Vietnamese security firm says They've Broken Face ID a Week After iPhone X Release

[zanduh]

So it took 5 minutes to scan the face

They specifically didn’t state whether or not “attention required” was checked off which I take to mean they didn’t have it checked. And on top of that if they failed the face recognition then it would force them to switch to the passcode. We don’t know how many attempts and resets it took them to get it to work. 

 

This is supposed to be the big “gotchya!” To Apple?

[captain_to_fire]

6 hours ago, rawrdaysgoby said:

ughhh he did it to the mask first then to himself.... soo..... yea....

 

it is much harder to make a facial mask then a thumb print I guess

I always believe that every lock has a key and no doubt that even something like iCloud activation or Face ID. This is why I hope this methodology gets tested by more people by replicating it. If proven true then it’s good since Apple can then issue a software update or make the next iteration of the iPhone have a much better facial recognition just like how the Touch ID on the iPhone 7 is a big improvement from the iPhone 5s. 

Edited November 14, 2017 by hey_yo_

[Egg-Roll]

9 hours ago, matrix07012 said:

but considering Face ID was already fooled by two brothers, this might be real.

The picture i saw the brothers are similar but distinctive enough one could see differences instantly, this means a complete stranger might be able to gain access to your phone if they are very close in facial appearance. I also saw the Brother article over the weekend and after the freeze issue i got bored with all the iPhone issues.

 

38 minutes ago, hey_yo_ said:

If proven true then it’s good since Apple can then issue a software update or make the next iteration of the iPhone have a much better facial recognition

Nothing is perfect, someone will find a way around it. Best thing to do is avoid using stuff you cant trust. Just because it is there doesn't mean it "has" to be used. Facial recognition is going to take another 3-5 years at least to get it to the point where fingerprint readers are now.

[vorticalbox]

10 hours ago, Sauron said:

I suppose it's better than touchID, where they could scrape your fingerprint right off of the device itself. I assume this requires some sort of scan of the owner's face, which is not necessarily easy to obtain.

I read a thing once where they build a 3d model of a face from a photograph. So I can see this being quite easy to pull off. 

 

pro tip don't use something people gave easy access too, face, finger print etc as a password. 

 

Bio metrics should be used to Identify a user not authenticate. 

[Master Disaster]

10 hours ago, dizmo said:

Exactly. That's a lot of work. It's just as easy to fool a fingerprint reader, and yet we're not that worried about that.

I don't think this is a huge issue. So, say someone does that. They have to steal your phone. If your phone goes missing, you should cancel anything that's vital (credit card, for example) anyway. Have sensitive stuff on your phone? Turn on the PIN as well. Solved.

20 years ago making SNES games was a lot of work, these days it can be achieved with an office grade PC and a free application.

 

Maybe right now this might not be an issue but in the future when the process is fully understood and streamlined it might be possible to create a full scan in a few seconds without the owner even being aware.

 

Personally I stick with a good old PIN despite my phone supporting fingerprint unlock.

 

BTW did anybody see Mythbusters Vs Fingerprint locks? They got a top of the range lock that the manufacturer claimed couldn't be beat as it detected heat and moisture in the finger as well as the actual print.

 

Yeah, turns out all you gotta do is make a ballistics gel print of the fingerprint, lick it then press it onto the reader and hey presto, you're in.

[mr moose]

Build a better mousetrap and they'll build a better mouse.  

 

 

[captain_to_fire]

I hope Apple is bringing back Touch ID and have it side by side with Face ID and add the the option for both fingerprint and facial recognition to unlock the iPhone and for riskier situations like politicians and journalists, add the option to require the entry of facial, fingerprint and PIN to unlock the iPhone and also the option to wipe the iPhone after three or five failed passcode attempts instead of ten. 

 

Identical twins can fool Face ID but not Touch ID. https://www.nytimes.com/2009/10/06/science/06qna.html 

Edited November 14, 2017 by hey_yo_

[79wjd]

20 minutes ago, hey_yo_ said:

I hope Apple is bringing back Touch ID and have it side by side with Face ID and add the the option for both fingerprint and facial recognition to unlock the iPhone and for riskier situations like politicians and journalists, add the option to require the entry of facial, fingerprint and PIN to unlock the iPhone and also the option to wipe the iPhone after three or five failed passcode attempts instead of ten. 

 

Identical twins can fool Face ID but not Touch ID. https://www.nytimes.com/2009/10/06/science/06qna.html 

That's unlikely to happen. Besides, TouchID on the back of a phone still sucks and if you really care about security than TouchID+FaceID is still really shitty security. The fact is that anyone who can get past one can probably get past the other too most of the time. 

 

You can still lock/wipe the iPhone from iCloud. So if you're in a very sensitive position, then as soon as your phone goes missing you can instantly wipe it. If you backup to iCloud, then doing so is only as much of an inconvenience as going to the store to get a new phone and clicking 'restore from backup' (and if you don't have backups, then you're screwed anyway).

[captain_to_fire]

3 minutes ago, djdwosk97 said:

TouchID+FaceID is still really shitty security

I was thought Face ID+Touch ID+passcode although that would be very inconvenient. Which made me think that passcode is still the most secure way to protect a phone. 

 

The more inconvenient it is, the more secure it is. 

 

5 minutes ago, djdwosk97 said:

You can still lock/wipe the iPhone from iCloud. So if you're in a very sensitive position, then as soon as your phone goes missing you can instantly wipe it. 

Remote wipe only works if the iPhone is connected to the internet via cellular data or wifi which isn’t always the case when you’re in a flight or in another country. 

[FloRolf]

Can you not just open the camera again, go to latest pics, roll down the top menu and then access the phone from there, like they did with some older iPhone? 

#secure #novirusespossiblethisisiosomfg

[79wjd]

12 minutes ago, VegetableStu said:

Not to mention having to find a PC or something else you trust to access icloud.com, if it gets lifted in the streets ._.

Either the thief is prepared and the extra attempts won't matter, or they'll have to prepare after stealing your phone, in which case there is plenty of time to deal with it. Or they're the average thief and even with a million attempts they still wouldn't be getting in.

16 minutes ago, hey_yo_ said:

Remote wipe only works if the iPhone is connected to the internet via cellular data or wifi which isn’t always the case when you’re in a flight or in another country. 

The problem is that anyone who has the means of getting in within 10 attempts will also have the means of doing it in 3/5 attempts. 

2 minutes ago, FloRolf said:

Can you not just open the camera again, go to latest pics, roll down the top menu and then access the phone from there, like they did with some older iPhone? 

#secure #novirusespossiblethisisiosomfg

No. And most (all?) of the videos demonstrating that unlocked the phone with TouchID first. 

[captain_to_fire]

10 minutes ago, djdwosk97 said:

The problem is that anyone who has the means of getting in within 10 attempts will also have the means of doing it in 3/5 attempts. 

I’m pretty sure brute forcing a six digit passcode with only three attempts allowed before wipe is much more secure than ten attempts before wipe and I’m pretty sure most hackers would try to guess the passcode first.

[captain_to_fire]

37 minutes ago, djdwosk97 said:

Besides, TouchID on the back of a phone still sucks

I myself is not a fan of fingerprint scanners at the back but remember that Apple applied for a patent for an under the display fingerprint scanner. I’m pretty sure that the iPhone X is currently a massive beta test and everyone who bought are paying beta testers. Somewhere in Cupertino, CA, their R&D and design teams are evaluating reviews, user feedback and security researchers if they made the right choice with the Face ID or moving to OLED (which I think is a wrong move). While I’m sure that the ugly notch is here to stay, in some aspects, Jony Ive (design), Craig Federighi (software) and Tim Cook are discussing whether they made the right change or not for the iPhone X. 

 

[79wjd]

14 minutes ago, hey_yo_ said:

I’m pretty sure brute forcing a six digit passcode with only three attempts allowed before wipe is much more secure than ten attempts before wipe and I’m pretty sure most hackers would try to guess the passcode first.

4 digits -- 10^4 = 10,000 possibilities.

6 digits -- 10^6 = 1,000,000 possibilities

6 characters -- 36^6 = 2.2 billion possibilities. 

 

3 vs. 10 isn't a huge difference. 

5 minutes ago, hey_yo_ said:

I myself is not a fan of fingerprint scanners at the back but remember that Apple applied for a patent for an under the display fingerprint scanner. I’m pretty sure that the iPhone X is currently a massive beta test and everyone who bought are paying beta testers. Somewhere in Cupertino, CA, their R&D and design teams are evaluating reviews, user feedback and security researchers if they made the right choice with the Face ID or moving to OLED (which I think is a wrong move). While I’m sure that the ugly notch is here to stay, in some aspects, Jony Ive (design), Craig Federighi (software) and Tim Cook are discussing whether they made the right change or not for the iPhone X. 

 

Adding TouchID to the screen would admit that they were wrong in their choice to go with faceID (even if it was only because they couldn't get embedded TouchID working in time, that's how people would see it) and I don't see that happening. I also read a report that the X was supposed to be released in 2018 but they were forced to do it earlier and embedded TouchID was discounted from the get go because they didn't think it feasible. On top of all of that, Apple is talking about the security of FaceID compared to TouchID, so with that on top of everything I really don't expect any chance of TouchID making a comeback.

 

While I would (marginally) prefer TouchID embedded in the screen, I don't see it happening.

[dizmo]

8 hours ago, Master Disaster said:

20 years ago making SNES games was a lot of work, these days it can be achieved with an office grade PC and a free application.

 

Maybe right now this might not be an issue but in the future when the process is fully understood and streamlined it might be possible to create a full scan in a few seconds without the owner even being aware.

Which is why security is also constantly evolving and they came out with this

[ARikozuM]

19 hours ago, dizmo said:

I wonder what a scan requires though. If you're a higher up, you should be more sensitive with such things, and honestly, have your device more secure than one level of security.

You're not likely to have anything sensitive on the phone itself aside from possibly whatever is needed at the moment (in case your network doesn't work) while everything else can be grabbed through a second or even third line of defense (calling it in or logging to the networks) vs just carrying terabytes of data on your phone. Unless someone is an idiot and keeps all of their contracts on their phone when they only need one. 

19 hours ago, dizmo said:

It'd be interesting to know how many pictures are needed, from what angles, and what quality. Naturally I understand why they don't want to release such information, but still.

With what? If you made a silicone mold of the fingerprint you could just put it on your finger and against the reader, no?

Or a copy, paste it over your finger. I'm assuming the method of "living person" is simply a temperature sensor.

The iPhone uses the fingerprint texture or capillary layout. I don't know of any phone (the iPhone SE, Note 4 and 5 didn't) that uses thermal processing to verify the fingerprint. 

 

On topic: I'm skeptical since they only tested the "owner" and the mask. He didn't bother trying the cameraman's face or even a picture. We weren't given any idea of the training FaceID went through before testing the mask or even if any training took place. 

 

[captain_to_fire]

12 hours ago, djdwosk97 said:

Adding TouchID to the screen would admit that they were wrong

What more proof Apple wants that Face ID is a flop and it’s a beta feature and everyone who bought it should feel being ripped off for paying to become beta testers? 

 

https://www.linkedin.com/pulse/my-10-year-old-son-can-unlock-wifes-iphone-x-using-face-malik 

 

[79wjd]

24 minutes ago, hey_yo_ said:

What more proof Apple wants that Face ID is a flop and it’s a beta feature and everyone who bought it should feel being ripped off for paying to become beta testers? 

 

TouchID also didn't have a perfect launch. The difference is that it's easier to fool FaceID since you can see faces and thus it's easier to target an attack. FaceID will also hopefully improve over time through software updates and machine learning (and I'd also expect to see improved hardware in the future), but I'd still take FaceID any day over TouchID on the back of the phone -- of course, I would have preferred TouchID embedded in the display, but that wasn't achievable, and the two methods each of their pros and cons in terms of convenience. 

 

And no, I don't feel ripped off because I, nor anyone with half an ounce of common sense, uses FaceID or any biometric security method because of its security. It's about convenience. A password will ALWAYS be superior to anything biometric. 

[Master Disaster]

And for those saying its fake, yeah no.

 

The BBC flew a reported to Vietnam where the company performed a live demo of the mask unlocking the phone for them.

 

Its legit, heck it even works if somebody else is wearing the mask too.

[kilgore_T]

seems like a lot of effort just to hack someone's phone

 

[michaelocarroll007]

On 11/13/2017 at 3:51 PM, Sauron said:

I suppose it's better than touchID, where they could scrape your fingerprint right off of the device itself. I assume this requires some sort of scan of the owner's face, which is not necessarily easy to obtain.

Its been proven with a decent Camera you can from 10-20' away take a picture and get a good enough finger print to fool touch id. DSLR obv. 

[michaelocarroll007]

On 11/14/2017 at 7:44 PM, djdwosk97 said:

TouchID also didn't have a perfect launch. The difference is that it's easier to fool FaceID since you can see faces and thus it's easier to target an attack. FaceID will also hopefully improve over time through software updates and machine learning (and I'd also expect to see improved hardware in the future), but I'd still take FaceID any day over TouchID on the back of the phone -- of course, I would have preferred TouchID embedded in the display, but that wasn't achievable, and the two methods each of their pros and cons in terms of convenience. 

 

And no, I don't feel ripped off because I, nor anyone with half an ounce of common sense, uses FaceID or any biometric security method because of its security. It's about convenience. A password will ALWAYS be superior to anything biometric. 

Why not both finger on back and Face ID up front. Whys it always this One or Other Argument. $1000 phone im sure they can spend a few more figuring out a finger print on the side or back along with face ID

[Sauron]

2 minutes ago, michaelocarroll007 said:

Its been proven with a decent Camera you can from 10-20' away take a picture and get a good enough finger print to fool touch id. DSLR obv. 

Do you mean faceID?

[michaelocarroll007]

2 minutes ago, Sauron said:

Do you mean faceID?

https://9to5mac.com/2014/12/29/touch-id-hack/

 

Touch ID ( Though googling for info about this now just brings up 200 Face ID articles so cant find anything much newer or more info) This was from 2014 so a while back 

[Sauron]

3 minutes ago, michaelocarroll007 said:

https://9to5mac.com/2014/12/29/touch-id-hack/

 

Touch ID ( Though googling for info about this now just brings up 200 Face ID articles so cant find anything much newer or more info) This was from 2014 so a while back 

Well, it's probably even easier to scrape it off of the device, but yeah, even worse I guess.