iPhone owner: “So, you can unlock my iPhone using a mask that cost you just $200 to create? How does that work?”
Bkav: “Yes, it’s really quite simple. Just register FaceID, then immediately hand over your iPhone to us, before you use the iPhone to refine the FaceID data set, and also stand still while we take some detailed photos of your face under controlled lighting conditions. Then go home and come back tomorrow and we’ll show you the trick. Oh, and in the meantime please don’t use Find My Phone to lock us out, okay?”
And... GO!
As a moderator, consider posts with racist comments like the example below (final sentence).
So are people going to walk around wearing $200 masks of me, somehow getting the exact dimensions of my face? I think this is kinda stupid and worthless. Apparently, the Vietnamese have nothing better to do.
How is that racist? The researchers are Vietnamese.
I don't mind all these people trying to say they've cracked Apple's FaceID because it gives Apple a ton of feedback they can use to continue to evolve this product. For the most part, I feel software updates will be able to address the majority of these potential failures. Of course, a better, more extensive initial face scan might be required. I suggest adding at least two more scans, one including a change in facial expression (squint, smile or don't smile, open/close your mouth) and one including wearing glasses, a hat/or other head covering and maybe even covering some of your face with your hand. Force the software to capture more initial characteristics of the face and not accept the scan until it captures an adequate number of scans of the eyes in various positions.
I would think FaceID would not work if it doesn't sense movement in the eyes, which would not happen in the test given in this article. Try staring without changing the location of your eye and you'll find it's almost impossible. Apple needs to add this requirement, if it's not already there. The eyes need to shift, refocus, or change somehow to recognize it as a live person.
Hats and sunglasses don’t matter with Face ID (if your shades allow IR).
kimberly said: As a moderator, consider posts with racist comments like the example below (final sentence).
That is not racist. It is like saying the Canadians spend all their time making boysenberry pies. Probably not true but it has nothing to do with race.
Sure, Vietnamese aren't a race, but we both know that the term is commonly used to refer to bigotry. That said, I can see how it's taken that way but I don't think it should since so far 100% of the cases for bypassing Face ID have come from Vietnam; at least the high-profile claims that are blowing up tech sites.
So are people going to walk around wearing $200 masks of me, somehow getting the exact dimensions of my face? I think this is kinda stupid and worthless. Apparently, the Vietnamese have nothing better to do.
lol I don't see how that's racist. are you sure you know what 'racist' means?
So are people going to walk around wearing $200 masks of me, somehow getting the exact dimensions of my face? I think this is kinda stupid and worthless. Apparently, the Vietnamese have nothing better to do.
In what way is that a racist comment by @macexpress?!
Sheesh... give it a rest.
(I see that lots of others had a similar reaction to the post; still, I’ll leave mine here)
I can't help but notice that all of these 'hacks' are much harder to pull off than simply watching someone enter their passcode.
Even if it was trivial to lure an individual to provide a face scan or fingerprint there is no guarantee that these scans will produce a working model, it could take many successive attempts to obtain workable scans, which is unlikely to be useful for criminals.
Then there are the various, potentially repeated, efforts needed to produce the physical mask or dummy fingerprint - and finally access to the device inside the time-out period for a log in to be successful. It's clear that face or touch id are both superior to repeatedly entering a passcode.
Altogether this reminds me of the "touch id" hacks, technically possible, but in the lifetime of touch id has proven to not be a weakness.
These idiots again. Looking for another 15 minutes of fame at Apple's expense.
I want someone, anyone who hacks FaceID or TouchID to show us an unedited video of the entire process. For all we know they tried dozens of times and then only published a video when it worked.
In fact, I'd bet $$$ this is EXACTLY what's happening here.
Agreed. They could have tried a dozen times, or way more.
——————
Here’s an another example, a “miraculous card trick”:
With cameras rolling ...
I ask someone to (randomly) think and identify any playing card.
I then ask them to remove that card from a deck of cards in plain sight in front of them.
They can’t find the card. It’s missing from the deck.
However they find that missing card in a sealed envelope. An envelope that has been in plain sight the whole time.
A miracle!!! ???
Nope. I just attempted the same trick multiple times on camera with different people.
The real trick is that I ONLY showed the successful video. And that video is 100% real and unfaked.
However, if you look at the entire record of EVERYTHING, it doesn’t look quite so miraculous. Even though the actual successful video is entirely REAL.
How many cameras read back the image data? If it is only one then even though the dot projector interrogates the face with a 3D scan the image the camera sees is just a 2D projection of the 3D subject on a 2D plane.
What's very bogus here is the $200 claim that somehow does not account for the significant data acquisition, 3D modeling, development and tuning of algorithms, 3D printing devices, verification procedures, and materials that are needed to produce a 3D mask that can bypass a minimally-trained Face Id installation. They can't just slap something together and hope that it works on the first (and likely ONLY) attempt they will ever get, especially if they don't have physical access to the target person or iPhone to verify that their 3D mask model is sufficiently accurate. The required verification steps are a glaring omission from their claim. I'd bet that they tested their 3D mask dozens of times (at least) with the target face and iPhone as they refined their 3D printed model and tested it with the target device to ensure that it would work for the "big reveal." Gotta throw the BS flag on this alone. How likely would an actual iPhone owner allow such an obvious verification process to take place without raising suspicion? Perhaps if they tricked the targeted user into submitting to an MRI scan they could obtain the required data for their 3D model with sufficient accuracy in a single session. Very likely - not.
No doubt that state sponsored organizations can probably obtain everything needed to pull this off in one pass. But they also need physical access to the phone which means they would have to steal it in a stealthy manner or through force and/or coercion while also rendering the owner unable to remotely disable the device. That's a whole lot more time and work intensive than any number of very simple and effective brute force coercion and intimidation techniques that can be very easily employed to force the phone's owner to surrender their PIN code to unlock said phone. The 3D printed fake face is something you'd expect to see on a TV crime/fantasy series - truly laughable.
From Mashable: "Bkav researchers said that making 3D model is very simple," the blog post noted. "A person can be secretly taken photos of in just a few seconds when entering a room containing a pre-setup system of cameras located at different angles. Then, the photos will be processed by algorithms to make a 3D object."
So, to unlock an iPhone X using this hack, you need to do one of two things: 1) Steal a phone and then capture a bunch of photos of the owner without his/her knowledge, print a mask using stone dust and some kind of infrared printer, all within 48 hours (or less) to get under the phone's biometric time limit, or 2) do all of that stuff BEFORE you steal the phone so the mask will be ready when you have the phone in your custody.
Oh yeah. You iPhone X owners should be petrified with concern.
Is my memory faulty, or do I recall that the Samsung Note 7’s groundbreaking new facial recognition - with iris scanning as well - could b fooled with a simple low-quality selfie or other 2D photo.
That was, of course, before the Note 7s started exploding and made the point moot.
Did anyone think that this wasn’t working to bypass Face ID? The simple fact is, who’s going to waste their time making a mask like this. Well you know maybe the CIA will waste of time making a mask. But your every day, common criminal? I don’t think so. I mean if they really wanted to they could just hold the phone right in front of your face and unlock it right then and there, why waste time with a mask? That’s the whole point.
What's very bogus here is the $200 claim that somehow does not account for the significant data acquisition, 3D modeling, development and tuning of algorithms, 3D printing devices, verification procedures, and materials that are needed to produce a 3D mask that can bypass a minimally-trained Face Id installation. They can't just slap something together and hope that it works on the first (and likely ONLY) attempt they will ever get, especially if they don't have physical access to the target person or iPhone to verify that their 3D mask model is sufficiently accurate. The required verification steps are a glaring omission from their claim. I'd bet that they tested their 3D mask dozens of times (at least) with the target face and iPhone as they refined their 3D printed model and tested it with the target device to ensure that it would work for the "big reveal." Gotta throw the BS flag on this alone. How likely would an actual iPhone owner allow such an obvious verification process to take place without raising suspicion? Perhaps if they tricked the targeted user into submitting to an MRI scan they could obtain the required data for their 3D model with sufficient accuracy in a single session. Very likely - not.
No doubt that state sponsored organizations can probably obtain everything needed to pull this off in one pass. But they also need physical access to the phone which means they would have to steal it in a stealthy manner or through force and/or coercion while also rendering the owner unable to remotely disable the device. That's a whole lot more time and work intensive than any number of very simple and effective brute force coercion and intimidation techniques that can be very easily employed to force the phone's owner to surrender their PIN code to unlock said phone. The 3D printed fake face is something you'd expect to see on a TV crime/fantasy series - truly laughable.
I agree. It sounds like a lot of labor and/or special equipment needed. The Bkav link in the article says that the mask costs USD$200 (is that labor and materials? or just materials?). USD$200 goes a LONG way in Vietnam - especially in labor/services. So I can assume the equivalent cost to make the mask is multiple times higher in the US.
iPhone owner: “So, you can unlock my iPhone using a mask that cost you just $200 to create? How does that work?”
Bkav: “Yes, it’s really quite simple. Just register FaceID, then immediately hand over your iPhone to us, before you use the iPhone to refine the FaceID data set, and also stand still while we take some detailed photos of your face under controlled lighting conditions. Then go home and come back tomorrow and we’ll show you the trick. Oh, and in the meantime please don’t use Find My Phone to lock us out, okay?”
And... GO!
As a moderator, consider posts with racist comments like the example below (final sentence).
So are people going to walk around wearing $200 masks of me, somehow getting the exact dimensions of my face? I think this is kinda stupid and worthless. Apparently, the Vietnamese have nothing better to do.
Kimberly - Simply mentioning a race doesn’t make a comment or a person racist.
If I comment that Filipinos apparently spend more time walking than Americans because many of them don’t own cars, is that a racist comment to you?
My wife is from the Philippines, and I have traveled there numerous times. My comment is simple observation.
If I comment that black people are more muscular than white people, is that a racist comment? Having more muscle is usually not considered a bad thing, but the point here is that I’m applying it to a race. On the flip-side, I’m also saying that other races are weaker (in terms of muscle mass) than black people. It’s not racist; it’s a simple fact.
I’m a physician and can tell you that black people are more muscular to the point where we have to use modified equations to calculate things like kidney function, because these equations make assumptions on muscle mass.
The last thing we need is for people so blinded by political correctness that whenever they see a comment that mentions a race, they feel obligated to stir up hate and try to stamp out speech.
The world has enough problems without people always feeling like they have to always walk on eggshells because of people like that.
Did anyone think that this wasn’t working to bypass Face ID? The simple fact is, who’s going to waste their time making a mask like this. Well you know maybe the CIA will waste of time making a mask. But your every day, common criminal? I don’t think so. I mean if they really wanted to they could just hold the phone right in front of your face and unlock it right then and there, why waste time with a mask? That’s the whole point.
Governments seem like they'd have the most internet.
One thing to consider with this bypass is that it probably required a lot of trial and error. If their mask did't unlock it, they'd make some adjustments and try again. Once the 5 attempts had passed (which could easily be triggered by others holding the device) they'd have to input the passcode again to unlock the device and then keep trying. Until this can be done with a printed images over a 3D mask in a short timeframe with a near 100% accuracy it's likely not even going to be useful to any gov't agencies.
Then you have the learning aspect of the device. No one has mentioned how long they used the device under normal circumstances before using the decoy. If the feds want to get access to a device with Face ID and the iPhone X has been used for months then it could be exponentially more difficult.
But I think that's neither hear nor there since the law currently doesn't protect biometrics and if they have a deceased shooter they can simply keep his eyes open and use Face ID to unlock (assuming he wasn't shot in the face and they covered the Face ID sensors so it didn't trigger a lock to passcode state.
So are people going to walk around wearing $200 masks of me, somehow getting the exact dimensions of my face? I think this is kinda stupid and worthless. Apparently, the Vietnamese have nothing better to do.
I would assume their goal is to make a commercial system that they could sell to law enforcement. When someone is arrested the mugshot could be taken with a 3D camera and a mask generated from the data.
From Mashable: "Bkav researchers said that making 3D model is very simple," the blog post noted. "A person can be secretly taken photos of in just a few seconds when entering a room containing a pre-setup system of cameras located at different angles. Then, the photos will be processed by algorithms to make a 3D object."
So, to unlock an iPhone X using this hack, you need to do one of two things: 1) Steal a phone and then capture a bunch of photos of the owner without his/her knowledge, print a mask using stone dust and some kind of infrared printer, all within 48 hours (or less) to get under the phone's biometric time limit, or 2) do all of that stuff BEFORE you steal the phone so the mask will be ready when you have the phone in your custody.
Oh yeah. You iPhone X owners should be petrified with concern.
petrified, by stone dust... haha, I see what you did there. well played.
So are people going to walk around wearing $200 masks of me, somehow getting the exact dimensions of my face? I think this is kinda stupid and worthless. Apparently, the Vietnamese have nothing better to do.
I would assume their goal is to make a commercial system that they could sell to law enforcement. When someone is arrested the mugshot could be taken with a 3D camera and a mask generated from the data.
But they could also just use your actual face if they have you in custody.
The registration is fake. His face doesn’t even fit into the circle and the process is faster than a real registration. He struggles to turn his head fast enough to match the bar animation. After registration he should show that that was a true registration by unlocking with his face first.
Actually since it cannot register a mask, the whole process is scam, a single continuous animation. It’s easily seen how he counts seconds before pressing the side button.
Comments
Sheesh... give it a rest.
(I see that lots of others had a similar reaction to the post; still, I’ll leave mine here)
Even if it was trivial to lure an individual to provide a face scan or fingerprint there is no guarantee that these scans will produce a working model, it could take many successive attempts to obtain workable scans, which is unlikely to be useful for criminals.
Then there are the various, potentially repeated, efforts needed to produce the physical mask or dummy fingerprint - and finally access to the device inside the time-out period for a log in to be successful. It's clear that face or touch id are both superior to repeatedly entering a passcode.
Altogether this reminds me of the "touch id" hacks, technically possible, but in the lifetime of touch id has proven to not be a weakness.
Agreed. They could have tried a dozen times, or way more.
——————
Here’s an another example, a “miraculous card trick”:
With cameras rolling ...
I ask someone to (randomly) think and identify any playing card.
I then ask them to remove that card from a deck of cards in plain sight in front of them.
They can’t find the card. It’s missing from the deck.
However they find that missing card in a sealed envelope. An envelope that has been in plain sight the whole time.
A miracle!!! ???
Nope. I just attempted the same trick multiple times on camera with different people.
The real trick is that I ONLY showed the successful video. And that video is 100% real and unfaked.
However, if you look at the entire record of EVERYTHING, it doesn’t look quite so miraculous. Even though the actual successful video is entirely REAL.
So yep. I’m unconvinced. Nice try!
-MAS
No doubt that state sponsored organizations can probably obtain everything needed to pull this off in one pass. But they also need physical access to the phone which means they would have to steal it in a stealthy manner or through force and/or coercion while also rendering the owner unable to remotely disable the device. That's a whole lot more time and work intensive than any number of very simple and effective brute force coercion and intimidation techniques that can be very easily employed to force the phone's owner to surrender their PIN code to unlock said phone. The 3D printed fake face is something you'd expect to see on a TV crime/fantasy series - truly laughable.
That was, of course, before the Note 7s started exploding and made the point moot.
I like the odds with ten fingers.
If I comment that Filipinos apparently spend more time walking than Americans because many of them don’t own cars, is that a racist comment to you?
My wife is from the Philippines, and I have traveled there numerous times. My comment is simple observation.
If I comment that black people are more muscular than white people, is that a racist comment? Having more muscle is usually not considered a bad thing, but the point here is that I’m applying it to a race. On the flip-side, I’m also saying that other races are weaker (in terms of muscle mass) than black people. It’s not racist; it’s a simple fact.
I’m a physician and can tell you that black people are more muscular to the point where we have to use modified equations to calculate things like kidney function, because these equations make assumptions on muscle mass.
The last thing we need is for people so blinded by political correctness that whenever they see a comment that mentions a race, they feel obligated to stir up hate and try to stamp out speech.
The world has enough problems without people always feeling like they have to always walk on eggshells because of people like that.
One thing to consider with this bypass is that it probably required a lot of trial and error. If their mask did't unlock it, they'd make some adjustments and try again. Once the 5 attempts had passed (which could easily be triggered by others holding the device) they'd have to input the passcode again to unlock the device and then keep trying. Until this can be done with a printed images over a 3D mask in a short timeframe with a near 100% accuracy it's likely not even going to be useful to any gov't agencies.
Then you have the learning aspect of the device. No one has mentioned how long they used the device under normal circumstances before using the decoy. If the feds want to get access to a device with Face ID and the iPhone X has been used for months then it could be exponentially more difficult.
But I think that's neither hear nor there since the law currently doesn't protect biometrics and if they have a deceased shooter they can simply keep his eyes open and use Face ID to unlock (assuming he wasn't shot in the face and they covered the Face ID sensors so it didn't trigger a lock to passcode state.
Actually since it cannot register a mask, the whole process is scam, a single continuous animation. It’s easily seen how he counts seconds before pressing the side button.