A Vietnamese cybersecurity firm says it can unlock an iPhone X with Face ID using a custom mask.Loading...
It's the first reported case of researchers apparently defeating the Face ID feature.
Apple says the probability of a random person unlocking an iPhone X is 1-in-a-million.
An announcement on Friday by Bkav, a Vietnamese cybersecurity firm, saying it had cracked Apple's Face ID with a video that shows an iPhone being unlocked when pointed at a mask, was greeted with some skepticism.
Ngo Tuan Anh, Bkav's vice president, gave Reuters several demonstrations, first unlocking the phone with his face and then by using the mask. It appeared to work each time.
However, he declined to register a user ID and the mask on the phone from scratch because, he said, the iPhone and mask need to be placed at very specific angles, and the mask needs to be refined, a process he said could take up to nine hours.
Apple declined to comment, referring journalists to a page on its website that explains how Face ID works.
That page says the probability of a random person unlocking another user's phone with their face was approximately 1-in-1,000,000, compared to 1-in-50,000 for the previously-used Touch ID fingerprint scanner. It also says Face ID allows only five unsuccessful match attempts before a passcode is required.
Anh acknowledged that preparing the mask wasn't easy, but said he believed the demonstration showed facial recognition as a way to authenticate users would be risky for some.
"It's not easy for normal people to do what we do here, but it's a concern for people in the security sector and important people like politicians or heads of corporations," he said.
"(These) important people should absolutely not lend their iPhone X to anyone if they have activated the Face ID function."
It's the first reported case of researchers apparently being able to fool the Face ID software.
Cybersecurity experts said the issue was not so much whether Face ID could be hacked, but how much effort a hack required.
"Nothing is 100 percent secure," Terry Ray, chief technology officer at U.S.-based cybersecurity company Imperva, said in a note. "Where there's a will, there's a way. The questions are: How much trouble would someone go to, and how much would they spend, to get your data?"
Bkav's Anh said the research took about a week, and included numerous failures. The mask frame was made of plastic, covered with paper tape to resemble skin, with a silicone nose and paper for eyes and mouth.
As far back as 2009, Bkav researchers highlighted what they said were problems with using facial recognition as a way to authenticate users. They had said they hacked three laptop manufacturers that used webcams to authenticate users.
Source : http://www.businessinsider.com/apple-iphone-x-face-id-custom-mask-2017-11