The Apple iPhone X’s Face ID security system has been busted open by Vietnamese security firm Bkav once again.
The firm demonstrated how a simple 3D-printed mask could be used to unlock an iPhone X with Face ID enabled, but also said that the method was so complex and time-consuming that only billionaires and the like should be concerned about the attack vector.
However, the firm has now updated its initial test and netted the following results.
Bkav has updated the mask since its initial testing in two ways. First, the firm used stone powder to print the mask, which can “trick Face ID AI at higher scores” due to its resemblance to human skin. The firm also used infrared images of the user’s eyes to fool Apple’s security.
Many will be wondering how a hacker could even get a scan of your face without being noticed, and according to Bkav that’s easier than you think.
“A person can be secretly taken (sic) photos in just a few seconds when entering a room containing a pre-setup system of cameras located at different angles. Then, the photos will be processed by algorithms to make a 3D object,” said Bkav.
The firm’s vice president of cybersecurity Ngo Tuan Anh warned users that the software is not secure enough.
“About 2 weeks ago, we recommended that only very important people such as national leaders, large corporation leaders, billionaires, etc. should be cautious when using Face ID. However, with this research result, we have to raise the severity level to every casual users: Face ID is not secure enough to be used in business transactions,” said the vice president.
That said, this attack vector relies on a person getting your phone, having an array of cameras set up to snap your face from multiple angles, and then being able to print high-quality infrared images of your eyes to attach to a 3D-printed model of your face.
That seems like a lot of work for an attacker to go through to discover that my bank account is empty and the most egregious things on my phone are GIFs of cats my friends send me.
[Source – Bkav] [Image – CC 0 Public Domain Pixabay]