Doubts have been raised about their methods, but it appears researchers in Vietnam have bypassed the Face ID lock screen.
Apple no longer wants you to unlock your iPhone with touch. With the iPhone X, it’s all about your face.
Face ID was the standout feature of the iPhone X, and one that differentiates it from the iPhone 8 range and anything that’s come before. It’s Apple’s latest biometric authentication system and works using a new camera array on the front of the screen.
Apple claims the error rating on the iPhone X’s Face ID is one in a million. Touch ID had a 1 in 50,000 chance of unlocking for the wrong fingerprint. The tech giant also said Face ID can tell the difference between twins (although the error rating drops when it comes to relatives) and doesn’t get ‘spooked’ by a photograph or even a mask of someone’s face.
The latter has now been called into question. After WIRED tried, and failed, to use a mask to trick the system, Vietnamese security firm Bkav claims to have mastered it using a (frankly terrifying) 3D-printed mask and a prosthetic nose. It said that creating the mask was simple, requiring only basic 3D scanning software like that found on the Sony XZ1, and a silicone nose.
In a blog post, and accompanying video, the researchers explain: "We were able to trick Apple's AI because we understood how their AI worked and how to bypass it. As in 2008, we were the first to show that face recognition was not an effective security measure for laptops...Apple has done this not so well." In the video, the team is shown removing a cover from the mask positioned in front of the iPhone X. The handset then automatically unlocks.
Bkav was the first company to "break" facial recognition for laptops following its introduction on a range of Toshiba, Lenovo and Asus laptops. That particular exploit was publicly demonstrated and confirmed in 2008. The Face ID proof-of-concept hack has not yet been confirmed in this way, so it should be taken with a pinch of salt.
When asked why Bkav has been successful where other websites and firms have failed, it vaguely said: "It is because...we are the leading cybersecurity firm ;) It is because we understand how AI of Face ID works and how to bypass it." It is not clear, therefore, how the initial face was registered on the phone and how the mask specifically differs from others.
We've contacted Apple for comment.