones,” the researchers wrote. “With Face ID's being beaten by our mask, FBI, CIA, country leaders, leaders of major corporations, etc. are the ones that need to know about the issue, because their devices are worth illegal unlock attempts. Exploitation is difficult for normal users, but simple for professional ones.”
Bkav claims to be the first to use a mask to fool Face ID, an impressive feat considering how much effort Apple put into designing the facial recognition feature to ensure this wouldn’t happen. Each time Face ID is used to unlock an iPhone X, it essentially creates a topographical map of a user’s face based on a 30,000 point scan. A neural network is then used to compare this scan with an initial scan provided by the user to determine a match and prevent spoofing.
According to Apple, the neural network behind Face ID was trained on over 1 billion faces. During a presentation last September, the company said it even enlisted the help of special effects professionals to design masks meant to trick Face ID during the testing process. As a result, the company said the odds of some rando being able to use Face ID to unlock your iPhone X are about 1 in a million—although the security system can easily be fooled by identical twins.
For most users, this sort of hack probably shouldn’t be of much concern—it takes too much time and energy to make a mask to fool the iPhone X, not to mention the consent of the user. The real threat is for public figures, whose facial features are readily available in photos and relatively easier for an artist to replicate from these photos. It’s also not hard to see how similar techniques could be used by law enforcement agencies for easy access to a locked iPhone X.
Apple never claimed Face ID is perfectly secure. But the fact that this Vietnamese security firm was able to break it within just a week of the phone’s release is a timely reminder that biometric security has a long way to go.