Phones' facial recog tech 'fooled' by low-res 2D photo

Someone who looks a lot like you could also unlock it, says Which?


Samsung, Oppo and Nokia are among a range of Android phone makers with facial recognition scanning tech that can be "easily duped" by a printed 2D photo, according to tests undertaken by campaign group Which?

Resident techies that put a range of phones and brands through their paces (see box below) said the findings were of concern as biometric tech is often billed as one of the most secure ways to unlock a handset.

Of the 48 phones Which? sent to labs for testing, 19 could be spoofed with photos and "worryingly" these were "not even particularly high resolution and were printed on a standard office printer on normal, rather than photo, paper."

The vast majority of the phones that failed the simple biometric test were, unsurprisingly, low to mid-range in price, though Which? claimed there were exceptions, including the Xiaomi 13 and the Motorola Razr.

Of the phones that Which? reckons could be fooled, seven were made by Xiaomi, four came from Motorola, while two came from each of Nokia, Oppo and Samsung. One model made by Honor and another by Vivo were also found to be exploitable.

Under Android's requirements, phone makers must ensure devices and software are "Android compatible," which includes limits on how often device security can be spoofed. Class 3 systems must not be duped more than 7 percent of the time, while Class 1 systems are the least secure, with a spoof rate of 20 percent of the time or more.

Which? voiced worries that scammers could exploit the weakness to – for example – access Google Wallet to make payments to a limited value (£45 in the UK, about $56) without needing to unlock their phone. For larger transactions, Google asks users to use a Class 3 biometric lock, Which? said.

Google Wallets, as Reg readers know, contain credit or debit cards and may display the last four digits of a card number, and potentially information about recent transactions. This and other apps could be exposed by the 2D-photo unlock weakness.

The vulnerable phones it tested should be classified as Class 1 biometric, the campaign group added. "Android does not permit phones in this category being used by third party apps to sign in or to confirm important actions."

Banking apps can impose additional requirements or authentication methods for higher-value transactions. If you're an Apple user, none of this matters: all the iPhones tested passed, thanks to a "more robust system" that includes a "3D depth map of your face," which explains why numerous banking apps allow facial recognition alone on Apple's devices.
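The app-side control behind the class distinction above is that an Android app chooses which authenticator classes it will accept for a given action. The following Kotlin is an added example written for this article, not code from Which?, Google or any of the vendors named: a hypothetical payment app that refuses anything weaker than a Class 3 (BIOMETRIC_STRONG) biometric, falling back to the device PIN/password/pattern, so a Class 1 2D face unlock never authorises the action. It assumes the androidx.biometric library (1.1.0) and Android 11 (API 30) or later, where the BIOMETRIC_STRONG | DEVICE_CREDENTIAL combination is supported; `StrongAuthAvailability`, `checkStrongAuth` and `confirmSensitiveAction` are names invented here.

```kotlin
// Added example (not from the Which? report or any vendor's code): an Android app
// that insists on a Class 3 (BIOMETRIC_STRONG) authenticator for a sensitive
// action, with the device credential as the only fallback. A Class 1 2D face
// unlock is never offered for this prompt, whatever the user enrolled for the
// lock screen. Assumes androidx.biometric 1.1.0 and API 30+.
import android.content.Context
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricManager.Authenticators.DEVICE_CREDENTIAL
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity

/** Result of the pre-check, so the caller can log why strong auth was not usable. */
sealed class StrongAuthAvailability {
    object Available : StrongAuthAvailability()
    data class Unavailable(val reason: String) : StrongAuthAvailability()
}

/**
 * Ask the platform whether a Class 3 biometric or the device credential can be
 * used. A phone whose only enrolled biometric is a weak face unlock reports
 * that no STRONG biometric is enrolled; the weak path is never consulted.
 */
fun checkStrongAuth(context: Context): StrongAuthAvailability {
    val manager = BiometricManager.from(context)
    return when (val code = manager.canAuthenticate(BIOMETRIC_STRONG or DEVICE_CREDENTIAL)) {
        BiometricManager.BIOMETRIC_SUCCESS -> StrongAuthAvailability.Available
        BiometricManager.BIOMETRIC_ERROR_NONE_ENROLLED ->
            StrongAuthAvailability.Unavailable("no Class 3 biometric or device credential enrolled")
        BiometricManager.BIOMETRIC_ERROR_NO_HARDWARE ->
            StrongAuthAvailability.Unavailable("no Class 3 biometric hardware on this device")
        BiometricManager.BIOMETRIC_ERROR_HW_UNAVAILABLE ->
            StrongAuthAvailability.Unavailable("biometric hardware temporarily unavailable")
        BiometricManager.BIOMETRIC_ERROR_SECURITY_UPDATE_REQUIRED ->
            StrongAuthAvailability.Unavailable("security update required before biometrics are trusted")
        BiometricManager.BIOMETRIC_ERROR_UNSUPPORTED ->
            StrongAuthAvailability.Unavailable("this authenticator combination needs API 30+")
        else -> StrongAuthAvailability.Unavailable("canAuthenticate returned $code")
    }
}

/**
 * Prompt for the sensitive action. setAllowedAuthenticators() is the control:
 * with BIOMETRIC_STRONG the system will not present a Class 1 or Class 2 face
 * unlock for this prompt. Callbacks are hypothetical app hooks.
 */
fun confirmSensitiveAction(
    activity: FragmentActivity,
    onConfirmed: () -> Unit,
    onRejected: (String) -> Unit
) {
    when (val status = checkStrongAuth(activity)) {
        is StrongAuthAvailability.Unavailable -> {
            onRejected(status.reason) // e.g. route to a server-side step-up flow instead
            return
        }
        StrongAuthAvailability.Available -> Unit
    }

    val promptInfo = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Confirm payment")
        .setSubtitle("Class 3 biometric or device PIN required")
        // App policy in this example: strong biometric, else device credential; never WEAK.
        .setAllowedAuthenticators(BIOMETRIC_STRONG or DEVICE_CREDENTIAL)
        .build()

    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            // Record which authenticator actually fired; a risk engine may treat a
            // PIN fallback differently from a Class 3 biometric match.
            when (result.authenticationType) {
                BiometricPrompt.AUTHENTICATION_RESULT_TYPE_BIOMETRIC,
                BiometricPrompt.AUTHENTICATION_RESULT_TYPE_DEVICE_CREDENTIAL -> onConfirmed()
                else -> onRejected("unexpected authentication type ${result.authenticationType}")
            }
        }
        override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
            onRejected("error $errorCode: $errString")
        }
        override fun onAuthenticationFailed() {
            // A single non-match; the system prompt stays up, so nothing to do here.
        }
    }

    BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
        .authenticate(promptInfo)
}
```

The point for a defender is that the lock-screen tier is the OEM's choice, but an app is not bound by it: whatever face unlock the handset offers at the lock screen, a prompt built with BIOMETRIC_STRONG only accepts a Class 3 authenticator, and `canAuthenticate` lets the app discover up front that a given phone has nothing stronger than the device credential to offer.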

There are no laws in place that hold phone manufacturers' feet to the fire with regards to biometric security. There are voluntary standards, such as one from the European Telecommunications Standards Institute, which says "2D Facial recognition must not exceed being duped 1 in 50,000 times." The phones tested failed this metric, the campaign group reckons.

Which? said Google is working with others across industry on a certification program based on this standard. The consumer champion called on vendors to up their biometric game against spoofing and inform users of the limitations of some types of facial scanning tech.

Lisa Barber, tech editor at Which?, said in a statement: "It's unacceptable that brands are selling phones that can be easily duped using a 2D photo, particularly if they are not making their customers aware of this vulnerability. Our findings have really worrying implications for people's security and susceptibility to scams.

"We would strongly advise anyone using these phones to turn off face recognition and use the fingerprint sensor, a strong password or long PIN instead."

Google told Which? that hardware OEMs select the tier of biometric security and it is their responsibility to ensure their products can meet the Android Compatibility Definition Document requirements. Google said it is "constantly working to raise the bar for user security."

Nokia phones tested by Which? have facial recognition software that does not have privileges in third party apps, the vendor told the campaign group. Nokia said it warns customers the phones can be unlocked by someone that looks "a lot" like them. It said it found no issues when testing the phones.

Samsung told the campaign group that its fingerprint reader was the "highest level of authentication," and Vivo agreed that at an industry level, 2D facial recognition is an "elementary security measure," telling users during the phone's set-up process that the affected phones can be unlocked by another individual that looks similar to them.

Honor, Motorola, Oppo and Xiaomi didn't respond to the campaign group to give their side of things. We asked those businesses to comment but at the time of publication, only one had replied.

A spokesperson at Oppo told The Register:

"OPPO adopts security features based on industry standards, providing various security options for users to unlock their phone. The 2D face recognition matches the owner with the phone through AI algorithms and is designed for quick unlocking. For the highest level of biometric security, we would advise using fingerprint method."

Motorola parent Lenovo said: "Security has always been at the core of what we do, and the security of our consumers remains a top priority for Motorola. The highest level of security includes using fingerprint and complex passwords. The Face Unlock technology is intended to support convenient unlocking of the phone, although Motorola reminds and recommends during the setup process that consumers use a PIN, password, or pattern for enhanced security.

"Also, if a consumer chooses to use Face Unlock for convenience after consenting to use this feature, they will also need to choose a pattern, PIN, or password to secure their device." ®
