The much-touted facial recognition feature from Apple is now drawing, even more, flak than it did around the launch date. A cybersecurity firm has claimed that it has tricked the Face ID into unlocking the device using a specially developed mask which imitated the face of a real person. Thus, testifying that the feature is not as secure as Apple had claimed it to be.
The Vietnam-based security firm Bkav also released a video showing how the $150 mask can bypass the security feature. Ngo Tuan Anh, Bkav’s Vice President of Cyber Security, stated in a statement, “The mask is crafted by combining 3D printing with makeup and 2D images, besides some special processing on the cheeks and around the face, where there are large skin areas, to fool AI of Face ID”.
When asked, how similar experiments from publications like WIRED failed where Bkav succeeded, he said, “We are the leading cyber security firm 😉 It is quite hard to make the “correct” mask without certain knowledge of security. We were able to trick Apple’s AI, as mentioned in the writing, because we understood how their AI worked and how to bypass it. As in 2008, we were the first to show that face recognition was not an effective security measure for laptops.”
Commenting on the dimensions of a person’s face, and how would those be obtained without a target sitting for them, he elaborated, “The first point is, everything went much more easily than you expect. You can try it out with your own iPhone X, the phone shall recognize you even when you cover a half of your face. It means the recognition mechanism is not as strict as you think, Apple seems to rely too much on Face ID’s AI. We just need a half face to create the mask. It was even simpler than we ourselves had thought. Apple has done this not so well. I remember reading an article on Mashable, in which Apple told that iPhone X had been planned to be rolled out in 2018, but the company then decided to release it one year earlier. This shows that they haven’t carried out scientific and serious estimation before deciding to replace Touch ID with Face ID.”
He continued, “The second point is, in cyber security, we call it Proof of Concept, which is useful for both sides, the hackers and the users. The hackers, they can find out a simpler way to exploit users’ device based on such PoC. While with users, if they know about such possibility, they will not use the feature to keep themselves safe. Just like the KRACK attack, it is not easy to be successfully exploited but users are urged to update the patch ASAP, because the threats are real. With Face ID’s being beaten by our mask, FBI, CIA, country leaders, leaders of major corporations, ect. are the ones that need to know about the issue, because their devices are worth illegal unlock attempts. Exploitation is difficult for normal users, but simple for professional ones.”
Earlier, the United States Senator Al Franken had written to Apple CEO Tim Cook citing concerns on privacy and security of the users. Franken, a ranking member of the Senate Judiciary Subcommittee on Privacy, Technology and the Law, in a wordy letter addressed to Tim Cook pointed out, “While details on the device and its reliance on facial recognition technology are still emerging, I am encouraged by the steps that Apple states it has taken to implement the system responsibly.” He continues, “However, substantial questions remain about how Face ID will impact iPhone users’ privacy and security, and whether the technology will perform equally well on different groups of people. To offer clarity to the millions of Americans who use your products, I ask that you provide more information on how the company has processed these issues internally, as well as any additional steps that it intends to take to protect its users.”
