It sees you when you're sleeping, don't care if you're awake - Pixel 4 face unlock unlocks your phone regardless if the user is alert or alive

[rcmaehl]

Source:
BBC (quote source)

CNet

Google

Gizmodo

 

Summary:
Unlike Apple's Face ID system. Google's face unlock feature doesn't care if a user is awake and alert, or alive even, it just cares if the face matches. This is causing some alarm in the privacy community.

Media:

Quotes/Excerpts:

Quote

Google has confirmed the Pixel 4 smartphone's Face Unlock system can allow access to a person's device even if they have their eyes closed. One security expert said it was a significant problem that could allow unauthorised access. By comparison, Apple's Face ID system checks the user is "alert" and looking at the phone before unlocking. Google said in a statement: "Pixel 4 Face Unlock meets the security requirements as a strong biometric." "There are actually only two face [authorisation] solutions that meet the bar for being super-secure. So, you know, for payments, that level - it's ours and Apple's." Using the default settings, the phone still unlocked if the user pretended to be asleep. Images of the Pixel 4 leaked before launch showed a setting labelled: "Require eyes to be open," in the facial-recognition menu. However, this setting was not present on the devices loaned to BBC News. "If someone can unlock your phone while you're asleep, it's a big security problem," said cyber-security expert Graham Cluley. "Someone unauthorised - a child or partner? - could unlock the phone without your permission by putting it in front of your face while you're asleep,"  "I wouldn't trust it to secure the private conversations and data on my phone." Google's...support website tells customers: "Your phone can also be unlocked by someone else if it's held up to your face, even if your eyes are closed." It says concerned customers can switch on "lockdown" mode - which deactivates facial recognition - when they want enhanced security.

My Thoughts:

Google is really dropping the bar here when it comes to face unlock. While I'm sure other manufacturers also don't meet the bar apple has set. Google is boasting about how secure it is compared to Apple and isn't living up to expectations. Thankfully, this should be patchable, but I am still disappointed in them. Thankfully though, it's not the S10 fingerprint reader exploit.

[Brooksie359]

I don't even get this whole arms race of biometrics. I just use a pin and it seems to work fine. Also why in the world is everyone so freaked out about the security of their phone? I can't think of a single thing on my phone that I would be worried about if someone got ahold of it. 

[rcmaehl]

4 minutes ago, Brooksie359 said:

I don't even get this whole arms race of biometrics. I just use a pin and it seems to work fine. Also why in the world is everyone so freaked out about the security of their phone? I can't think of a single thing on my phone that I would be worried about if someone got ahold of it. 

Banking info

Nudes

Private Conversations

Instagram/Snapchat/etc account access

etc etc

 

[Brooksie359]

2 minutes ago, rcmaehl said:

Banking info

Nudes

Private Conversations

Instagram/Snapchat/etc account access

etc etc

 

Why would you have your banking info on your phone if you cared about security at all. Nudes seems like a dumb choice as well. Conversations I guess but who would be interested in that? Same with Instagram and snapchat I don't see why anyone would want to hack someone's phone to get access to those. 

[Kilrah]

Convenience.

[rcmaehl]

Just now, Brooksie359 said:

Why would you have your banking info on your phone if you cared about security at all. Nudes seems like a dumb choice as well. Conversations I guess but who would be interested in that? Same with Instagram and snapchat I don't see why anyone would want to hack someone's phone to get access to those. 

I can assure you any bit of information you can get about someone is extremely useful, especially with conversations. Blackmail is a thing that exists and having access to people's opinions, photos, and conversations is the perfect ammo. Everyone has at least one piece of information or conversation that would strain a relationship with a coworker, get a person fired from a job, cause them to lose a friend, or other negative social consequences. 

[Silentprototipe]

Why did I read the title like a chirstmas song?   

 

Also I love how everyone is freaking out about security flaws in new tech. I mean what did people expect? That these things wouldn't have security flaws? We had the same thing happen years ago with normal fingerprint sensors

[Silentprototipe]

Just now, VegetableStu said:

.... SHIT I GOT STEALTH JINGLED

Spoiler

 

 

[IAmAndre]

38 minutes ago, Brooksie359 said:

I don't even get this whole arms race of biometrics. I just use a pin and it seems to work fine. Also why in the world is everyone so freaked out about the security of their phone? I can't think of a single thing on my phone that I would be worried about if someone got ahold of it. 

Customer information

Private conversations with sensitive data

...

[Silentprototipe]

40 minutes ago, Brooksie359 said:

I don't even get this whole arms race of biometrics. I just use a pin and it seems to work fine. Also why in the world is everyone so freaked out about the security of their phone? I can't think of a single thing on my phone that I would be worried about if someone got ahold of it. 

Biometrics has made life so much easier. Typing a pin is dreadful when its been years being used to fingerprint sensors. Convenience is the name of the game. Its always going to be less secure than just a pin but we willingly gave that up for convenience 

[Zodiark1593]

19 minutes ago, rcmaehl said:

I can assure you any bit of information you can get about someone is extremely useful, especially with conversations. Blackmail is a thing that exists and having access to people's opinions, photos, and conversations is the perfect ammo. Everyone has at least one piece of information or conversation that would strain a relationship with a coworker, get a person fired from a job, cause them to lose a friend, or other negative social consequences. 

I wonder if, in the case of Mister Rogers (an individual that you'd be hard pressed to find any negative information about), a blackmailer would have to take creative liberties to get leverage?

[Bacon soup]

So the FBI got their master key in the form of dead people. I guess we will see more "suicides" in FBI investigations.

[RejZoR]

So much hype about this radar thing in Pixel 4 just for it to be inferior to Apple's 2 years old tech? Not only FaceID is so fast with iOS 13 that it's unlocked before you even fully raise it in front of your face, it's also attention aware. Meaning it can be placed in front of your face, but if you have your eyes closed or looking away, it won't even unlock. It's just a bit... weird that Google spent so much time and money on tech and managed to made it worse than someone elses 2 years old tech.

 

The rest of use with radar tech is more or less gimmick class. Oh noes, it silences alarm when you look/reach at it. So does iPhone. iPhone also quiets down alarm or ringing when you pick it up or look at it. And while swining alarm away looks cool, it's not practical as you'll just swing across phone and fall asleep again. Where pressing button to turn off requires more attention, plus looking at the thing. Hell, alarm clocks should have simple add/subtract equations that you need to solve in order to turn off, sort of like an "alarm captcha". Just to be sure you're really awake when turning alarm off. Or have it across a room so you need to walk up to it and turn it off, like I have it to be sure...

[Radioactive Snowman]

These pixel phones get increasingly tragic every year, are google even trying to make a decent product? They're failing miserably

[Doobeedoo]

Will they even release a 5G version though. 

[LAwLz]

57 minutes ago, Brooksie359 said:

I don't even get this whole arms race of biometrics. I just use a pin and it seems to work fine. Also why in the world is everyone so freaked out about the security of their phone? I can't think of a single thing on my phone that I would be worried about if someone got ahold of it. 

PINs are annoying if you want them to be really secure. It's not hard to figure out a 4 digit PIN, and once you start approaching ~8 then it becomes annoying if you unlock your phone often. I average about 60 unlocks a day on my phone. Every second I shave off my unlock time translates to another minute saved a day.

 

As for things on my phone someone would want to get a hold of:

• Private conversations such as SMS.
• Private images (not nudes, but other private images).
• It's used in a lot of 2FA setups I got. So if you got my phone you got half of what you need to enter a lot of my accounts.
• Speaking of accounts, I am logged in to several accounts on my phone at all time. Get my phone and you can access stuff like my email, which in turn means you can reset my passwords on other services and get access to them.
• Possibly logged data like where I have been (GPS history) and where I will be (calendar).
• Phone and email information to not just my friends and family, but also work partners and colleagues.
• Other sensitive sensitive information like health data.

[MadDuke]

This is awesome news that it works that well and fast.

The point of facial recognition is to unlock when it sees your face. Period-

 

If you are dead, sleeping and/or incapacitated.  Someone can also take your fingerprint.  The only secure thing you can have is a longer PIN code and/or Password.

Sorry. Even if you had a 20 years in the future DNA sequencer to unlock your phone someone could literally bleed you dry and use your blood to do it hehehe

 

I have a Polar V800 watch for years now and it keeps my phone unlocked automatically when I'm near.  It's a convenience factor which exists to just make a nuisance for people who would steal your phone and/or find it if you have lost it.  

[Mihle]

I will never use face unlock features. Fingerprint ftw, preferably on the back of the phone.

[RejZoR]

Just now, Mihle said:

I will never use face unlock features. Fingerprint ftw, preferably on the back of the phone.

I was skeptical like that. Until I tried FaceID almost a year ago. It's a really convenient tech. And I frankly can't see myself going back to fingerprint again. Not after iOS 13 update that made it so fast it's unlocked without any interruptions of use like before where there was a 1-2 seconds delay.

[MadDuke]

4 minutes ago, LAwLz said:

PINs are annoying if you want them to be really secure. It's not hard to figure out a 4 digit PIN, and once you start approaching ~8 then it becomes annoying if you unlock your phone often. I average about 60 unlocks a day on my phone. Every second I shave off my unlock time translates to another minute saved a day.

 

As for things on my phone someone would want to get a hold of:

• Private conversations such as SMS.
• Private images (not nudes, but other private images).
• It's used in a lot of 2FA setups I got. So if you got my phone you got half of what you need to enter a lot of my accounts.
• Speaking of accounts, I am logged in to several accounts on my phone at all time. Get my phone and you can access stuff like my email, which in turn means you can reset my passwords on other services and get access to them.
• Possibly logged data like where I have been (GPS history) and where I will be (calendar).
• Phone and email information to not just my friends and family, but also work partners and colleagues.
• Other sensitive sensitive information like health data.

There are things someone can get a hold off. Of course.

 

But, to make a change on your Google account you will need to re-enter a password and all my Banking stuff has a PIN code I need to enter also.  Which is not an inconvenience since I don't look at my bank account 30 times a day.  

[Mihle]

31 minutes ago, RejZoR said:

I was skeptical like that. Until I tried FaceID almost a year ago. It's a really convenient tech. And I frankly can't see myself going back to fingerprint again. Not after iOS 13 update that made it so fast it's unlocked without any interruptions of use like before where there was a 1-2 seconds delay.

My phone is unlocked even before the front points towards me because when I pick I up my finger is already on the sensor in my pocket.

[LAwLz]

33 minutes ago, MadDuke said:

There are things someone can get a hold off. Of course.

 

But, to make a change on your Google account you will need to re-enter a password and all my Banking stuff has a PIN code I need to enter also.  Which is not an inconvenience since I don't look at my bank account 30 times a day.  

Yeah they won't be able to make changes to my Google account, but they can go to any other account I have and go "forgot password" and it will send a new password to my gmail, which they have access to.

Most security questions are trivial to guess so that's not much protection either.

[JoostinOnline]

My One Plus 6 unlocks with my eyes closed too. It was one of the first things I tested.

[jiyeon]

I feel like this might be applicable to other phones too, anyone out there tested it? With an alive person that is just asleep, obviously.

[7412]

What's the point of face ID? It unlocks without you even wanting to unlock. 

Under-display fingerprint scanners are already easy and fast. And they ditch the top bezel as well.