
Breaking Into Android Phones with a 3D-Printed Head - rexbee
https://www.forbes.com/sites/thomasbrewster/2018/12/13/we-broke-into-a-bunch-of-android-phones-with-a-3d-printed-head/#305e5c2f1330
======
shambolicfroli
Hmm. When I had a skin cancer excised by a surgeon, in a followup visit a
woman with no ID came in and made a point of taking closeup photos of full-
face and profile. When I asked she said this was standard (for minor skin
cancer removal). (Same place, where I walked into the room for the procedure,
they had Carole King singing "it's too late" at loud volume on a portable
stereo sitting on the ground.)

~~~
gumby
I was considering doing a startup addressing skin cancer and a number of Mohs
surgeons were happy to have me come in and observe the entire process. To the
patients they'd just say "he's observing today" and not even introduce me or
ask the patient (or me) to sign anything.

I have a friend whose startup was doing a surgical product; after I told
him my story he called up a bunch of plastic surgeons and went and observed a
bunch of them.

Both of us were interested in workflow; the actual science we had done on
animals of course, but our research was aimed at seeing if the product would
be viable (could be medically wonderful but if the doctors don't care they
won't use it on the patients, even if it improves outcome).

I don't think we could have done this at a hospital, but given that it was
surgery (surgeons have a lot of freedom) perhaps we could have.

------
goda90
Biometrics will never be a password. It's got to be a combo of something you
have and something you know.

~~~
zeta0134
Agreed. Biometrics doesn't even qualify as something you have. It's something
that you _are._ If your physical key gets compromised in some way, you can
generally have a new one issued. But you can't just re-issue your face.

~~~
wlesieutre
You _can_, it’s just risky and expensive and probably not something you want
to do.

------
matt4077
The article is unfortunately unclear on this, but I believe they succeeded
only on the Android phones, not with the iPhone X they also tried it on.

To wit: "[..] four Android models and an iPhone X.

Bad news if you’re an Android user: all four phones unlocked with the 3D
printed head."

------
null000
Considering I don't use face unlock on anything I care about (most financial
apps, for instance, are protected by strong passwords and/or fingerprints) and
the sheer fiddliness of 3d printing, if they can get a scan and print of my
head off, they earned what they find. Have fun looking through a bunch of porn
and reddit shitposting, I guess.

------
DanAndersen
Does anyone know if there's anything about the unlocking method that requires
the model to be 3D-printed?

It seems like you could render the 3D model of the head on a monitor and point
the phone's camera at the monitor. If the phone needs to see some sort of
parallax change relative to its own motion (from internal sensors), then one
could put a 6-DOF tracker onto the phone and use it to update the rendered
viewpoint of the head (a form of user perspective rendering).

Such an approach would be quite useful for law enforcement to gain access with
much less time waiting for printing.

~~~
prepend
The iPhone uses lasers so it’s not just imaging but depth measurement. I
don’t think it could be faked with only a monitor.

~~~
rootusrootus
In this example, though, the iPhone did not fall for the 3D printed head, so
this attack would likely be just as effective with a picture.

~~~
tantalor
Just as _ineffective_

~~~
rootusrootus
I meant against the Android phones, which are just using a 2D camera for face
detection.

------
ricardobeat
So the iPhone was not fooled? They seem to conveniently ignore this for the
remainder of the article - more clickbait power.

~~~
alansammarone
No such luck with the iPhone X, though. Apple's investment in its tech - which
saw the company work with a Hollywood studio to create realistic masks to test
Face ID - has clearly paid off. It was impossible to break in with the model.

~~~
SlowRobotAhead
I imagine this is because the printed head isn’t anything but one-color under
IR, it’s all the same temperature, right?

Seems like an interesting challenge to create a heated fake head.

~~~
_tulpa
The IR camera and the dot projector they use it with are in the near IR range
(as in wavelengths near the visible part of the spectrum). It’s mostly only
used to get depth data, and it’s near-IR so that you don’t get a bunch of
visible dots projected onto your face every time you use it.

I guess you could see temperatures, but you’d have to point it at something
almost hot enough to emit visible light. For normal face temperatures you’d
need something sensitive to far IR.

~~~
SlowRobotAhead
If it’s just 3D without heat mapping, why don’t masks work?

~~~
_tulpa
I mean... A quick search would show you that masks can work. But I’ll bite.

It’s really precise 3D with a greyscale non-thermal IR image. Could be
inaccurate masks? Missing details around the eyes and mouth and other
important areas? Do masks have eyes with a discernable gaze direction? Do they
have microexpressions or natural facial deformation? Do the eyes move?

There’s a buttload of stuff they could be measuring that is insanely hard to
replicate with a mask. Besides, a thermal map would be pretty much useless
even if the hardware was capable of thermal imaging. Skin temperature varies a
lot (and not always uniformly) based on ambient conditions, physical exertion,
being sick, sitting in direct sunlight, etc, etc.

~~~
rtkwe
Hmm I wonder if it is gaze detection. Seems like if you can detect gaze
direction fast enough you could use the presence or absence of saccades to
tell if it's a real live person or not. Doing that in a mask/bust would be
fairly difficult.

It could also be looking at small changes like the periodic flushing that
happens (see [0]). Though I'm not sure how well that would work on a moving
phone but it could work I think just at a broader scale. FaceID is really fast
though so not certain there's enough time to gather the data for that either.

[0]
[http://people.csail.mit.edu/mrub/vidmag/](http://people.csail.mit.edu/mrub/vidmag/)

------
agumonkey
Reminds me of old Mission Impossible episodes where they prepped rubber masks.

~~~
dbcurtis
Mythbusters did an episode about those masks. They only fooled humans at a
distance, and then not well.

Grant does a heck of a double-take, though, at one point. It is a fun episode
so I won’t spoil it.

------
cronix
Excuse me while I (covertly) laser scan your face to create a 3d model so I
can print it and unlock your phone.

~~~
DanAndersen
For now, at least.

Some companies have massive annotated databases of people's faces from
different angles, and the ability to do plausible 3D reconstruction of the
faces.

~~~
cronix
Yes, like some DMVs do facial scanning now, and some cities/counties are
hooking it up to Amazon's Rekognition with cameras mounted in public as well as
Palantir software, among others. The FBI tends to use those DBs too. I'll
stick to my password, which is actually constitutionally protected, unlike a
face, which can be seen from public.

------
bunnycorn
I've watched the video and it ends terribly bad.

No, the passcode might be in your head, but if someone sees you in a CCTV
entering the passcode, it's not only there anymore.

------
armenarmen
What level of detail do airport security body scanners have? Enough to print a
head good enough to unlock a phone?

------
intopieces
I wish there were an option to make the successful face scan my username, not
my password.

~~~
gbaygon
how many usernames do you need in your phone?

~~~
saagarjha
Android supports multiple "profiles", so it's convenient when you have a
shared device such as a family tablet.

------
dawnerd
Would be interested to see how well Windows Hello stacks up on proper
hardware.

------
lern_too_spel
Do any Android users actually use face unlock? It always seemed like a
gimmicky feature from the early days of smartphones when everyone was just
trying to build up their patent portfolios.

~~~
sidkhanooja
I use a OnePlus phone (don't know if HN users have heard of it), and OP users
rarely use the fingerprint unlock.

Although the user is definitely compromising on security, the speed of face
unlock is such that it is near-instantaneous. Double tap the display, and you
don't even have to blink - the phone unlocks.

It may be a gimmick in the early days of Android (think Nougat or even Oreo),
but it's definitely not a gimmick now, for me at least. It's fast enough to
have proved its worth.

------
detaro
This repeats the contents of another, IMHO better-worded article:
[https://www.forbes.com/sites/thomasbrewster/2018/12/13/we-br...](https://www.forbes.com/sites/thomasbrewster/2018/12/13/we-broke-into-a-bunch-of-android-phones-with-a-3d-printed-head/)

Please submit the original source to HN!

~~~
gumby
The Forbes link is indeed better.

Forbes links seem to have a poor rep on HN because they are mostly poor blog
entries that could have been on Medium. The one you posted was an exception.

------
amelius
Why didn't Apple consider to unlock phones using a smartwatch instead?

That might have been a compelling reason to actually buy one.

~~~
vivekseth
You can use an Apple Watch to unlock a MacBook!

~~~
MBCook
I really wish they didn’t have to be on the same iCloud account though. It
would be nice to register my watch to unlock my work computer, but I can’t.

