[Thomas Brewster] writes for Forbes, but we think he’d be at home with us. He had a 3D printed head made in his own image and then decided to see what phones with facial recognition he could unlock. Turns out the answer is: most of them — at least, those running Android.
The models tested included an iPhone X, an LG, two Samsung phones, and a OnePlus. Ironically, several of the phones warn you during enrollment that face unlock may be less secure than other locking schemes, and one of them also offered a faster recognition setting that is known to make the phone less secure still.
The phones didn’t just pop open at a glance of the 3D printed head. Some required small changes in angle and lighting, but all of the Android devices eventually opened. Many vendors reiterated that face unlocking is closer to a swipe-to-unlock convenience than to a biometric security control.
There are quite a few problems with any sort of biometric, though. First off, biometrics can change: a face can be disfigured in a variety of ways, and a fingerprint can literally be lost along with its finger. But the most worrisome thing, to us, is that you can never revoke a biometric. Forget your password or lose your keys and those can be revoked and replaced with new ones; you can’t get a different face or fingerprint. That is the practical reason to treat a biometric as a convenience layer on top of a secret you can change, which is roughly what the vendors’ own warnings amount to.
The subject’s head was made by a company that specializes in this, using a rig with 50 cameras. The printer used an old technology, gypsum powder, along with some coloring. The cost was £300 (about $377 at today’s exchange rate).
Granted, it is hard to imagine a casual thief going to the trouble of modeling your head. But an employer? A law enforcement agency? Or someone who stands to gain a lot by compromising your phone? It isn’t that hard.
Just in case Apple users are feeling smug, don’t forget that a mask reportedly did the same trick even on the iPhone X. You can even scan an entire body if you like.
…and people often wonder why I keep making funny faces at my phone – I call it security through obscurity.
Passwords are still better. You can be compelled to place your finger on the fingerprint scanner or look at your phone’s camera. Police cannot compel you to enter your password.
Hmmm… but if they really need to know what’s on your phone… do they really need you and your permission? But seriously, your password is most likely just a short sequence of numbers that (if you have enough time) can be resolved with a brute force attack (well, just trying 0000, 0001, 0002, 0003…)
What happened to the simple “connect the dots” that’s still going strong on Android? People seem to fail to realize that you can have a quick way of unlocking your phone and, once you go over 5-6 dots, the number of possible permutations is pretty high…
I always wonder if you can figure out the connect the dots by carefully observing the oils on the screen?
My niece figured that out long ago on her mother’s phone, she blew on the screen to fog it up.
All the more reason to keep a clean screen. I wonder, though, if that works with a screen protector?
Screen protectors make it worse. On my phone you can look at the screen at the right angle and see the path my finger has worn due to the micro-scratches on the screen protector.
It took me a couple days to solve the finger strokes needed to access my deceased brother’s devices.
I wrote a script to output all possible combinations, sorted by difficulty, and then started going through them. Would be relatively easy to make a robot do this.
How about Yubikey with NFC?
The iPhone has progressively longer wait times when the wrong password is entered. So brute force won’t likely work.
https://imgs.xkcd.com/comics/security.png
Yes they can. Great Britain is one of those “fine” countries where refusing to give a password gets you jail time.
But…
Will that jail time be less than the jail time you’d get once they see what’s inside the phone?
B^)
Gross, sounds like they’re not so great Britain anymore.
My brother can unlock my Pixel 2. It says when you set it up that it’s not secure.
>pixel 2
That’s your problem, mate.
” But one of the most worrisome things, to us, is that you can never revoke a biometric signature.”
Sure you can. Just take out a loan from certain people and don’t pay it back!
Hack a phone?
It looks more like someone is trying to escape Alcatraz to me!
Till now, it was terrifying to know someone might cut your thumb in order to use it later to unlock your phone.
From now on, fear of being beheaded!
:o)
Oh, iPhone users can feel smug. It took a tremendous amount of effort to unlock one with a mask. They don’t false positive much, and very rarely false negative.
Gypsum powder…
i.e. Plaster of Paris
Quick, everyone, scan your most hated enemy’s face and 3D print heads so you can hack their phone.