Samsung's Galaxy S8 facial recognition feature defeated with digital photo
Samsung with its Galaxy S8 introduced a new device unlock feature based on facial recognition software, but it seems all it takes to bypass the low-level security layer is a photo of a registered user.

As seen in the video below, YouTuber Marcianotech was able to spend some time with the Galaxy S8 at Samsung's launch event on Thursday. After a few minutes of playing with the device, he was able to successfully defeat the handset's facial recognition function with a picture of his face (captured on another S8 no less).
It seems that Samsung's biometric security feature relies on image fingerprinting or similar methods of recognizing prominent features in a captured image. These techniques use complex algorithms to measure the size, shape and distances between a user's eyes, nose, and mouth, as well as other identifying facial features.
Since such systems use common 2D cameras, they can be defeated using 2D images. There are, however, technologies that help bolster 2D facial recognition solutions. For example, facial motion capture might be applied to detect whether or not a target face is moving, bettering the chances that received imagery depicts a live human face rather than a photo or video.
In any case, it appears the facial recognition software built into Samsung's S8 and S8+ does not incorporate safeguards beyond industry standard 2D image fingerprinting.
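An added illustration of the point above (not code from Samsung or from this article): a matcher built only on 2D landmark geometry accepts a flat picture of the enrolled face, while a simple motion check across frames rejects it. The landmark coordinates, thresholds and function names are constructed assumptions.

```python
import math

def _iod(lm):
    return math.dist(lm["left_eye"], lm["right_eye"])

def features(lm):
    """2D 'fingerprint': landmark distances scaled by the inter-ocular distance."""
    iod = _iod(lm)
    (lx, ly), (rx, ry) = lm["left_eye"], lm["right_eye"]
    mid = ((lx + rx) / 2, (ly + ry) / 2)
    return (math.dist(mid, lm["nose"]) / iod,
            math.dist(mid, lm["mouth"]) / iod,
            math.dist(lm["nose"], lm["mouth"]) / iod)

def matches(enrolled, probe, tol=0.05):
    return math.dist(features(enrolled), features(probe)) <= tol

def eye_openness(lm):
    return math.dist(lm["lid_top"], lm["lid_bottom"]) / _iod(lm)

def is_live(frames, min_change=0.08):
    """Motion check: the eyelid gap must change across frames (a blink)."""
    vals = [eye_openness(f) for f in frames]
    return max(vals) - min(vals) >= min_change

def unlock(enrolled, frames, require_liveness):
    if not all(matches(enrolled, f) for f in frames):
        return False
    return is_live(frames) if require_liveness else True

def moved(lm, scale, dx, dy):
    """A flat picture held nearer/farther or shifted: every point moves together."""
    return {k: (x * scale + dx, y * scale + dy) for k, (x, y) in lm.items()}

def blink(lm, gap):
    x, y = lm["left_eye"]
    return {**lm, "lid_top": (x, y - gap / 2), "lid_bottom": (x, y + gap / 2)}

# Constructed landmark coordinates in pixels (not measurements from any device).
ENROLLED = {"left_eye": (100, 120), "right_eye": (160, 120), "nose": (130, 160),
            "mouth": (130, 195), "lid_top": (100, 114), "lid_bottom": (100, 126)}
OTHER = {**ENROLLED, "nose": (130, 150), "mouth": (130, 200)}
PHOTO = [moved(ENROLLED, s, dx, dy) for s, dx, dy in [(1.0, 0, 0), (1.1, 5, -3), (0.9, -8, 4)]]
LIVE = [ENROLLED, blink(ENROLLED, 2), ENROLLED]

if __name__ == "__main__":
    print("picture, geometry only :", unlock(ENROLLED, PHOTO, False))
    print("picture, motion check  :", unlock(ENROLLED, PHOTO, True))
    print("live face, motion check:", unlock(ENROLLED, LIVE, True))
```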
For its part, Samsung in a statement to ArsTechnica said its new facial recognition feature only controls device unlocking and is not applied to more sensitive tasks like mobile payments or accessing the handset's Secure Folder.
Still, with Samsung marketing facial recognition as a security feature, users could be expecting a bit more from the new functionality.
The Galaxy S8 provides various levels of biometric authentication, with the highest level of authentication from the iris scanner and fingerprint reader. In addition, the Galaxy S8 provides users with multiple options to unlock their phones through both biometric security options, and convenient options such as swipe and facial recognition. It is important to reiterate that facial recognition, while convenient, can only be used for opening your Galaxy S8 and currently cannot be used to authenticate access to Samsung Pay or Secure Folder.
Perhaps not coincidentally, Apple is also rumored to debut some form of facial recognition technology in its upcoming "iPhone 8" smartphone later this year. According to KGI analyst Ming-Chi Kuo, Apple's version is believed to integrate specialized IR transmitters and receivers to accomplish enhanced 3D sensing and modeling capabilities, or depth mapping. The system should provide a more accurate representation of a user's face as compared to conventional 2D systems.
As AppleInsider explained earlier this month, however, it is unlikely that Apple intends to replace existing Touch ID fingerprint authentication with a face-based biometric solution. Because face-based technology is still being refined, Apple's rumored facial recognition system will likely power ancillary, opt-in functionality, while Touch ID handles critical tasks, at least in the near term.
Comments
And to top it off, Scamsung give a deflection about the security instead of acknowledging they screwed up, yet again!
If I spot anyone using this in the wild I'll immediately point this out to them and see if they'll be stupid enough to continue using it afterwards...
Too bad Apple is above doing something like that in a TV ad
A combination of biometric IDs can also form a strong identification system, e.g. efforts to break Touch ID can be halted by additionally checking for the owner's face. Or passcode attempts can be rejected if the phone hasn't seen its owner in a period of time. Instead Samsung has compromised security by granting more access to singular, weak forms of biometric identification. Utter stupidity with zero foresight, and a strong indication of what development is like inside Samsung.
If (rather when) the iPhone removes the home button, you can be sure that the sensor won't be moved to the back of the device, but rather use a technology that reads the fingerprint through the screen.
What Samsung is doing here is just trying to make their phone look like what Apple is rumoured to be producing - even though it's compromising their user experience to achieve this. From launch Samsung conceded that Samsung Pay would still require use of the now oddly placed fingerprint sensor.
In their pursuit to make the S8 look as apple-like as possible, we see that Samsung has even aped the iPhone 6 wallpaper, big white billboard advertising style, round+polished finish and further altered apps to look even more like iOS.
EDIT:: Guess I could have read the entire article first...
Although, one thing the article does skim over is whether or not this tech can be used in conjunction with / in addition to the fingerprint sensor, as opposed to either/or, which, I imagine it can be. So on a demo device which does not have fingerprint authentication set up, then yes, a photo will get you in, not so if fingerprint authentication is also activated. On the other hand, the devices clearly have the capability to allow solely facial recognition to unlock the device, which while a seemingly "neat" option, is clearly not a smart security policy.
Because of existing US Laws, they can't force you to divulge your passcode but they can use fingerprints and optical controls without hindrance then they will be hoping that Apple introduces something on a par with Samsung.
Whatever Apple introduces, don't use it if (including Touch ID) you have anything even remotely embarrassing let alone incriminating on your phone/tablet.
Actually, there are quite a few talks by Alan Kay on YouTube, I suggest you watch them all. What he says in brief is that all those technologies currently attributed to Xerox were 10-15 years in development, way before Xerox PARC was even established. Take a look at the Augmented Research Center (ARC) and what has been developed there.
The rest of the claimed thefts are as real as that one.
Edit: Hm, doesn't seem to be supported by AppleInsider.