3D Printed Head Can Unlock Your Phone

[Thomas Brewster] writes for Forbes, but we think he’d be at home with us. He had a 3D printed head made in his own image and then decided to see what phones with facial recognition he could unlock. Turns out the answer is: most of them — at least, those running Android.

The models tested included an iPhone X, an LG, two Samsung phones, and a OnePlus. Ironically, several of the phones warn you when you enroll a face that the method may be less secure than other locking schemes. Conversely, one phone had a faster feature that is known to make the phone less secure.

The phones didn’t just pop open at a glance of the 3D printed head. Some required a few changes of angle and lighting. But all the Android devices eventually opened. Many vendors reiterated that face unlocking is more like a swipe-to-unlock action than biometric security.

There are quite a few problems with any sort of biometric scan, though. First off, biometrics can change. Your face could become disfigured in a variety of ways. A fingerprint can literally be lost along with its finger. But one of the most worrisome things, to us, is that you can never revoke a biometric signature. Forget your password or lose your keys and we can revoke those things and give you new ones. You can’t get a different face or fingerprint.

The head was made using a specialized rig with 50 cameras by a company that specializes in this. The printer used an old technology — gypsum powder — along with some coloring. The cost was £300 (about $377 at today’s exchange rate).

Granted, it seems hard to imagine a casual thief going through the trouble of modeling your head. But an employer? A law enforcement agency? Or someone who could gain a lot by compromising your phone? It isn’t that hard.

Just in case Apple users are feeling smug, don’t forget that a mask apparently did the same trick even on the iPhone X. You can even scan an entire body if you like.

23 thoughts on “3D Printed Head Can Unlock Your Phone”

  1. Passwords are still better. You can be compelled to place your finger on the fingerprint scanner or look at your phone’s camera. Police cannot compel you to enter your password.

    1. hmmm… but if they really need to know what’s on your phone… do they really need you and your permission? But seriously, your password is most likely just a short sequence of numbers that (if you have time enough) can be resolved with a brute force attack (well just trying 0000, 0001, 0002, 0003…)

      1. what happened to the simple “connect the dots” that’s still going strong on Android? People seem to fail to realize that you can have a quick way of unlocking your phone and once you go over 5-6 dots, the number of possible permutations is pretty high…

          1. Screen protectors make it worse. On my phone you can look at the screen at the right angle and see the path my finger has worn due to the micro-scratches on the screen protector.

        1. It took me a couple days to solve the finger strokes needed to access my deceased brother’s devices.

          I wrote a script to output all possible combinations, sorted by difficulty, and then started going through them. Would be relatively easy to make a robot do this.

  2. “But one of the most worrisome things, to us, is that you can never revoke a biometric signature.”

    Sure you can. Just take out a loan from certain people and don’t pay it back!
