Hackers claim they fooled Face ID with cheap mask

Face ID has already been hacked.
Photo: Ste Smith/Cult of Mac

Hackers may have already proven that Face ID isn’t quite as secure as Apple claims.

Vietnamese security firm Bkav has posted a video showing an iPhone X being unlocked by a composite 3D-printed mask made of plastic, makeup, silicone and paper cutouts for some facial features.

Bkav detailed how it hacked Face ID in a blog post but has not publicly demonstrated the process yet. The claim also hasn’t been confirmed by a third party. Normal iPhone X users shouldn’t really be alarmed either, because for now the attack requires a lot of time to 3D scan your face. Still, Bkav says it shows Face ID is less secure than Touch ID.

“Apple has done this not so well,” wrote Bkav. “Face ID can be fooled by mask, which means it is not an effective security measure.”

Fooling Face ID

The mask used to fool Face ID.
Photo: Bkav

The mask used by the hackers consisted of a 3D-printed frame of the victim’s face. They then attached a sculpted silicone nose, plus two-dimensional eyes and lips printed on paper. It’s a much simpler solution than the Hollywood-quality masks commissioned by WIRED, which had much more detailed hair and facial features yet failed to trick Face ID.

“The recognition mechanism is not as strict as you think,” wrote Bkav. “We just need a half face to create the mask. It was even simpler than we ourselves had thought.”

Even though Bkav claims to have beaten Face ID, there are still a lot of questions about how legitimate the hack is. It’s still unclear how the phone was registered and trained on the owner’s real face. To pull off the hack you need access to 3D scan the person’s face for 5 minutes.

Bkav said it made four masks that failed to unlock Face ID and then got it right on the fifth attempt. Billionaires and top CEOs could be potential targets of the hack, but most iPhone X owners have nothing to worry about.

  • TrueNorth_Steve✓ᴰᴱᴾᴸᴼᴿᴬᴮᴸᴱ

    don’t worry iOS 11.1.2.1 will fix it.

    • pjs_socal

      Go back to your favorite fandroid site…

  • Still don’t see how they think Face ID is less secure than Touch ID. Touch ID has been proven that it can be cracked if someone has a good copy of your fingerprint, which is a lot easier to do than having 3D scans of your face taken unnoticed.

  • Jaca Paladium

    If you have the new iPhone X, you will notice something very very wrong easily ! It’s a scam ! Every iPhone-X owner knows that when you stare at the device, the lock animates to “unlocked”. This is not happening on the video ! Someone is not being honest !

    • rjove696

      Exactly what I noticed! If you look closely when he unlocks it the second time, the phone is still “locked” but he swipes it open anyway, very strange. His excitement looked fake too

  • Learned Handjob

    Lol this is so stupid. All you need is to 3D scan someone’s face for 5 minutes and 3D print it. I mean lmao that’s so infeasible it’s ridiculous.

    • Thinkman

      Once again, handjob, how many people in the entire world would go to the trouble of 3D printing a mask, add prosthetics (also necessary), and a few other “features” other than those über-nerds (Samsung employees?!) working their sad little fingers to the bone for a proof of concept that is literally inconceivable in the real world of crime!

  • Yet Another Opera Lover

    “It also hasn’t been confirmed by a third party yet”

    Isn’t there an IR camera to verify the heat map of your face as well? I can’t imagine they faked that. I don’t think this is real, especially given that this has been out for a few days and we haven’t seen a plethora of people replicating it yet.

  • pjs_socal

    This hack requires high precision 3D scans of the user’s face. How is a black hat hacker going to get such scans without the user’s knowledge or consent? Second, the hack must work within 5 tries or Face ID is disabled.

    Furthermore, I strongly suspect that this test was performed with attention detection turned off.

    If so, it is an utterly meaningless publicity stunt.

  • Thinkman

    Just how many crooks would you guess would go to such lengths to crack facial ID? Approximately none! Crooks are lazy fks by nature – also more often than not, dumber than dirt!

  • Jeroen de Haas

    If you have the new iPhone X, you will notice something very very wrong easily ! It’s a scam ! Every iPhone-X owner knows that when you stare at the device, the lock animates to “unlocked”. This is not happening on the video ! Someone is not being honest !

  • FilBack

    Totally fake. There is no unlock animation.

  • Prof. Peebody

    The length of efforts people took to fake this kind of news is just unbelievable (no unlock animation, really?). I am not sure what his motive behind this fake announcement is, but I have read this piece in several online news sites today, one even claims that FaceID is totally useless.

  • roborat

    The hacker is believed to be Arya Stark.

  • andrewi

    I thought FailID had a temp sensor.