Hackers Crack Apple's Face ID With $150 Mask

Here’s the latest sign that the long-awaited facial recognition technology introduced by the iPhone X that caused production delays and myriad other headaches for Foxconn and its suppliers doesn’t live up to Apple’s lofty claims: A group of Vietnamese hackers became the first in the world to defeat the phone’s Face ID security, accomplishing the task with relative ease using a $150 silicone prop.

On Friday, Vietnamese security firm Bkav released a blog post and video purportedly showing them cracking Face ID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which they assembled to successfully trick the iPhone X into unlocking. That demonstration, which has yet to be confirmed publicly by other security researchers, could poke a hole in the expensive security of the iPhone X, particularly given that the researchers say their mask cost just $150 to make, according to Wired.

To be sure, this vulnerability shouldn't alarm the average iPhone owner, given the time, effort, and access to someone's face required to recreate the silicone mask used by the hackers. Creating the dummy used to fool the phone required a detailed measurement or digital scan of hacker who owned the phone. However, the notion that these dummies could someday be used to unlock phones and steal sensitive data isn’t completely far-fetched. And it's also notable that Apple specifically boasted that the Face ID technology couldn't be defeated by masks.

"Targets of these types of sophisticated hacks probably wouldn’t be ordinary users, “but billionaires, leaders of major corporations, nation leaders, and agents like FBI need to understand the Face ID's issue," the Bkav researchers said. They also suggest that future versions of their technique might be performed with a quick smartphone scan of a victim’s face, or even a model created from photographs, but didn't make any predictions about how easy those next steps might be to engineer.

The hackers answer questions about beating Face ID in a humorous post published on the company’s blog.

Apparently drunk on their victory, the hackers pulled no punches with their Apple-bashing in a humorously worded blog post.

"Apple has done this not so well," writes the company. "Face ID can be fooled by mask, which means it is not an effective security measure."

Their responses to the “questions” listed in the Q&A were also, at times, nonsensical. But the video published on YouTube does appear convincing.

In the video, one researcher pulls a piece of cloth from a mounted mask facing an iPhone X on a stand, and the phone instantly unlocks. Despite the phone's purportedly sophisticated 3-D infrared mapping of its owner's face and AI-driven modeling, the researchers say they were able to achieve that spoofing with a relatively basic mask: little more than a sculpted silicone nose, some two-dimensional eyes and lips printed on paper, all mounted on a 3-D-printed plastic frame made from a digital scan of the would-be victim's face.

Apple’s technology purportedly becomes more secure with time as it continues to analyze the facial features of its owner. Still, the fact that these hackers were able to crack the phone with a plastic doll doesn’t bode well for the future of cybersecurity in the US.