Bkav, a Vietnamese security firm, invented a $150 mask that bypassed Apple’s Face ID feature earlier this month.
Due to skeptics, the security experts from Bkav decided to invent a new 3D mask. Bkav dubbed the new mask “the artificial twin” because of similar cases wherein actual twins can trick the Face ID feature.
This time around, the mask costs $200 and is made of stone powder glued with 2D infrared images of eyes that imitate real eyes. In the previous experiment, the experts used paper tape instead of stone powder. The experts discovered that using stone powder instead made it easier to trick the Face ID feature. The 2D printed infrared images of eyes use the same technology that is used by Face ID in detecting facial image.
According to Bkav, “The recognition mechanism is not as strict as you think. We just need a half face to create the mask. It was even simpler than we ourselves had thought.”
People were skeptical about the first experiment because it was uncertain whether the “Require Attention” feature was enabled. This attention detection feature levels up the security by ensuring that the phone doesn’t unlock when the user is not directly looking at it. It is also meant to prevent unlocking the phone with a photograph or a mask. This feature is an optional safeguard and Bkav was able to circumvent it.
Below is the video posted by Bkav of its second experiment.
In Bkav’s latest video, the “Require Attention for Face ID” and “Attention Aware Features” were both enabled. Also, the video runs uncut throughout the process thus suggesting that the experts successfully spoofed the Face ID feature. The expert first unlocked the phone with his own face. Then, using the new 3D mask, the phone was also successfully unlocked.
Ngo Tuan Anh, the vice president of Cyber Security at Bkav, stated, “About 2 weeks ago, we recommended that only very important people such as national leaders, large corporation leaders, billionaires, etc. should be cautious when using Face ID. However, with this research result, we have to raise the severity level to every casual user: Face ID is not secure enough to be used in business transactions.”
The researchers at Bkav said that the process of making a 3D model is not as complicated as it seems to be. By just taking photos of a person at different angles, a 3D image can easily be created.
According to Bkav, the fingerprint-based biometric security is still the most reliable one. Taking photos is much easier compared to collecting a fingerprint. Even from a distance, the photos taken can be useful in bypassing the Face ID feature.
Since the release of iPhone X, several attempts of tricking the Face ID were successful. A 10-year-old kid was able to unlock his mother’s phone easily through Face ID. Another case involves twins being able to unlock each other’s phones.
This goes to show that extra precautionary measures need to be taken to ensure that the content of your phone won’t be accessible to just anybody.