You probably don’t need to worry about someone hacking your iPhone X’s Face ID with a mask

Taylor Hatmaker, TechCrunch:

Touted as the iPhone X’s new flagship form of device security, Face ID is a natural target for hackers. Just a week after the device’s release, Vietnamese research team Bkav claims to have cracked Apple’s facial recognition system using a replica face mask that combines printed 2D images with three-dimensional features. The group has published a video demonstrating its proof of concept, but enough questions remain that no one really knows how legitimate this purported hack is.

I believe the term should be spoofed, not hacked. The video in the post shows Bkav using a homemade mask trying to spoof a person’s face registered using Face ID. Hacking would be breaking in and stealing credentials, or installing a back door, that sort of thing.

That said, something doesn’t sit right looking at that video. When I first saw it, my instinctive reaction was that it was fake. But even if the mask was successful in spoofing the user’s face, I just don’t see this as an issue.

More from Taylor’s post:

If you’re concerned that someone might want into your devices badly enough that they’d execute such an involved plan to steal your facial biometrics, well, you’ve probably got a lot of other things to worry about as well.

And:

Prior to the Bkav video, Wired worked with Cloudflare to see if Face ID could be hacked through masks that appear far more sophisticated than the ones the Bkav hack depicts. Remarkably, in spite of their fairly elaborate efforts — including “details like eyeholes designed to allow real eye movement” and “thousands of eyebrow hairs inserted into the mask intended to look more like real hair” — Wired and Cloudflare didn’t succeed.

If Bkav has the goods, I suspect we’ll hear more from them, perhaps a follow-on post with a more clearly defined demonstration. Or, perhaps, we’ll hear from Apple about some patch they made to Face ID in response to Bkav’s work. As is, color me skeptical.



  • Chris

    Bkav have been extremely clever with both their positioning and communication of their feat. First off, let me state that I’m 100% confident that what we’ve been shown in the video is true. There is a mask and a human face that can both open the same Face ID enabled iPhone. But, and this is a big but, there is an underlying assumption that everyone is making.

    In previous attempts at fooling Face ID, an iPhone is trained on a human’s face, and then various attempts are made at creating a life-like mask that mimics that human face. The clever bit of engineering that Bkav has accomplished, is to turn that assumption on it’s head.

    I believe that what they’ve done is to try and create an MVF, or Minimally Viable Face that would allow Face ID to work. Then, through a series of iterations, they’ve enhanced the MVF such that a Face ID model trained on the low fidelity mask would also work on the much higher fidelity human face. So in essence, they haven’t created a key that can open an existing lock, they’ve created a lock that works with an existing key.

    So while it’s not quite what it’s portrayed as, it’s still a bit of clever social and technical engineering.

    • Brandon

      I think you nailed this one on the head. If he can’t/won’t share his process to be verified by others, then there is no reason anyone should take him seriously.

    • Dave Mark

      Chris, I really like your comment and agree, this is MVF work. But my BS detector is still going off because of the lack of a clearly done demo and because of the lack of communication. That said, even if true, there’s still not much cause for concern, at least in my mind. — Dave

    • Jurassic

      Chris, you are absolutely right.

      Here are some pertinent quotes from Apple’s “Face ID Security” technical document (available on the web). This information explains how Face ID works, and why the “hacks” you see may just be that Face ID is (unknowingly) being “trained” to temporarily accept another face:

      “To improve unlock performance and keep pace with the natural changes of your face and look, Face ID augments its stored mathematical representation over time. Upon successful unlock, Face ID may use the newly calculated mathematical representation—if its quality is sufficient—for a finite number of additional unlocks before that data is discarded. Conversely, if Face ID fails to recognize you, but the match quality is higher than a certain threshold and you immediately follow the failure by entering your passcode, Face ID takes another capture and augments its enrolled Face ID data with the newly calculated mathematical representation. This new Face ID data is discarded after a finite number of unlocks and if you stop matching against it.”

      Apple is also open about the limitations of Face ID, and explains why it may not work properly with children, twins, or close siblings:

      “The probability that a random person the population could look at your iPhone X and unlock it using Face ID is approximately 1 in 1,000,000 (versus 1 in 50,000 for Touch ID). For additional protection, Face ID allows only five unsuccessful match attempts before a passcode is required to obtain access to your iPhone. The probability of a false match is different for twins and siblings that look like you as well as among children under the age of 13, because their distinct facial features may not have fully developed. If you’re concerned about this, we recommend using a passcode to authenticate.”

    • Meaux

      Bingo. Have you seen the adversarial glasses that CMU made that tricks existing facial recognition cameras? They look nothing like the person, they don’t even look like faces. They take advantage of the fact that facial recognition uses an algorithm and they only need to fool that.

      https://www.theverge.com/2016/11/3/13507542/facial-recognition-glasses-trick-impersonate-fool

      Also, scientists have figured out how to completely mess with image recognition. So even if this one isn’t real, a real solution will come soon and we likely won’t hear about it if black hats are the ones to discover it.

      https://www.theverge.com/2017/11/2/16597276/google-ai-image-attacks-adversarial-turtle-rifle-3d-printed

      • Jurassic

        “Have you seen the adversarial glasses that CMU made that tricks existing facial recognition cameras?”

        They are ONLY referring to 2D facial identification, like the system used by Samsung (which can be easily fooled with a photo).

        “Also, scientists have figured out how to completely mess with image recognition”

        Again, you are referring to 2D (photo) facial recognition.

        Face ID is MUCH more secure than 2D systems. Face ID is a 3D scanning system that uses an infrared projector and an infrared scanner to create a 3D model of a person’s face, and combines that data with Artificial Intelligence.

        Face ID is immune to being tricked by a photograph, and it even recognizes the user if he wears glasses or sunglasses, cuts or colors his hair, shaves off his beard or grows a beard, wears a hat, or does anything else other than changing the physical contours of his face (for example by plastic surgery or wearing prosthetics).

        You really ought to learn a bit about Face ID, instead of assuming it is no different than the less secure 2D photographic facial ID systems that have been used previously.

    • Brandy

      <

      blockquote>Google is paying 97$ per hour,with weekly payouts.You can also avail this. On tuesday I got a great New Land Rover Range Rover from having earned $11752 this last four weeks..with-out any doubt it’s the most-comfortable job I have ever done .. It sounds unbelievable but you wont forgive yourself if you don’t check it !da124d: ➽➽ ➽➽;➽➽ http://GoogleNewNetJobsTravelOpportunities/earn/hourly ★✫★★✫★✫★★✫★✫★★✫★✫★★✫★✫★★✫★✫★★✫★✫★★✫★✫★★✫★✫★★✫★✫★★✫★✫:::::!da124luu

  • GS

    Probably can train Touch ID to recognize your nose, right? Highly likely he has just done something similar with Face ID and the mask.

    • Meaux

      If he trained it on the mask, it wouldn’t work on his face. The odd thing is it appeared to work with both the fact and the mask.

  • James Hughes

    Somethings not quite right, that’s for sure. Chris, who commented here, is most likely correct. Over time though, Face ID would learn the “real” face better and this unlock trick, and yes it’s a trick, would no longer work.

    This is a short but good read about Face ID from Apple.

    https://images.apple.com/business/docs/FaceID_Security_Guide.pdf