Face ID Beaten by Mask, Not an Effective Security Measure

After Apple released the iPhone X, hackers in different parts of the world began competing to see who could fool the company’s latest form of authentication. At the launch, Phil Schiller, Senior Vice President of Apple, proudly stated that Face ID can tell an actual human face from a mask. This is made possible by the implementation of artificial intelligence (AI). According to members of the Apple engineering teams, they even collaborated with professional mask creators and Hollywood makeup artists to prove that nothing can beat Face ID. The masks that the engineering team used for testing are the same masks they used to train the neural network to protect Face ID against such attempts. According to Phil Schiller, this is truly amazing!

However, a week after the iPhone X was officially launched, hackers from the other side of the world insisted that they had successfully unlocked an iPhone X by simply duplicating the user’s face. What’s more amazing is that they used a simple technique that a few security researchers find unbelievable. The security specialists from Bkav Vietnam proved that Face ID can be tricked by masks. Obviously, this implies that Face ID is not an effective security strategy.

The Vietnamese security firm Bkav even released a video that shows how they managed to crack Apple’s Face ID. They accomplished this by simply using a mask made of silicone and 3-D-printed plastic, along with some makeup and paper cutouts. This demonstration has yet to be confirmed by other security researchers, especially since these researchers claim that their mask cost only $150 in all. This is a huge issue that could greatly affect the security of the high-priced iPhone X.

Although this is considered a hacking proof of concept, as an iPhone X owner you should not be alarmed right away. After all, recreating a person’s face takes a great deal of time and effort. On the other hand, Bkav did not provide an FAQ on their research but claimed that Apple did not do a good job on Face ID, since it can be easily tricked by a mask, which implies that it is not an efficient security measure.

Why Is Face ID Not Reliable?

This video only proves that Face ID can be beaten:

In the video above, the phone unlocks immediately after a piece of cloth is pulled away to reveal the mask. The mask is mounted so that it directly faces the stand holding the iPhone X. The researchers say that they successfully fooled the technology even though the phone uses the most advanced AI technology and a 3-D infrared system to scan the user’s face.

According to the Vice President of Bkav, Mr. Ngo Tuan Anh, this mask is a combination of 2D images and 3D printing with makeup. In addition, they applied some special procedures around the face and on the cheeks, since these are the areas with large expanses of skin. This was done to mislead Face ID’s AI.

Hence, after ten years of face recognition development, we can say that it still cannot be fully trusted to secure smartphones and computers. In 2008, Bkav proved to the world that face recognition was not an efficient security measure for laptops. This occurred just after Lenovo, Toshiba, Asus, and other brands decided to use the technology in their products. In fact, Bkav was the first to make that examination.

Is Face ID A Failure?

The good news is that there are limits to this weakness. According to Apple, there are circumstances in which the iPhone X asks for a passcode in addition to Face ID authentication: when the device has just been restarted or turned on, when the device has received a remote lock command, or when the device has remained locked for over 48 hours. It also happens after five failed attempts to match a face, or when the passcode has not been used to unlock the device for six and a half days and, at the same time, Face ID has not unlocked the device for four hours. Finally, it happens after the side button and either volume button are pressed together for two seconds, which can initiate power off or Emergency SOS.

According to Paul Norris, Tripwire’s senior systems engineer, in order to unlock the phone the attacker must be able to create a mask that includes the accurate details of the user’s face. Additionally, they must accomplish this within 5 attempts. Overall, everything must be done within forty-eight hours. Norris added that this series of events is quite unlikely.
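The passcode conditions and the five-attempt limit described above can be modeled as a small state machine. The following Python model is an added example, not Apple’s implementation or part of the original article; the class, function names and reason strings are hypothetical, and the thresholds are the ones listed above.

```python
# Simplified model of the passcode conditions listed in the article.
# All names are hypothetical; this is not Apple's code.
from dataclasses import dataclass
from typing import List, Optional

HOUR = 3600
MAX_FAILED = 5                 # failed face matches before a passcode is required
MAX_LOCKED = 48 * HOUR         # device locked for over 48 hours
PASSCODE_MAX_AGE = 156 * HOUR  # six and a half days without a passcode unlock
FACE_IDLE_MAX = 4 * HOUR       # ...combined with no Face ID unlock for four hours

@dataclass
class Device:
    forced: Optional[str] = "restart"  # restart, remote lock or button press
    failed: int = 0
    last_unlock: Optional[float] = None
    last_passcode: Optional[float] = None
    last_face: Optional[float] = None

def passcode_reasons(d: Device, now: float) -> List[str]:
    """Return every listed condition that currently forces a passcode."""
    reasons = [d.forced] if d.forced else []
    if d.failed >= MAX_FAILED:
        reasons.append("five failed matches")
    if d.last_unlock is not None and now - d.last_unlock > MAX_LOCKED:
        reasons.append("locked over 48 hours")
    stale_code = d.last_passcode is None or now - d.last_passcode > PASSCODE_MAX_AGE
    idle_face = d.last_face is None or now - d.last_face > FACE_IDLE_MAX
    if stale_code and idle_face:
        reasons.append("passcode unused 156 h and no Face ID unlock for 4 h")
    return reasons

def face_attempt(d: Device, now: float, matches: bool) -> bool:
    """A face is only evaluated while no passcode condition is active."""
    if passcode_reasons(d, now):
        return False
    if not matches:
        d.failed += 1
        return False
    d.failed, d.last_unlock, d.last_face = 0, now, now
    return True

def passcode_unlock(d: Device, now: float) -> None:
    """A valid passcode clears the forced state and the failure counter."""
    d.forced, d.failed = None, 0
    d.last_unlock = d.last_passcode = now
```

In this model, a face that matches on the sixth attempt is still refused, and the only way back to Face ID is a valid passcode.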

On the other hand, something seems to be missing from the information provided by Bkav. The researchers did not provide accurate details on the structure of the mask. For instance, what particular 3D technologies were applied? How many attempts were made before they were asked to enter a passcode? What was registered on the device?

Accordingly, it is possible that the AI could be trained to let the mask unlock the device, provided that the user enters a valid passcode after an unsuccessful attempt with the mask. The user is allowed five attempts before being required to enter the passcode. Keep in mind as well that you need to enter your passcode every 156 hours, no matter how many times the device has been unlocked.

Bkav further claimed that deceiving artificial intelligence is something they have done since 2008, when they successfully bypassed the same technology protecting Lenovo, Toshiba, and Asus laptops. In that earlier attack, they bypassed the security measure by using digital images of the user to gain access to the machines. That attack was shown at the Black Hat DC conference.

Who Can Be Exploited Through Face ID’s Issue?

The “proof of concept” presented by Bkav comes at a time when the FBI is having problems with securing messaging platforms. The FBI is having trouble unlocking the cellphone confiscated from the shooter in the Texas massacre that occurred on Nov. 6 and left 26 people dead. This is the same difficulty the bureau encountered with the phone of the terrorist responsible for the San Bernardino incident.

According to Bkav researchers, it is important that the CIA, the FBI, major corporations, and other vital organizations know that Face ID can be beaten by their mask. This is because they have devices that are worth unlocking. For professionals, exploitation will be easy, but not for regular users.

Bkav researchers added that the likely targets are not regular users but billionaires, the leaders of countries, and the leaders of large corporations, as well as FBI, CIA, and other agents. It is important that these people recognize the problem with Face ID. Competitors of large corporations, rivals of security agencies, and even various countries could benefit greatly from this “proof of concept.”

Bkav also said that they will continue their work on the Face ID issue, regardless of Apple’s claim that Face ID keeps learning from every authentication attempt in order to improve its mathematical representation of the user’s face. Bkav insisted that even if Face ID is still learning from new representations, that does not change the fact that Apple’s Face ID is not an efficient security measure.

The video presentation above clearly shows that the phone unlocked instantly after the cloth was lifted from the mask, exposing the well-crafted face. Bkav further suggested that a future version of their technique could be improved by scanning the user’s face much more quickly or by building a model of the user’s face from photographs. However, they gave no forecast of how they would accomplish these things.

So, What Was The Mask Made Of?

The researchers from Bkav revealed that they accomplished the trick with a relatively basic mask. The mask they constructed is a mixture of 3D printing and handmade parts. The nose, made of silicone, was created by an artist based on specific details. The researchers had to squeeze its nose to make sure that it could beat Face ID’s AI.

First, they scanned the user’s face and produced a 3D-printed plastic frame. Afterward, they attached the lips and two-dimensional eyes, both printed on paper. Then they placed the sculpted silicone nose in position. Additionally, the phone can unlock even if only half of the user’s face is shown. Surprisingly, it took the researchers only six days to construct the mask that beat Apple’s Face ID.

The researchers also admitted that their technique requires a digital scan of the user’s face as well as accurate measurements. Using a handheld scanner, they scan the user’s face manually for about five minutes. This makes it a highly targeted spying technique rather than the run-of-the-mill hacking method that most iPhone X owners might imagine.

If you own an iPhone X, you can try it yourself: the phone can identify you when you show only half of your face. This means that the recognition mechanism is not very strict. It seems that Apple relied too much on Face ID’s AI. In fact, you only need to create a half-face mask to beat Face ID. It was even simpler than the researchers had thought.

Expensive Masks Vs. Cheap Masks

Aside from making sure that they had a precise face scan, the Bkav researchers used a simpler procedure. Their masks are cheaper, yet they outperformed more expensive ones in tricking the Face ID AI. WIRED created several versions of masks that cost thousands of dollars. These masks were made from silicone, vinyl, gelatin, and other materials. They were designed by a special effects artist and included more detail, such as eyeholes that allowed actual eye movement and many hairs inserted into the eyebrows. This was done to deceive the iPhone’s infrared sensor, but none of these masks worked.

In contrast, the Bkav researchers successfully fooled Face ID using cheap materials for their mask. Rather than face casting, they preferred 3D printing. The most amazing part is that they used two-dimensional printed eyes. The researchers did not provide more details about their process, which is why some people still have doubts. However, they revealed that their work is based on the idea that the Face ID AI examines only a portion of the user’s facial features.

The Bkav researchers claim that Face ID’s recognition mechanism is not very strict. In fact, they only needed to create a half-face mask. It was even simpler than they had thought. Since more details about the process were not provided, the work of Bkav’s researchers remains vague.

Most Prominent Questions

Because of the limited information provided by the Bkav researchers, many questions have arisen. One of them comes from a fellow security researcher, Marc Rogers. He wants to know how the phone was trained on the user’s face and how the face was registered. Perhaps the phone was trained on its user’s face while some facial features were not clearly visible. Rogers even implied that they taught the phone to identify a face that is similar to the mask rather than making a mask that looks the same as the user’s face.

But Bkav denied all these allegations. According to their spokesperson, before they created the mask that fooled Face ID, they had created four others that failed.
