News broke yesterday that a cybersecurity company based in Singapore has already ‘beaten’ the latest facial recognition feature unveiled by Apple for their latest model, the iPhone X. Bkav says a 3D-printed mask costing just $150 (£115) to make has fooled the Face ID software, which is used to unlock the iPhone X, authorise payments and log in to apps. Terry Ray, CTO at Imperva commented below.
Terry Ray, CTO at Imperva:
“Nothing is 100% secure. Where there’s a will, there’s a way. The questions are: How much trouble would someone go to, and how much would they spend, to get your data?
It’s important to note that the attacks being talked about are individual bespoke attacks that must be built and executed against each victim separately. This is in addition to stealing the individual’s phone and getting access to it before the owner can remotely wipe the device. Is your data so valuable that someone would go to this effort? For the vast majority of us, the answer is definitely no. However, for those few who feel they may be at threat, such a “Mission Impossible” style attack might be possible. The more time researchers spend with the iPhone X, the more likely they are to find interesting ways around the biometric defenses.
Each person must decide which is the highest priority for them, convenience or security, and weigh the importance of each against the technology they choose to secure their personal data. If convenience is more important, Face ID may be your choice. On the inverse, if security is your priority, until more is tested against Face ID, I’d suggest using only a passcode, all the time. However, consider the mechanisms Apple put in place to force a passcode instead of Face ID. Apple highlights six situations when the passcode will be forced instead of Face ID:
- The device has just been turned on or restarted.
- The device hasn’t been unlocked for more than 48 hours.
- The passcode hasn’t been used to unlock the device in the last 156 hours (six and a half days) and Face ID has not unlocked the device in the last 4 hours.
- The device has received a remote lock command.
- After five unsuccessful attempts to match a face.
- After initiating power off/Emergency SOS by pressing and holding either volume button and the side button simultaneously for 2 seconds.
So, consider this scenario:
An attacker models your face from many online pictures (let’s assume you’re famous with pictures everywhere). Using the model, the attacker creates a life-like mask as described by the article. Now the mask is made, though can’t be tested until a phone is in hand (it’s unclear how many ‘tweaks’ to the mask were necessary to get the ‘hack’ to work). The last step is to steal the phone and get someplace private to start testing the mask. Given the six items above the attacker would need to avoid the following:
- The attacker cannot power the phone off, or else it will force a passcode login, which could take years if the victim uses a six-digit alphanumeric code (which the victim should). Why is this a problem? It means the attacker must quickly isolate and disconnect the phone from all networks to prevent a remote reset of the device or a remote lock command to the device.
- The attacker gets only five tries to use the mask. On the sixth try, a passcode is required and again we are back to years to break into it.
- The attacker has 48 hours to unlock the phone, so they can’t spend too much time working out fixes for their five tries or else the phone locks with a passcode.
You should be getting a picture here.
What is the most secure method if security is your priority? For security, the best approach is a good six or more digit passcode of alphanumeric non-case sensitive characters. For the rest of us, Face ID is probably just fine.”
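To make the six passcode-forcing conditions and the mask scenario above concrete, here is an added Python model (not code from Apple, Bkav or Imperva) that encodes those six rules as a policy check and then replays the scenario: a stolen phone that was unlocked moments ago, a mask that fails, and the clock running. The state fields, the rule strings, the sample starting state and the `advance`/`mask_scenario` helpers are all assumptions made for the illustration; only the thresholds (48 hours, 156 hours, 4 hours, five attempts) come from the article.

```python
from __future__ import annotations
from dataclasses import dataclass, replace

HOUR = 3600  # seconds


@dataclass(frozen=True)
class DeviceState:
    """Constructed snapshot of a phone's unlock-related state (assumed field names)."""
    unlocked_since_boot: bool           # False right after power-on or restart
    secs_since_any_unlock: int          # time since the last successful unlock of any kind
    secs_since_passcode_unlock: int     # time since the passcode was last used to unlock
    secs_since_faceid_unlock: int       # time since Face ID last unlocked the device
    failed_face_matches: int = 0        # consecutive failed Face ID match attempts
    remote_lock_received: bool = False  # a remote lock command has arrived
    power_off_or_sos_started: bool = False  # power-off / Emergency SOS gesture was held


def passcode_required(s: DeviceState) -> list[str]:
    """Return every rule from the article's list that currently forces the passcode.

    An empty list means the device may still offer Face ID.
    """
    reasons = []
    if not s.unlocked_since_boot:
        reasons.append("device just turned on or restarted")
    if s.secs_since_any_unlock > 48 * HOUR:
        reasons.append("not unlocked for more than 48 hours")
    if s.secs_since_passcode_unlock > 156 * HOUR and s.secs_since_faceid_unlock > 4 * HOUR:
        reasons.append("passcode unused for 156 hours and no Face ID unlock in 4 hours")
    if s.remote_lock_received:
        reasons.append("remote lock command received")
    if s.failed_face_matches >= 5:
        reasons.append("five unsuccessful face-match attempts")
    if s.power_off_or_sos_started:
        reasons.append("power off / Emergency SOS initiated")
    return reasons


def advance(s: DeviceState, seconds: int) -> DeviceState:
    """Let wall-clock time pass without any unlock happening."""
    return replace(
        s,
        secs_since_any_unlock=s.secs_since_any_unlock + seconds,
        secs_since_passcode_unlock=s.secs_since_passcode_unlock + seconds,
        secs_since_faceid_unlock=s.secs_since_faceid_unlock + seconds,
    )


def attempt_face_unlock(s: DeviceState, matched: bool) -> tuple[DeviceState, str]:
    """Apply one Face ID attempt; result is 'passcode_required', 'unlocked' or 'failed'."""
    if passcode_required(s):
        return s, "passcode_required"  # biometrics are not offered at all
    if matched:
        return replace(s, failed_face_matches=0,
                       secs_since_any_unlock=0, secs_since_faceid_unlock=0), "unlocked"
    return replace(s, failed_face_matches=s.failed_face_matches + 1), "failed"


def mask_scenario(outcomes: list[bool], gap_seconds: int = 0) -> list[str]:
    """Replay the article's scenario on a constructed starting state.

    The phone was unlocked with Face ID five minutes before the theft and the
    passcode was last typed a day ago; `outcomes` gives whether each mask attempt
    matches, and `gap_seconds` is the time spent 'tweaking' between attempts.
    Returns the result of each attempt, stopping at the first non-failure.
    """
    state = DeviceState(unlocked_since_boot=True, secs_since_any_unlock=5 * 60,
                        secs_since_passcode_unlock=24 * HOUR, secs_since_faceid_unlock=5 * 60)
    log = []
    for matched in outcomes:
        state = advance(state, gap_seconds)
        state, result = attempt_face_unlock(state, matched)
        log.append(result)
        if result != "failed":
            break
    return log


def passcode_keyspace(length: int = 6, alphabet_size: int = 36) -> int:
    """Number of possible passcodes for the alphanumeric, case-insensitive advice above."""
    return alphabet_size ** length


if __name__ == "__main__":
    print(mask_scenario([False] * 6))                        # five failures, then passcode
    print(mask_scenario([False] * 3, gap_seconds=20 * HOUR))  # the 48-hour clock wins
    print(passcode_keyspace())
```

Running the scenario with six failing attempts shows five `failed` results followed by `passcode_required`, matching the "on the sixth try" point; spacing three attempts 20 hours apart trips the 48-hour rule before the five-attempt budget is used up, which is the time pressure the comment describes.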