

Face ID faceplant: You can't trust iPhone X auth—will the enterprise?

Richi Jennings, your humble blogwatcher, dba RJA

Apple’s Face ID is under fire (again). This week, it’s the 10-year-old who can unlock mom’s iPhone X with a mere glance—even though he has a perfectly normal family resemblance to his parents.

And after Friday’s revelation that Vietnamese researchers could fool Face ID with a model head, things aren’t looking so rosy for Apple’s latest security tech.

Let’s face it, no biometric alone is going to be as good as a strong password. In this week’s Security Blogwatch, we identify the facts.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: a magical musical adventure through the land of Oz.


What’s the craic? Here’s Attaullah Malik—My 10-Year-Old Son Can Unlock My Wife's iPhone X Using Face ID:

We … were just done setting up the Face IDs, our 10-year-old son walked in … picked up her phone and with just a glance got right in. … Apparently, TrueDepth … wasn’t accurate enough as it worked with my 10-year-old son.

He doesn’t fall under the “twins” exception. … His face is smaller than my wife’s. … The geometry of their faces doesn’t match.

In a world where your smartphone … has access to pretty much all of the services that you use, [it’s] of paramount significance. … Once a malicious person has found a way to hack into your phone, even encrypted data can be accessed.

The take away … we need to understand the limitation of a small mainstream consumer device … to provide true biometric security.

How about that? Andy Greenberg tries to explain a “million to one” error:

Attaullah Malik and Sana Sherwani made [the] discovery earlier this month, when their fifth-grade son, Ammar Malik, walked into the bedroom of their Staten Island home to admire their new pair of iPhone Xs. … The boy picked up his mother's … and a split second after he looked at it, the phone unlocked.

Malik was careful to note that Ammar is a "good kid" who isn't likely to take advantage of his access to his mother's phone. [But] his son was able to dependably unlock [it]. Malik found that especially puzzling, since … his son's face is clearly smaller than his wife's, and the two have somewhat different features.

With Face ID, Apple has launched a grand experiment in a form of biometric security previously untested at this scale. [Apple says] "the statistical probability is different for twins and siblings that look like you and among children under the age of 13, because their distinct facial features may not have fully developed."

Oh, so I guess that’s okay. But Scott Wilson has a bee in his bonnet:

Security has always kinda been an afterthought with Apple. … There's a new iPhone exploit every few weeks or so. Today it's your kid's face.

[In] the largest hacking incident in history, XcodeGhost … 200 million people had their iPhones hacked for over six months. It's literally the worst computer security incident in history. … iOS and OS X have topped the CVE database for maximum number of reported vulnerabilities for three years.

Jennifer Lawrence isn't going to get her nudes back. … They are just out there. Because of Apple's terrible security.

And then, of course, there’s last week’s Vietnamese research hoo-hah. Ngo Tuan Anh and Nguyen Tu Quang claim Face ID [is] not an effective security measure:

The iPhone X's Face ID facial recognition system … is not as secure as Apple claimed. … With a mask crafted through a combination of 3D printing technique, 2D images and some special processing, [we] can beat Face ID.

Face recognition technology in general is not mature enough after nearly 10 years of development. … Face ID is not an effective security measure.

It was even simpler than we ourselves had thought. Apple has done this not so well.

Oh boy. Steve Gibson streams his consciousness:

Predictably … we’re beginning to have [Apple’s] claims … tested. … They were claiming a million to one [chance] of a stranger unlocking your [iPhone].

I don’t know how you make that claim without testing it. … They may believe that’s the case, but what we’re immediately seeing are … “close-enough” faces … unlock [a] phone.

Faces are generally far more public than fingerprints. [We can] take multiple angles of a person’s face and reconstruct a 3D model.

Apple has made a huge [and] unfortunate concession, giving up true security in favor of convenience. … It’s a brand-new, unproven technology—it would be crazy to … jump in only on Apple’s assurances, which … seem to have been overblown.

But Bruce Schneier is sanguine:

The hack hasn't been independently confirmed, but I have no doubt it's true.

I don't think this is cause for alarm, though. Authentication will always be a trade-off between security and convenience. FaceID is another biometric option, and a good one. I wouldn't be less likely to use it because of this.

To which, Weirdo Wisp waxes waspishly: [You’re fired!—Ed.]

I would prefer a combination of biometrics [and] the usual short 4 to 8 digit PIN. … This wouldn’t be as fast … but much more secure.

For “normal” … people, FaceID or TouchID seems to be better than a short PIN.

And Dan Goodin’s not convinced:

The work may be significant, it may be little more than a stunt. … So far, it's impossible to know because the researchers have evaded key questions.

The video and accompanying press release omitted key details that are needed for other researchers to assess if the results represent a true bypass. … Representatives deflected and at times outright evaded [my] questions.

So Danny Bradbury broadens the discussion:

Apple … isn't the only one touting facial recognition. … Others include Microsoft, with Windows Hello, and Google, with the Trusted Face technology … in Android Lollipop. Just how secure are these … and should we rely on them?

For every successful false acceptance attack … designers will come up with an enhancement … that thwarts it. You're trying to use a photo to spoof a system? Fine, we'll create a system that scans your face in 3D. You're using a mask? OK, here's a liveness detector that looks for motion and blinking. Then researchers will typically come back with a counter-hack.

Security never was and never will be a zero-sum game. It's a question of quantifiable risk.
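To put numbers on the trade-offs raised above (Weirdo Wisp's biometric-plus-PIN suggestion, and Bradbury's point that this is a question of quantifiable risk), here is an added worked example; it is not code from Apple or from any of the quoted authors. It takes the 1-in-a-million stranger figure quoted in the post at face value, assumes a 1-in-100 per-attempt acceptance for a look-alike relative purely as a constructed number, and assumes attempt limits of five biometric tries and ten PIN guesses before lockout. Real PINs are far from uniformly random, so the PIN figures are a best case for the defender.

```python
"""Attacker success probability for biometric / PIN unlock policies.

Added example, not Apple's code or that of any quoted author. All numbers
are assumptions: the 1-in-a-million stranger false-acceptance figure is the
claim quoted in the post; the relative/child figure and the attempt limits
are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Biometric:
    """Each attempt is accepted with probability `far` (the false-acceptance
    rate for this particular attacker), independently of earlier attempts."""
    name: str
    far: float
    max_attempts: int

    def attacker_success(self) -> float:
        # P(at least one of max_attempts independent tries is accepted)
        return 1.0 - (1.0 - self.far) ** self.max_attempts


@dataclass(frozen=True)
class Pin:
    """A `digits`-digit numeric PIN. Best case for the defender: the PIN is
    uniformly random. The attacker never repeats a guess, so success after
    k guesses is k / 10**digits."""
    digits: int
    max_attempts: int

    def attacker_success(self) -> float:
        keyspace = 10 ** self.digits
        return min(self.max_attempts, keyspace) / keyspace


def any_factor(*factors) -> float:
    """Unlock succeeds if ANY factor is passed (the usual phone default:
    biometric OR passcode). Factors are treated as independent."""
    p_fail_all = 1.0
    for factor in factors:
        p_fail_all *= 1.0 - factor.attacker_success()
    return 1.0 - p_fail_all


def all_factors(*factors) -> float:
    """Unlock succeeds only if EVERY factor is passed (biometric AND PIN)."""
    p_pass_all = 1.0
    for factor in factors:
        p_pass_all *= factor.attacker_success()
    return p_pass_all


def equivalent_pin_digits(p_success: float, max_attempts: int) -> int:
    """Shortest uniformly random PIN that, under the same attempt limit, gives
    an attacker no more than p_success chance of getting in."""
    digits = 1
    while Pin(digits, max_attempts).attacker_success() > p_success:
        digits += 1
    return digits


if __name__ == "__main__":
    stranger = Biometric("stranger, claimed 1-in-a-million", 1e-6, 5)
    relative = Biometric("look-alike child (assumed 1-in-100)", 1e-2, 5)
    short_pin = Pin(digits=4, max_attempts=10)
    long_pin = Pin(digits=8, max_attempts=10)

    for factor in (stranger, relative):
        print(f"{factor.name}: {factor.attacker_success():.2e} per lockout window")
    print(f"4-digit PIN, 10 guesses: {short_pin.attacker_success():.2e}")
    print(f"8-digit PIN, 10 guesses: {long_pin.attacker_success():.2e}")
    print()
    print("biometric OR 4-digit PIN (default):",
          f"{any_factor(stranger, short_pin):.2e}")
    print("biometric AND 4-digit PIN (Weirdo Wisp's proposal):",
          f"{all_factors(stranger, short_pin):.2e}")
    print("relative OR 4-digit PIN:", f"{any_factor(relative, short_pin):.2e}")
    print("relative AND 4-digit PIN:", f"{all_factors(relative, short_pin):.2e}")
    print()
    print("PIN length matching the stranger claim with 5 tries:",
          equivalent_pin_digits(stranger.attacker_success(), 5), "digits")
```

Two things stand out when this runs. With the usual OR policy the weakest factor dominates: a 1-in-a-million face match buys almost nothing while a four-digit PIN with ten guesses is also accepted, and a look-alike relative at the assumed 1-in-100 rate gets in about 5% of the time regardless of the PIN. Requiring both factors multiplies the probabilities instead, which is the "much more secure" part of the quoted proposal. The independence assumption is the caveat to keep in mind: the relative who resembles the owner is also the person most likely to know or shoulder-surf the PIN.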

What next for smartphone authentication? Here’s Andrea Miller—Scientists testing sweat analysis:

Dr. Jan Halámek, a biochemist and assistant professor at the University of Albany, and his team’s … approach relies on amino acids found in skin secretions. A phone … will be able to identify what compounds are in its owner’s unique sweat.

His team is submitting proposals for funding.

Meanwhile, Elliot Williams conspires to theorize:

Your face is not secret.

The “hard” part is never as hard as it seems. The fact that [it was] broken within the first few weeks of … release into the wild is not coincidence.

Apple [says] “no government back doors” and then designs an unlock system that’s breakable with something that the government has in abundance — images of your face under controlled conditions.

The moral of the story? If your users have kids, siblings or parents, don’t let them use Face ID.

And finally …

Oh My!

“A magical musical adventure through the land of Oz.”

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Petras Gagilas (cc:by-sa)
