Phones' facial recog tech 'fooled' by low-res 2D photo
Someone who looks a lot like you could also unlock it, says Which?
Samsung, Oppo and Nokia are among a range of Android phone makers with facial recognition scanning tech that can be "easily duped" by a printed 2D photo, according to tests undertaken by campaign group Which?
Resident techies that put a range of phones and brands through their paces (see box below) said the findings were of concern as biometric tech is often billed as one of the most secure ways to unlock a handset.
Of the 48 phones Which? sent to labs for testing, 19 could be spoofed with photos and "worryingly" these were "not even particularly high resolution and were printed on a standard office printer on normal, rather than photo, paper."
The vast majority of the phones that failed the simple biometric test were, unsurprisingly, low to mid-range in price, though Which? claimed there were exceptions, including the Xiaomi 13 and the Motorola Razr.
Of the phones that Which? reckons could be fooled, seven were made by Xiaomi, four came from Motorola, while two came from each of Nokia, Oppo and Samsung. One model made by Honor and another by Vivo were also found to be exploitable.
Under Android's requirements, phone makers must ensure devices and software are "Android compatible," which includes limits on how often device security can be spoofed. Class 3 systems must not be duped more than 7 percent of the time, while Class 1 systems are the least secure, with a spoof rate of 20 percent of the time or more.
Which? voiced worries that scammers could exploit the weakness to – for example – access Google Wallet to make payments to a limited value (£45 in the UK, about $56) without needing to unlock their phone. For larger transactions, Google asks users to use a Class 3 biometric lock, Which? said.
Google Wallets, as Reg readers know, contain credit or debit cards and may display the last four digits of a card number, and potentially information about recent transactions. This and other apps could be exposed by the 2D photo unlock weakness.
The vulnerable phones it tested should be classified as Class 1 biometric, the campaign group added. "Android does not permit phones in this category being used by third party apps to sign in or to confirm important actions."
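One way an app can enforce that tier on its own side, as an added example rather than code from Which?, Google or any vendor named here: request only Class 3 ("strong") biometrics via the androidx.biometric library, so a convenience-class 2D face unlock is never offered and the prompt falls back to the device PIN or password instead. The class and method names are my own.

```java
// Added example: gate a sensitive action behind BIOMETRIC_STRONG (Class 3) or the
// device credential. Class 1 "convenience" face unlock never satisfies this level,
// so on a phone whose face scan is spoofable by a photo the prompt uses the PIN.
import androidx.biometric.BiometricManager;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;

import static androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG;
import static androidx.biometric.BiometricManager.Authenticators.DEVICE_CREDENTIAL;

public final class StrongAuthGate {

    private StrongAuthGate() {}

    /** True only if a Class 3 biometric is enrolled and usable on this device. */
    public static boolean strongBiometricAvailable(FragmentActivity activity) {
        int status = BiometricManager.from(activity).canAuthenticate(BIOMETRIC_STRONG);
        return status == BiometricManager.BIOMETRIC_SUCCESS;
    }

    /**
     * Shows the system prompt for a high-value action such as confirming a payment.
     * The device credential is always allowed, so no negative button is configured
     * (the library forbids one when DEVICE_CREDENTIAL is included).
     */
    public static void confirmSensitiveAction(FragmentActivity activity,
                                              BiometricPrompt.AuthenticationCallback callback) {
        int allowed = strongBiometricAvailable(activity)
                ? BIOMETRIC_STRONG | DEVICE_CREDENTIAL
                : DEVICE_CREDENTIAL;

        BiometricPrompt.PromptInfo info = new BiometricPrompt.PromptInfo.Builder()
                .setTitle("Confirm payment")
                .setSubtitle("Strong biometric or device PIN required")
                .setAllowedAuthenticators(allowed)
                .build();

        new BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
                .authenticate(info);
    }
}
```

The callback's onAuthenticationSucceeded result reports which authenticator type was actually used, which an app can log for later review.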
Banking apps can impose additional requirements or authentication methods for higher-value transactions. Though if you're an Apple user, none of this matters, as all the iPhones tested passed thanks to a "more robust system" that includes a "3D depth map of your face," which also explains why numerous banking apps accept facial recognition alone on Apple's devices.
There are no laws in place that hold phone manufacturers' feet to the fire with regard to biometric security. There are voluntary standards, such as one from the European Telecommunications Standards Institute (ETSI), which says "2D Facial recognition must not exceed being duped 1 in 50,000 times." The phones tested failed this metric, the campaign group reckons.
Which? said Google is working with others across industry on a certification program based on this standard. The consumer champion called on vendors to up their biometric game against spoofing and inform users of the limitations of some types of facial scanning tech.
Lisa Barber, tech editor at Which?, said in a statement: "It's unacceptable that brands are selling phones that can be easily duped using a 2D photo, particularly if they are not making their customers aware of this vulnerability. Our findings have really worrying implications for people's security and susceptibility to scams.
"We would strongly advise anyone using these phones to turn off face recognition and use the fingerprint sensor, a strong password or long PIN instead."
Google told Which? that hardware OEMs select the tier of biometric security and it is their responsibility to ensure their products can meet the Android Compatibility Definition Document requirements. Google said it is "constantly working to raise the bar for user security."
Nokia phones tested by Which? have facial recognition software that does not have privileges in third-party apps, the vendor told the campaign group. Nokia said it warns customers the phones can be unlocked by someone that looks "a lot" like them. It said it found no issues when testing the phones.
Samsung told the campaign group that its fingerprint reader was the "highest level of authentication," and Vivo agreed that at an industry level, 2D facial recognition is an "elementary security measure," telling users during the phone's set-up process that the affected phones can be unlocked by another individual that looks similar to them.
Honor, Motorola, Oppo and Xiaomi didn't respond to the campaign group to give their side of things. We asked those businesses to comment but at the time of publication, only one had replied.
A spokesperson at Oppo told The Register:
"OPPO adopts security features based on industry standards, providing various security options for users to unlock their phone. The 2D face recognition matches the owner with the phone through AI algorithms and is designed for quick unlocking. For the highest level of biometric security, we would advise using fingerprint method."
Motorola parent Lenovo said: "Security has always been at the core of what we do, and the security of our consumers remains a top priority for Motorola. The highest level of security includes using fingerprint and complex passwords. The Face Unlock technology is intended to support convenient unlocking of the phone, although Motorola reminds and recommends during the setup process that consumers use a PIN, password, or pattern for enhanced security.
"Also, if a consumer chooses to use Face Unlock for convenience after consenting to use this feature, they will also need to choose a pattern, PIN, or password to secure their device." ®