
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Was Apple’s Face ID Just Beaten by a Silicone Mask?

November 13, 2017 By The Editor


Late on Sunday, WIRED reported that a Vietnamese security firm called Bkav may have beaten the iPhone X’s Face ID facial recognition unlock system using a mask made of silicone, 3-D printed plastic, and paper cutouts. The firm released a blog post and video explaining their experiment. Note that this test has not been repeated or confirmed by other security researchers and it required a significant amount of time and effort – in line with high-level corporate or governmental espionage, à la Mission Impossible. It requires detailed measurements of the victim’s face or a digital scan to create the mask, so it’s very unlikely that this would be used against the average iPhone user.

Also, there are ways that researchers at Bkav could have “weakened” Face ID before cracking it with the mask. The person in Bkav’s demo wore glasses, but their mask did not. Face ID uses machine learning elements to help account for small changes in the user’s appearance, such as wearing a hat or scarf. Our security researchers say it’s possible that training the iPhone on a face that wears glasses could have caused it to pay less attention to the printouts of eyes on the mask, making it easier to fool. Bkav has not released many details about their tests and Apple has not yet responded to WIRED’s story, so there are still many unanswered questions.

WatchGuard’s CTO Corey Nachreiner recently dug into Face ID security for a column in Tech Beacon, where he argued that multifactor authentication is a stronger solution than any single biometric token. Here’s an excerpt from that article.

Despite Face ID’s security, I’m still almost positive that researchers and hackers will eventually crack it. Which brings me to my real point: No single authentication factor, no matter how well designed, will ever be perfect. Our authentication options are something we know (passwords), have (tokens or certificates), or are (biometrics). The problem is that there are always ways for these tokens to be stolen, guessed, or mimicked.

This test from Bkav seems to back up Corey’s assertion that hackers will eventually find ways to defeat any authentication token. The more secure approach is to combine different authentication factors rather than create more advanced biometric ones (even if they are stronger). Multi-factor authentication will always win out over any single token.

Read the full article on WIRED and study Bkav’s blog post for yourself here. And read more about Face ID and multifactor authentication here on Secplicity.  


Filed Under: Editorial Articles, Featured

Comments

  1. Adrian says

    November 13, 2017 at 11:59 pm

    I think that the issue for most people is less about the security of the phone than the privacy of the face images or face data captured by the phone.
