Vietnamese researcher shows iPhone X face ID ‘hack’

A 3D mask and an iPhone X are seen during a demonstration of recognition ID at the office of Bkav, a Vietnamese cybersecurity firm in Hanoi
A 3D mask and an iPhone X are seen during a demonstration of recognition ID at the office of Bkav, a Vietnamese cybersecurity firm in Hanoi, Vietnam November 14, 2017. REUTERS/Kham

November 15, 2017

By Mai Nguyen

HANOI (Reuters) – A researcher in Vietnam has demonstrated how he apparently fooled Apple Inc’s face recognition ID software on its new iPhone X using a mask made with a 3D printer, silicone and paper tape.

An announcement on Friday by Bkav, a Vietnamese cybersecurity firm, that it had cracked Apple’s Face ID, and a subsequent video apparently showing an iPhone being unlocked when pointed at a mask, were greeted with some skepticism.

Ngo Tuan Anh, Bkav’s vice president, gave Reuters several demonstrations, first unlocking the phone with his face and then by using the mask. It appeared to work each time.

However, he declined to register a user ID and the mask on the phone from scratch because, he said, the iPhone and mask need to be placed at very specific angles, and the mask to be refined, a process he said could take up to nine hours.

Apple declined to comment, referring journalists to a page on its website that explains how Face ID works.

That page says the probability of a random person unlocking another user’s phone with their face was approximately 1-in-a-million, compared to 1-in-50,000 for the previously used fingerprint scanner. It also says Face ID allows only five unsuccessful match attempts before a passcode is required.

Anh acknowledged that preparing the mask wasn’t easy, but he said he believed the demonstration showed facial recognition as a way to authenticate users would be risky for some.

“It’s not easy for normal people to do what we do here, but it’s a concern for people in the security sector and important people like politicians or heads of corporations,” he said.

“(These) important people should absolutely not lend their iPhone X to anyone if they have activated the Face ID function.”

It’s the first reported case of researchers apparently being able to fool the Face ID software.

Cybersecurity experts said the issue was not so much whether Face ID could be hacked, but how much effort a hack required.

“Nothing is 100 percent secure,” wrote Terry Ray, chief technology officer at U.S.-based cybersecurity company Imperva, in a note. “Where there’s a will, there’s a way. The questions are: How much trouble would someone go to, and how much would they spend, to get your data?”

Bkav’s Anh said the research took about a week, and included numerous failures. The mask frame was made of plastic, covered with paper tape to resemble skin, with a silicone nose and paper for eyes and mouth.

As far back as 2009, Bkav researchers highlighted what they said were problems with using facial recognition as a way to authenticate users. They said then that they had hacked three laptop manufacturers which used webcams to authenticate users.

(Reporting by Mai Nguyen; Writing and additional reporting by Jeremy Wagstaff; Editing by Ian Geoghegan)

  • James Owen

    What concerns me the most about these biometric locks is that crooks will literally hack parts off people in order to try to get by them. That’s what the mask looks like. There is a lot of money at stake, if there is a fingerprint recognition, facial recognition, or retinal scan lock on a bank vault, for example. Just about every violent criminal will think of this when they get high on weed, and even though it usually won’t work, they’ll think it’s a brilliant idea.
    It’s less savage to force someone to open the lock with a weapon, or claim their family is being held hostage, but given sufficient motivation to get through one of these security systems, someone will do it.
    A woman used her husband’s print to unlock his phone while he was sleeping, found out he was having an affair, and created a disturbance on the flight they were on that required landing the plane and kicking them off. There will be a lot of other such incidents.

  • Pingback: Vietnamese researcher shows iPhone X face ID 'hack' | | HueWire()

  • Pingback: Vietnamese researcher shows iPhone X face ID 'hack' | | HueWire()

  • Jesse

    So what if I get all beat up in a fight or car wreck? I cant use my face id?

    • sonicbrew2

      thats why you can still use a passcode if face ID doesn’t work. Problem solved.

  • anotherday

    So now instead of cutting someone’s finger off…

  • intimeforthedime

    I remember back in the early 2000s Sony came out with its new CD encryption methods, and a guy from Japan had it cracked the day the first CD shipped. All he did was use a Black Sharpie to cover the first 1/4 inch of the inside track near the hole. This would trick the CD player into thinking it was a “non-encrypted” CD and to just play it.
    There is nothing that cannot be hacked, some hacks are easy than others.

  • wildfire1944

    Leave it to charlie always was a slickie boy.

  • Roy Beane

    The old axiom is still true….”There’s not a horse that can’t be rode, a gun that’s not faster, nor a computer system that can’t be hacked”. This thing is barely out and already the hackers have it figured out.