Vietnamese cybersecurity firm Bkav claims it’s been able to bypass the iPhone X’s Face ID feature using a mask. The mask is made to trick Apple’s depth mapping and the result is a kind of creepy hybrid monster head with realistic cutouts for the eyes, nose and mouth.
Bkav says the mask is crafted through a combination of 3D printing, makeup, and 2D images. There’s also some “special processing done on the cheeks and around the face” where there are large areas of skin, and the nose is created from silicone. The demo video shows the iPhone being unlocked using the researcher’s face and then again using the mask, in just one go.
The cost of making the mask is relatively inexpensive at $150, says Bkav, which began working on the mask right after recieving their iPhone X on November 5th. That means it was able to create a bypass for Face ID in less than a week. The firm does stress that the product is just a proof of concept at the moment and more research is needed. “Country leaders, leaders of major corporations… are the ones that need to know about the issue, because their devices are worth illegal unlock attempts. Exploitation is difficult for normal users, but simple for professional ones,” Bkav said on an FAQ on its website.
Apple published a technical white paper on Face ID a few weeks ago that described the techniques used in facial matching. It states that the iPhone X uses a neural network that’s trained to spot and resist spoofing, and “defends against attempts to unlock your phone with photos or masks.” The Wall Street Journal’s Joanna Stern made a silicone mask that failed to trick Face ID during her review of the iPhone X.
When introducing the iPhone X in September, executive Phil Schiller said Apple’s engineers had worked with professional mask makers and makeup artists in Hollywood to protect against attempts to beat Face ID. “These are actual masks used by the engineering team to train the neutral network to protect against them in Face ID,” said Schiller. He didn’t say if any of its masks could defeat the system, however. Schiller did concede that no biometric system is perfect, noting that the probability of a random person unlocking an iPhone X with Face ID is approximately 1 in 1,000,000, compared to 1 in 50,000 for Touch ID.