Security Firm Says Extremely Creepy Mask Cracks iPhone X's Face ID

Nov 13, 2017
Originally published on November 13, 2017 7:46 pm

Less than a week after the iPhone X release, a Vietnamese security firm says it has done what others couldn't — trick the phone's facial recognition software. How? One very creepy mask.

In a video released by the company Bkav, an employee unshrouds the mask, to which the phone apparently responds to by unlocking. "Face ID on this iPhone X is not as secure as Apple has announced," the employee says. The employee then unlocks the phone again with his own face.

On its website, Bkav says it made the mask with two- and three-dimensional printers, silicone and "hand-made" skin to "trick Apple's AI."

The whole thing cost about $150, the company says.

A feature of the iPhone X, Face ID uses facial recognition rather than a passcode or fingerprint to unlock the phone. It can also be used to confirm identity to make purchases and sign in to other apps.

Of course, a feature like that has attracted a few skeptics.

Wired made an array of deeply creepy masks, hiring a special effects makeup artist who spent 17 hours embedding thousands of eyebrow hairs with a needle — all of which failed to unlock the phone. The Wall Street Journal tried to fool it, and succeeded — but only by using 8-year-old identical triplets.

Apple would not comment on the video for this story. And NPR was not independently able to verify the claims.

When the iPhone X was unveiled in September, Apple marketing executive Philip Schiller said that Face ID's creators had developed a "neural engine" to process facial recognition that wouldn't "easily be spoofed by things like photographs," he said.

"They've even gone and worked with professional mask-makers and makeup artists in Hollywood to protect against these attempts to defeat Face ID. ... We require user attention to unlock. That means if your eyes are closed, you're looking away, it's not going to unlock," Schiller said at the time.

Schiller also put the odds of a random person being able to unlock your phone's Face ID at 1 in 1,000,000.

But Bkav, the security firm, said hacking Face ID wasn't as hard, pointing out that the software would recognize the owner's face even if half-covered.

"It means the recognition mechanism is not as strict as you think, Apple seems to rely too much on Face ID's AI. We just need a half face to create the mask," the firm asserted.

Bkav calls its hack proof of concept, "the purpose of which is to prove a principle."

Marc Rogers, a researcher at the security firm Cloudflare, told Wired that if Bkav has indeed succeeded in hacking Face ID, the most surprising aspect would be the discovery that printed eyes could deceive it — no eye motion needed.

The magazine also notes that Bkav has a history of successfully breaking laptops' facial recognition tools with nothing more than 2-D images of a face.

Copyright 2017 NPR. To see more, visit http://www.npr.org/.

ROBERT SIEGEL, HOST:

Next, has Apple's security for its latest iPhone already met its match? We'll pose that question on today's All Tech Considered.

(SOUNDBITE OF MUSIC)

SIEGEL: When Apple introduced its new top-of-the-line iPhone in September, the company's top marketing executive touted its coolest feature.

(SOUNDBITE OF ARCHIVED RECORDING)

PHIL SCHILLER: The iPhone X, your iPhone is locked until you look at it and it recognizes you. Nothing has ever been simpler, more natural and effortless. We call this Face ID.

(APPLAUSE)

SIEGEL: Phil Schiller talked up the phone's facial recognition function. Face ID, according to Schiller, is 20 times harder to crack than Touch ID.

(SOUNDBITE OF ARCHIVED RECORDING)

SCHILLER: Now, the team's worked hard to make sure the Face ID can't easily be spoofed by things like photographs. They've even gone and worked with professional mask makers and makeup artists in Hollywood to protect against these attempts to beat Face ID.

SIEGEL: Well, not from Hollywood, but from Vietnam comes a claim of hacking Face ID with masks and just over a week since the phone went on sale. NPR's Laurel Wamsley has been following this. And, Laurel, who claims to have fooled - or spoofed, I guess, is the term of art - Face ID?

LAUREL WAMSLEY, BYLINE: It's a Vietnamese company called Bkav. They make their own smartphone. But they're a security firm, and so they try to prove that things are not as secure as they appear. And they have sort of a track record of beating facial recognition technology that already exists on laptops.

SIEGEL: What did they do?

WAMSLEY: So in this case they posted a video a few days ago, less than a week after they'd gotten the iPhone, that shows them sort of unshrouding this mask and presenting the mask in front of the new iPhone X. And indeed, the iPhone X opens up and unlocks when it sees the mask. And then the company employee turns the phone back towards himself and shows him unlocking it with his own face. And they say this proves that they were able to design a mask that can fool the facial recognition technology.

SIEGEL: So let me guess - did Apple concede defeat and say they must be right and the security is terrible on our new top-of-the-line iPhone?

WAMSLEY: They did not do that. And they have not commented.

SIEGEL: Not commented. Other people have tried to do this. They've tried to crack the iPhone X. Is there any reason to doubt the Bkav claim?

WAMSLEY: Yeah. So this is actually been sort of a fun thing. So since Apple announced this new technology back in September, different tech companies and different outlets have tried to beat the system here by making their own masks and things to try to fool that. So I think there is some skepticism that, you know, Wired magazine hired all these makeup artists and stuff to try to crack it, but this company did it itself. So there's no reason in particular to think that it's not true. But the video is very short, and we don't know that this company might not have trained it in some ways to recognize this mask.

SIEGEL: Do we know whether in order to crack somebody's iPhone X the way that this company, Bkav, claims to have done - would they have to have access to my face to do this on my phone? Would they have to make a mask of me to do this?

WAMSLEY: Yes.

SIEGEL: They would?

WAMSLEY: They would. Yeah, they would have to have not just your picture, but also the dimensions of your face. This would involve 3-D printing, 2-D printing, makeup. It's a lot of work to create a likeness of you that would convince your phone it's you.

SIEGEL: NPR's Laurel Wamsley, thanks.

WAMSLEY: Thank you. Transcript provided by NPR, Copyright NPR.