STE WILLIAMS

A Vietnamese security company called Bkav claims it has successfully bypassed Face ID authentication on Apple’s flagship iPhone X using – wait for it – a mask.

Before studying the claim and how Face ID works let’s state that, if true, this would be a big technical hiccup, and not just for Apple.

Face ID is supposed to be the hard launch for a new generation of biometric authentication tech and not simply a fancier way to unlock the iPhone X’s screen.

Anyone beating it is also potentially compromising its use as an authentication mechanism for financial transactions (currently Apple Pay) and, in time, wider online services. This matters because the world badly needs better authentication ASAP.

And yet Bkav says its proof-of-concept (POC) beat Face ID using a rudimentary mask constructed using $150-worth (£110) of 3D-printed plastic, paper cut-out eyes and lips, a silicone nose and some makeup.

In the video demo of the team unlocking an iPhone X, Face ID even fails to spot that two-dimensional images have been stuck onto the 3D surface.

This is surprising, not only because Apple said it has tested Face ID against sophisticated replica masks during its launch event, but third-parties have also tried to do the same without success.

The mask used was even non-naturalistic, representing barely half the real user’s face. What did Bkav do that Apple and others couldn’t?

The company said it fooled Apple’s AI neural engine, which is known to look for specific parts of the face. Somehow, its researchers were able to perfect the mask without having to test it first on a real iPhone X, which locks after five unsuccessful attempts.

Counterintuitively:

Apple’s AI can only distinguish either a 100% real face or a 100% fake one. So if you create a ‘half-real half-fake’ face, it can fool Apple’s AI.

Contrast this with the iPhone X’s Face ID spec which Apple says works by “projecting and analyzing over 30,000 invisible dots to create a depth map of your face [which is] matched against the stored mathematical representation to authenticate.”

The chance of a random person unlocking an older iPhone using the company’s Touch ID fingerprint system is said to be one in 50,000 – for Face ID it is supposed to be one in a million.

Inevitably, doubts have been raised about Bkav’s bypass, although the company has form after beating a variety of authentication systems in the past.

The caveat is that anyone using this technique would still have to have extensive access to the iPhone X’s owner in order to create an accurate mask in the first place. The company admits this puts exploits based on it into the realm of high-end cyber-espionage.

Or perhaps not. Reports have surfaced that a 10-year-old boy was able to unlock his mother’s iPhone X, possibly because their faces are similar. When a magazine asked her to re-enrol her face to check this wasn’t a one-off, he was able to access the phone intermittently.

Perhaps these incidents remind us that while Face ID is very good, it’s still short of perfection. It’s already known that identical twins can probably beat it – and Bloomberg reported that Apple cut corners on Face ID to meet iPhone X deadlines.

This could explain why Apple also requires users to enter a passcode when the iPhone X is turned on or rebooted, or hasn’t been unlocked for 48 hours, for instance.

The good news is that companies who set out to break Face ID (including, ironically, Apple itself during the iPhone X’s launch event) are really helping Apple make it better in the long run. Better to do that now when the technology is new than discover a big weakness after a real-world compromise.

Follow @NakedSecurity
Follow @JohnEDunn

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/MfSxHjji1qg/