Skip to main content

These spoofers claim that they tricked Face ID with a simple mask

Face ID setup
Face ID setup (Image credit: iMore)

When Face ID was announced back in September, many shared their concerns regarding the new feature's possible limitations. Though Apple assured users that Face ID would be extremely difficult to deceive, everyone from security researchers to pranksters have been waiting with bated breath for the iPhone X to be released so they could test that claim.

Now, just a week after people actually started getting their hands on Apple's new flagship model, Vietnamese security firm Bkav announced in a blog post it has successfully spoofed Face ID with a fairly rudimentary mask.

Andy Greenberg of Wired addressed the claims in more detail:

On Friday, Vietnamese security firm Bkav released a blog post and video showing that—by all appearances—they'd cracked Face ID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which in combination tricked an iPhone X into unlocking. That demonstration, which has yet to be confirmed publicly by other security researchers, could poke a hole in the expensive security of the iPhone X, particularly given that the researchers say their mask cost just $150 to make.

It's important to distinguish this type of spoofing attack from an actual hack. At no time did anyone break into Apple's secure enclave, access any Face ID data, or get around the hardware of the system.

As far the spoof goes, Greenberg also notes that in order to pull this trickery off, a person would have to dedicate a good amount of time and effort to the project and have pretty regular access to your face. According to Bkav's researchers, their method requires at least five minutes of 3D facial scanning and measuring, and is therefore not necessarily something the average user would need to worry about:

Potential targets shall not be regular users, but billionaires, leaders of major corporations, nation leaders and agents like FBI need to understand the Face ID's issue.

It's also worth noting that the security firm doesn't specify whether it trained Face ID against the mask.

See more

In the end, if you've recently purchased an iPhone X, you're no more at risk than you were back when you used your fingerprint to unlock your device. If you remember, when Touch ID launched we saw a similar spate of CSI-style spoofing there as well.

If you're a Bruce Wayne-level elite or a secret agent of some kind, just keep taking the same precautions you did before you upgraded. However, if you're just a run-of-the-mill iPhone wielder like the rest of us average folk, it's super unlikely that your content is in danger.

Thoughts?

What do you think about the individuals at Bkav allegedly fooling Face ID? Let us know in the comments.

Tory Foulk is a writer at Mobile Nations. She lives at the intersection of technology and sorcery and enjoys radio, bees, and houses in small towns. When she isn't working on articles, you'll likely find her listening to her favorite podcasts in a carefully curated blanket nest. You can follow her on Twitter at @tsfoulk.

6 Comments
  • Much ado about nothing etc.
  • Doesn't sound simple
  • It sounds like breaking FaceID is pretty difficult if it took this expert this many tries, time, and planning. It gives me more confidence in FaceID.
  • Eh, it could become easier is the problem. It took this amount of research up front, but now that it's out, it's possible it'll become easier and easier to do.
  • The video does not show much. How do we know what face was used to train it and if that was the first attempt. Not like I am going to let someone have me sit down scan my face and try to make a mask out of it. Would love to see this from start to finish.
  • The whole thing is a fake job. And not a very good one at that. The whole "Swipe and say 'WHOA'" is just obfuscation, a classic magician's trick. All they should do to prove that the spoof works is to face the phone at the mask and show the lock icon moving to the unlock position. If you look at the video, however, you will see that the icon NEVER displays in the unlock position. The whole demonstration should be calmly repeatable a dozen times in a row in 30 seconds. Off button - wake the screen - show the lock icon "unlocking". Rinse and repeat. Forget the swipe - that is not evidence of the unlock. Only the icon is relevant.