Apple's facial-recognition login system in its rather expensive iPhone X can be, it is claimed, fooled by a 3D printed mask, a couple of photos, and a blob of silicone.
Bkav Corporation, a tech security biz with offices in the US and Singapore, specializes in bypassing facial-recognition systems, and set out to do the same with Face ID when it got hold of a $999 iPhone X earlier this month. The team took less than a week to apparently crack Cupertino's vaunted new security mechanism, demonstrating that miscreants can potentially unlock a phone with a mask of the owner's face.
"Everything went much more easily than you expect. You can try it out with your own iPhone X, the phone shall recognize you even when you cover a half of your face," the biz said in an advisory last updated on Saturday.
"It means the recognition mechanism is not as strict as you think, Apple seems to rely too much on Face ID's AI. We just need a half face to create the mask. It was even simpler than we ourselves had thought."
After registering a person's face on the phone – and the handset should only unlock when it sees this face – the team built a 3D printed mask of the test subject using an off-the-shelf 3D printer. They then put 2D printouts of the user's eyes, upper cheekbones and lips over the mask and added a silicone nose for realism.
The creation wasn't able to defeat Face ID at first, as other folks with the same idea have found. But by sculpting and shading the false nose on one side to imitate shadow – plus a few other tweaks – the team managed to use the mask to fool the iPhone X into unlocking, it is claimed.
The hack was cheap – Bkav estimates the total cost in materials for a face to hoodwink Face ID was around $150. It acknowledged that the hack isn’t for everyone to try out. It requires an in-depth knowledge of how Apple's face-scanning software works and what the weak points in the system are.
"With Face ID's being beaten by our mask, FBI, CIA, country leaders, leaders of major corporations, etc are the ones that need to know about the issue, because their devices are worth illegal unlock attempts," it said. "Exploitation is difficult for normal users, but simple for professional ones."
The team is still researching how to crack the system more easily and refining their methods. In the meantime the biz advises sticking to fingerprints for biometric security. ®