telegraph.co.uktelegraph.co.uk - November 13 view article

Hackers claim to beat iPhone X's Face ID in one week with £115 mask

Face ID captures 30,000 invisible dots on a face to unlock the iPhone X Credit: AP

Apple claims the facial recognition system on the new iPhone X is impervious to being fooled by photos, impersonators and masks, but a team of  hackers claim to have beaten the technology after just a week.

Cyber security firm Bkav says a 3D-printed mask costing just $150 (£115) to make has fooled the Face ID software, which is used to unlock the iPhone X, authorise payments and log in to apps.

The researchers said it proved that Face ID is "not an effective security measure", although making the mask did require a detailed facial scan, and would be difficult for normal users to replicate.

However, the researchers' demonstration has not been independently verified, and the video does not go through the entire set-up process, so there are likely to be doubts about the supposed flaw. 

When the iPhone X was unveiled in September, Apple touted the security benefits of Face ID, saying there is a one in a million chance of another person being able to unlock it, and that it had stress-tested the technology using silicone masks made by Hollywood studios.

Bkav constructed the mask using a combination of 3D printing, a silicone nose and printed images of the eyes. A video released by the company appears to show Face ID being fooled when a cloth covering the mask is removed, although it does not show Face ID being set up, so it cannot be confirmed that the technique works.

Face ID differs from the image recognition techniques used in many other electronics and which have been easily fooled merely by photos of the target. The iPhone X uses a technique called dot projection, which directs beams of infrared light at the user's face to create a 3D image, and uses artificial intelligence to "learn" the person's face.

Apple has used a fingerprint sensor embedded in the home button for iPhone security for several years, but removed the home button on the iPhone X to make room for a bigger screen, leading it to develop Face ID.

Bkav said the mask it used to fool the phone could not be replicated by everyone but was simple enough for hackers to make, with the 3D scanners needed to map a person's face relatively easy to find. "Exploitation is difficult for normal users, but simple for professional ones," it said. 

Trying to fool the iPhone X facial recognition

01:42

It claimed the technique used to beat the security could be used to target politicians, billionaires and chief executives. As well as unlocking a phone, Face ID is used to log into banking apps and authorise Apple Pay.

Bkav has previously demonstrated security flaws with laptop face recognition systems.

Apple has said that Face ID is not suitable for children under 13 or for twins, suggesting they use a passcode instead. An Apple spokesman pointed to a security white paper on Face ID detailing its security.

telegraph.co.uktelegraph.co.uk - November 13 view article