When Apple announced Face ID on the iPhone X, they made a number of lofty claims about its security, many of which are slowly unravelling.
The latest to fall is the claim that Face ID cannot be spoofed by masks, with Apple’s Phil Schiller saying the company “...worked with professional mask makers and makeup artists in Hollywood to protect against these attempts to beat Face ID. These are actual masks used by the engineering team to train the neural network to protect against them in Face ID. It’s incredible!”
It now appears all that work has been in vain, as Vietnamese security company Bkav has demonstrated that a simple (or somewhat complex) mask is able to fool Face ID into unlocking without the user being present.
“The mask is crafted by combining 3D printing with makeup and 2D images, besides some special processing on the cheeks and around the face, where there are large skin areas, to fool AI of Face ID,” explained Mr. Ngo Tuan Anh, Bkav’s Vice President of Cyber Security.
See the video below.
Bkav claims this proves facial recognition is “not mature enough” to trust on smartphones and PCs. If substantiated by others, the demonstration makes it clear that the technology will not be able to protect your data if you are the subject of a targeted attack.
Of course, unless you get on the wrong side of a spy agency, it is very unlikely that someone will go to the trouble of carefully crafting a mask of you, but it does suggest that Apple should likely not advertise the technology as more secure than a fingerprint reader. After all, unlike your fingerprint, your face is always on show, making it a rather poor secret key.