Citation record for Incident 26
CSET Taxonomy Classifications
In November 2017, Vietnamese security firm Bkav bypassed Apple's Face ID authentication system with a mask made from photos, stone powder, and 2D-printed infrared images. Their experiment was designed to demonstrate the ease of unlocking, the low cost (about $200), and the risk posed by using Face ID versus fingerprint-based Touch ID. This experiment provided further evidence for claims made one month prior.
Vietnamese security firm Bkav created an improved mask to bypass Apple's Face ID
Harm to intangible property
AI System Description
1:1 matching facial recognition system to verify and grant access to Apple devices employing Face ID.
Sector of Deployment
Information and communication
Relevant AI functions
Perception, Cognition, Action
One billion training images, infrared facial scan of individual user
ibtimes.co.uk · 2017
Apple's brand new iPhone X (pronounced 'Ten' by the way) has gone one step further to secure your smartphone by doing away with the Touch ID fingerprint scanner and will now use your face to unlock the device.
Using a new system called Face ID the iPhone X employs biometric facial recognition to authenticate owners and is claimed to be a 'state-of-the-art' system.
Hidden at the top of the front display is a camera system called 'TrueDepth', which is made up of a dot projector, infrared camera and flood illuminator to map the face of the iPhone owner.
It projects more than 30,000 invisible dots onto a user's face and the recorded pattern is fed through a neural network to create a mathematical model of the face.
The purpose of the projection is so that if users decide to change their appearance, such as putting on glasses, changing their hair or growing a beard, it will have enough points of reference to recognise that the person is still the iPhone owner.
What's even smarter is that the Face ID system learns the user's face and will adapt to it over time.
Can Face ID be hacked?
Hackers looking to 'spoof' the system might have a hard time too, as Apple claims it has worked hard to ensure secure FaceID by allowing users to only unlock the iPhone if they look at the device – requiring attention is a key part of Apple's security.
At the iPhone X keynote the company also revealed that it developed the system's smarts by working with Hollywood special effects studios to create lifelike face masks of users to conduct tests to see if it could be easily fooled.
Apple joked that the only chance it could be fooled is if a user's evil twin somehow got hold of the device. No doubt security researchers will go to town to crack the system from the moment the device is available on 3 November.
Apple explains the move to facial recognition is far more secure with the chances of someone else unlocking your iPhone at one in a million. Whereas Touch ID, while still secure, has a 1 in 50,000 chance of it being unlocked by the wrong fingerprint.
Where's the data stored?
For users who may be worried that they're giving up their most personal of data – their face – they can rest easy as Apple will only store the data within the iPhone in a reassuringly named place called the 'secure enclave'. Apple says it "works hard to protect your face data" and like Touch ID, the data is never sent back to Apple servers, rather it remains on the device.
How quick is Face ID?
With the new system requiring users to look at the phone then swiping up to unlock, iPhone owners who have perfected the skill of unlocking their handsets as they pull it out of their pocket will have to wait maybe a split second longer. In demonstrations of the system at the iPhone X it was seamlessly quick.
wired.com · 2017
When Apple announced the iPhone X last month—its all-screen, home-button-less, unlock-with-a-look flagship—it placed an enormous bet on facial recognition as the future of authentication. For hackers around the world, Face ID practically painted a glowing target on the phone: How hard could it be, after all, to reproduce a person's face—which sits out in public for everyone to see—and use it to bypass the device's nearly unbreakable encryption without leaving a trace?
Pretty damn hard, it turns out. A month ago, almost immediately after Apple announced Face ID, WIRED began scheming to spoof Apple's facial recognition system. We'd eventually enlist an experienced biometric hacker, a Hollywood face-caster and makeup artist, and our lead gadget reviewer David Pierce to serve as our would-be victim. We ultimately spent thousands of dollars on every material we could imagine to replicate Pierce's face, down to every dimple and eyebrow hair.
For any reader with face-hacking ambitions, let us now save you some time and cash: We failed. Did we come close to cracking Face ID? We don't know. Face ID offers no hints or scores when it reads a face, only a silently unlocked padlock icon or a merciless buzz of rejection. All we learned from our rather expensive experiment is that Face ID is, at the very least, far from trivial to spoof.
Someone will no doubt successfully crack the system sooner or later—we haven't given up yet ourselves—just as hackers broke Apple's Touch ID fingerprint reader within days of the release of the iPhone 5. But Apple has successfully crafted an unlocking mechanism that's mostly effortless for a phone's owner and yet, for the moment, beyond our efforts to defeat it.
"Apple has really thought about the obvious attack scenarios," says Marc Rogers, a well-known hacker and researcher for the web security firm Cloudflare, whom WIRED enlisted to help with the Face ID cracking. Rogers gained distinction in the field as one of the first hackers to break Touch ID in 2013. "It's clear they tested against a range of materials, and built a model that’s robust enough to resist some pretty convincing attacks."
Not Just Another Pretty Face Recognition System
Apple's iPhone X keynote, earlier leaked materials, and patent filings Rogers dug up all indicated that the phone would do far more than just a two-dimensional face check. Simpler, flat-image scans had allowed earlier laptops and phones like the Samsung Galaxy S8 to be fooled by a mere photograph. Instead, the iPhone X projects a grid of 30,000 infrared dots onto a face, and then uses an infrared camera to read the distortion of that grid, creating a three-dimensional model.
Makeup artist Margaret Caragan made masks duplicating WIRED writer David Pierce's face in silicone, gelatin, vinyl, plaster and plastic. David Pierce/Wired
And we knew that a model alone wouldn't cut it; Face ID uses "liveness detection" to ensure that the phone unlocks only when someone looks at it, not merely when the phone's sensors see its owner's face nearby.
Color, Rogers argued, likely wouldn't be a key element of Face ID's algorithm, since the technology would have to work in a variety of instances when someone's face color changes. Think different lighting scenarios, or a dark room, when you're sick or get a suntan. So we focused on proportions and texture as key to fooling Face ID's infrared eye.
In his keynote, Apple's Phil Schiller had boasted that the company had hired Hollywood artists to create masks to hone Face ID, showing a photo of incredibly life-like artificial faces on the screen behind him. But those faces had fixed eyes. And besides, Schiller had never actually stated that all of those masks had actually failed at spoofing Face ID, only that they'd been used to test it. (On Tuesday, the Wall Street Journal also published its own video showing an attempt to spoof Face ID with a silicone mask. But it appears that they tried only one material, didn't bother with eyebrows—a potentially key feature—and their mask didn't actually extend to the edges of the spoofer's face, leaving a visible border. We thought we could do better, thanks to some wildly misplaced hubris.)
Sorry About Your Hair, David
In mid-October, we began the process of stealing the face of our would-be victim, WIRED senior writer and longtime iPhone reviewer David Pierce. Pierce sat in a chair in the Oakland studio of Margaret Caragan, the founder of Pandora FX, who has worked for more than a decade in making prosthetics and masks for TV and film. (She was also a contestant on season six of the SyFy makeup artist reality television competition Faceoff.)
Caragan put Pierce in a smock, and then smeared the front half of his head with lifecasting Smooth-on Silk-brand silicone, all the way up to the middle of his scalp. Smooth-on claims on its website that it detaches from short hair when it sets. Somehow Pierce was not so lucky, and in a freak mishap lost several hundred hairs. We'd
standard.co.uk · 2017
Hackers have fooled the iPhone X’s Face ID security system with a 3D-printed mask.
Vietnamese security firm Bkav posted a video online showing the new Apple smartphone unlocking when presented with a fake face.
The team created the mask by printing a 3D facial frame, adding on a silicone nose and printed images of the owner’s eyes and mouth.
The mask is said to have cost just £115 to make.
Bkav hasn’t released full details of how its mask works, with other tests involving life-like mask renderings proving unsuccessful.
“It is quite hard to make the "correct" mask without certain knowledge of security,” a Bkav blog post states. “We were able to trick Apple's AI, because we understood how their AI worked and how to bypass it.”
The post adds: “Potential targets [for Face ID hacking attempts] shall not be regular users, but billionaires, leaders of major corporations, nation leaders and agents like FBI need to understand the Face ID's issue.”
In its keynote presentation introducing the iPhone X, Apple claimed that it had used masks in testing Face ID to make sure they could not fool the security software.
techrepublic.com · 2017
A Vietnamese company was recently able to trick Apple's facial recognition security feature, but security experts don't believe there's a big risk for business users.
The release of the iPhone X earlier this month included a new facial recognition security feature called Face ID. Designed to replace the iPhone's Touch ID feature, Face ID uses face-based authentication via infrared screening to identify the user and provide access to the iPhone X as well as authorize purchases via Apple Pay. Banks are starting to utilize this feature as well.
Apple said Face ID uses 30,000 points of reference to map out a user's face, making the likelihood that the feature could be fooled extremely low, but recently, a Vietnamese company called Bkav has circumvented this technology with a mask made from 3-D parts. This development spells out what may only be the beginning of a string of potential flaws surrounding this new feature. So should business users be worried?
"Apple's facial recognition was never intended to be a security measure for strong authentication," said Josh Mayfield, director of product marketing at FireMon. "Strong authentication cannot be faked, gamed, or manipulated. Apple's facial recognition begins with the opening assumption that the user gazing at the screen is likely to be the correct user. From there, the recognition system only seeks to confirm its assumption...never to seek to prove its assumption wrong."
Paul Norris, senior systems engineer at Tripwire, stated that hacks like the one Bkav carried out take a great deal of time and effort. "Detailed dimensions would have had to be taken to create the mask and the security firm alluded to the fact that they had to use a special material on the mask too," he said. "What they didn't disclose was how many attempts and what level of effort it took to get the mask to work flawlessly." Norris also pointed out that certain security details built into Apple's Face ID can mitigate risk. Five failed attempts to authenticate users via facial means will force the user to enter a passcode, which is required for Face ID to function. In addition, the passcode must be entered when the device:
Has just been turned on or restarted
Hasn't been unlocked via Face ID in the last four hours
Hasn't been unlocked via the passcode in the past six and a half days
Hasn't been unlocked at all for more than 48 hours
Has received a remote lock command
Has initiated the Emergency SOS function
Terry Ray, CTO of cybersecurity firm Imperva, pointed out that Apple concedes that a user's twin or other close family member could look similar enough to a user to trigger a false positive. Worse, researchers have been able to brute force facial authentication in the past.
Ray said that false negatives can happen too. If the owner of the phone undergoes a notable appearance change, such as shaving a beard or getting a drastically different haircut, then Face ID could fail to authenticate and the passcode will be required in order to set up Face ID again to match the user's updated looks.
However, said Ray, "The average consumer is probably not at risk from a facial recognition attack or a false positive authorization, unless of course, they possess a devious identical twin."
A hack like the one Bkav pulled off would cost about $150 in 3D supplies, which is not financially crippling to a potential attacker but also not something likely to be invested in on a wide-scale basis. It would also require access to the phone itself, at which point some physical security would have already been compromised. Finally, the mask would have to be authentic enough to unlock the phone within five attempts inside a 48-hour time window.
"Is the value in one phone worth this effort?" said Ray. "Probably to someone with a particular agenda, but not likely an issue for most users."
Ray said that a common question in the security realm is whether the technology being considered is good and easy enough for your purposes: "Nothing is perfect and the right technology is one you feel comfortable to use and one that keeps you acceptably secure."
gearbrain.com · 2017
Apple's new Face ID unlock system on the iPhone X can reportedly be tricked with paper eyes and pizza toppings.
Yes, you read that correctly, but let us explain. Life-size eyes printed onto paper, then placed on the face of a 'sleeping' iPhone X owner, who had their phone nearby, were enough to bypass Face ID — at least according to a new video from FaceTec, a biometric security company pushing out its own facial recognition app, Zoom.
FaceTec conducted its short experiment, pushing the concept a step further, placing various pizza toppings on the iPhone owner's face. Black olives on top of slices of mushrooms (instead of the paper eyes) also appeared to unlock Face ID, and so did a pair of bottle caps, although that took multiple attempts.
The company says this works, even when an iPhone X setting called 'Require Attention for Face ID' is switched on. This extra level of security is designed to prevent the iPhone from unlocking when the owner is not looking at it.
Unlike Face ID and other facial recognition systems, Zoom is meant to map your face from one distance, then a second, closer distance. This requires users to hold the phone steady, then move it towards them and hold it steady again — zooming in, hence the name. ZoOm uses the front-facing camera of an iPhone or Android device to scan the owner's face, which is stored as an encrypted data file (a "facemap") in the device's secure zone, and used for future authentication.
GearBrain tried out Zoom, and while it works quickly and reliably, we found the offset location of the Google Pixel 2 XL's front camera made zooming in on our face tricky at first. That being said, the app was not fazed by difficult lighting conditions, and we can see the appeal to financial companies looking to employ biometric security that claims to work on "five billion" smartphones worldwide — in other words, every device with a front camera.
The Zoom app seen here is only a demonstration of how the San Diego-based FaceTec's technology works, but the company says its unlocking system has been shipping to developers for several months now, and will appear in banking applications soon. Zoom integration is free for small businesses and nonprofits, but is charged on a per active user, per year basis for enterprise-level customers.
Zoom claims to be more secure than Face ID, by using just one camera FaceTec demo app via App Store
Naturally, FaceTec has said little about how its system works, but claiming to have one up on Face ID, Touch ID and other systems like Samsung's iris scanner is a bold move for a startup. Zoom is "the only mobile biometric that cannot be spoofed by photos or videos, making it far more secure than legacy biometrics, including fingerprint, 2D face recognition and even eye scans," the developers say.
wired.com · 2017
This article has been updated below with another, more convincing video demonstration of Bkav's Face ID spoofing, which the firm revealed two weeks after the original.
When Apple released the iPhone X on November 3, it touched off an immediate race among hackers around the world to be the first to fool the company's futuristic new form of authentication. A week later, hackers on the actual other side of the world claim to have successfully duplicated someone's face to unlock his iPhone X—with what looks like a simpler technique than some security researchers believed possible.
On Friday, Vietnamese security firm Bkav released a blog post and video showing that—by all appearances—they'd cracked Face ID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which in combination tricked an iPhone X into unlocking. That demonstration, which has yet to be confirmed publicly by other security researchers, could poke a hole in the expensive security of the iPhone X, particularly given that the researchers say their mask cost just $150 to make.
But it's also a hacking proof-of-concept that, for now, shouldn't alarm the average iPhone owner, given the time, effort, and access to someone's face required to recreate it.
Bkav, meanwhile, didn't mince words in its blog post and FAQ on the research. "Apple has done this not so well," writes the company. "Face ID can be fooled by mask, which means it is not an effective security measure."
In the video posted to YouTube, shown above, one of the company's staff pulls a piece of cloth from a mounted mask facing an iPhone X on a stand, and the phone instantly unlocks. Despite the phone's sophisticated 3-D infrared mapping of its owner's face and AI-driven modeling, the researchers say they were able to achieve that spoofing with a relatively basic mask: little more than a sculpted silicone nose, some two-dimensional eyes and lips printed on paper, all mounted on a 3-D-printed plastic frame made from a digital scan of the would-be victim's face.
The researchers concede, however, that their technique would require a detailed measurement or digital scan of the face of the target iPhone's owner. The researchers say they used a handheld scanner that required about five minutes of manually scanning their test subject's face. That puts their spoofing method in the realm of highly targeted espionage, rather than the sort of run-of-the-mill hacking most iPhone X owners might face.
"Potential targets shall not be regular users, but billionaires, leaders of major corporations, nation leaders, and agents like FBI need to understand the Face ID's issue," the Bkav researchers write. They also suggest that future versions of their technique might be performed with a quick smartphone scan of a victim’s face, or even a model created from photographs, but didn't make any predictions about how easy those next steps might be to engineer.
Aside from the challenge of acquiring an accurate face scan, the researchers’ simpler setup outperformed more expensive techniques for attempted Face ID trickery—namely, the ones we at WIRED tried earlier this month. With the help of a special effects artist, and at a cost of thousands of dollars, we created full masks cast from a staffer's face in five different materials, ranging from silicone to gelatin to vinyl. Despite details like eyeholes designed to allow real eye movement, and thousands of eyebrow hairs inserted into the mask intended to look more like real hair to the iPhone's infrared sensor, none of our masks worked.
By contrast, the Bkav researchers say they were able to crack Face ID with a cheap mix of materials, 3-D printing rather than face-casting, and perhaps most surprisingly, fixed, two-dimensional printed eyes. The researchers haven't yet revealed much about their process, or the testing that led them to that technique, which may prompt some skepticism. But they say that it was based in part on the realization that Face ID's sensors only checked a portion of a face's features, which WIRED had previously confirmed in our own testing.
Masks WIRED made for our own test of Face ID, none of which fooled the iPhone X. David Pierce/Wired
"The recognition mechanism is not as strict as you think," the Bkav researchers write. "We just need a half face to create the mask. It was even simpler than we ourselves had thought."
Without more details on its process, however, plenty about Bkav's work remains unclear. The company didn't respond to the majority of a long list of questions from WIRED, saying that it plans to reveal more in a press conference later this week.
'I would say if this is all confirmed, it does mean Face ID is less secure than Touch ID.' Marc Rogers, Cloudflare
Most prominent among those questions, points out security researcher Marc Rogers, is how exactly the phone was registered and trained on its owner's real face. Bkav's
alphr.com · 2017
Apple no longer wants you to unlock your iPhone with touch. With the iPhone X, it’s all about your face.
Face ID was the standout feature of the iPhone X, and one that differentiates it from the iPhone 8 range and anything that’s come before. It’s Apple’s latest biometric authentication system and works using a new camera array on the front of the screen.
Apple claims the error rating on the iPhone X’s Face ID is one in a million. TouchID had a 1 in 50,000 chance of unlocking for the wrong fingerprint. The tech giant also said Face ID can tell the difference between twins (although the error rating drops when it comes to relatives) and doesn’t get ‘spooked’ by a photograph or even a mask of someone’s face.
The latter has now been called into question. After WIRED tried, and failed, to use a mask to trick the system, Vietnamese security firm Bkav claims to have mastered it using a (frankly terrifying) 3D-printed mask and a prosthetic nose. It said that creating the mask was simple, using simple 3D scanning software like that found on the Sony XZ1, and a silicone nose.
In a blog post, and accompanying video, the researchers explain: "We were able to trick Apple's AI because we understood how their AI worked and how to bypass it. As in 2008, we were the first to show that face recognition was not an effective security measure for laptops...Apple has done this not so well." In the video, the team is shown removing a cover from the mask positioned in front of the iPhone X. The handset then automatically unlocks.
Bkav was the first company to "break" facial recognition for laptops following its introduction on a range of Toshiba, Lenovo and Asus laptops. That particular exploit was publicly demonstrated and confirmed in 2008. The Face ID proof-of-concept hack has not yet been confirmed in this way so it should be taken with a pinch of salt.
When asked why Bkav has been successful where other websites and firms have failed, it vaguely said: "It is because...we are the leading cyber security firm ;) It is because we understand how AI of Face ID works and how to bypass it." It is not clear, therefore, how the initial face was registered on the phone and how the mask specifically differs from others.
Mark James, security specialist at ESET, told Alphr: "Although the video itself does leave a few questions to be answered, we need to understand that any of the 'extra' ID features of this, and indeed any previous, iPhone have always been aimed at the average user. TouchID and Facial recognition are there for ease, not added security; both of these features can and have been duped by technology - the question you need to ask yourself is 'does this feature make my life easier?'. If the answer is yes and your phone just contains the 'normal' run of the mill level of private stuff, then you're good to go."
Alphr has contacted Apple for comment.
Apple Face ID: What is Face ID?
On the iPhone X, Apple has removed the home button, and with it, Touch ID. In its place is Face ID powered by a so-called TrueDepth camera system built into the front of the phone where the earpiece currently sits on the iPhone 7 range.
This camera system features a number of sensors designed to recognise a person’s face including a dot projector, infrared camera and flood illuminator (which is a fancy name for what is effectively a flash). Glancing at this system will allow you to automatically unlock your iPhone X, but can also be used for Apple Pay and to unlock compatible apps, including banking apps.
Apple Face ID: How does Face ID work?
When the camera array identifies a person’s face and gaze it projects 30,000 invisible infrared dots to effectively ‘map’ the shape and contours of the face. When a user's face is first stored on the phone, the pattern of these dots is fed to the iPhone X’s A11 Bionic chip and its neural networks.
These neural networks, designed to work like a human brain, create a mathematical model of your face using the dot pattern and store this model in a “secure enclave” on the iPhone X itself – it is not uploaded to a cloud server or similar.
Next time you look at your iPhone X, the same dots are mapped onto your face and compared to the stored mathematical model. If the pattern matches the model, the phone unlocks. This happens in less than a second. The more the TrueDepth system is used, the more in-tune it becomes to your face and, from the start, can identify face shapes regardless of changes to skin tone, hairstyles, whether you’re wearing glasses or a hat, for example.
The flood illuminator helps illuminate the face so the dots know where to be placed and means Face ID works in the dark.
Apple Face ID: Is Face ID secure?
Apple claims the error rating on the iPhone X’s Face ID is one in a million. TouchID had
cnet.com · 2017
Did Apple's vaunted Face ID facial recognition system on the iPhone X already get hoodwinked?
That's what a Vietnamese security company says it did -- using only a $150 3D-printed mask. BKAV uploaded a video demonstration as a proof of concept on Friday, showing an iPhone X unlocking after exposing it to a customized mask, which only had cutouts of eyes, a silicone nose and a mouth on a 3D-printed frame.
Ngo Tuan Anh, BKAV's vice president of cybersecurity, then unlocked the Face ID using his own face, to show that it worked on his too. You can see it here.
Face ID is one of the signature features on Apple's flagship iPhone X. While facial recognition isn't new, Apple says it's created the most secure version yet.
Skeptics were quick to predict that someone would be able to fool Face ID after it was unveiled in September. Facial recognition has shown its pitfalls before, with hackers tricking security by putting a photo in front of the camera. Apple points out that it uses infrared sensors and mapping dots to scan for 3D images. The company even went as far as working with Hollywood mask makers to train the biometric against falling for props.
BKAV, which built a reputation on fooling facial recognition, quickly touted toppling Face ID, writing that Apple didn't have enough "scientific and serious estimation before deciding to replace Touch ID with Face ID."
Apple declined to comment, referring to its Face ID security report for details. In the security guide, last updated this month, Apple wrote that Face ID had "an additional neural network that's trained to spot and resist spoofing," including from masks like BKAV's.
But there are a few issues with the methods behind the video, none of which BKAV's blog post quite answered. Typically, with a major security flaw, researchers will publish a technical paper revealing how they found it, and who is vulnerable, showing the methodology behind the discovery.
BKAV, which is also trying to break into the phone business, hasn't provided those details, but said it would answer questions in a press conference this week. BKAV didn't respond to a request for comment, but here are our questions.
What's registered on BKAV's iPhone X's Face ID?
A mask could easily unlock an iPhone X if it's the "face" that's actually registered with Face ID.
BKAV failed to walk viewers through its research process, and this is a glaring hole in its transparency. You can register Face ID on anything with a face, including the mask.
Because Face ID runs on artificial intelligence that learns each time it's used, the algorithm could have been trained to learn the human's face based off the mask in reverse.
How often did they try to use Face ID and fail?
Like the previous question, this one is important to note based on how Face ID's algorithm learns. If your Face ID scan fails five times, you're forced to enter a passcode.
Each time you enter a passcode, Face ID learns the new scan and registers it as a positive entry.
"If Face ID fails to recognize you, but the match quality is higher than a certain threshold and you immediately follow the failure by entering your passcode, Face ID takes another capture and augments its enrolled Face ID data," Apple said in its white paper.
It's entirely possible that the masks could have failed more than five times, and after the researchers entered the passcode, it registered the mask as a positive scan to work in the future.
But BKAV said that it "applied the strict rule of 'absolutely no passcode' when crafting the mask," which would mean that the mask fooled Face ID in less than five attempts. The company never specified how many attempts it made.
How long did it take to make the mask?
The "no passcode" rule makes this task particularly tough.
Face ID has to be used about every four hours, or else it'll prompt the person to enter a password. The facial recognition is also disabled if the iPhone X hasn't been unlocked for more than two days.
BKAV said in its Q&A that it started working on the mask, including 3D models and the silicone nose, after it received the iPhone X on Nov. 5.
That would give them a 48-hour window from the moment they turned the device on to create a mask that worked. They did not specify how long it took to create the spoof.
The mask would also have to trick Face ID within the first four hours after registering the human face. It's not impossible, but that's an impressive number of hurdles to jump in a short amount of time without using a password, as BKAV said.
How practical is this?
When Face ID was first announced, there was a lot of discussion about how secure the facial recognition was. A major consideration was a person's threat model: looking at what risks you as an individual encounter.
If your threats are a pickpocket at a bar, it's highly unlikely the thief will also have your facial structure and a scan of your face ready to 3D-print and
telegraph.co.uk · 2017
Apple claims the facial recognition system on the new iPhone X is impervious to being fooled by photos, impersonators and masks, but a team of hackers claim to have beaten the technology after just a week.
Cyber security firm Bkav says a 3D-printed mask costing just $150 (£115) to make has fooled the Face ID software, which is used to unlock the iPhone X, authorise payments and log in to apps.
The researchers said it proved that Face ID is "not an effective security measure", although making the mask did require a detailed facial scan, and would be difficult for normal users to replicate.
However, the researchers' demonstration has not been independently verified, and the video does not go through the entire set-up process, so there are likely to be doubts about the supposed flaw.
When the iPhone X was unveiled in September, Apple touted the security benefits of Face ID, saying there is a one in a million chance of another person being able to unlock it, and that it had stress-tested the technology using silicone masks made by Hollywood studios.
Bkav constructed the mask using a combination of 3D printing, a silicone nose and printed images of the eyes. A video released by the company appears to show Face ID being fooled when a cloth covering the mask is removed, although it does not show Face ID being set up, so it cannot be confirmed that the technique works.
cultofmac.com · 2017
Hackers may have already proven that Face ID isn’t quite as secure as Apple claims.
Vietnamese security firm Bkav has posted a video showing an iPhone X being unlocked after unveiling a composite 3D-printed mask made of plastic, makeup, silicone and paper cutouts for some facial features.
Bkav detailed how it hacked Face ID in a blog post but has not publicly demonstrated the process yet. It also hasn’t been confirmed by a third-party yet. Normal iPhone X users shouldn’t really be alarmed either because for now it requires a lot of time to 3D scan your face. Still, Bkav says it shows Face ID is less secure than Touch ID.
“Apple has done this not so well,” wrote Bkav. “Face ID can be fooled by mask, which means it is not an effective security measure.”
Fooling Face ID
The mask used by the hackers consisted of a 3D-printed frame of the victim’s face. They then attached a sculpted silicone nose, two-dimensional eyes and lips printed on papers. It’s a much simpler solution than the Hollywood-quality masks commissioned by WIRED that had much more detailed hair and facial features that failed to trick Face ID.
“The recognition mechanism is not as strict as you think,” wrote Bkav. “We just need a half face to create the mask. It was even simpler than we ourselves had thought.”
Even though Bkav claims to have beaten Face ID, there are still a lot of questions about how legitimate the hack is. It’s still unclear how the phone was registered and trained on the owner’s real face. To pull off the hack you need access to 3D scan the person’s face for 5 minutes.
Bkav said it made four masks that failed to unlock Face ID and then got it right on the fifth attempt. Billionaires and top CEOs could be potential targets of the hack, but most iPhone X owners have nothing to worry about.
dailymail.co.uk · 2017
It's one of the most wanted features in the iPhone X, but it seems that Face ID may not be as safe as Apple thinks.
Cyber-security researchers claim they have fooled the face recognition technology with a mask that costs just £114 ($150) to make.
The findings suggest that face recognition is not yet mature enough to guarantee security for computers and smartphones, according to the researchers.
THE MASK
The main frame of the face was created with a 3D printer, and the nose was created by an artist from silicone. The eyes were represented with 2D images, while the 'skin was also hand-made to trick Apple's AI', according to the researchers. Worryingly, the mask took just six days to complete, and cost £114 ($150), suggesting that the technique could be replicated by hackers.
The mask was made just one week after the iPhone X officially went on sale, by researchers from Ha Noi-based Bkav.
The researchers set up the Face ID feature as normal with a human face, before creating a mask of that face using a 3D printer.
Mr Ngo Tuan Anh, Vice President of Cybersecurity at Bkav, said: 'The mask is crafted by combining 3D printing with makeup and 2D images, besides some special processing on the cheeks and around the face, where there are large skin areas, to fool AI of Face ID.'
The main frame of the face was created with a 3D printer, and the nose was created by an artist from silicone.
The eyes were represented with 2D images, while the 'skin was also hand-made to trick Apple's AI', according to the researchers.
Bkav has released a video showing the mask unlocking the iPhone X in seconds - although it does not reveal the making of the mask, or how many attempts it took to unlock the device.
It is also unclear whether the researchers disabled Apple's Attention Aware feature, which means the device can only be unlocked when your eyes are open.
CONCERNS OVER FACE ID
Several people have raised concerns about Face ID. These include:
- Concerns that thieves could quickly unlock your device after they've stolen it
- Worries that Apple would store data collected from Face ID images
- Concerns that the system could be unlocked with a picture of your face
- Worries that Face ID could have a racial bias
- Concerns that police could unlock your device without permission
The mask took just six days to complete, and cost £114 ($150), suggesting that the technique could be replicated by hackers.
The researchers said: 'Potential targets shall not be regular users, but billionaires, leaders of major corporations, nation leaders and agents like FBI need to understand the Face ID's issue.'
Apple could not provide comment, but pointed MailOnline to its information manual about Face ID security.
The researchers suggest that despite Apple's claims, face recognition is not yet secure enough.
They added: 'After nearly 10 years of development, face recognition is not mature enough to guarantee security for computers and smartphones.
'As for biometric security, fingerprint is the best.'
lifehacker.com · 2017
When Apple first announced Face ID for the iPhone X, it claimed the new feature was significantly more secure than Touch ID and couldn’t be fooled by even the most realistic of masks. But it turns out that might not be the case.
Vietnamese cyber security firm Bkav claims to have already tricked Face ID using a custom-made mask—but don’t return your iPhone X just yet. Before you freak out, here’s what the news actually means for your smartphone security.
How Bkav Beat Face ID
According to Bkav, all you need to make a mask that can trick Face ID is a scan of the person’s face and about $150 worth of materials.
The second part is easy. The mask was made using some sculpted silicone, printer plastic, makeup and paper cutouts. Key areas, like the eyes and mouth, were actually recreated with 2D photos pasted onto the 3D surface. The design was based on the discovery that Face ID only scans about half of your face and allegedly doesn’t require eye movements to work, making it surprisingly easy to fool.
The first part is a little more complicated, though. Bkav used a handheld scanner that took five minutes to work. So the only way to scan someone’s face is to be in the same room, with their participation (either by choice or forced).
Why You Shouldn’t Be Worried
The fact that someone would need to be in the same room with you means this Face ID hack isn’t much of a threat to most people. Bkav notes that world leaders and CEOs could be at risk from a targeted attack, but for the rest of us, it’s not worth worrying about.
Down the line, it’s possible you could get the same results by quickly scanning someone’s face with a smartphone camera or even using photographs. But again, you don’t need to worry about that at the moment.
We also still don’t know how legitimate Bkav’s claims really are. The company may have purposefully done a poor job setting up Face ID so it was easier to trick, which would discredit the results. Bkav declined to answer a list of questions from Wired, but said it would reveal more at a press conference this week, so we should learn more soon.
Until then, there’s no reason to stop using Face ID, unless you simply find it annoying to use.
arstechnica.com · 2017
Security researchers say they used a $150 mask to break the Face ID facial recognition system that locks Apple's new iPhone X. The work may be significant, it may be little more than a stunt with few real-world consequences, or it could possibly be something in the middle. So far, it's impossible to know because the researchers have evaded key questions about how they went about breaking into the device.
The supposed hack was carried out by researchers from Vietnamese security firm Bkav, which in 2009 demonstrated a way to bypass face-based authentication in Toshiba and Lenovo laptops. On Friday, company researchers published a video showing them unlocking an iPhone X by presenting it with a custom-made mask instead of the live human face that Apple has repeatedly insisted is the only thing that can satisfy the requirements of the facial recognition system.
The researchers said they designed their mask using 2D and 3D printers and that an artist made the nose by hand using silicone materials. Other features of the mask used 2D images and "special processing on the cheeks and around the face, where there are large skin areas" in a successful attempt to defeat the artificial intelligence Face ID uses to distinguish real faces from images, videos, or masks.
"It is quite hard to make the 'correct' mask without certain knowledge of security," a Bkav representative wrote in an e-mail to Ars. "We were able to trick Apple's AI, as mentioned in the writing, because we understood how their AI worked and how to bypass it."
The truth is out there
The video and accompanying press release omitted key details that are needed for other researchers to assess if the results represent a true bypass of an authentication system Apple has spent years developing. One of the most important details is whether the mask successfully unlocked the iPhone immediately after it was set up to use the real human face for authentication or if the bypass succeeded only over a period of time following the face enrollment. The distinction is crucial. According to a white paper Apple published earlier this month, Face ID takes additional captures over time and uses them to augment enrolled Face ID data. If the researchers trained Face ID over time to work with the mask, they were giving themselves an advantage a real-world attacker wouldn't have.
Another important consideration is how the mask was made. Did, for instance, the artist or any of the researchers have to have access to the real face the mask was based on? Did the human target sit for measurements or the taking of a mold? Or, on the other hand, was the mask solely crafted using images or videos that could be taken without the target's knowledge or consent? Again, the answers are crucial because if the mask could only be created with the help of the target, the bypass doesn't represent a meaningful hack.
Throughout the weekend, Ars pressed Bkav representatives repeatedly to describe these and other details. As the following exchange demonstrates, the representatives deflected and at times outright evaded the questions:
Ars: Were you able to use the mask to unlock the iPhone immediately after freshly enrolling the real face? The reason I ask is that, according to Apple's whitepaper, Face ID will take additional captures over time and augment its enrolled Face ID data with the newly calculated mathematical representation. Can you describe precisely how you went about conducting this experiment?
Bkav: It does not matter whether Apple Face ID “learns” new images of the face, since it will not affect the truth that Apple Face ID is not an effective security measure. However, we knew about this “learning,” thus, to give a more persuasive result, we applied the strict rule of "absolutely no passcode" when crafting the mask.
Ars: Can you explain why your hack worked but the ones attempted by Wired magazine failed?
Bkav: Because... we are the leading cyber security firm ;) It is quite hard to make the "correct" mask without certain knowledge of security. We were able to trick Apple's AI, as mentioned in the writing, because we understood how their AI worked and how to bypass it. As in 2008, we were the first to show that face recognition was not an effective security measure for laptops.
Ars: Are the dimensions of a person's face needed? How would those be obtained without a target sitting for them?
Bkav: The 1st point is, everything went much more easily than you expect. You can try it out with your own iPhone X, the phone shall recognize you even when you cover a half of your face. It means the recognition mechanism is not as strict as you think, Apple seems to rely too much on Face ID’s AI. We just need a half face to create the mask. It was even simpler than we ourselves had thought. Apple has done this not so well. I remember reading an article on Mashable, in which Apple told that iPhone X had been planned to be rolled out in 2018, but the company then decided to release it one year ear
finance.yahoo.com · 2017
There is no such thing as foolproof phone security.
Case in point: Security researchers at Bkav have reportedly defeated the iPhone X's Face ID feature using a simply-constructed 3D mask.
The average person probably doesn't need to worry about the purported hack, but billionaires, celebrities, and high-profile public figures like presidents may want to rethink their use of Apple's nascent facial recognition technology.
Apple is trying to convince people Face ID is more secure than its Touch ID fingerprint sensor, which is still used in the iPhone 8 in addition to earlier models. But stories about weak spots (especially if you've got a twin or you're a kid) keep popping up.
While Apple acknowledges that Face ID isn't hack-proof, the company says it's built the face recognition technology to have 1 in a million chance of somebody else unlocking your iPhone X compared to the 1 in 50,000 chance using Touch ID.
Not only that, but Apple says it worked with Hollywood makeup artists and mask makers to ensure that elaborate masks couldn't be used to bypass a person's iPhone X.
Before Bkav, a security firm, released its results, others had tried to trick Face ID using detailed masks and failed. The Wall Street Journal's Joanna Stern had a mold of her face made by a professional prosthetic company and, sure enough, her iPhone X wouldn't unlock when a colleague donned her fake face. Wired's David Pierce also attempted a much more detailed recreation of his face using a variety of different materials, but also failed to trick Face ID.
Bkav's rudimentary mask, though, tripped up the feature. The mask, which you can see below, included a 3D-printed face with 2D-printed eyes and lips and a 3D nose constructed of silicone. Mashable has reached out to Apple for comment on the hack.
If this hack looks basic, that's because it is — at least on the surface. Bkav says the crude mask only cost about $150 to make.
Rich and famous more at risk
That may sound really scary, but this hack won't affect most people.
For starters, the lengths one must go to — it took about a week for Bkav to create a mask that successfully tricked the iPhone X — aren't worth it in most cases.
Then there's the matter of getting scans of your eyes and mouth. According to Wired, Bkav's researchers need to manually scan a person's face for five minutes before getting enough detail to reconstruct a false mask.
Additionally, the silicone nose needs to be made by hand. An initial version of the nose reportedly didn't work and needed to be modified to deceive the iPhone X's TrueDepth cameras and built-in AI.
Though similar facial recognition unlocking technology on Samsung's Galaxy S8 and Note 8 phones is much easier to bypass (in some cases, it can be fooled by a picture), the alternative and more secure iris scanner built into these phones is much more difficult to hack, requiring very specific printers and contact lenses.
All things considered, Bkav's researchers say billionaires, celebrities and public figures, who will have their faces photographed and widely published, could be easier targets for its hacks. With enough effort, a skilled craftsman could reconstruct a mask similar to the one Bkav made using lots of photographs.
fortune.com · 2017
A researcher in Vietnam has demonstrated how he apparently fooled Apple’s face recognition ID software on its new iPhone X using a mask made with a 3D printer, silicone, and paper tape.
An announcement on Friday by Bkav, a Vietnamese cybersecurity firm, that it had cracked Apple’s Face ID, and a subsequent video apparently showing an iPhone being unlocked when pointed at a mask, were greeted with some skepticism.
Ngo Tuan Anh, Bkav’s vice president, gave Reuters several demonstrations, first unlocking the phone with his face and then by using the mask. It appeared to work each time.
However, he declined to register a user ID and the mask on the phone from scratch because, he said, the iPhone and mask need to be placed at very specific angles, and the mask to be refined, a process he said could take up to nine hours.
Apple declined to comment, referring journalists to a page on its website that explains how Face ID works.
That page says the probability of a random person unlocking another user’s phone with their face was approximately one-in-a-million, compared to 1-in-50,000 for the previously used fingerprint scanner. It also says Face ID allows only five unsuccessful match attempts before a passcode is required.
Anh acknowledged that preparing the mask wasn’t easy, but he said he believed the demonstration showed facial recognition as a way to authenticate users would be risky for some.
“It’s not easy for normal people to do what we do here, but it’s a concern for people in the security sector and important people like politicians or heads of corporations,” he said. “(These) important people should absolutely not lend their iPhone X to anyone if they have activated the Face ID function.”
It’s the first reported case of researchers apparently being able to fool the Face ID software.
Cybersecurity experts said the issue was not so much whether Face ID could be hacked, but how much effort a hack required.
“Nothing is 100% secure,” wrote Terry Ray, chief technology officer at U.S.-based cybersecurity company Imperva, in a note. “Where there’s a will, there’s a way. The questions are: How much trouble would someone go to, and how much would they spend, to get your data?”
Bkav’s Anh said the research took about a week, and included numerous failures. The mask frame was made of plastic, covered with paper tape to resemble skin, with a silicone nose and paper for eyes and mouth.
As far back as 2009, Bkav researchers highlighted what they said were problems with using facial recognition as a way to authenticate users. They said then that they had hacked three laptop manufacturers which used webcams to authenticate users.
IT'S barely been available for ten days, but conniving hackers have already cracked the iPhone X's facial recognition security system.
Security experts based in Singapore used a 3D scanner to re-create the owner's face at a cost of £115.
They used 3D printing, makeup and 2D images plus some "special processing on the cheeks and around the face" to fool the iPhone X.
In a clip posted to YouTube, a researcher at Bkav can be seen holding his iPhone X in front of the model of his face and successfully unlocking it.
Apple has claimed that its Face ID - which replaces fingerprint scanner Touch ID from its earlier models - is super secure.
Samsung was left red-faced when hackers proved it was easy to fool its own version using a photo of its owner.
The smartphone rival admitted the flaw but said that it never claimed facial recognition was uncrackable.
Bkav has gone to extreme lengths to unlock the iPhone X and while £115 is just a fraction of the £1,000 price tag, it seems unlikely that criminals are going to recreate each owner's face before nicking their gadgets.
But it could prove problematic for high profile names, a spokesperson said.
They said: "Potential targets shall not be regular users, but billionaires, leaders of major corporations, nation leaders and agents like FBI need to understand the Face ID's issue [sic].
"Security units' competitors, commercial rivals of corporations, and even nations might benefit from our proof of concept."
Hackers or spies could use this method to try and learn all the top-secret details after nicking a politician or journalist's phone, for example.
Apple said that its Face ID will continually learn by constantly taking selfies of its owner to create a very detailed profile.
That might be why it was easily tricked just a week after purchase.
Apple has worked with mask makers to make sure scenarios like these can't happen.
Speaking at the iPhone X launch event in September, Apple's Senior Vice President Phil Schiller said: "They [Apple workers] have even gone and worked with professional mask makers and makeup artists in Hollywood to protect against these attempts to beat Face ID".
schneier.com · 2017
It only took a week:
On Friday, Vietnamese security firm Bkav released a blog post and video showing that -- by all appearances -- they'd cracked FaceID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which in combination tricked an iPhone X into unlocking.
The article points out that the hack hasn't been independently confirmed, but I have no doubt it's true.
I don't think this is cause for alarm, though. Authentication will always be a trade-off between security and convenience. FaceID is another biometric option, and a good one. I wouldn't be less likely to use it because of this.
FAQ from the researchers.
Posted on November 15, 2017 at 6:54 AM • 46 Comments
computerworld.com.au · 2017
A researcher in Vietnam has demonstrated how he apparently fooled Apple's face recognition ID software on its new iPhone X using a mask made with a 3D printer, silicone and paper tape.
An announcement on Friday by Bkav, a Vietnamese cybersecurity firm, that it had cracked Apple's Face ID, and a subsequent video apparently showing an iPhone being unlocked when pointed at a mask, were greeted with some skepticism.
Ngo Tuan Anh, Bkav's vice president, gave Reuters several demonstrations, first unlocking the phone with his face and then by using the mask. It appeared to work each time.
However, he declined to register a user ID and the mask on the phone from scratch because, he said, the iPhone and mask need to be placed at very specific angles, and the mask to be refined, a process he said could take up to nine hours.
Apple declined to comment, referring journalists to a page on its website that explains how Face ID works.
That page says the probability of a random person unlocking another user's phone with their face was approximately 1-in-a-million, compared to 1-in-50,000 for the previously used fingerprint scanner. It also says Face ID allows only five unsuccessful match attempts before a passcode is required.
Anh acknowledged that preparing the mask wasn't easy, but he said he believed the demonstration showed facial recognition as a way to authenticate users would be risky for some.
"It's not easy for normal people to do what we do here, but it's a concern for people in the security sector and important people like politicians or heads of corporations," he said.
"(These) important people should absolutely not lend their iPhone X to anyone if they have activated the Face ID function."
It's the first reported case of researchers apparently being able to fool the Face ID software.
Cybersecurity experts said the issue was not so much whether Face ID could be hacked, but how much effort a hack required.
"Nothing is 100 percent secure," wrote Terry Ray, chief technology officer at U.S.-based cybersecurity company Imperva, in a note. "Where there's a will, there's a way. The questions are: How much trouble would someone go to, and how much would they spend, to get your data?"
Bkav's Anh said the research took about a week, and included numerous failures. The mask frame was made of plastic, covered with paper tape to resemble skin, with a silicone nose and paper for eyes and mouth.
As far back as 2009, Bkav researchers highlighted what they said were problems with using facial recognition as a way to authenticate users. They said then that they had hacked three laptop manufacturers which used webcams to authenticate users.
(Reporting by Mai Nguyen; Writing and additional reporting by Jeremy Wagstaff; Editing by Ian Geoghegan)
news.com.au · 2017
IT TURNS out Apple’s Face ID is far from perfect, as demonstrated by a 10-year-old boy who is the latest to “hack” the sophisticated technology.
How did he do it?
By simply looking like his mum.
Ammar Malik was able to break into his mum’s new smartphone by simply looking at it, according to Wired.
Which evidently is a problem because the little devil likes reading his parents’ text messages.
“My wife and I text all the time and there might be something we don’t want him to see,” Attaullah Malik, the boy’s father, said. “Now my wife has to delete her texts when there’s something she doesn’t want Ammar to look at.”
The boy did lose his ability to unlock the phone after his mom re-registered the Face ID feature. However, he had more luck after Wired asked her to re-register the device in the same lowlight conditions as the first time she set it up.
“I set up the Face ID using my face but the annoying thing is my 10-year-old son can unlock my phone using his face,” she said in a video demonstration posted to YouTube.
When Apple announced it was getting rid of Touch ID for facial recognition, the company said it was a more secure option with only a one in 1 million chance of being tricked.
“If you happen to have an evil twin, you need to protect your data with a passcode,” marketing vice president Phil Schiller joked during Apple’s iPhone X announcement.
Earlier this week security researchers at Bkav managed to hack the Face ID technology by using a 3D printed frame, makeup, a silicone nose and 2D images, along with special processing on the cheeks and around the face where there are large areas of skin.
“It means the recognition mechanism is not as strict as you think, Apple seems to rely too much on Face ID’s AI. We just need a half face to create the mask. It was even simpler than we ourselves had thought,” they said.
The researchers claimed the entire mask used to trick Face ID cost less than $A200 to create.
It was a particularly elaborate exercise to test the new iPhone’s technology which your average person is very unlikely to replicate, but the case of Ammar Malik shows it’s still far from perfect.
imore.com · 2017
Face ID, Apple's facial identity sensor for iPhone X, is new and that's both scary and ripe for exploitation. We saw it happen with Touch ID, from all the concern that manifested when Apple announced it alongside iPhone 5s to the sensationalized headlines and the attempts to spoof it after it launched. Now, we're seeing the same thing with Face ID — fear, uncertainty, and doubt spread before it was even released and spoof attempts are following in a post-video-first, think-through-the-logic-flow second frenzy.
It's a shame. Face ID is incredibly enabling and accessible technology that can all but eliminate active authentication for users and allow them to unlock and use their iPhones more simply and easily than ever before. But those same people, the ones who could benefit the most, are being assaulted by an endless stream of headlines that are, bluntly, worse attacks than many of the so-called exploits they claim to be reporting. I know this because every time one of those headlines goes live, I get calls and messages from my family members who are suddenly panicked by them. And they don't deserve that. Nobody does.
Face ID facts
Before Face ID was released alongside iPhone X, Apple published a white paper covering its implementation and current limitations. The company followed up with a support article. I summed them all up, and some logical extensions, in my iPhone X review:
Face ID, as currently implemented, does not work in landscape orientation. (The camera system is optimized for portrait.)
Face ID needs to be able to see your eyes, nose, and mouth to be able to function. If too much of that area is blocked by IR filters (like some sunglasses) or other objects (like masks), there's not enough of your face to ID. (This is like the gloved finger with Touch ID.)
Direct sunlight on the Face ID camera can blind it, just like any camera. If you're standing with the sun directly over your shoulder, turn a bit before using Face ID. (This is like the moist finger with Touch ID.)
If you're under the age of 13, your facial features may not yet be distinct enough for Face ID to function properly and you'll have to revert to passcode.
Face ID can't effectively distinguish between identical twins (or triplets, etc.) If you have an identical sibling or even similar looking family member, and you want to keep them out of your iPhone X, you'll have to revert to passcode.
If you give someone else your passcode, they can either delete and re-setup themselves on Face ID or, if they look similar to you, enter the passcode repeatedly at failure to retrain Face ID to recognize their features as well/instead.
Unlike Touch ID, which allows for the registration of up to 5 fingers, Face ID currently only allows for one face. That means no sharing easy access with family members, friends, or colleagues.
If, for any reason, you don't like the idea of your face being scanned, you'll have to revert to passcode or stick with a Touch ID device.
There doesn't seem to be anything shown off in video or breathless headline since that doesn't fall under any of these limitations.
Hack vs. spoof
One of the most egregious errors in reporting that's gone on around Face ID also echoes those we saw years ago with Touch ID: The conflation of hacking with spoofing.
When people hear or read the word "hack", it's easy to imagine someone got into the system. In this case, the secure enclave on Apple's A11 Bionic chipset that houses the neural networks for Face ID and its data. That absolutely has not happened. For both Face ID and Touch ID, the secure enclave remains inviolate. (That's very different from early HTC and Samsung implementations, which stored fingerprint data in world-readable directories...)
What we have seen is people try to spoof it or fool it into thinking it's capturing legitimate biometric data. We saw this with Touch ID as well. We saw fingerprints being lifted and reproduced for the express purpose of fooling the sensor system. Even before biometrics, we saw this with traditional keys. People would scan and reproduce keys to get into door locks. It's exactly the type of attack you try against physical security systems. Now we're seeing the same thing with family members, masks, and Face ID.
Family Face ID feuds
Earlier this month, we saw two brothers post a video claiming one could unlock the Face ID system of the other. I covered it at the time:
One of the videos that got a lot of attention this weekend was made by two brothers, both of whom were eventually able to get Face ID to unlock the same iPhone X. It was revealed in a follow-up video that the first brother set up Face ID, then the second brother then tried to use it and was properly locked out. Then the second brother entered the iPhone X passcode to unlock. If someone else, including your sibling, has your iPhone X passcode, Face ID doesn't even exist. You've given them much higher access than even Face ID allows — including the ability to reset Face ID and other da
forbes.com · 2017
The Vietnamese hackers who claimed earlier this month to have fooled Apple's Face ID with a mask costing less than $150 are back. But this time, their evidence is more compelling.
Whereas in their previous attack researchers from Vietnamese cybersecurity company Bkav didn't show the enrolment process, or how long it took from that point to opening an iPhone X with the mask, in a new proof of concept, they appear to do both. A video shows the Face ID facial recognition enrolment being reset. Then the researcher enrols his own face and seconds later unlocks it with a mask made of a 3D-printed visage constructed of stone powder, with 2D-printed eyes stuck on.
The researchers dubbed their mask the "artificial twin," as it was similar to the way an identical (or close to identical) sibling could unlock an iPhone X. Indeed, video evidence of such trickery has emerged since the launch of the iPhone X. In at least one case, a female user's 10-year-old son was able to get into the device by just looking at it. Apple, during the iPhone X launch, admitted that in some cases where family members looked similar enough, there was a chance Face ID would allow them access. But it claimed to have worked with Hollywood studios to test out various mask-based hacks.
Bkav hasn't been shy in criticizing Apple's facial recognition technology, though. "About two weeks ago, we recommended that only very important people such as national leaders, large corporation leaders, billionaires, etc., should be cautious when using Face ID," said Ngo Tuan Anh, Bkav's vice president of cybersecurity. "However, with this research result, we have to raise the severity level to every casual users: Face ID is not secure enough to be used in business transactions."
Apple hadn't responded to a request for comment at the time of publication. Users who are concerned about using facial recognition on their iPhone X can just fall back to using a passcode.
A spokesperson for Bkav said it had decided not to tell Apple about its newest techniques as the iPhone maker had chosen not to respond to media reports when its last hack was released.
Explaining more on the process of creating the mask, the spokesperson said the company used a 3D scanning booth to take the original images. "For example, if you are standing in the middle of booth, it will take photos of you at different angles in just two seconds. And we take an infrared image of your face.
"Then, we will make 3D object of your face from the photos... Then, with the 3D object, we use a 3D printer, using stone powder as material, to print the twin mask of your face. It will be the original mask by the printer, no modification is needed.
"Then, using the infrared image of your face, we cut the eye's parts from the image. We know how to cut the eye's parts so that it can trick Face ID, but cannot disclose... Then, we glued the eye parts to the 3D twin mask of your face. Then, it is done. No other modification needed."
Real world attacks possible?
What Bkav didn't address in its release Monday was the applicability of a mask-based attack in the real world. An attacker would need to be able to get an accurate scan of a target's face, then spend the time and effort creating the mask (a process that hasn't been fully-detailed by Bkav). It's also apparent from the video that the iPhone has to be aligned with the mask at a specific angle for the attack to work.
Security and encryption expert Professor Alan Woodward, from the University of Surrey in the U.K., said there were still questions about the researchers' approach. "What we still don't know is how much effort it took to produce that particular mask and how many attempts it took to match the mask and face. As a threat it proves that Face ID is not totally reliable, but as a risk we should all worry about in everyday life I'm less convinced," Woodward said.
"What the experiment does show is that a static mask can fool the Apple technology that is supposed to ensure that only a living face is recognised. Once that is possible it then becomes theoretically possible to produce a static mask to open the device.
"However, you can see from the way this experiment is done it is very tricky to position the device just so. That suggests that mask has to be used in very particular circumstances."
complex.com · 2017
iPhone X’s Face ID keeps getting tricked.
As pointed out by Forbes, researchers at the Vietnamese security firm Bkav have found another way to bypass Apple’s facial recognition system. The team, which pulled off a similar hack earlier this month, was able to replicate a face using a series of photos, stone powder, and 2D printed eyes. The researchers call the mask "the artificial twin."
"Bkav experts found out that stone powder can replace paper tape (used in previous mask) to trick Face ID' AI at higher scores," Bkav wrote in a blog post. "The eyes are printed infrared images—the same technology that Face ID itself uses to detect facial image. These materials and tools are casual for anyone. An iPhone X has its highest security options enabled, then has the owner's face enrolled to set up Face ID, then is immediately put in front of the mask, iPhone X is unlocked immediately. There is absolutely no learning of Face ID with the new mask in this experiment."
You might be thinking: How can anyone get a proper scan of my face without my knowledge? Bkav claims it’s easier than many think. Researchers said all they have to do is set up a series of concealed cameras in a room.
"For example, if you are standing in the middle of booth, it will take photos of you at different angles in just two seconds. And we take an infrared image of your face," a Bkav spokesperson told Forbes. "Then, we will make 3D object of your face from the photos... Then, with the 3D object, we use a 3D printer, using stone powder as material, to print the twin mask of your face. It will be the original mask by the printer, no modification is needed." All in all it cost about $200 to make the mask.
You can check out the hack above.
Since the iPhone X was released, many people have discovered ways to fool the security feature. Twins and children have successfully unlocked phones using less elaborate methods than Bkav’s, which has made more and more users skeptical.
Though no security feature is 100 percent foolproof, the firm insists the Touch ID is a much safer option, as it’s more difficult to collect fingerprints than it is to take photos of someone’s face.
pymnts.com · 2017
Vietnamese hackers who previously said they could bypass Apple’s Face ID biometric phone security with a mask claim to have hacked the iPhone X again, this time with more evidence of their success.
According to news from Forbes, Vietnamese cybersecurity company Bkav posted a video that shows how a researcher was able to reset the facial recognition enrollment, enroll his own face and then unlock the iPhone X seconds later. The researcher used a mask made of a 3D printed visage and 2D printed eyes — which cost less than $150. The researchers called their mask the artificial twin, since it was similar to the mask it used when it first hacked Face ID.
“About two weeks ago, we recommended that only very important people, such as national leaders, large corporation leaders, billionaires, etc., should be cautious when using Face ID,” said Bkav VP of Cybersecurity Ngo Tuan Anh in the report. “However, with this research result, we have to raise the severity level to every casual [user]: Face ID is not secure enough to be used in business transactions.”
A spokesperson for Bkav told Forbes it has decided not to alert Apple to the new way it was able to fool Face ID, since the company hasn’t responded to media reports about the security of the facial recognition biometrics technology on the iPhone X following the initial hack.
While Bkav was able to use a mask to unlock a user’s iPhone X, the cybersecurity firm didn’t address if a mask-based attack could happen in the real world. After all, the bad guys would need an accurate scan of the target’s face and then would have to spend the time and effort to create the mask. They would also have to make sure the mask is aligned with the phone at a specific angle in order for the hack to work.
“What the experiment does show is that a static mask can fool the Apple technology that is supposed to ensure that only a living face is recognized. Once that is possible, it then becomes theoretically possible to produce a static mask to open the device,” security and encryption expert Professor Alan Woodward from the University of Surrey in the U.K. said in the report.
mashable.com · 2017
Breaking into a locked iPhone X shouldn't ever be described as simple, but according to a group of security researchers, that's exactly where we find ourselves.
The same Vietnamese team that managed to trick Face ID with an elaborately constructed mask now says it has found a way to create a replicated face capable of unlocking Apple's latest and greatest biometric using a series of surreptitiously snagged photographs.
Apple has copped to the fact that Face ID, for all its technical prowess, isn't perfect. It can be tricked by twins. For most people, however, that security threat is a nonexistent one. But what about masks? The Cupertino-based company assured customers that it had designed the biometric-powered safeguard with that attack in mind — yet the researchers at Bkav are here to rain on that particular parade.
They built a relatively inexpensive mask which, according to a blog post and video demonstration, was able to fool Face ID into unlocking.
"In this new experiment, Bkav used a 3D mask (which costs ~200 USD), made of stone powder, with glued 2D images of the eyes," researchers explained in a blog post. "Bkav experts found out that stone powder can replace paper tape (used in previous mask) to trick Face ID AI at higher scores. The eyes are printed infrared images — the same technology that Face ID itself uses to detect facial image. These materials and tools are casual for anyone."
To make matters worse, getting the data needed to construct the mask could be done without the target's knowledge, the researchers wrote — no elaborate face scans or up-close photographs required.
"Bkav researchers said that making 3D model is very simple," the blog post noted. "A person can be secretly taken photos of in just a few seconds when entering a room containing a pre-setup system of cameras located at different angles. Then, the photos will be processed by algorithms to make a 3D object."
Just how easy would it be for someone to pull this off in the real world? We reached out to Apple for comment, but received no response as of press time. We'll update this post when and if we hear back.
The researchers at Bkav, on the other hand, did get back to us, and their comments didn't inspire much confidence in Face ID's security.
"[When] targeting a person, [an attacker] can pre-install HD cameras of 3D scanning system in a meeting room or in an exhibition to secretly take photos of the target," explained a company spokesperson over email. "It takes only around 2s to get photos of the target’s face. Very fast."
As for making the mask itself? "[We] printed only one 3D mask, only one infrared image," the spokesperson noted. "We cut the eyes’ parts and pasted them on the mask, only one time. We succeeded at first try. There was no modification needed."
Should iPhone X owners be worried about this? Well, maybe. It's not like a common thief is going to go to the trouble of surreptitiously scanning your face before (or after) he's jacked your phone from you on your subway commute.
However, if someone wanted access to a specific something on your phone — and felt that it was worth the time and effort of building a mask — you might have a reason to be concerned. Although, of course, using an alphanumeric password in lieu of Face ID would negate that concern.
If anything, Bkav's findings are a reminder that no form of consumer biometric is infallible, and that as security improves, so do the tools and techniques hackers use to beat it.
This story has been updated to include additional comments from Bkav.