Apple faces security fears after mask trick

The Spark

23rd November 2017

According to Apple, its ‘Face ID’ facial recognition technology for unlocking your shiny new iPhone X is extremely secure. In fact, its website says: “The probability that a random person in the population could look at your iPhone X and unlock it using Face ID is approximately 1 in 1,000,000.”

At its iPhone launch event in September, Apple made a specific point that masks wouldn’t be able to trick Face ID. Phil Schiller, the company’s Senior Vice President of Worldwide Marketing, even showed pictures of masks created by Apple’s R&D team to teach the system to dismiss attempts at hacking.

But Bkav, a Vietnamese cyber-security company, has shattered that assertion. By combining a 3D-printed frame, a silicone nose and 2D images, not to mention quite a bit of make-up, Bkav has created a mask capable of fooling Face ID.

Bkav has faced criticism that the tests have not been verified by a third party, but it’s not the first to expose Face ID’s flaws.

Apple waved away security concerns at launch, but a child has unlocked his mum’s phone using his own face, and Mashable has found that Face ID struggles (as you’d expect, in fairness) to tell the difference between identical twins. Face ID even appeared not to work when Apple first demoed it.

Apple also said at the launch event that any biometric data would be securely stored on the phone itself, and therefore almost impossible for third parties to get hold of. According to Reuters, however, app developers will in fact be given access to such information—even if they need permission to move it to an external server.

That data is intended to be used for adding fun features to selfies or mirroring the player’s facial expressions in mobile games, but Reuters says it could also “monitor how often users blink, smile or even raise an eyebrow”.

With tech companies including Facebook getting some stick recently for not considering the impact of their inventions on society, this is another controversial new feature—and one that appears not to be completely secure or to work as intended.