Touted as the iPhone X’s new flagship form of device security,Face ID is a natural target for hackers. Just a week after the device’s release, Vietnamese research team Bkav claims to have cracked Apple’s facial recognition system using a replica face mask that combines printed 2D images with three-dimensional features. The group has published a video demonstrating its proof of concept, but enough questions remain that no one really knows how legitimate this purported hack is.
As shown in the video below, Bkav claims to have pulled this off using a consumer-level 3D printer, a hand-sculpted nose, normal2D printing and a custom skin surface designed to trick the system, all for a total cost of US$150.
For its part, in speaking with TechCrunch, Apple appears to be pretty skeptical of the purported hack. Bkav has yet to respond to our questions, including why, if its efforts are legitimate, the group has not shared its research with Apple (we’ll update this story if and when we hear back). There are at least a few ways the video could have been faked, the most obvious of which would be to just train Face ID on the mask itself before presenting it with the actual face likeness. And it’s not like Apple never considered that hackers might try this methodology. As the company explains in abreakdown of Face ID:
Face ID matches against depth information, which isn’t found in print or 2D digital photographs. It’s designed to protect against spoofing by masks or other techniques through the use of sophisticated anti-spoofing neural networks. Face ID is even attention-aware. It recognizes if your eyes are open and looking towards the device. This makes it more difficult for someone to unlock your iPhone without your knowledge (such as when you are sleeping).
Bkav’s method claims to use both 2D imagesandmasks, two tactics that Apple seems pretty confident that Face ID can defend against. Also, it’s worth remembering that in a normal use case, the iPhone X would lock after five failed attempts to log in using Face ID, but it’s unclear how many tries Bkav made, though the company says it applied “the strict rule of ‘absolutely no passcode’ when crafting the mask,” a scenario that would preclude a scenario in which the researchers entered a passcode after five failed attempts and expanded the device’s training to include the mask data.
It’s alarming to hear of any workaround for sophisticated consumer security tech, but even if some kind of mask hack ends up working, it doesn’t exactly scale to the average consumer. If you’re concerned that someone might want into your devices badly enough that they’d execute such an involved plan to steal your facial biometrics, well, you’ve probably got a lot of other things to worry about as well. A hack like this would take considerable time and resources, the kind that are more likely to be employed by state-sponsored actors or other hacking teams with specific targets — far from the usual lowest common denominator vulnerabilities that threaten the privacy of everyday users. Bkav admits this openly in aQ & A on its hack, noting that “Potential targets shall not be regular users, but billionaires, leaders of major corporations, nation leaders and agents like FBI need to understand the Face ID’s issue.”
Prior to the Bkav video, Wired worked with Cloudflare to see if Face ID could be hacked through masks that appear far more sophisticated than the ones the Bkav hack depicts. Remarkably, in spite of their fairly elaborate efforts — including “details like eyeholes designed to allow real eye movement” and “thousands of eyebrow hairs inserted into the mask intended to look more like real hair” — Wired and Cloudflare didn’t succeed. Wired also reported on the Bkav hack, comparing its own efforts against what we can glean from the video.
If the notion that a $150-mask with far less detail could fool Face IDstrains credulity, that healthy skepticism is probably merited. At the same time, Bkav isn’t a totally random name in security research: the company published a report on weaknesses in Asus, Lenovo and Toshiba facial recognition tech back in 2009, so it’s clearly been thinking about this kind of stuff. Why it might undermine any potential credibility with a bogus FaceID hack is beyond us, but we eagerly invite the company to share additional technical details of its hack if the effort is indeed legitimate.