Apple's Face ID with attention detection fooled by $200 mask

135

Comments

  • Reply 41 of 94
    georgie01 said:

    "About 2 weeks ago, we recommended that only very important people such as national leaders, large corporation leaders, billionaires, etc. should be cautious when using Face ID," said Ngo Tuan Anh, VP of cyber security at Bkav. "However, with this research result, we have to raise the severity level to every casual users: Face ID is not secure enough to be used in business transactions."
    This is revealing about Bkav. They certainly aren’t providing a public service, and their lack of transparency and overstatement of the scope of the security issue is suspicious. And $200? Right... As long as you have already invested in a sophisticated 3D scanner and a 3D printer and whatever other equipment is necessary and have the time to invest in developing a ‘hack’ and also have the means to get such a scan of the person who’s phone you want to get into. That doesn’t cost $200, and this company knows it. So what’s their motive in trying to make FaceID seem so insecure? What do they have to gain from it?
    Publicity 
    jony0
  • Reply 42 of 94
    emig647emig647 Posts: 2,394member
    pdbreske said:
    From Mashable: "Bkav researchers said that making 3D model is very simple," the blog post noted. "A person can be secretly taken photos of in just a few seconds when entering a room containing a pre-setup system of cameras located at different angles. Then, the photos will be processed by algorithms to make a 3D object."

    So, to unlock an iPhone X using this hack, you need to do one of two things: 1) Steal a phone and then capture a bunch of photos of the owner without his/her knowledge, print a mask using stone dust and some kind of infrared printer, all within 48 hours (or less) to get under the phone's biometric time limit, or 2) do all of that stuff BEFORE you steal the phone so the mask will be ready when you have the phone in your custody.

    Oh yeah. You iPhone X owners should be petrified with concern.

    Not to mention, it takes two attempts before default to a passcode which puts them at square one. Better nail that mask on the first try.
    kiltedgreen
  • Reply 43 of 94
    "2D infrared images"? Really? That person brought to us as "news" has no idea about what infrared and infrared image are, pathetic effort to build a scenario... If you take an infrared image, print it, you can fool an infrared sensor even if the light reflected from that image is in visible spectrum, not infrared !! So is their claim. But who knows, maybe their printer too prints in infrared and the machine they captured those eyes transferred all the reflected infrared frequencies to the printer that printed the eyes in infrared ink that continuously shines in infrared spectrum?
    edited November 2017
  • Reply 44 of 94
    For those (too many) that don't know, increased use of FaceID decreases strictness and would make it easier to fool rather than harder - FaceID is hardest to fool immediately after training - it is so strict it will rejected the trained face in some cases! Teaching causes it to accept more variations and angles of the face, which means a less accurate model is being used, not a more accurate one. 

    BTW, the notch has two cameras, one IR and one visible (selfie) camera, which is how it interpolates depth from the dot pattern.
    edited November 2017
  • Reply 45 of 94
    I'll just leave this here:

    https://findbiometrics.com/fingerprint-cards-phone-bkav-408164/

    someone is smarting from FaceID
  • Reply 46 of 94
    Ok let's be frank. Apple has nailed Face ID...and everybody hates it. SUCCESS!
    radarthekatSpamSandwichjony0
  • Reply 47 of 94
    I'm getting bored of these stories of elaborate means for fooling Face ID or just mishandling the feature like those families with members who look alike. Someone wake me up when it fails under real world circumstances instead of this crap.
  • Reply 48 of 94
    The registration is fake. His face doesn’t even fit into the circle and the process is faster than a real registration. He struggles to turn his head fast enough to match the bar animation. After registration he should show that that was a true registration by unlocking with his face first.

    Actually since it cannot register a mask, the whole process is scam, a single continuous animation. It’s easily seen how he counts seconds before pressing the side button.
    Yeah, there was something strange about how he approached unlocking the phone with the mask (at the very least, it gave the impression that there was a very specific distance/angle required to get it to work), and I noticed that during the Face ID registration his lips/chin were continuously dipping below the scan area.
  • Reply 49 of 94
    dewmedewme Posts: 1,499member
    Soli said:
    macxpress said:
    So are people going to walk around wearing $200 masks of me, somehow getting the exact dimensions of my face? I think this is kinda stupid and worthless. Apparently, the Vietnamese have nothing better to do.
    I would assume their goal is to make a commercial system that they could sell to law enforcement. When someone is arrested the mugshot could be taken with a 3D camera and a mask generated from the data.
    But they could also just use your actual face if they have you in custody.
    Or fingers if it's a Touch ID scenario and they have you in custody with a very big dude providing "encouragement."
  • Reply 50 of 94
    k2kwk2kw Posts: 1,303member
    Hopefully Samsung will get the under display finger print scanner working and then Apple will license the technology in a few years from them.
    iPhone XII now only $1,499.00.    Or they could just put the home button/finger print scanner TouchID on the back (but not next to the camera like Samsung).
  • Reply 51 of 94
    I was happy with a passcode. Touch ID or FaceID .... pick one. Short of a DNA test, who’s got a better idea? Unless you’re one of a few very unique people in the world, nobody is going to this trouble to unlock your phone.

    Press on Apple.
  • Reply 52 of 94
    rob53 said:
    cornchip said:
    rob53 said:
    Weird, after scanning his face without actually looking at the camera (his eyes were glancing down), the lock icon was unlocked when he first tried having the mask unlock it, then the lock changed to locked and he said it was unlocked. 

    I wish people would use standard test practices instead of having both the test mask and the real face in the room in the same general area at the same time. If I was running this test, I'd encode my face in another room, test to make sure it unlocks, then restart the phone, enter my pin, lock the phone then unlock with my face again to make sure the normal, entire process works. 

    Once this is done I'd lock the phone and give the phone to a different person who takes it into a separate room and tries unlocking it with the mask. 

    I would think Apple's algorithms would notice a 2D print of the eyes and the lack of realistic 3D around the eyes. A person can not make the exact "face" twice in a row so the software should sense the lack of change in facial muscles from one attempt to the next. Until someone actually runs a proper test, I will still believe in Apple's FaceID product.
    So, you mean, like science n shit?
    We're trying to have intelligent discussions on this topic and don't need some smart ass comment degrading science. FaceID is science and if you're having problems dealing with that, don't bother commenting. It's a waste of my time commenting about your comment but it needs to be done. Some comments can be funny but not the one you left. Science is an important part of schooling, one that too many students overlook because it's not glamorous but it's absolutely necessary if we're going to have young educated people fill in for us old guys. 

    cornchip is not "degrading science."  He's mocking the testers by pointing out that rob53 proposed something like a controlled scientific, or at least valid engineering, test, whereas Bkav did not.  It's called sarcasm, in this case bordering on irony.
    mike1radarthekatStrangeDaysroundaboutnow
  • Reply 53 of 94
    Yawn...same crap different day...remember all of the touchID concerns?
  • Reply 54 of 94
    There are several problems here, but let's focus on the simplest one:

    Unless this process is easier and cheaper than just watching someone type in the PIN or beating the snot out of them until they give it up (Which it's not) it is pointless and irrelevant. 
    edited November 2017 radarthekatkiltedgreen
  • Reply 55 of 94
    jkichlinejkichline Posts: 1,292member
    $200 with of MATERIALS. $500,000 worth of equipment and a lot of preparation and knowledge to do it. This isn’t any different than growing some fingerprints in a Petri dish based on highly accurate fingerprint scans to get into Touch ID. You can claim it’s so cheap to do, but you need equipment, expertise and time to do it... like any type of Oceans 11 grade heist.
    edited November 2017 radarthekat
  • Reply 56 of 94
    macxpressmacxpress Posts: 4,507member
    kimberly said:
    iPhone owner: “So, you can unlock my iPhone using a mask that cost you just $200 to create?  How does that work?”

    Bkav:  “Yes, it’s really quite simple.  Just register FaceID, then immediately hand over your iPhone to us, before you use the iPhone to refine the FaceID data set, and also stand still while we take some detailed photos of your face under controlled lighting conditions.  Then go home and come back tomorrow and we’ll show you the trick.  Oh, and in the meantime please don’t use Find My Phone to lock us out, okay?”

    And... GO!
    As a moderator, consider posts with racist comments like the example below (final sentence).
    macxpress said:
    So are people going to walk around wearing $200 masks of me, somehow getting the exact dimensions of my face? I think this is kinda stupid and worthless. Apparently, the Vietnamese have nothing better to do.

    Kimberly,

    I think you need to look up the definition of racist....My comment was not racist at all, and wasn't meant to be. I'll give you a quick hint on how to look it up assuming you have a Mac. Right click on the word racist and select look up "racist" and it will give you the definition. Then compare it to what I said and you'll instantly feel silly for your comment. 

    As a person with only 16 posts, who the hell are you to just come in here and start bitching and whining about what someone is saying. If you don't like the programming, change the fucking channel. 
    edited November 2017 mike1radarthekat
  • Reply 57 of 94
    croprcropr Posts: 815member
    macxpress said:
    So are people going to walk around wearing $200 masks of me, somehow getting the exact dimensions of my face? I think this is kinda stupid and worthless. Apparently, the Vietnamese have nothing better to do.
    Maybe not ordinary people like you and me but e.g. law enforcement might consider the investment to crack iPhones of suspects. 
  • Reply 58 of 94
    mike1mike1 Posts: 1,675member
    rob53 said:
    cornchip said:
    rob53 said:
    Weird, after scanning his face without actually looking at the camera (his eyes were glancing down), the lock icon was unlocked when he first tried having the mask unlock it, then the lock changed to locked and he said it was unlocked. 

    I wish people would use standard test practices instead of having both the test mask and the real face in the room in the same general area at the same time. If I was running this test, I'd encode my face in another room, test to make sure it unlocks, then restart the phone, enter my pin, lock the phone then unlock with my face again to make sure the normal, entire process works. 

    Once this is done I'd lock the phone and give the phone to a different person who takes it into a separate room and tries unlocking it with the mask. 

    I would think Apple's algorithms would notice a 2D print of the eyes and the lack of realistic 3D around the eyes. A person can not make the exact "face" twice in a row so the software should sense the lack of change in facial muscles from one attempt to the next. Until someone actually runs a proper test, I will still believe in Apple's FaceID product.
    So, you mean, like science n shit?
    We're trying to have intelligent discussions on this topic and don't need some smart ass comment degrading science. FaceID is science and if you're having problems dealing with that, don't bother commenting. It's a waste of my time commenting about your comment but it needs to be done. Some comments can be funny but not the one you left. Science is an important part of schooling, one that too many students overlook because it's not glamorous but it's absolutely necessary if we're going to have young educated people fill in for us old guys. 
    I took his response to mean the total opposite of what you thought and actually agreed with you. Perhaps he can clarify (or did already and I just haven't gotten that far yet).
    radarthekat
  • Reply 59 of 94
    Rayz2016Rayz2016 Posts: 3,945member
    netmage said:
    For those (too many) that don't know, increased use of FaceID decreases strictness and would make it easier to fool rather than harder - FaceID is hardest to fool immediately after training - it is so strict it will rejected the trained face in some cases! Teaching causes it to accept more variations and angles of the face, which means a less accurate model is being used, not a more accurate one. 

    BTW, the notch has two cameras, one IR and one visible (selfie) camera, which is how it interpolates depth from the dot pattern.

    That's not strictly true. 

    I think you're mistaking 'gets better at recognising you' for 'gets less stringent' and I'm afraid they're not the same thing at all.  

    What Apple actually does is augment its stored mathematical representation of your face whenever it gets a nice high quality image that it thinks might speed up the recognition, or it fails to recognise you and you immediately enter your passcode. 

    What you and others (myself included) have missed is that this augmentation data set is not permanent: it is deleted after a finite number of uses, or immediately if FaceID is presented with a face that is clearly not you.

    So looking at one popular scenario:

    You FaceID. It recognises you.
    You hand it to your kid. He FaceIDs It doesn't recognise him, but you unlock it with the passcode.
    You FaceID. It recognises you. 
    You hand it to your kid. He FaceIDs. It doesn't recognise him, but you unlock it with your passcode.
    You FaceID. It recognises you
    You hand it to your kid. He FaceIDs. It recognises him, thinking it's you.

    Because you hit the passcode, FaceID will add the augmentation data, and use that to recognise the kid.

    But after a number of tries, it'll stop working because the augmentation data is automatically discarded. Or what is more bizarre is that it might not let you back into your own phone because you don't match the augmented data supplied by your kid.  In which case, you enter your passcode, the augmented data is wiped and it'll recognise you the next time round ... but not your kid.

    It's actually very cleverly thought out: For those times when your appearance changes with glasses, hats and scarves, the system will still recognise you, but this is not something that will form a permanent representation of you. The base data which is a map of the contours of your face will stay pretty much the same, and that's where the really clever stuff is going on. 

    So no, it does not get more lax as time goes on.






    radarthekatjensonbroundaboutnow
  • Reply 60 of 94
    lkrupplkrupp Posts: 6,187member
    macxpress said:
    So are people going to walk around wearing $200 masks of me, somehow getting the exact dimensions of my face? I think this is kinda stupid and worthless. Apparently, the Vietnamese have nothing better to do.
    Of course not but it makes good troll fodder. The “Face ID is useless” talking point is already being touted everywhere.
Sign In or Register to comment.