Viet­namese re­searcher shows iPhone X face ID ‘hack’

Jerusalem Post - - BUSINESS & FINANCE - • By MAI NGUYEN

HANOI (Reuters) – A re­searcher in Viet­nam has demon­strated how he ap­par­ently fooled Ap­ple Inc’s face recog­ni­tion ID soft­ware on its new iPhone X us­ing a mask made with a 3D printer, sil­i­cone and pa­per tape.

An an­nounce­ment on Fri­day by Bkav, a Viet­namese cy­berse­cu­rity firm, that it had cracked Ap­ple’s Face ID, and a sub­se­quent video ap­par­ently show­ing an iPhone be­ing un­locked when pointed at a mask, were greeted with some skep­ti­cism.

Ngo Tuan Anh, Bkav’s vice pres­i­dent, gave Reuters sev­eral demon­stra­tions, first un­lock­ing the phone with his face and then by us­ing the mask. It ap­peared to work each time.

How­ever, he de­clined to reg­is­ter a user ID and the mask on the phone from scratch be­cause, he said, the iPhone and mask need to be placed at very spe­cific an­gles, and the mask to be re­fined, a process he said could take up to nine hours.

Ap­ple de­clined to com­ment, re­fer­ring jour­nal­ists to a page on its web­site that ex­plains how Face ID works.

That page says the prob­a­bil­ity of a ran­dom per­son un­lock­ing another user’s phone with their face was ap­prox­i­mately 1-in-a-mil­lion, com­pared to 1-in50,000 for the pre­vi­ously used fin­ger­print scan­ner. It also says Face ID al­lows only five un­suc­cess­ful match at­tempts be­fore a pass­code is re­quired.

Anh ac­knowl­edged that pre­par­ing the mask wasn’t easy, but he said he be­lieved the demon­stra­tion showed fa­cial recog­ni­tion as a way to au­then­ti­cate users would be risky for some.

“It’s not easy for nor­mal peo­ple to do what we do here, but it’s a con­cern for peo­ple in the se­cu­rity sec­tor and im­por­tant peo­ple like politi­cians or heads of cor­po­ra­tions,” he said.

“(Th­ese) im­por­tant peo­ple should ab­so­lutely not lend their iPhone X to any­one if they have ac­ti­vated the Face ID func­tion.”

It’s the first re­ported case of re­searchers ap­par­ently be­ing able to fool the Face ID soft­ware.

Cy­berse­cu­rity ex­perts said the is­sue was not so much whether Face ID could be hacked, but how much ef­fort a hack re­quired.

“Noth­ing is 100% se­cure,” wrote Terry Ray, chief tech­nol­ogy of­fi­cer at US-based cy­berse­cu­rity com­pany Im­perva, in a note. “Where there’s a will, there’s a way. The ques­tions are: How much trou­ble would some­one go to, and how much would they spend, to get your data?”

Bkav’s Anh said the re­search took about a week, and in­cluded nu­mer­ous fail­ures. The mask frame was made of plas­tic, cov­ered with pa­per tape to re­sem­ble skin, with a sil­i­cone nose and pa­per for eyes and mouth.

As far back as 2009, Bkav re­searchers high­lighted what they said were prob­lems with us­ing fa­cial recog­ni­tion as a way to au­then­ti­cate users. They said then that they had hacked three lap­top man­u­fac­tur­ers which used we­b­cams to au­then­ti­cate users.


A 3D MASK and an iPhone X are seen dur­ing a demon­stra­tion of recog­ni­tion ID at the of­fice of Bkav, a Viet­namese cy­berse­cu­rity firm in Hanoi, Viet­nam yes­ter­day.

Newspapers in English

Newspapers from Israel

© PressReader. All rights reserved.