Taylor Hatmaker, TechCrunch:
Touted as the iPhone X’s new flagship form of device security, Face ID is a natural target for hackers. Just a week after the device’s release, Vietnamese research team Bkav claims to have cracked Apple’s facial recognition system using a replica face mask that combines printed 2D images with three-dimensional features. The group has published a video demonstrating its proof of concept, but enough questions remain that no one really knows how legitimate this purported hack is.
I believe the term should be spoofed, not hacked. The video in the post shows Bkav using a homemade mask trying to spoof a person’s face registered using Face ID. Hacking would be breaking in and stealing credentials, or installing a back door, that sort of thing.
That said, something doesn’t sit right looking at that video. When I first saw it, my instinctive reaction was that it was fake. But even if the mask was successful in spoofing the user’s face, I just don’t see this as an issue.
More from Taylor’s post:
If you’re concerned that someone might want into your devices badly enough that they’d execute such an involved plan to steal your facial biometrics, well, you’ve probably got a lot of other things to worry about as well.
Prior to the Bkav video, Wired worked with Cloudflare to see if Face ID could be hacked through masks that appear far more sophisticated than the ones the Bkav hack depicts. Remarkably, in spite of their fairly elaborate efforts — including “details like eyeholes designed to allow real eye movement” and “thousands of eyebrow hairs inserted into the mask intended to look more like real hair” — Wired and Cloudflare didn’t succeed.
If Bkav has the goods, I suspect we’ll hear more from them, perhaps a follow-on post with a more clearly defined demonstration. Or, perhaps, we’ll hear from Apple about some patch they made to Face ID in response to Bkav’s work. As is, color me skeptical.