When Apple released the iPhone X on November 3, it touched off an immediate race among hackers around the world to be the first to fool the company’s futuristic new form of authentication. A week later, hackers on the actual other side of the world claim to have successfully duplicated someone’s face to unlock his iPhone X—with what looks like a simpler technique than some security researchers believed possible, according to Wired.
On Friday, Vietnamese security firm Bkav released a blog post and video showing that—by all appearances—they’d cracked Face ID with a composite mask of 3D-printed plastic, silicone, makeup, and simple paper cutouts, which in combination tricked an iPhone X into unlocking. That demonstration, which has yet to be confirmed publicly by other security researchers, could poke a hole in the expensive security of the iPhone X, particularly given that the researchers say their mask cost just $150 to make.
But it’s also a hacking proof-of-concept that, for now, shouldn’t alarm the average iPhone owner, given the time, effort, and access to someone’s face required to recreate it.
Bkav, meanwhile, didn’t mince words in its blog post and FAQ on the research. “Apple has done this not so well,” writes the company. “Face ID can be fooled by mask, which means it is not an effective security measure.”
In the video posted to YouTube one of the company’s staff pulls a piece of cloth from a mounted mask facing an iPhone X on a stand, and the phone instantly unlocks. Despite the phone’s sophisticated 3D infrared mapping of its owner’s face and AI-driven modeling, the researchers say they were able to achieve that spoofing with a relatively basic mask: little more than a sculpted silicone nose, some two-dimensional eyes and lips printed on paper, all mounted on a 3D-printed plastic frame made from a digital scan of the would-be victim’s face.
The researchers concede, however, that their technique would require a detailed measurement or digital scan of a the face of the target iPhone’s owner. That puts their spoofing method in the realm of highly targeted espionage, rather than the sort of run-of-the-mill hacking most iPhone X owners might face, says Wired.
“Potential targets shall not be regular users, but billionaires, leaders of major corporations, nation leaders, and agents like FBI need to understand the Face ID’s issue,” the Bkav researchers write. They also suggest that future versions of their technique might be performed with a quick smartphone scan of a victim’s face, or even a model created from photographs, but didn’t make any predictions about how easy those next steps might be to engineer.
The Bkav researchers say they were able to crack Face ID with a cheap mix of materials, 3D printing rather than face-casting, and perhaps most surprisingly, fixed, two-dimensional printed eyes. The researchers haven’t yet revealed much about their process, or the testing that led them to that technique, which may prompt some skepticism.