On November 3, Apple released iPhone X, and introduced Face ID technology for the first time. At the same time, a worldwide race was triggered with the intention to break Apple's latest futuristic technology.
In just one week, a group of hackers claimed that they had successfully reproduced human faces to easily unlock anyone's iPhone X, and their technology might be simpler even than the methods studied by security researchers.
"We made a mask to crack iPhone X Face ID that costs just $150!"
Last Friday, blog articles and videos from Bkav, a Vietnamese cyber-security company, showed that they deceived iPhone X and cracked Face ID easily with a combination of 3D printed plastic molds, silicone, cosmetics and simple cut paper. Although their cracking process has yet to be confirmed by other security research institutions, this method of cracking seems to have bypassed iPhone X's most expensive security measures. Especially notable is that the Vietnamese researchers only spent $150 to make the cracking mask.
However, this crack was just a proof of concept. Ordinary iPhone owners don't need to worry about this for now, because the crack process is time-consuming and requires significant effort. Moreover, hackers need to have an exact model of a user's face to make the mask.
Meanwhile, Bkav was straightforward in their blog: "Apple security identification doesn't work well. Face ID can be tricked by a simple mask, so it is not an effective security mechanism."
A video posted on YouTube shows that the phone was unlocked instantly after a researcher at the company placed an iPhone X in front of the mask. Although Face ID records the owner's face with a sophisticated 3D infrared camera program, modeled with an AI-driven method, the researchers could still successfully defraud and unlock it with a poorly made mask. The mask consists of a plastic frame that is 3D-printed based on the digital scanning of the iPhone owner's face, a carved silicone nose, a pair of 2D eyes, and lips printed on paper.
However, researchers also admitted that their technique require detailed measurements or digital scanning of the owner's face. The researchers said that they needed to scan the subjects for more than five minutes with a hand-held scanner. This shows that in practice, the target iPhone can only be hacked with elaborate planning. So general users of iPhone X need not worry about this hacking.
"So it's unlikely for average users to become the targets of hacking, but billionaires, executives of large companies, heads of states and spies from agencies such as the FBI may have to consider the hidden trouble of Apple's Face ID", said the researcher Bkav. They also mentioned that this unlocking technique could be upgraded further to use, for example, a quicker scan of target face using a mobile phone or a model made with photos. However, they did not make any prediction whether those upgrades would be still so simple.
"This unlocking process is much easier than expected."
Putting aside the big challenge of getting an accurate scan of the face, let's look at the simple approach researchers used. It works better than the more expensive method to hack Face ID tried by WIRED this month. At that time, with the help of special effects artists costing thousands of dollars, WIRED made a complete set of masks based on the face of an employee with five different materials, from silica gel to gelatin and vinyl. The designers strove for perfection; for example, they designed eye sockets to simulate real eyeball movements and glued thousands of eyelashes to enable more realistic face features to be captured by the infrared camera of iPhone X. However, none of the masks made succeeded in unlocking the iPhone X.
In contrast, the Bkav said they used cheaper combinations of materials to beat Face ID. They managed to use 3D printing instead of molding to make facial frames, and unthinkably, they used regular (2D) paper to print out fixed eye pattern. The mask allowed them to successfully unlock an iPhone X. As the researchers didn't provide more information about the production process, some people doubted the validity of this hack. However, the researchers claimed that the implementation of the technique was partly based on the understanding that face-lock cameras only check certain facial features. This possibility was also previously confirmed by WIRED.
None of the masks WIRED made for their face-lock test unlocked the iPhone X. Source: WIRED.com
"The recognition mechanism is not as strict as you would think," said a researcher at Bkav.
"We only need half a face to make a hacking mask, which is even easier than we originally thought."
There are still a lot of doubts about this unlocking test of Bkav, as no more details were disclosed. Bkav did not answer the most important ones of the long list of questions raised by WIRED, and he said a press conference would be held later the week to reveal more details.
However, Bkav recently released a new video and blog article titled "Bkav's new mask beats Face ID in "twin way": Severity level raised, do not use Face ID in business transactions." In this article, the team at Bkav revealed an improved mask that costs $200 that is made of stone powder, and has 2D-infrared images as eyes. Furthermore, in the video, the researcher showed a step-by-step process of setting up Face ID, and then proceeds with unlocking it with the mask.
"I would like to say that if this is confirmed, it really means Face ID is not as secure as Touch ID." - Mark Rogers, Cloudflare
Mark Rogers, a security expert, pointed out that "how the phone was registered and trained to recognize the true face of the user in the first place" was one of the most prominent issues. According to Rogers, Bkav's research team was likely to have blurred some facial features when training the phone to identify the face, and therefore weakened the face recognition data model of iPhone X. So finally Bkav's team taught the phone to recognize a mask-like face rather than creating a highly emulated mask (which is why it could hack Face ID).
"So far I cannot rule out whether those guys such as Bkav are playing tricks," Rogers added. Rogers is a security researcher at Cloudflare, a cyber-security company, and help WIRED make its first attempt to crack Face ID. He was also one of the first hackers to crack Apple's Touch ID back in 2013.
However, when faced with WIRED's questioning, Bkav denied using any tricks in the test. The company spokesperson said that four masks were used for the experiment but failed before the mask that successfully deceived Face ID was created. Researchers asked a Bkav team member to re-register the iPhone X for the experiment to make sure that the data model would not make mistakes due to the presence of previous mask recognition data. After that, they didn't enter any password, but unlocked the phone only with the mask.
In addition, Bkav's history has shown that they should be taken seriously. About a decade ago, researchers at Bkav found that they could simply use a 2D picture of the user to beat facial recognition systems of laptop makers such as Lenovo, Toshiba and Asus. Those findings were publicly displayed at the Black Hat Security Technology Forum 2009 and were cited widely.
If Bkav's experiment turns out to be true, Rogers thinks the most unexpected result from the study is that Face ID can be started even if the printed eye image stays still. Apple's patent application for Face ID had led Rogers to believe that Face ID would look for the user's eyeball movement. But if this is not the case, iPhone X's facial recognition system will be extremely vulnerable. It may not only be fooled by the mask but also be unlocked even when the user is asleep, or even worse, dead.
The last case is particularly worrisome because in theory this is a problem that only exists for Face ID but not for Touch ID, as with Touch ID, the phone can only be unlocked at least with the conductivity of a living person's finger. "This means that defrauding the face recognition system does not require any vital sign tests," said Rogers, "I would like to say that if this is confirmed to be true, it means Face ID is not as safe as Touch ID." In addition, it is still uncertain whether Face ID uses any ways other than detecting eyeball movements to determine if the user is alive. (There has been some researchers pointing out that fingerprint recognition worked with corpses as well: A video sent to WIRED by Ben Schlabs from SR Labs showed that an iPhone SE was unlocked by a fake finger made of plastic foam).
Rogers believed that although iPhone X might be stolen when the owners were asleep, abducted or dead, shaping a silicone plastic mask specifically for an average user would be quite ridiculous. A more realistic worry is that someone wants to crack the password by simply scanning your phone.
For Bkav's attempt, Rogers commented that "Average users still don't have to worry too much about the hacking as it would be much more expensive than simply looting the phone to view the password."
