A Vietnamese cybersecurity firm claimed Saturday that it managed to beat Apple's highly touted Face ID security measure using a mask costing about $150 to make. Representatives from Bkav said in a public statement that the entire process took about a week to accomplish.
At the iPhone X launch event in September, Apple's Senior Vice President Phil Schiller claimed that the tech giant had worked with mask and makeup designers to create a locking mechanism that could not be cracked.
"With the iPhone X, your iPhone is locked until you look at it and it recognizes you. Nothing has ever been more simple, natural, and effortless," Schiller said. "This is the future of how we'll unlock our smartphones and protect our sensitive information."
Bkav researchers, on the other hand, claim they can obtain the 3D data necessary to construct a mask capable of opening a locked iPhone X with Face ID in a matter of seconds. The security firm argued that a skilled artist could likely generate such a custom mask based on a handful of 2D photographs of the phone's user.
"Everything went much more easily than you expect," the company wrote in a news release, noting that the iPhone's facial recognition system only needs half of a person's face in order to work.
"The recognition mechanism is not as strict as you think, Apple seems to rely too much on Face ID's AI. We just need a half face to create the mask. It was even simpler than we ourselves had thought."
As proof of the concept, Bkav released a video that it says demonstrates how a custom mask that had significant visual differences to the human eye could be used to trick an iPhone X into unlocking. In its blog post, the company noted that portions of the mask were actually generated on a regular two-dimensional printer.
While other security researchers have cast doubt upon Bkav's claims, the firm revealed a related method for tricking facial-recognition systems from Lenovo, Toshiba and others in 2009.
Similarly, in September of this year, users of Samsung phones found that the Korean tech company's own facial recognition system could be tricked with just a simple photograph.
Bkav seemed to admit that the hack wasn't something those unversed in software and facial-recognition-based security could simply whip up. The danger, it claims, is nonetheless considerable.
"Exploitation is difficult for normal users, but simple for professional ones," the company noted. "With Face ID's being beaten by our mask, FBI, CIA, country leaders, leaders of major corporations, etc. are the ones that need to know about the issue, because their devices are worth illegal unlock attempts."
Apple has yet to comment on the matter.
Overall, the potential Bkav exploit seems to suggest that facial recognition may still face significant hurdles before it can be regarded as an impenetrable locking mechanism.
Many experts agree that, in high-stakes situations where security is paramount, passwords in combination with physical access keys remain the best mechanism for securing a device (despite the fact that many of us are awful at using them).
In addition, the pattern-drawing security method offered on Windows and Android operating systems has proven effective under study. In 2012, the FBI claimed in a federal court filing that it was unable to decipher the pattern that an accused pimp had set on his Android smartphone.