Security researchers say they used a $150 mask to break the Face ID facial recognition system that locks Apple’s new iPhone X. The work may be a significant, it may be little more than a stunt with few real-world consequences, or it could possibly be something in the middle. So far, it’s impossible to know because the researchers have evaded key questions about how they went about breaking into the device.
The supposed hack was carried out by researchers from Vietnamese security firm Bkav, which in 2009 demonstrated a way to bypass face-based authentication in Toshiba and Lenovo laptops. On Friday, company researchers published a video showing them unlocking an iPhone X by presenting it with a custom-made mask instead of the live human face that Apple has repeatedly insisted is the only thing that can satisfy the requirements of the facial recognition system.
The researchers said they designed their mask using 2D and 3D printers and that an artist made the nose by hand using silicone materials. Other features of the mask used 2D images and “special processing on the cheeks and around the face, where there are large skin areas” in a successful attempt to defeat the artificial intelligence Face ID uses to distinguish real faces from images, videos, or masks.
“It is quite hard to make the ‘correct’ mask without certain knowledge of security,” a Bkav representative wrote in an e-mail to Ars. “We were able to trick Apple’s AI, as mentioned in the writing, because we understood how their AI worked and how to bypass it.”
The truth is out there
The video and accompanying press release omitted key details that are needed for other researchers to assess if the results represent a true bypass of an authentication system Apple has spent years developing. One of the most important details is whether the mask successfully unlocked the iPhone immediately after it was set up to use the real human face for authentication or if the bypass succeeded only over a period of time following the face enrollment. The distinction is crucial. According to a white paper Apple published earlier this month, Face ID takes additional captures over time and uses them to augment enrolled Face ID data. If the researchers trained Face ID over time to work with the mask, they were giving themselves an advantage a real-world attacker wouldn’t have.
Another important consideration is how the mask was made. Did, for instance, the artist or any of the researchers have to have access to the real face the mask was based on? Did the human target sit for measurements or the taking of a mold? Or, on the other hand, was the mask solely crafted using images or videos that could be taken without the target’s knowledge or consent? Again, the answers are crucial because if the mask could only be created with the help of the target, the bypass doesn’t represent a meaningful hack.
Throughout the weekend, Ars pressed Bkav representatives repeatedly to describe these and other details. As the following exchange demonstrates, the representatives deflected and at times outright evaded the questions:
Ars: Were you able to use the mask to unlock the iPhone immediately after freshly enrolling the real face? The reason I ask is that, according to Apple’s whitepaper, Face ID will take additional captures over time and augment its enrolled Face ID data with the newly calculated mathematical representation. Can you describe precisely how you went about conducting this experiment?
Bkav: It does not matter whether Apple Face ID “learns” new images of the face, since it will not affect the truth that Apple Face ID is not an effective security measure. However, we knew about this “learning,” thus, to give a more persuasive result, we applied the strict rule of “absolutely no passcode” when crafting the mask.
Ars: Can you explain why your hack worked but the ones attempted by Wired magazine failed?
Bkav: Because… we are the leading cyber security firm 😉 It is quite hard to make the “correct” mask without certain knowledge of security. We were able to trick Apple’s AI, as mentioned in the writing, because we understood how their AI worked and how to bypass it. As in 2008, we were the first to show that face recognition was not an effective security measure for laptops.
Ars: Are the dimensions of a person’s face needed? How would those be obtained without a target sitting for them?
Bkav: The 1st point is, everything went much more easily than you expect. You can try it out with your own iPhone X, the phone shall recognize you even when you cover a half of your face. It means the recognition mechanism is not as strict as you think, Apple seems to rely too much on Face ID’s AI. We just need a half face to create the mask. It was even simpler than we ourselves had thought.
Apple has done this not so well. I remember reading an article on Mashable, in which Apple told that iPhone X had been planned to be rolled out in 2018, but the company then decided to release it one year earlier. This shows that they haven’t carried out scientific and serious estimation before deciding to replace Touch ID with Face ID.
The 2nd point is, in cyber security, we call it Proof of Concept, which is useful for both sides, the hackers and the users. The hackers, they can find out a simpler way to exploit users’ device based on such PoC. While with users, if they know about such possibility, they will not use the feature to keep themselves safe. Just like the KRACK attack, it is not easy to be successfully exploited but users are urged to update the patch ASAP, because the threats are real. With Face ID’s being beaten by our mask, FBI, CIA, country leaders, leaders of major corporations, ect. are the ones that need to know about the issue, because their devices are worth illegal unlock attempts. Exploitation is difficult for normal users, but simple for professional ones.
Ars: What’s the approximate cost of the mask?
Bkav: ~150 USD
Ars: How long did it take to construct the mask, including the time to develop 3D models and other assets associated with its production?
Bkav: We started working on it, including 3D models and other assets, right after receiving iPhone X on Nov 5.
Ars: What technologies and techniques were employed to make the 3D model associated with the 3D-printed portions of the mask?
Bkav: We used a popular 3D printer. Nose was made by a handmade artist. We use 2D printing for other parts (similar to how we tricked Face Recognition 9 years ago). The skin was also hand-made to trick Apple’s AI.
Ars: Who would be the target for this kind of attack?
Bkav: Potential targets shall not be regular users, but billionaires, leaders of major corporations, nation leaders and agents like FBI need to understand the Face ID’s issue. Security units’ competitors, commercial rivals of corporations, and even nations might benefit from our PoC.
In a follow-up e-mail, I wrote:
Thanks so much for the response. A few more questions:
— It’s still not clear precisely how you went about conducting this experiment. Were you able to use the mask to unlock the phone immediately after enrolling the real face?
— Please explain precisely what was needed to make the mask. Did you need physical access to the real face? Did you have to measure, touch, or otherwise interact with the real face? Were you able to create the mask simply by taking a picture or video of the face? How did the artist create the nose? Did the artist touch the real nose, take a mold of the real nose, or otherwise interact with it in any way?
— Using your technique, what would a real-world attacker have to do to go about creating a mask that unlocked the phone of a billionaire, corporate leader, nation leader or FBI agent? Would the attacker have to have access to the target’s actual face, or would a video or picture of the face be enough?
Please be as specific as possible, and please don’t discuss additional matters or opinions until directly answering these questions. Thanks again for your help.
A few hours later, I sent another e-mail that read:
Now that I’ve thought about things a bit more, here are a few more questions:
— What printers did you use, particularly for the 2D prints?
— What kind of material did you use as skin? Did you use real skin?
— The video and writing make no mention of the enrollment and how quickly it preceded the mask bypass. Is there a reason these details aren’t covered?
A few comments if I may. I respectfully disagree when you say it doesn’t matter whether Apple Face ID learns new images of the face. It most definitely matters under which conditions new faces are learned. If a passcode is used by the attacker with the mask, it’s not a valid hack. Furthermore, even without using the passcode, the mask might only be recognized after a large number of attempts that would have triggered the lockout after 5 failed tries but then storing the mask into the templates resulting in a first-try success. I think security people are likely to be skeptical of this hack without explicit documentation of these details.
The representative responded with the following:
Your questions are very good ones, we like them very much 🙂
Let me update that there’s a QA part newly added to the following post http://www.bkav.com/FaceID. The QA comprises questions from different journalists (including you) that we continually gather and give answers to, so that those who are still doubtful can find out something they need.
About 3D scanning and printing, it is now simple, will be even more simple in the future. We might use smartphones with 3D scanning capabilities (like Sony XZ1); or set up a room with a 3D scanner, a few seconds is enough for the scanning (here’s an example of a 3D scanning booth).
An easier way is photograph-based, artists craft a thing from its photos. Take the nose of our mask for example, its creation is not complicated at all. We had an artist make it by silicone first. Then, when we found that the nose did not perfectly meet our demand, we fixed it by our own, then the hack worked. That’s why there’s a part on the nose’s left side that is of a different color (photo attached). So, it’s easy to make the mask and beat Face ID. Here, I want to repeat that our experiment is a kind of Proof of Concept, the purpose of which is to prove a principle, other issues will be researched later.
Additionally, because many journalists want to know more about our experiment, an international press conference is planned to be held and live streamed early next week. During the conference, any of your further questions and the ones that are left unclarified in this email will be answered clearly and satisfactorily. Detailed time and duration will be available soon. For the time being, I hope that the QA and above information can be useful to some extent.
One way of reading the responses suggests that the researchers and artist required the help of the target to create the mask, but in the future, the researchers think it will be possible to design similar masks that will instead require only the aid of 3D scans or photographs that could be taken without the target’s knowledge or consent. If this interpretation is correct, the bypass is still interesting because it undermines Apple’s contention that only a live face can be used to unlock a Face-ID enabled phone. But a hack that requires the help of the target would nonetheless suggest that for the time being, Face ID remains relatively secure.
Bkav researchers should publish a longer video that documents what was required to make the mask and whether it’s able to fool Face ID immediately after a real face has been enrolled. Until then, it’s impossible to say if this is a real hack.
More Info: arstechnica.com