Apple Face ID 'Fooled Again' -- This Time By $200 Evil Twin Mask

This article is more than 6 years old.

The Vietnamese hackers who claimed earlier this month to have fooled Apple's Face ID with a mask costing less than $150 are back. But this time, their evidence is more compelling.

In their previous attack, researchers from Vietnamese cybersecurity company Bkav didn't show the enrolment process, or how long it took from that point to opening an iPhone X with the mask. In a new proof of concept, they appear to do both. A video shows the Face ID facial recognition enrolment being reset. Then the researcher enrols his own face and seconds later unlocks it with a mask made of a 3D-printed visage constructed of stone powder, with 2D-printed eyes stuck on.

The researchers dubbed their mask the "artificial twin," as it was similar to the way an identical (or close to identical) sibling could unlock an iPhone X. Indeed, video evidence of such trickery has emerged since the launch of the iPhone X. In at least one case, a female user's 10-year-old son was able to get into the device by just looking at it. Apple, during the iPhone X launch, admitted that in some cases where family members looked similar enough, there was a chance Face ID would allow them access. But it claimed to have worked with Hollywood studios to test out various mask-based hacks.

Bkav hasn't been shy in criticizing Apple's facial recognition technology, though. "About two weeks ago, we recommended that only very important people such as national leaders, large corporation leaders, billionaires, etc., should be cautious when using Face ID," said Ngo Tuan Anh, Bkav's vice president of cybersecurity. "However, with this research result, we have to raise the severity level to every casual user: Face ID is not secure enough to be used in business transactions."

Apple hadn't responded to a request for comment at the time of publication. Users who are concerned about using facial recognition on their iPhone X can just fall back to using a passcode.

A spokesperson for Bkav said it had decided not to tell Apple about its newest techniques as the iPhone maker had chosen not to respond to media reports when its last hack was released.

Explaining more on the process of creating the mask, the spokesperson said the company used a 3D scanning booth to take the original images. "For example, if you are standing in the middle of the booth, it will take photos of you at different angles in just two seconds. And we take an infrared image of your face.

"Then, we will make a 3D object of your face from the photos... Then, with the 3D object, we use a 3D printer, using stone powder as material, to print the twin mask of your face. It will be the original mask by the printer, no modification is needed.

"Then, using the infrared image of your face, we cut the eye's parts from the image. We know how to cut the eye's parts so that it can trick Face ID, but cannot disclose... Then, we glued the eye parts to the 3D twin mask of your face. Then, it is done. No other modification needed."

Real world attacks possible?

What Bkav didn't address in its release Monday was the applicability of a mask-based attack in the real world. An attacker would need to be able to get an accurate scan of a target's face, then spend the time and effort creating the mask (a process that hasn't been fully detailed by Bkav). It's also apparent from the video that the iPhone has to be aligned with the mask at a specific angle for the attack to work.

Security and encryption expert Professor Alan Woodward, from the University of Surrey in the U.K., said there were still questions about the researchers' approach. "What we still don't know is how much effort it took to produce that particular mask and how many attempts it took to match the mask and face. As a threat it proves that Face ID is not totally reliable, but as a risk we should all worry about in everyday life I'm less convinced," Woodward said.

"What the experiment does show is that a static mask can fool the Apple technology that is supposed to ensure that only a living face is recognised. Once that is possible it then becomes theoretically possible to produce a static mask to open the device.

"However, you can see from the way this experiment is done it is very tricky to position the device just so. That suggests that the mask has to be used in very particular circumstances."
