Vietnamese cybersecurity firm Bkav claims to have fooled Apple’s Face ID authentication using an inexpensive mask. The company published a blog post and video showing a “proof of concept” on how they broke into an iPhone X using a simple technique.
The below video shows it in action.
As you can see, the researcher pulls a piece of cloth from a mask facing an iPhone X and it unlocks instantly.
The video has caused a stir on social media, with several people questioning its authenticity. Several users have pointed out that the Face ID lock icon at the top doesn’t open when the phone is facing the mask. We also found that odd but were able to replicate the strange behavior on an iPhone X unit Apple provided us. Other users believe the security firm set up Face ID using the mask, not the researcher’s face. As no other security researcher has replicated these results, it’s impossible to know if this low-quality video is genuine.
“For the moment I can’t rule out that these guys might be tricking us a bit,” Marc Rogers, a researcher for security firm Cloudflare, told Wired.
If it is, the authentication method Apple claims is the safest ever used on a smartphone may be easier to break than originally expected. Apple wrote in a white paper on Face ID that it is smart enough to know when it’s looking at a mask. Interestingly, previous tests by Wired and the Wall Street Journal using Hollywood-grade silicon were unable to unlock Face ID.
It’s not clear why the iPhone X was fooled by this less convincing, and frankly extremely creepy mask. Bkav says the mask is made using a combination of 3D printing, plastic, silicon, makeup, and paper cutouts. In total, it costs just $150 to make and only took about a week to complete.
Still, the average iPhone X users shouldn’t worry about this trick being used against them. Bkav explains the method requires detailed measurements or a scan of the user’s face, making it too advanced for your average hacker to take advantage of. The cybersecurity firm did stress that “billionaires, leaders of major corporations, nation leaders and agents like FBI” need to be aware of the problem.
The firm hit out at Apple, saying it “has done this not so well” and claiming their video shows “they haven’t carried out scientific and serious estimation before deciding to replace Touch ID with Face ID.”
There are still several unanswered questions surrounding the demonstration. Bkav said it would reveal more in a press conference later this week. Until then, take this video with a grain of salt.