Cybersecurity experts ‘beat’ Face ID with carefully constructed 3D mask

A cybersecurity firm has apparently tricked Face ID into unlocking with a specially made mask that imitates a real person’s face. The security researchers say the iPhone X had only been unlocked with the real person’s face, so the iPhone could not have learned false data from the mask.

How much of a security flaw this really represents is up for debate of course. Making the mask only cost $150 in materials, but required access to a detailed scan of the person’s facial features and many hours of work by artists …

The researchers say that much of the model was made using an off-the-shelf 3D printer whilst other elements like skin and nose were hand-made.

The resultant mask does not look human at all, with only the eyes, nose and mouth area actually painted in. The researchers found that large portions of the face did not have to accurately depict the subject in order for Face ID to successfully unlock.

Apple says the Face ID system includes defences against such biometric attacks, although it doesn’t guarantee infallibility by any means. Here’s the relevant quote from the white paper:

An additional neural network that’s trained to spot and resist spoofing defends against attempts to unlock your phone with photos or masks.

The practical value of this disclosure is arguable. Face ID being fooled by a photograph is one thing; being fooled by an accurate mask is quite a high barrier.

However, it does show that a targeted attack on specific important individuals could be possible. The researchers suggest that Face ID’s weaknesses mean it should not be used by CEOs or presidents, for instance.

For the layperson, Face ID is more than secure enough; it is too time-consuming for someone to make a mask of this quality in order to break into one random person’s phone.

It’s also worth noting that this mask would have been made with the cooperation of the person it is mimicking, which would not be the case for an attack on a CEO, for example.

Moreover, Apple can use the findings from this research to make an even more secure algorithm for Face ID to be released in future software updates.

Benjamin Mayo

Benjamin develops iOS apps professionally and covers Apple news and rumors for 9to5Mac.