Security researcher who claimed discovery of Face ID bypass cancels Black Hat presentation...

Posted:
in General Discussion edited August 2020
A China-based security researcher has withdrawn a presentation on what was advertised as a workable Face ID hack from the prestigious Black Hat Asia conference after his employer, Ant Financial, called the talk "misleading."

Face ID
Apple's Face ID debuted with iPhone X in 2017.


Wish Wu, who was scheduled to deliver a presentation titled "Bypass Strong Face ID: Everyone Can Deceive Depth and IR Camera and Algorithms" at Black Hat Asia in March, told Reuters on Thursday that he pulled out of the conference at the behest of Ant.

An abstract of Wu's talk, which was pulled from Black Hat's website in December, claimed Face ID's facial recognition technology could be defeated with a black-and-white printed image and "some tape." According to the report, Ant uncovered incongruities in Wu's research late last year, which led to his withdrawal from the conference.

"The research on the face ID verification mechanism is incomplete and would be misleading if presented," the firm said.

Wu agreed with Ant's assessment, saying he was only able to reproduce the hack on an iPhone X under certain unspecified conditions. Apple's iPhone XS and XS Max are unaffected by the attack, Wu said.

"In order to ensure the credibility and maturity of the research results, we decided to cancel the speech," Wu told Reuters.

What, exactly, was amiss in Wu's research remains unknown. It should be noted that Ant, formerly known as Alipay, has long supported Apple's cutting-edge user authentication hardware, including Touch ID and Face ID.

Apple introduced Face ID with iPhone X in 2017, touting the biometric security solution's speed and accuracy. Apple claims Face ID false positives are one in a million, a figure that compares to a match rate closer to 1 in 50,000 for the outgoing Touch ID fingerprint system.

Part of the TrueDepth camera system, Face ID employs a dot projector, infrared camera and flood illuminator to collect depth map and image data of a user's face. Using this information, the onboard A-series system-on-chip creates a mathematical model of the target face and sends this data to a secure enclave for matching.

Face ID has proven extremely effective against spoofing and other physical hacks. In 2017, Vietnamese security firm Bkav claimed it defeated the system with a mask, though the technique has not been reproduced by other researchers.
watto_cobra

Comments

  • Reply 1 of 12
    I Wish Wu well
    gilly33argonaut
  • Reply 2 of 12
    Bkav doesn’t deserve anymore publicity from their PR stunt.

    Ars asked them some very specific questions about their procedures which they either provided vague answers on or didn’t answer at all.

    It’s pretty obvious that Bkav pointed the iPhone at the mask and then entered the PIN so it would learn/merge the mask with the original face (which is the way FaceID is supposed to work). The mask would then work to unlock the phone. This is the specific issue they were pressed on and refused to answer.

    Just a bunch of scammers looking for their 15 minutes of fame. It’s interesting that we haven’t heard of anyone else successfully making a mask to unlock an iPhone with FaceID. With TouchID there were numerous people that successfully used a fake fingerprint to unlock iPhones (though they are also sketchy - mainly concerned with how they lifted such pristine fingerprints). But given a perfect fingerprint it’s possible to trick TouchID.
    gilly33charlesgresradarthekatargonautwatto_cobrajony0
  • Reply 3 of 12
    sflocalsflocal Posts: 6,123member
    And yet not a peep about the myriad of Android security blunders... :/

    chasmgilly33racerhomie3williamlondonradarthekatargonautwatto_cobrajony0
  • Reply 4 of 12
    MplsPMplsP Posts: 4,004member
    sflocal said:
    And yet not a peep about the myriad of Android security blunders... :/

    Idunno  - Samsung’s anemic (pathetic) attempt at Face ID got pretty good coverage (https://www.businessinsider.com/samsung-galaxy-note-8-facial-recognition-tricked-with-a-photo-2017-9?r=UK&IR=T)

    I’ve also seen a fair amount recently about how Android is continually sending information to facebook and others without users knowledge or consent. I think the reason it’s bigger news with Apple is that unlike Android phones, people expect iPhones to be secure.
    watto_cobra
  • Reply 5 of 12
    chasmchasm Posts: 3,525member
    MplsP said:
    sflocal said:
    And yet not a peep about the myriad of Android security blunders... :/

    Idunno  - Samsung’s anemic (pathetic) attempt at Face ID got pretty good coverage (https://www.businessinsider.com/samsung-galaxy-note-8-facial-recognition-tricked-with-a-photo-2017-9?r=UK&IR=T)

    I’ve also seen a fair amount recently about how Android is continually sending information to facebook and others without users knowledge or consent. I think the reason it’s bigger news with Apple is that unlike Android phones, people expect iPhones to be secure.
    Fair point to you for noting those two examples of decent coverage of Android problems, but ... this reminds me of the recent coverage of Microsoft's Win10 1809 update fiasco ... problems in Android are so commonplace that people shrug and accept them as normal now, barring the few really exceptional problems that are likely to affect everyone. It is still true, however, that there is a distinct double-standard when it comes to reporting on Apple.
    PetrolDavewilliamlondonradarthekatargonautwatto_cobra
  • Reply 6 of 12
    wood1208wood1208 Posts: 2,924member
    More you get respected in human society, more you have to live upto and more is expected. Apple is in that category. If Android has any issue, people say which number and  shrug off as nothing new.
    watto_cobra
  • Reply 7 of 12
    Everyone at Black Hat Asia were like, Wish Wu were here.
    radarthekatwatto_cobrajony0
  • Reply 8 of 12
    dewmedewme Posts: 5,679member
    Maybe he should have tried using duct tape. Is there any real world problem that cannot be solved with duct tape? 
    mike1watto_cobra
  • Reply 9 of 12
    dewme said:
    Maybe he should have tried using duct tape. Is there any real world problem that cannot be solved with duct tape? 
    Yes, duct tape fixed my crashed Mac. Love it.
    watto_cobra
  • Reply 10 of 12
    neilmneilm Posts: 995member
    Wishful Wu thinking.
    watto_cobra
  • Reply 11 of 12
    netmagenetmage Posts: 314member
    dewme said:
    Maybe he should have tried using duct tape. Is there any real world problem that cannot be solved with duct tape? 
    Yes, those that need WD-40.
    watto_cobra
  • Reply 12 of 12
    dewme said:
    Maybe he should have tried using duct tape. Is there any real world problem that cannot be solved with duct tape? 
    Don’t forget: if you haven’t fixed it w duct tape, you haven’t used enough duct tape. 
Sign In or Register to comment.