Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile Security //


03:30 PM
Simon Marshall
Simon Marshall
Simon Marshall

FaceID Faces Security Headwind

Apple brings facial recognition to the iPhone but some security experts aren't convinced the technology is ready.

On the day Apple launched its iPhone X, facial recognition experts have questioned the security of a new biometric authentication system on the devices.

Apple has been preparing to use facial ID for authentication for some time, cherry-picking in the last four years three Israeli companies that supply the sense-capture-identify one-two-three of facial matching authentication.

It reportedly acquired RealFace earlier this year for an undisclosed amount, LinX in 2015 for an estimated $20 million and PrimeSense in November 2013 for $345 million. PrimeSense designed a 3D sensor, Linx developed a DSLR-like mobile camera module and RealFace built facial recognition software.

It's surprising therefore to find out that Apple's new authentication method may be flawed and easily spoofed. "iPhone X has 3D face recognition on it to do face matching. The Chaos Computer Club will take (only) a month to spoof it," opined Andrew Bud, CEO and founder of iProov. "They will find the iPhone weakness and they will break it. And if they don't publish how they did it, Apple will never know."

The CCC famously broke the Samsung Galaxy S8 iris scanner a month after it was launched. But it does have a track record of being very sporting in the grey hat mode when it indeed breaks a system, often publishing how and why an exploit has been successful; its 5,500 members seem to function as a benevolent collective. Millions of other hackers do not.

Owners of the new $1,000 iPhone X elite model have disposable incomes. You get my drift.

I'm not a hacker myself (or if I am, I'm black hat and you don't know it), but there are several ways that a potential weakness could be leveraged. An attempt could be made during the initial education mode where hackers probe for weaknesses, looking to build their fact base while remaining unobserved. Here there would be an intercept to see how the ID authentication process communicates between the OS and hardware. If there's an intercept, then it's also logical that bogus values could potentially be inserted to see how the system/service responds.

According to Jeff Orr, research director of strategic technology at ABI Research, "If a true 3D sensor is involved that captures more identifying points than a fingerprint, this challenges prior facial recognition approaches where the image could be spoofed using photos, contact lenses, and video playback." The more identification points the sensor has, the stronger the security and the better it is for the consumer.

Want to learn more about how LTE-A Pro and Gigabit LTE will impact the 5G market? Join us in San Francisco for LTE Advanced Pro and Gigabit LTE: The Path to 5G event -- a free breakfast collocated at Mobile World Congress Americas with a keynote address by Sprint's COO Günther Ottendorfer.

During the launch presentation, Apple invited viewers to glimpse behind the curtain of the biometric unit on the iPhoneX. Its TrueDepth camera system comprises an IR camera, flood illuminator, front camera, a dot projector, and also proximity and ambient light sensors.

The challenge process takes place in real time, and begins when the user’s face is detected by the flood illuminator. The IR camera takes an image, and the dot projector pushes 30,000 IR dots onto the face. The information from the IR image and dots are combined and pushed through an on-chip neural network for processing. The composite is then matched to an existing image stored locally on the device. The data from this is ‘enclaved’ on a purpose-built A11 Bionic chip, although it was not clear how safe it was.

While acknowledging during the presentation that “there is no perfect system” for biometric facial recognition, Apple added that there is a 1 in 50,000 chance that, say, I could unlock your phone with my fingerprint. For FaceID, that statistic is 1 in 100,000,000. So, the device is spoofable. Apple added that if there’s a family member that bears a resemblance, then a passcode should be used on top of FaceID in order to better safeguard data.

Certainly, that advice is to Apple's credit; Every data point -- face, eye, fingerprint enrolled into a single strong authentication process would make an attack harder.

"A combination of facial, eye and fingerprint recognition seems like a more progressive approach to ensuring the security of the user, device, and its data," says Orr. But, there are some very devious methods out there to break through security.

"(This) would overcome concerns about someone trying to unlock the phone of a sleeping or deceased person," says Orr. "It is not clear today if corrective lenses, contact lenses, or use of prescriptions/intoxicants that alter pupal dilation will have an impact on the system."

Or, a hacker could simply try to retrieve authentication patterns already enrolled and stored locally on the device, such as TouchID, if indeed this is how the iPhone X system works.

In some cases, observers fear that facial ID causes real issues for an iPhone user who is physically next to a spoofer. Imposing a biometric request under duress is possible. But since we're into hypotheticals here, what about if someone could model their own 3D scanner using the same 3D sensor to gather identities for a future exploit? That hack could be executed over time and only launched once thousands of identities have been exploited.

And finally, a question for Benjamin Button: How do legitimate users manage changes over time as they age, change appearance and grow younger?

Apple did not respond to several requests for comment. Special thanks to Jeff Orr.

Editor's Note: This article has been updated to reflect information released in the iPhone X launch event.

Related posts:

— Simon Marshall, Technology Journalist, special to Security Now

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.