Security company circumvents Face ID and says iPhone X biometrics are not secure

Run to the mountains, Face ID was cheated! Or in

Whenever a new technology like this is launched, some rush to prove that it is, yes, possible to circumvent it. It was like that with Touch ID, for example, when the Chaos Computer Club (CCC) staff photographed, in high resolution, a user's finger 2,400 times to create a “fake” latex fingerprint in order to trick Apple's fingerprint sensor. Now we have seen something “similar” happen with Face ID.

Many outlets, such as the Wall Street Journal and WIRED, hired experts and created their own professional masks to test the capabilities of the new iPhone X biometric unlocking. In WIRED's case, they even included details like eye holes designed to allow real eye movement and thousands of hairs inserted into the mask's eyebrows to make it look even more real. All *without* success.

Mask to try to circumvent Face ID, created by WIRED

Until Bkav Corporation, which according to TechCrunch has a history on the subject (in 2009 it published a report (PDF) about the weaknesses of facial recognition technology from ASUS, Lenovo and Toshiba), apparently managed it.

They claimed to have invested “only” $150 (not counting the value of the 3D printer), but the mission to supposedly circumvent Face ID was not easy. The solution developed by Bkav appears to be as complicated as, or more complicated than, the one used against Touch ID mentioned above, which reinforces Apple's claims that the new system is more secure than Touch ID. They created a 3D mask, sculpted a nose by hand, printed parts of the face in high resolution (2D) and even used a custom skin surface designed to, in fact, fool Apple's artificial intelligence system.

Mask to try to circumvent Face ID, created by Bkav Corporation

There are three key points in Face ID technology. First, a photo of the user was taken to create the face surface. Second, another image was photographed in the form of a mesh to reproduce the 3D image of the face. Both images were taken by an infrared camera. The third is Face ID's ability based on AI technology to distinguish between real and fake faces. Bkav engineers think that with 2D and 3D images, it is easy to create a deceptive object. AI technology can be a more complicated part. However, the vulnerability in Face ID's AI has been predicted by Bkav since Apple's launch event, based on research and scientific analysis.

With this philosophy, Bkav's experiment confirmed that Face ID was tricked by a mask. In addition, the mask created by Bkav looks very different from the masks of other attempts. “Our mask that cheated Face ID is simple, but very philosophically complex to create; it requires professionals and insights on security, as well as AI technology,” added Mr. Ngo Tuan Anh.

The researchers stated that, during the creation of the mask, they applied the “no password” principle, that is, a scenario that would prevent the researchers from entering an access code after five unsuccessful attempts (since Face ID locks after that) and from expanding the possibilities by training the device to learn and know the data of the mask.

Although all this has been done, the video released by them has raised several questions from the community. When the tester presses the side button and swipes, we cannot see the lock opening or the Face ID animation happening. Another issue involves the Face ID technology itself, which recognizes whether your eyes are open and looking towards the device. Could the option “Require Attention for Face ID” (available at Settings > General > Accessibility > Face ID and Attention) have been disabled in the demo?

Even if all of this is true and Bkav has managed to circumvent Face ID, the company itself commented that ordinary people should not be concerned, as the possible targets for something as elaborate as this would be just “billionaires, leaders of big corporations, national leaders and agents like those of the FBI”. Even then, the criminal organization behind such an action would need to have both the iPhone X and the person in question to replicate a mask of that level, not to mention the security protocols applied by Apple (a 48-hour time window or a maximum of five wrong attempts) that disable Face ID and require a numeric password.

The fact is, as Carlos Cardoso (from Half Bit) said: “These features (like Face ID) are a basic form of security for a device you use in your day-to-day life. They exist to make the cost/benefit ratio of those who steal your device unpleasant, not to prevent the KGB from reading your emails.”