Security researchers at Vietnamese tech firm Bkav have released a video demonstrating the iPhone X’s Face ID being fooled by a ghoulish mask.
The mask is constructed of a 3D printed facial model covered with specially processed white bandage-like ‘skin’ around the forehead, cheeks and chin, a silicone nose with what looks like a blood spatter on the left nostril, and 2D printed eyes.
The mask looks far less realistic than the masks Apple showed on stage when it revealed Face ID, which it said were used to train Face ID’s neural network not to be fooled. Apple has provided some details about how Face ID works in its Face ID Security Guide.
The Bkav researchers claim to have worked out the 3D mask hack within five days of receiving the iPhone X. They also claim the mask cost just $150 to make, compared to the thousands Wired recently spent on realistic silicone masks that ultimately failed to beat Face ID.
Bkav researchers in 2009 showed off a way to trick facial recognition systems in laptops from Asus, Lenovo and Toshiba using a specially edited 2D image of a registered user’s face. They reused the 2D technique for the eyes in the Face ID attack.
The company hasn’t revealed exactly how it tricked Face ID but says it was possible because its researchers understood how Apple’s Face ID artificial intelligence worked. Face ID requires the user to look directly at the camera, which it checks by detecting the direction of the user’s gaze, and then uses neural networks for matching and anti-spoofing.
They also noted Face ID tolerates situations where it can only detect half the user’s face, which suggests Apple is relying too heavily on Face ID’s neural network, according to Bkav.
The natural skin-colored silicone nose was made by an artist. It didn’t initially work, but did after the researchers added a splotch of reddish-brown color on the left side of the nose.
Unlike the Wired attempt on Face ID, the Bkav mask wasn’t worn by a person looking into an iPhone X, but placed on a stand opposite to an iPhone X that was fastened to a stand and tilted slightly to the left.
The researchers emphasize this was a proof of concept attack. They also note it would not be easy for the average user to successfully use their mask in an attack, but not difficult for a professional.
They believe the mask would be of interest to law enforcement, which is likely given Apple’s battles with the US government over iPhone security and encryption. They believe targets would be the extremely wealthy, senior executives, and political leaders.