Phones' facial recog tech 'fooled' by low-res 2D photo

Someone who looks a lot like you could also unlock it, says Which?


Samsung, Oppo and Nokia are among a range of Android phone makers with facial recognition scanning tech that can be "easily duped" by a printed 2D photo, according to tests undertaken by campaign group Which?

Resident techies who put a range of phones and brands through their paces (see box below) said the findings were concerning, because biometric tech is often billed as one of the most secure ways to unlock a handset.

Of the 48 phones Which? sent to labs for testing, 19 could be spoofed with photos and "worryingly" these were "not even particularly high resolution and were printed on a standard office printer on normal, rather than photo, paper."

The vast majority of the phones that failed the simple biometric test were, unsurprisingly, low to mid-range in price, though Which? claimed there were exceptions, including the Xiaomi 13 and the Motorola Razr.

Of the phones that Which? reckons could be fooled, seven were made by Xiaomi, four came from Motorola, while two came from each of Nokia, Oppo and Samsung. One model made by Honor and another by Vivo were also found to be exploitable.

Under Android's requirements, phone makers must ensure devices and software are "Android compatible," which includes limits on how often device security can be spoofed. Class 3 systems must not be duped more than 7 percent of the time, while Class 1 systems are the least secure, with a spoof rate of 20 percent of the time or more.

Which? voiced worries that scammers could exploit the weakness to – for example – access Google Wallet to make payments to a limited value (£45 in the UK, about $56) without needing to unlock their phone. For larger transactions, Google asks users to use a Class 3 biometric lock, Which? said.

Google Wallets, as Reg readers know, contain credit or debit cards and may display the last four digits of a card number, and potentially information about recent transactions. This and other apps could be exposed by a face lock that a 2D photo can defeat.

The vulnerable phones it tested should be classified as Class 1 biometric, the campaign group added. "Android does not permit phones in this category being used by third party apps to sign in or to confirm important actions."
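The app-side counterpart of that rule, as an added example that is not from the Which? report or from any of the vendors: an Android app that requests only BIOMETRIC_STRONG (Class 3) for a sensitive action, so a Class 1 face unlock cannot satisfy the prompt and the user falls back to a strong fingerprint sensor or the device PIN. It assumes the AndroidX Biometric library and a FragmentActivity; the "Confirm payment" strings and callback names are hypothetical.

```kotlin
// Added example: enforce Class 3 biometrics (or the device credential) for a
// sensitive action. Assumes androidx.biometric is on the classpath.
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricManager.Authenticators.DEVICE_CREDENTIAL
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity

/** True only if the device has a Class 3 (strong) biometric enrolled and usable. */
fun hasStrongBiometric(activity: FragmentActivity): Boolean =
    BiometricManager.from(activity)
        .canAuthenticate(BIOMETRIC_STRONG) == BiometricManager.BIOMETRIC_SUCCESS

/**
 * Gate a sensitive action (hypothetical: a payment above the contactless limit).
 * Because BIOMETRIC_WEAK is deliberately NOT in the allowed set, a phone whose
 * face unlock is only Class 1 cannot pass with a face; the system offers a Class 3
 * fingerprint sensor instead or, via DEVICE_CREDENTIAL, the PIN/pattern/password.
 */
fun confirmSensitiveAction(
    activity: FragmentActivity,
    onConfirmed: () -> Unit,
    onFailed: (String) -> Unit,
) {
    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            // authenticationType reports which factor actually satisfied the prompt,
            // so the app can log or audit whether a biometric or the PIN was used.
            when (result.authenticationType) {
                BiometricPrompt.AUTHENTICATION_RESULT_TYPE_BIOMETRIC,
                BiometricPrompt.AUTHENTICATION_RESULT_TYPE_DEVICE_CREDENTIAL -> onConfirmed()
                else -> onFailed("unknown authentication type")
            }
        }
        override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
            onFailed(errString.toString())
        }
    }
    val prompt = BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
    val info = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Confirm payment")
        .setSubtitle("Strong biometric or device PIN required")
        // No setNegativeButtonText(): not permitted when DEVICE_CREDENTIAL is allowed.
        .setAllowedAuthenticators(BIOMETRIC_STRONG or DEVICE_CREDENTIAL)
        .build()
    prompt.authenticate(info)
}
```

Calling hasStrongBiometric() first lets the app explain up front why face unlock is not offered on such a phone rather than surprising the user at payment time.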

Banking apps can impose additional requirements or authentication methods for higher-value transactions. Though if you're an Apple user, none of this matters, as all the iPhones tested passed thanks to a "more robust system" that includes a "3D depth map of your face," which explains why numerous banking apps accept facial recognition alone on Apple's devices.

There are no laws in place that hold phone manufacturers' feet to the fire with regards to biometric security. There are voluntary standards, such as one from the European Telecommunications Standards Institute (ETSI), which says "2D Facial recognition must not exceed being duped 1 in 50,000 times." The phones tested failed this metric, the campaign group reckons.

Which? said Google is working with others across industry on a certification program based on this standard. The consumer champion called on vendors to up their biometric game against spoofing and inform users of the limitations of some types of facial scanning tech.

Lisa Barber, tech editor at Which?, said in a statement: "It's unacceptable that brands are selling phones that can be easily duped using a 2D photo, particularly if they are not making their customers aware of this vulnerability. Our findings have really worrying implications for people's security and susceptibility to scams.

"We would strongly advise anyone using these phones to turn off face recognition and use the fingerprint sensor, a strong password or long PIN instead."

Google told Which? that hardware OEMs select the tier of biometric security and it is their responsibility to ensure their products can meet the Android Compatibility Definition Document requirements. Google said it is "constantly working to raise the bar for user security."

Nokia phones tested by Which? have facial recognition software that does not have privileges in third-party apps, the vendor told the campaign group. Nokia said it warns customers the phones can be unlocked by someone who looks "a lot" like them. It said it found no issues when testing the phones.

Samsung told the campaign group that its fingerprint reader was the "highest level of authentication," and Vivo agreed that at an industry level, 2D facial recognition is an "elementary security measure," telling users during the phone's set-up process that the affected phones can be unlocked by another individual who looks similar to them.

Honor, Motorola, Oppo and Xiaomi didn't respond to the campaign group to give their side of things. We asked those businesses to comment but at the time of publication, only one had replied.

A spokesperson at Oppo told The Register:

"OPPO adopts security features based on industry standards, providing various security options for users to unlock their phone. The 2D face recognition matches the owner with the phone through AI algorithms and is designed for quick unlocking. For the highest level of biometric security, we would advise using fingerprint method."

Motorola parent Lenovo said: "Security has always been at the core of what we do, and the security of our consumers remains a top priority for Motorola. The highest level of security includes using fingerprint and complex passwords. The Face Unlock technology is intended to support convenient unlocking of the phone, although Motorola reminds and recommends during the setup process that consumers use a PIN, password, or pattern for enhanced security.

"Also, if a consumer chooses to use Face Unlock for convenience after consenting to use this feature, they will also need to choose a pattern, PIN, or password to secure their device." ®
