“Apple has done this not so well. I remember reading an article on Mashable, in which Apple told that iPhone X had been planned to be rolled out in 2018, but the company then decided to release it one year earlier. This shows that they haven't carried out scientific and serious estimation before deciding to replace Touch ID with Face ID.”
In any case, this doesn’t worry me personally too much. I don’t expect biometrics to be more secure than a password, just reasonably secure and more convenient. Before Touch ID, my passcode was 0000 with a four-hour lock timeout. I only had it set because some apps reduced functionality if no passcode was set. Real world security for me increased a lot with biometrics.
As for fingerprints versus facial recognition, the article claims fingerprints are better, but I’m skeptical. For one thing, my phone is covered in my own fingerprints, so getting something to copy is a lot easier.
In the meantime, my iPhone X arrives on Thursday, and I’m looking forward to training Face ID. All I got from this article was “these are the lengths you have to go to to defeat it”, which seems pretty darn good for my purposes.
One thing I'd really be interested in learning about is how much time and how many attempts it took them before they could successfully unlock the phone. And more pertinently, what those values might look like once they get some more experience with it. In a real-world scenario, they only get 48 hours and 5 attempts, so any technique which takes more than that is still nonviable.
It will also be interesting to see if Apple is able to improve their defenses against this. I get the sense that they couldn't improve Touch ID much because a good fake fingerprint looks just like a real one to the sensor. This mask definitely does not look much like the person's actual face, so they may be able to tweak things to be more resistant to this attack.
Which is not to say that this attack is pointless or these guys are dumb or anything. I'm impressed with their work! It's just not a game over situation the way they make it sound in certain parts of their writeup.
Would it be possible to have a really secure phone that had fake fingerprints added to the material of the surface of the phone?
I'm only half-serious, but it might make lifting the real prints harder...
(maybe it is trivial to distinguish prints made on a surface from those in the structure of the surface)
You might have a better shot at coming up with some material that just doesn't get fingerprints on it in the first place. Maybe a cloth-covered phone?
Because we don't touch 20000 other objects every day from where someone can pick our fingertips from?
We're less likely to lose one of those objects at the same place and time we leave our phone somewhere. It's comparable to leaving your keys in your car. Sure, someone could find those keys where you lost them and then find your car - but it sure is easier for them when they're both in the same place.
I think it's very likely that you touch something at the place where you left your phone, assuming that it wasn't dropped while you were moving.
I believe it is. Fingerprints left on a surface are made with oils from the skin and are "lifted" off by applying a substance that sticks to it and literally lifting the print off the surface.
Use your pinky or ring finger for fingerprint recognition.
Well, that's hardly a criterion for most people. I'd rather give the password than die.
What about that part makes it hard to "take them seriously"?
Their claims to be "the leading security firm" etc might be, but this is a perfectly rational and plausible claim (and the part that the technology was rushed is true as told by Apple).
>Before Touch ID, my passcode was 0000 with a four-hour lock timeout.
Then probably you're not the target market for a secure device.
There's no such thing as "a secure device." There are devices which offer various levels and types of security. If you're a CIA officer carrying classified secrets on your device, you probably don't want to use Face ID. For the average user, it's a nice increase in security.
Face ID is a gimmick to keep attention on the iPhone.
The second thing is their claims and their focus on marketing around security. This was easily beaten in its first week in the real world! So it's not really that secure is it?
The third thing is that Apple has a long history of choosing gimmicks over actual functionality. The OS X dock is just one example of this.
The second thing means they maybe didn't succeed to the extent they wanted to, but certainly doesn't tell us that security wasn't even a goal.
The third thing is irrelevant to the question at hand.
Neither does TouchID, and you’ll pry that from my cold, dead, fingers, one of which will probably be hovering over the TouchID sensor.
Non sequitur? Sounds like a totally rational argument to me, to the point of being a tautology.
Rushed a feature to market by one year == they also rushed the testing.
Apple never said they rushed the phone. They said they were able to get it out early. These are not the same thing; "rushed" implies that quality suffered, while merely getting it out early could just be due to work going faster than anticipated.
Even if the phone as a whole was "rushed," that doesn't mean Face ID was. Maybe it was naturally ready by now.
Even if Face ID was rushed, that doesn't mean that the security aspects were rushed.
Even if Face ID's security aspects were rushed, that doesn't mean testing was rushed.
It's like if you show up early to a meeting and so I accuse you of speeding. Is that sensible?
No, but it is sensible to consider that if they've estimated 2018 themselves as the initial release date and then put it out in 2017, they didn't "make it naturally" but rather rushed it.
I don't say that's 100% proven or anything.
But it's very sensible to consider -- in other words plausible.
It might be "rushing to conclusions" but it's totally not a "non sequitur", since evidence in support is there, even if you find it lacking.
You previously said it was "to the point of being a tautology."
I think this quote is fitting:
"More than anything though, we need to remember that Face ID introduces another security model with its own upsides and downsides on both security and usability. It's not "less secure than a PIN", it's differently secure and the trick now is in individuals choosing the auth model that's right for them."
> given the processing power to actually observe and interpret eye movements in the split second within which you expect this to work, this would be a really neat failsafe. Apple highlights this as "attention awareness"
Yes, it would be a great failsafe.
However, if the PoC demonstrated by Bkav is legit, it would seem that Face ID doesn't look for eye movement; it just checks if the eyes are oriented toward the device.
That said, I agree that regular people probably don't need to worry about any of this.
If they could demonstrate it working from a 3D printed mask taken from a surreptitious scan at distance in the outdoors then I think we'd have reason to be worried.
For spies, spooks, government agents etc. I suspect that Face ID would always be a no-no as it is much harder to control the ability of others to eavesdrop.
> However, we knew about this "learning", thus, to give a more persuasive result, we applied the strict rule of "absolutely no passcode" when crafting the mask.
"Face ID takes another capture and augments its enrolled Face ID data"
Here's the entire quote:
"…if Face ID fails to recognize you, but the match quality is higher than a certain threshold and you immediately follow the failure by entering your passcode, Face ID takes another capture and augments its enrolled Face ID data with the newly calculated mathematical representation"
So like what they can gather from 100s of one's photos in social media and other places?
As the OP said: demonstrate that from that data you can produce a sufficiently accurate model that works with this method.
The article hasn’t.
It may be possible (you only have to match the resolution of the IR depth map) but it is not currently demonstrated.
Plus I imagine it’s quite easy to refine FaceID in the software as well so an attack like this may not be very long lasting.
I would be astonished if state actors are not already well on their way to figuring out how to do this.
This, in comparison, seems much harder and consequently further reduces the realistic attack scenarios where people have to be worried. For most people this is a non-issue. (It mostly already was a non-issue with fingerprints, for the same reasons.)
I think the biggest difference in time was given by the "attacker" trying to understand what the FaceID system is looking for exactly, as an algorithm. But once they know that, future attacks should be much faster. Like if they try to bypass someone else's phone, it shouldn't take another 7 days. It could even be hours.
With TouchID they already knew what to do - clone someone's fingerprint. There's no machine learning algorithm that needs to be reverse-engineered there.
Not necessarily, as the algorithm is a NN (IIRC), so it looks for different things on different people too.
For example, you have to use FaceID every 4 hours or it requires a passcode. Do you think they were able to hand make an acceptable mask within 4 hours?
Regarding the four-hour limit, the attacker has to either cheat and start making the mask in advance, or practise making masks quickly. Neither seems impossible. But of course, Apple could (and IMO would) improve the defense. I'm sure Apple would think of ways to counter any publicly known attack.
You mean like a phone or something?
Fingerprints are easy to copy and you cannot change them, so fingerprints might be more secure than using the PIN 1234. But it isn't more secure than a strong password, but so much more convenient to use...
3d printing is getting better and cheaper all the time.
Cameras and software are getting better all the time.
If someone cares enough to invest the R&D it should be pretty easy to automate everything between getting photos of someone and printing the mask.
The point is that using biometric authentication as an all-in-one isn't secure.
But then we already know it’s not as secure as two factor authentication and a random passcode. Touch ID could be fooled with predict fingerprints as well, though with the deep subcutaneous scanning in later versions it was much harder than with the first version. Anyway, nobody who critically depends on the security of their phone should use Face ID or Touch ID anyway.
My guesses on how those attacks will develop in the future are:
1. Exploit occlusions.
As far as I know the FaceID system does work with occluded faces (glasses, maybe scarfs in the winter, ...). Once you know what the minimum required visible area is, you can focus on partial faces. If the algorithm has fewer features to identify, it probably makes more mistakes and is easier to fool.
2. Create a low-dimensional (in terms of parameters, not vertices) representation of a face that can be tuned to mimic a wide variety of target faces and still is correctly identified by Face ID. Once you have that you can take a few photos of your target person and tune the parameters in your generic model to fit the person in the photos, and probably be even able to reconstruct a mask from far away.
3. Try to create a real mask with a flexible surface that can be tuned to fit a wide range of faces. If at all possible try to span the same feature space as in 2.) as it would allow you to create a real face mask from only the few parameters that directly come from your fitting process.
If all of the above works an attacker can create an iPhone-stealing pipeline:
Have several cameras set up in a crowded tourist spot. Match persons in different views and try to reconstruct their faces. Once the system has found a person that has been viewed from enough angles, "retrieve" his phone, unlock it with the mask and reset it.
I know that does sound pessimistic, but your face is a "security token" but one which you can not realistically protect from theft. Unless you want it to have serious negative impact on your daily routine.
And if someone wants to hide his face while in public (i.e. with a surgical mask), he can no longer travel to certain countries. I live in Austria and there just recently came a law into effect that bars everyone from occluding their face while in public.
Well, the same applies to the iPhoneX and its software, I suppose.
A scanner could be placed e.g. behind or on top of a mirror in a restroom.
Just to be usable to map the face in 3D space and make a mask.
Once you start getting into higher security areas, you still need multiple identity factors to authenticate people. I'd guess that a bigger potential risk factor for systems like FaceID is intent -- entry of a passcode or fingerprint being placed on a button is a more explicit expression of intent as opposed to glancing at a device.
These scans were made from photographs:
You are correct. Face recognition, like any other biometric, is a bit of a farce. The face doesn't unlock the phone. The face is read by software which then generates some string of numbers, essentially a hash of the face/print, that then unlocks the phone. That hashing process can be hacked/intercepted/replicated just as with any other password. Biometrics is a convenience feature, not a security device. But the real reason that biometrics aren't used in highly secure environments is the difficulty of repudiation. If/when a break-in does occur, how exactly does everyone reset their faces? It's like asking everyone to reset their passwords and everyone then using the same passwords. What you have to do is install a new hashing regime and rescan everyone's faces.
The best system, the one that is used most everywhere, is three-factor: (1) A card you carry/scan. (2) A password/code you enter into a pad. (3) An old man behind glass, usually a retired soldier, who has been in the job for years and knows everyone in the building. That old man can recognize people better than any biometric scanner.
Also because the former carries a much smaller jail sentence if caught.
"""Q: How did Bkav develop the mask (for example why you use silicone for the nose, why 3D printing for some areas while special processing for others, etc.)?
A: You are right. Many people in the world have tried different kinds of masks but all failed. It is because we understand how AI of Face ID works and how to bypass it. As stated above, we were the first in the world to show that face recognition was not an effective security measure for laptops."""
is a really nice way to dodge the question of why they used silicone for some parts of the mask.
I'm not sure of the authenticity of this story. The authors of the hack claim to be: "the leading firm in network security, software, smartphone manufacturing (Bkav.com/Bphone) and smarthome"[sic] and one of their products is a "gold plated SmartHome for super luxury villas".
I wonder if it will work in ordinary luxury villas...
Interesting. I expected this to be some quite obscure technique.
That seems reasonably obscure (:
Anyway, the key point here is that Face ID didn't fail to recognize Craig, it refused to recognize him because it had already been locked.
But you don't even use HTTPS. Why?
It's not about whether the provider wants the information to be public, it's about whether the provider wants the information to arrive intact.
Claims such as “we are the leading cyber security firm” and “we understand apple’s AI and how to beat it” do not make you look more competent, just more boastful.
"A: It does not matter whether Apple Face ID "learns" new images of the face, since it will not affect the truth that Apple Face ID is not an effective security measure. However, we knew about this "learning", thus, to give a more persuasive result, we applied the strict rule of "absolutely no passcode" when crafting the mask."
Does it mean passcode was completely off and the phone would not lock itself after a few failed attempts? Because there's a difference between trying until it works and getting a mask within 24 hours that does not fail three times.
They are saying the question is moot.
> However, we knew about this "learning"
but they are going to answer the question regardless
> thus, to give a more persuasive result, we applied the strict rule of "absolutely no passcode" when crafting the mask.
They ensured that the mask didn't get integrated into Apple's learning data by never entering the pin. The understanding is that whenever a failed face scan is followed by a correct pin, the face scan is added to learning data (since the assumption is it belongs to the legit user).
It should be self-evident that neither of these is "secure" for some level of "security", but they might be perfectly fine for the level of threat that you face, which is not likely to be particularly high. But I don't know you, so maybe you face a higher-than-average level of threat, in which case, yes, a sufficiently long password/passphrase that you memorise is probably the best option for your mobile device.
Eventually they may become easy to copy, then their utility as secrets will be gone.
If your goal is not having the punk who grabs your phone be able to get access to your banking info or personal data, any competent biometric system is a huge win if it means that the average person keeps their device locked rather than unlocked because it's too much trouble.
If you're worried about mass surveillance-style attacks, a fingerprint sensor or advanced face scanner is likely better than a password because it's significantly harder to harvest using a camera in a public place.
If you're being targeted, all of those trade-offs change, almost completely if state-level resources are involved.
That's always been the case. The main promise of biometric security was not "better security", but better convenience. The best argument for it would be that it makes average security better, in the sense that more people use it than not use anything at all or re-using passwords, but it's not the best way to secure your devices.
Password manager + U2F token is the most secure way to lock your accounts.
Someone could just hold a gun to your head or to your partner/child and then it's irrelevant what the security mechanism is. You are going to hand over the credential since your privacy is not more important than your life.
The issue is convenience together with good enough security
In the real world, effective biometrics are the most secure login tokens we have.
PS: I read that some community firmware images allow this mode, the only thing that stops me from using them is lack of camera drivers for unofficial firmware.
This was posted 2 days ago, any statement from Apple on this story?
> It does not matter whether Apple Face ID "learns" new images of the face, since it will not affect the truth that Apple Face ID is not an effective security measure. However, we knew about this "learning", thus, to give a more persuasive result, we applied the strict rule of "absolutely no passcode" when crafting the mask.
My guess would be because it doesn't actually work.
It's infuriating that each time a mass-produced biometric scanner comes out, it's hogtied by the fact this cheap technology isn't quite good enough yet.
> Does this person have an Apple Watch? Is the device in range? Is it unlocked? Do the wearer's biometrics match?
Most individuals have (for better or worse) bought into the (relatively) closed system of Apple products – why not continue leveraging that to their advantage?
I'd say the ideal plot would follow an exponential curve, and seems that if you didn't keep a lot of personal data on your phone and all your social, financial and mail accounts can be reset quickly via the web, you don't need much security provided you maintain custody of your device. That said, I'm glad that any claims as to the security of biometrics are not just taken at Apple's/Samsung's/Google's word.
I remember the iPhoneX event stated that there was an exponentially smaller chance that someone else's face could unlock your phone, and that masks "won't work". I could also be mis-remembering, but there is a way to tell the iPhoneX to not allow your face if you find yourself compromised in some way. So unless someone has access to make a 3d rendering of your face, the means to make a mask and the opportunity to take your phone before you can signal that you want to authenticate with a password it seems pretty secure...
What about the false negative rate however? This is what will actually aggravate users.
As a user I like touch unlock. I can do it without looking at the phone, having the phone gave me, in the dark, wearing sunglasses and so on.
To me face recognition just seems like a huge step backwards. I'd love to be proven wrong.
Overall it’s much smoother and non-intrusive than TouchID
I’ve never needed to unlock my phone in a situation where I’m not about to look at it so I’m not sure what use case you’re running into there.
As for in the dark: it automatically scans when you swipe up, so no issue. Don’t think of it as “using Face ID” think of it as “swipe up to unlock phone”. The Face ID is just an implementation detail.
Did they configure Face ID, make the mask and then it worked immediately? Did they tinker with the mask until it worked? From the way this is written I suppose the latter.
Nevertheless, I thought Apple was detecting small movements in eyes to ensure that the subject in front is actually a living human. I don't know where I got this from, but now I am disappointed.
Face ID does track eye movement ("require attention"), but you can turn off that setting. I haven't found any information as to whether the firm disabled the eye tracking for this crack.
> Q: What's the approximate cost of the mask?
> A: ~ 150 USD
Taken together, the second answer cannot be true. Only if the cost stated is related to material cost only, which is only one input factor to assess the total cost of this approach.
In any case, if it needed only a paper print, you wouldn't count the cost of the printer, since you can print it anywhere.
Then "hand made" skin, which they don't reference cost or time spent creating.
Then "hand made" nose, which they don't reference cost or time spent creating.
Also makeup, which they don't reference cost or time spent applying.
This is a security firm serving up info with HTTP, not HTTPS, ducking every serious question to the point it seems likely they are hiding something. Even if everything they claim is true, their attack vector is so difficult chances of success would seem to be effectively nil.
Not sure about the "hand-made" skin, but it might just be some white and glossy paint?
In the end, what they've shown is FaceID is just as secure as Apple claimed. Apple never claimed impervious to any attacks, they claimed it would work well and quickly, and be more resistant to attack than TouchID. Requiring a Mission Impossible level team to create a mask that duplicates your face is not a level of attack most customers are concerned with.
TouchID can be defeated simply by stealing the device, lifting the owner's fingerprints from said device, and 3d printing duplicate prints to use. FaceID is far more secure than that.
At no time that I’m aware have Apple claimed resilience against masks or gelatin fingers.
That's such a meaningless slogan. Passwords and biometrics have different pros and cons, but they are the same in that they increase security.
Biometrics should never be used as the sole authentication method
* Biometrics is always better than no security.
* Biometrics done well is certainly better than a 4-digit PIN.
* Biometrics on an iDevice is in fact always used with something else, which is the device itself: Touch/FaceID on an iPhone can only be used to access that particular iPhone. Ie. if you manage to steal my fingerprint, you can only use it to access the devices that I have set up to use my fingerprint. This means that my fingerprint alone is not of any value, unless you can also gain physical access to my phone. Compare this with a password which, if stolen, allows attackers on the other side of the globe to access my accounts.
It is not a meaningless slogan, if Biometrics give the wider public a FALSE sense of security in that companies like Apple pitch them in unrealistic and inaccurate ways in their marketing that gives the average Joe the false idea that biometrics are more secure than they really are, and secure more data than it really does.
>Biometrics is always better than no security.
That's not only a pointless statement, but a False Dilemma Fallacy as well.
>Biometrics done well is certainly better than a 4-digit PIN.
Done well is the key part, and again that is a False Dilemma Fallacy as you assume the choice is between a 4 digit pin and Biometrics, it is not.
> if you manage to steal my fingerprint, you can only use it to access the devices that I have set up to use my fingerprint. This means that my fingerprint alone is not of any value, unless you can also gain physical access to my phone. Compare this with a password which, if stolen, allows attackers on the other side of the globe to access my accounts.
It is funny you mention that because oftentimes I see people set VERY insecure passwords because they believe that their biometrics protects their password. So they set an insecure password "They will never use or need" because they rely on biometrics and believe it provides all the security they need not just the security of the device, but since they only access their data from that device they are lulled in a false sense of security that the biometrics are protecting not only their device but ALL OF THEIR ACCOUNTS
Oh, please! There is an abundance of evidence to show that the wider public is completely uninterested in security to the degree that a majority will disable security features altogether if they are inconvenient to use in the slightest. People don’t use biometric authentication because they are misled to believe that it’s more secure than other methods of security. They use it because it’s the most convenient method.
In principle perhaps, but not in practice. Before biometric authentication became widespread, it was completely normal not to protect your phone at all. And when it was protected, it was almost always with a 4-digit PIN that you only had to enter after some amount of time had passed since you last unlocked the phone.
> oftentimes I see people set VERY insecure passwords because they believe that their biometrics protects their password
That’s a nice anecdote which may be a completely accurate account of what someone told you. Or not. I find it hard to believe with no evidence that such a specific misunderstanding should be widespread. I do find it very believable that people use bad passwords, because people have always used bad passwords. As long as we’re exchanging anecdotes, I can tell you that I personally changed from a 4-digit PIN to a longer password when I got Touch ID, because it wasn’t as inconvenient when I only had to type it in once in a while as opposed to every time I unlock my phone.
Biometrics are biometrics. They're distinct from username and passwords.
They can be used for low effort access control, the same way that most locks are easy to pick or bypass but are still useful to block crimes of opportunity.
There is also a quick button squeeze you can do that requires passcode for the next unlock, so you can do that before you go to bed if you're really afraid someone is going to gain physical access to your device.
"We might use smartphones with 3D scanning capabilities (like Sony XZ1); or set up a room with a 3D scanner, a few seconds is enough for the scanning (here's an example of a 3D scanning booth).
An easier way is photograph-based, artists craft a thing from its photos. Take the nose of our mask for example, its creation is not complicated at all."
Although I am not sure if it's based on your head or just scanning your iris.
"Q: Were you able to use the mask to unlock the iPhone immediately after freshly enrolling the real face? The reason I ask is that, according to Apple's whitepaper, Face ID will take additional captures over time and augment its enrolled Face ID data with the newly calculated mathematical representation. Can you describe precisely how you went about conducting this experiment?
A: It does not matter whether Apple Face ID "learns" new images of the face, since it will not affect the truth that Apple Face ID is not an effective security measure. However, we knew about this "learning", thus, to give a more persuasive result, we applied the strict rule of "absolutely no passcode" when crafting the mask."
Attacks will always be possible because FaceID can never be infinitely precise. Your face changes over time, even during the day. People wear glasses or sunglasses sometimes, and take them off sometimes. They grow facial hair, and shave it off. They wear makeup, and take it off. They pick up black eyes in jiu-jitsu class.
There is a balance between maximum precision and maximum usability. Apple's task was to find that balance. This hacked up "exploit" does nothing but show they found the proper balance.