Hackers Crack Apple's Face ID With $150 Mask

Tyler Durden's picture

Here’s the latest sign that the long-awaited facial recognition technology introduced by the iPhone X that caused production delays and myriad other headaches for Foxconn and its suppliers doesn’t live up to Apple’s lofty claims: A group of Vietnamese hackers became the first in the world to defeat the phone’s Face ID security, accomplishing the task with relative ease using a $150 silicone prop.

On Friday, Vietnamese security firm Bkav released a blog post and video purportedly showing them cracking Face ID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which they assembled to successfully trick the iPhone X into unlocking. That demonstration, which has yet to be confirmed publicly by other security researchers, could poke a hole in the expensive security of the iPhone X, particularly given that the researchers say their mask cost just $150 to make, according to Wired.

To be sure, this vulnerability shouldn't alarm the average iPhone owner, given the time, effort, and access to someone's face required to recreate the silicone mask used by the hackers. Creating the dummy used to fool the phone required a detailed measurement or digital scan of hacker who owned the phone. However, the notion that these dummies could someday be used to unlock phones and steal sensitive data isn’t completely far-fetched. And it's also notable that Apple specifically boasted that the Face ID technology couldn't be defeated by masks.

"Targets of these types of sophisticated hacks probably wouldn’t be ordinary users, “but billionaires, leaders of major corporations, nation leaders, and agents like FBI need to understand the Face ID's issue," the Bkav researchers said. They also suggest that future versions of their technique might be performed with a quick smartphone scan of a victim’s face, or even a model created from photographs, but didn't make any predictions about how easy those next steps might be to engineer.

The hackers answer questions about beating Face ID in a humorous post published on the company’s blog.

Apparently drunk on their victory, the hackers pulled no punches with their Apple-bashing in a humorously worded blog post.

"Apple has done this not so well," writes the company. "Face ID can be fooled by mask, which means it is not an effective security measure."

Their responses to the “questions” listed in the Q&A were also, at times, nonsensical. But the video published on YouTube does appear convincing.

In the video, one researcher pulls a piece of cloth from a mounted mask facing an iPhone X on a stand, and the phone instantly unlocks. Despite the phone's purportedly sophisticated 3-D infrared mapping of its owner's face and AI-driven modeling, the researchers say they were able to achieve that spoofing with a relatively basic mask: little more than a sculpted silicone nose, some two-dimensional eyes and lips printed on paper, all mounted on a 3-D-printed plastic frame made from a digital scan of the would-be victim's face.

Apple’s technology purportedly becomes more secure with time as it continues to analyze the facial features of its owner. Still, the fact that these hackers were able to crack the phone with a plastic doll doesn’t bode well for the future of cybersecurity in the US.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
hedgeless_horseman's picture


"Targets of these types of sophisticated hacks probably wouldn’t be ordinary users, “but billionaires, leaders of major corporations, nation leaders, and agents like FBI need to understand the Face ID's issue," the Bkav researchers said.

Or their daughters.

"It puts the lotion on it's skin, or else it gets the hose again"

Shitonya Serfs's picture

I like the mask. Like looking into a mirror.

pods's picture

Why not just slip the target something to knock them out, then hold the phone up to their face?  

Then use the target's phone to snap a pic while you teabag them after you are done rummaging through their phone.


JimmyJones's picture

back during the early 2000's right about the time Google was going to go public, I was at Defcon in Las Vegas and a off duty Army dude was showing us how to trick facial recognition using pictures with eyes and a mouth cut out.  This is just a similar more advanced technique .  When will they ever learn that a smart hacker will ALWAYS defeat the best formally educated, high cost, people when they attempt to make things "secure".  2 tier authentication is still very good and works, if you give a crap.

+1000 for getting Tea bagging into this convo.

ParkAveFlasher's picture

I'd give a crap, but someone might counterfeit MY crap.

auricle's picture

A simple passcode has never failed me.

NoDebt's picture

So.... if I tune somebody up in a barfight I'm also assuring they won't be able to get into their iPhone X for a couple weeks?  Bonus!


NoDebt's picture

Oh, oh, even better.  People who get plastic surgery done and can't get into their own phone after that.


Joe Davola's picture

Those varmit cong all look the same, right?

07564111's picture

iFooled some folks :D

iScanned some folks :D

iShit on some folks :D

Lurk Skywatcher's picture

Anything as public as your face or fingerprints should be your username, not your password.

Fucking idiots have no idea about security.

Cluster_Frak's picture

Lucky you. My crap got hacked by Russians. 

Global Douche's picture

Add to that: Do NOT use your phone in "2FA" unless you want "2 get Fucked up the Ass."

ShorTed's picture

Remind me not to party with you!

NoDebt's picture

"Why not just slip the target something to knock them out, then hold the phone up to their face?"

I'm with you on that one, pods.  How many times have we seen handprint identification fooled by a movie bad guy just by chopping off somebody's hand and placing it on the sensor?  Why should this be any different?



JimmyJones's picture

Its not unless they some how modify the algorithm to look for something that appears to be signs of life but once those "signs" are identified they too can be replicated.

sleigher's picture

We can just cut their face off and wear it on our own.    #leatherface

Winston Churchill's picture

Isis head choppers have this one beat.

scraping_by's picture

Didn't the old Mission Impossible show have everyone running around in silicone masks? Fooling baddy security guys and I think some face scanners too. Long time ago. But, old US programs get dubbed and shown on foreign TV.

booboo's picture

I usually just use a melon spoon to scoop out the guys eye if I need to break into their shit, just sayin.

BandGap's picture

You had me till the teabagging part.

How about get a good photo of the target, find some nice software to turn 2-D into 3-D and work the magic. No smelly testicles required.


Dontblamethegoat's picture

As we dive to the bottom of the pond .... teabagging ... really ... what a waste of time ...

spyware-free's picture

Biometric security is a myth. Fingerprints, Facial features and other personal characteristics can be spoofed and trick the devices that depend upon them as is shown in this article.
Also, if a hacker were to acquire your biometric in digital form it's possible to "inject" that copy into an authentication request on devices that don't validate source effectively creating an MITM vulnerability. And what happens to the poor sap that had their digital biometric stolen? Plastic surgery?

NCIzzy's picture

great post, and lol at second line. thx for the chuckle

Global Douche's picture

But...but..but, your awesome idea is shot down if the target used their middle finger, vertically extended, to make the lockshot.

quadraspleen's picture

here's the thing: it's not about FaceID.

Apple couldn't give a shit whether or not your face (or some masks face) unlocks your phone. They'll fix this, it's just software, after all, but it's about the FACES. Not just yours; everyones. And while the fools are staring into their iPhone Xs, it's looking all around..for faces..and just refining it's algorithms..

the Metropolitan Police are putting FaceID tech in the big advertising boards at Piccadilly Circus (and everywhere else)

gotta love a face



07564111's picture

Yep, your security has nothing to do at all with these portable scanners for face and fingers. Dumb and stupid fucks give up their data without a thought for the future.

Two-bits's picture

And here I was worried that American women would have to worry about 2 hours of foundation and concealer before they could unlock their phones.   Saved by the hackers.

Ben A Drill's picture

Your only vulnerable if you buy into that technology.

Implied Violins's picture

True, but I wonder if there is some underlying reason that this has come out.

Could it be that the ultimate goal is to try to prove to people that the only real way to be sure your identity can't be stolen is if you are micro chipped?

There are always layers to this bullshit...

Rex Andrus's picture

You thought that was a vaccine?

Global Douche's picture

I did, and I dreamt it came with a blockchain with Hades as it's just reward.

Greenspazm's picture

Solution: make a cock and balls recognition app.

Jacobra's picture

Great excuses like, I couldn' answer the phone because of shrinkage are coming.

Shitonya Serfs's picture

You get outed as a sexual predator in the Great 2017 Witch Hunt.

E.F. Mutton's picture

I showed it my asshole.  Siri said "Welcome back from Rehab, Mr. Weinstein"

buzzsaw99's picture

if apple can scan your face, hackers can scan your face.

peddling-fiction's picture

Easily, may I add.

Soon on Darknet; your hacked face and paw prints for a buck or two if you are a plebe.

Oh the humanity...

Global Douche's picture

I bitched and griped at my state representatives back in Spring over the Real ID Act. I warned everyone at the meeting (over 95% have Oklahoma driver's licenses) that to maintain Real ID compliance, don't be surprised if Iris Scans and handwriting samples become a requirement for license renewal in the future, after all, it was in the BILL which reportedly became law! Even worse, DHS still doesn't consider Oklahoma as Real ID compliant.

p.s., I'm gonna publicly roast the rep running for the senator's former seat if I find out he's campaigning here. I'm already getting ZH ads about that shit now! He has no choice but to answer the question related to this very subject due to his campaign. Tyler, can you do Okies a huge favor and cancel what remains of that man's campaign? BTW, I'm NOT Russian.

pods's picture

And the NSA does too. Pretty soon we will all get those embarassing ads that pop up while we walk by.

Speaking of that, I looked for 5 minutes at what it would cost to ship a pallet of lead across the country and now every fucking ad I get is LTL shipping. You would think I was a logistics expert from the Teamsters. Sheesh.


buzzsaw99's picture

all the nsa has to do is pop off the back of any device and enter their four digit pin.  lulz

pods's picture


"I've got that same combination on my luggage."

medium giraffe's picture

How many Assholes have we got on this ship anyhow?

Winston Churchill's picture

Not even that.They own the companies that write the bios for everything.

Demologos's picture

And in the dark and dank near future, everywhere Pods goes he is greeted by Lipton ads ... and people nearby will go hmmm.

TalkToLind's picture

NO!  I know that facial recognition is impossible to crack because they said so on TEEVEE!  Are you telling me the TEEVEE lied to me???