When Face ID was announced back in September, many shared their concerns regarding the new feature’s possible limitations. Though Apple assured users that Face ID would be extremely difficult to deceive, everyone from security researchers to pranksters have been waiting with bated breath for the iPhone X to be released so they could test that claim.
Now, just a week after people actually started getting their hands on Apple’s new flagship model, Vietnamese security firm Bkav announced in a blog post it has successfully spoofed Face ID with a fairly rudimentary mask.
Andy Greenberg of Wired addressed the claims in more detail:
On Friday, Vietnamese security firm Bkav released a blog post and video showing that—by all appearances—they’d cracked Face ID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which in combination tricked an iPhone X into unlocking. That demonstration, which has yet to be confirmed publicly by other security researchers, could poke a hole in the expensive security of the iPhone X, particularly given that the researchers say their mask cost just $150 to make.
It’s important to distinguish this type of spoofing attack from an actual hack. At no time did anyone break into Apple’s secure enclave, access any Face ID data, or get around the hardware of the system.
As far the spoof goes, Greenberg also notes that in order to pull this trickery off, a person would have to dedicate a good amount of time and effort to the project and have pretty regular access to your face. According to Bkav’s researchers, their method requires at least five minutes of 3D facial scanning and measuring, and is therefore not necessarily something the average user would need to worry about:
Potential targets shall not be regular users, but billionaires, leaders of major corporations, nation leaders and agents like FBI need to understand the Face ID’s issue.
It’s also worth noting that the security firm doesn’t specify whether it trained Face ID against the mask.
If you carefully craft a 100% reproduction of a key, you can probably unlock the same tumblers the original does. This is not new tech. Stop talking about it if you refuse to understand it. https://t.co/8OsjJWbVaP
— Jerry Hildenbrand (@gbhil) November 12, 2017
In the end, if you’ve recently purchased an iPhone X, you’re no more at risk than you were back when you used your fingerprint to unlock your device. If you remember, when Touch ID launched we saw a similar spate of CSI-style spoofing there as well.
If you’re a Bruce Wayne-level elite or a secret agent of some kind, just keep taking the same precautions you did before you upgraded. However, if you’re just a run-of-the-mill iPhone wielder like the rest of us average folk, it’s super unlikely that your content is in danger.
What do you think about the individuals at Bkav allegedly fooling Face ID? Let us know in the comments.