Bkav, a Vietnamese cybersecurity firm, has demonstrated how it bypassed Apple Inc’s Face ID facial recognition on the new iPhone X by using a mask made with silicone, paper tape and a 3D printer. A video demonstrating how the security researcher fooled Face ID has since been uploaded. Although these are extreme lengths to go to in order to hack the iPhone X – it took a week for Bkav to successfully hack the phone – it is still evidence that there is a flaw in this specific security feature that can be exploited. Bkav has labelled celebrities and public figures as most at risk because their faces are photographed and widely publicised. Apple has so far declined to comment.
This news sparked a lot of discussion among industry experts. Here are some of their views:
Mark James, Security Specialist at ESET
“Although the video itself does leave a few questions to be answered, we need to understand that any of the “extra” ID features of this, and indeed any previous, iPhone have always been aimed at the average user. TouchID and Facial recognition are there for ease, not added security; both of these features can and have been duped by technology – the question you need to ask yourself is “does this feature make my life easier?”. If the answer is yes and your phone just contains the “normal” run of the mill level of private stuff, then you’re good to go. If you’re a high profile celebrity or government official, then you may need to ask yourself how much effort someone would go to, in trying to replicate your fingerprint or face. Any security feature has the chance of being replicated or “hacked” – but it often takes time, effort, and a fair bit of money and/or expertise to do so.”
Lee Munson – Security Researcher at Comparitech.com
“The live unveiling of the new security feature on Apple’s latest flagship iPhone appears to have been a portent of what was to come as Craig Federighi’s issues with unlocking the device have given way to a far bigger problem.
Even though Face ID has not been touted as completely fool proof, it has been portrayed as offering a high level of security. The fact that it appears the use of a mask can circumvent it would suggest otherwise though.
That said, the typical iPhone X owner is not going to be at risk of such an attack, but companies issuing the latest handset to employees, or allowing the use of personal devices on their networks, may wish to take a long hard look at their mobile device management and bring your own device policies.”
Javvad Malik, Security Advocate at AlienVault:
“With any new security technology, particularly at mass consumer level, there will always be attempts to circumvent in new and creative ways.
Much of this comes down to the risk tolerance and models of individuals. Generally speaking, face ID, much like touch ID or even passcodes provides sufficient protection for most users under most scenarios. Of course, if a user is worried about threats from well-funded adversaries, organised crime, or governments, then additional security measures will need to be taken above and beyond what most consumer devices offer.”
Josh Mayfield, Director at FireMon:
“Apple’s facial recognition was never intended to be a security measure for strong authentication. The hype around the automated log-in from staring at one’s phone was meant to give the user ease, rather than hardened security to prevent unauthorized access.
The trouble with facial recognition is that too many humans have defining characteristics that cannot be dissected by a machine – we look too similar. The reason CAPTCHA is so effective is that there are subtleties that only a human eye can assess and accurately confirm.
The second trouble with Apple’s facial recognition is that it seeks confirmation rather than disconfirmation. When you begin with the goal of confirming, you will quickly squeeze every new variable to fit your desired outcome. When this bias is written into the system’s machine learning, the only outcome is loosely associated facial features confirmed as authentic.
From a security standpoint, the method of confirmation is contra to legitimate security.
Each attribute on a face builds a cumulative case for the machine’s confidence that the user is the right one. This means that facial characteristics that are not ‘right’ will not stop the machine from confirming the person as authentic. Like a lawyer making a case out of disconnected and merely corroborative evidence (when lacking the smoking gun), the machine gets things close enough and uses probability to confirm the identity. But probability is not certainty.
Strong authentication cannot be faked, gamed, or manipulated. Apple’s facial recognition begins with the opening assumption that the user gazing at the screen is likely to be the correct user. From there, the recognition system only seeks to confirm its assumption…never to seek to prove its assumption wrong.”
Paul Norris, Senior Systems Engineer – EMEA at Tripwire:
“Time and effort were involved in creating the mask that fooled the Face ID recognition software. Detailed dimensions would have to be taken to create the mask, and the security firm alluded to the fact that they had to use a special material on the mask too. What they didn’t disclose was how many attempts and what level of effort it took to get the mask to work flawlessly.
Is this really a risk to iPhone X users? Apple will disable the Face ID after five attempts, and force the user to enter a passcode, which should be secure. Apple accidentally demonstrated this feature during their keynote session where the iPhone X refused to unlock during the live demo due to unrecognised faces being present prior to the demonstration.
To use Face ID, there must be a passcode set up on the phone. The iPhone will prompt you for the passcode for additional security validation when:
- The device has just been turned on or restarted.
- The device hasn’t been unlocked for more than 48 hours.
- The passcode hasn’t been used to unlock the device in the last six and a half days and Face ID hasn’t unlocked the device in the last 4 hours.
- The device has received a remote lock command.
- After five unsuccessful attempts to match a face.
- After initiating power off/Emergency SOS by pressing and holding either volume button and the side button simultaneously for 2 seconds.
In order to compromise Face ID authentication, the attacker would have to have a detailed map of the face of the user, create a mask that would map the exact details of the victim’s face, unlock the phone within five attempts and do all of this within 48 hours. This seems like an unlikely sequence of events.”
Terry Ray, CTO at Imperva:
“Nothing is 100% secure. Where there’s a will, there’s a way. The questions are: How much trouble would someone go to, and how much would they spend, to get your data?
It’s important to note that the attacks being talked about are individual bespoke attacks that must be built and executed against each victim separately. This is in addition to stealing the individual’s phone and getting access to it before the owner can remotely wipe the device. Is your data so valuable that someone would go to this effort? For the vast majority of us, the answer is definitely, no. However, for those few who feel they may be at threat, such a “Mission Impossible” style attack might be possible. The more time researchers spend with the iPhone X, the more likely they are to find interesting ways around the biometric defences.
Each person must decide which is the highest priority for them, convenience or security, and weigh the importance of each against the technology they choose to secure their personal data. If convenience is more important, FACE ID may be your choice. On the inverse, if security is your priority, until more is tested against FACE ID, I’d suggest using only a passcode, all the time. However, consider the mechanisms Apple put in place to force a passcode instead of FACE ID. Apple highlights six situations when the passcode will be forced instead of FACE ID:
https://images.apple.com/business/docs/FaceID_Security_Guide.pdf
- The device has just been turned on or restarted.
- The device hasn’t been unlocked for more than 48 hours.
- The passcode hasn’t been used to unlock the device in the last 156 hours (six and a half days) and Face ID has not unlocked the device in the last 4 hours.
- The device has received a remote lock command.
- After five unsuccessful attempts to match a face.
- After initiating power off/Emergency SOS by pressing and holding either volume button and the side button simultaneously for 2 seconds.
So, consider this scenario:
An attacker models your face from many online pictures (let’s assume you’re famous with pictures everywhere). Using the model, the attacker creates a life-like mask as described by the article. Now the mask is made, though can’t be tested until a phone is in hand (it’s unclear how many ‘tweaks’ to the mask were necessary to get the ‘hack’ to work). The last step is to steal the phone and get someplace private to start testing the mask. Given the six items above the attacker would need to avoid the following:
- The attacker cannot power the phone off, or else it will force a passcode login, which could take years if the victim uses a six digit alphanumeric code (which the victim should). Why is this a problem? It means the attacker must quickly isolate and disconnect the phone from all networks to prevent a remote reset of the device or a remote lock command to the device.
- The attacker gets only five tries to use the mask. On the sixth try, a passcode is required and again we are back to years to break into it.
- The attacker has 48 hours to unlock the phone so they can’t spend too much time working out fixes for their five tries or else the phone locks with a passcode.
You should be getting a picture here.
What is the most secure method if security is your priority? For security, the best approach is a good six or more digit passcode of alphanumeric non-case sensitive characters. For the rest of us, FACE ID is probably just fine.”
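The six passcode-fallback conditions listed in the Paul Norris and Terry Ray comments above can be modelled as a small policy check, which also shows that the two timers interact and the usable Face ID window can be far shorter than 48 hours. This is an added illustration, not Apple's code and not part of the original article; the class, field and function names are hypothetical, and all times are hours on one clock.

```python
from dataclasses import dataclass

NEVER = float("-inf")  # sentinel: the event has not happened


@dataclass
class LockState:
    """Hypothetical model of the device state the six listed rules depend on."""
    booted_at: float = 0.0
    last_passcode_unlock: float = NEVER
    last_faceid_unlock: float = NEVER
    failed_face_matches: int = 0
    remote_lock: bool = False
    sos_triggered: bool = False


def passcode_reasons(s: LockState, now: float) -> list:
    """Return every listed rule that forces the passcode at `now` (empty = Face ID allowed)."""
    last_unlock = max(s.last_passcode_unlock, s.last_faceid_unlock)
    reasons = []
    if s.last_passcode_unlock < s.booted_at:      # just turned on or restarted
        reasons.append("restart")
    if now - last_unlock > 48:                    # not unlocked for more than 48 hours
        reasons.append("idle_48h")
    # Combined rule: passcode unused for 156 hours AND no Face ID unlock in the last 4 hours.
    if now - s.last_passcode_unlock > 156 and now - s.last_faceid_unlock > 4:
        reasons.append("passcode_stale_156h")
    if s.remote_lock:
        reasons.append("remote_lock")
    if s.failed_face_matches >= 5:                # five unsuccessful matches
        reasons.append("five_failed_matches")
    if s.sos_triggered:                           # power off / Emergency SOS gesture
        reasons.append("power_off_sos")
    return reasons


def faceid_deadline(s: LockState) -> float:
    """Last moment Face ID is still accepted if only the two timers apply."""
    idle_limit = max(s.last_passcode_unlock, s.last_faceid_unlock) + 48
    stale_limit = max(s.last_passcode_unlock + 156, s.last_faceid_unlock + 4)
    return min(idle_limit, stale_limit)


# Constructed scenario: passcode last typed at hour 1, Face ID last used at hour 155.
sample = LockState(last_passcode_unlock=1, last_faceid_unlock=155)
```

In the constructed scenario the passcode is already more than 156 hours old, so Face ID stops being accepted 4 hours after its last successful use rather than 48.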