ProPrivacy is reader supported and sometimes receives a commission when you make purchases using links on this site.

iPhone X Face ID Cracked after One Week

Apple released the iPhone X to the world on 3 November. Since then, hackers and cybersecurity researchers the world over have been racing to see if they can break the device's new facial scanning front end. At first glance, facial scanning seems to be a step up for security, but what does a Face ID really mean? And does it raise any digital privacy concerns?

Unblocked Already

Now, just a week after the release of the iPhone X, security researchers from the Vietnamese security firm Bkav claim to have fooled the facial scanner. Indeed, even before Apple released it, security experts began asking questions about whether one could crack an iPhone X with a 3D mask. Researchers in Vietnam now claim to have successfully put that method to use. According to the team, they have managed to unlock Face ID using a composite mask made of 3-D-printed plastic, silicone, makeup, and paper cutouts. According to the researchers, the mask cost them around $150 to make. 

Nobody has been able to verify those findings thus far, or to prove that Bkav has really done what it claims. For this reason, we'll have to wait until a second research team manages to peer test the methodology for cracking the Facial ID system on iPhone X.

In addition, despite offering proof of concept for the method, this research shouldn’t really bother most people. That is because it is highly unlikely that anybody will have the resources, time, or ambition to make a similar mask in order to break into a device in the real world. For starters, if someone loses their phone, the hacker who finds it will need to know whose face to make a mask for, which is highly improbable. 

Of course, there is the chance that in cases like San Bernardino, the authorities could create a mask to open a device. However, in that scenario, it is also highly unlikely, because the police could much more easily force a perp to look at their phone to unlock it.

Iphonex

Could the Police Force You to Unlock Your Phone?

The answer to this question is probably yes. Thankfully, even closing your eyes will stop the iPhone X unlocking, so this is an option. However, legally speaking DNA and fingerprints - things that make you who you are - are not protected by the Fifth Amendment. For this reason, police could gain a warrant to make US residents use their face to unlock an iPhone X. 

 Albert Gidari, director of privacy at Stanford University’s Center for Internet and Society, believes this needs to change. At the moment, the Fifth Amendment protects people against having to incriminate themselves. As such, people don't have to hand over their numeric passcode to the authorities. 

In the case of a biometric identity method being used to protect a device, Gidari argues that the biometric identifier is being used in lieu of a code, and should be assumed to express one. However, whether this change to how the Fifth Amendment is understood will ever happen is anybody’s guess. The current system favors the authorities, so there isn’t much hope that it will change anytime soon. 

Add to that, the fact that US police are once again locked out of a phone they wish they could access, and you see why it seems unlikely. 

Emergency Mode

The good news is that, like with the old fingerprint scanner feature, iPhone X users can click the power button 5 times in quick succession to enter emergency mode. This turns off the facial scanner and requires the use of a passcode to unlock the device. As such, consumers do have a way to disable the facial scanner and get themselves out of the legal grey area (if they get the opportunity).

For people who have thus far been happy to use their fingerprint to open an iPhone, not much has changed in terms of the Fifth Amendment. We will have to wait to see what happens when the new facial ID is litigated on in a real case.

Us Border

What we can be sure about is that at US border control (where federal agents have been known to force people to give up their passcodes), the authorities will likely be more forceful when it comes to making people open their phones. In addition, in countries outside of the US, where there are no Fourth and Fifth Amendments to protect their rights, people may find themselves more easily coerced into opening their iPhone with their face. 

Trust Me with Your Face

As far as digital privacy is concerned, the facial scan itself isn’t too much of a concern. The numeric file that is created at the time that an iPhone X scans its owner’s face is only stored on the device itself. According to Apple, that file (basically a numeric code that defines the characters of someone’s face), never leaves the phone. If it did leave the phone - and go to a central database of face files on Apple servers, for example - the dangers would be massive, because (as we all know), databases can be hacked by cybercriminals.

Face Id Iphone

In addition, the reference file that a user’s face is compared against is encrypted and stored in a secure part of the iPhone X. Phil Schiller, Apple’s Senior Vice President for Marketing explains,

“Once a phone learns to recognize its owner, using a 3-D map made up of more than 30,000 infrared dots projected onto a person’s face, it’ll only unlock itself when it senses that the owner is looking straight at the device. The map can’t be fooled by photos or masks, and it’s stored locally in a secure part of the device. Locking the phone just requires closing your eyes or glancing away, so waving a phone in front of its sleeping owner won’t unlock it.”

The big question is: Do you trust Apple? To be fair, Apple has generally shown itself to be trustworthy. It refused to unlock one of its phones during the San Bernardino case, for example. The reality, however, is that we simply don’t know if the file is being shared with Apple and hidden away in some massive facial recognition library. If it is, that database is dangerously invasive. It is also worth a fortune. Sadly, because of the closed source nature of Apple devices, we simply do not know.

Opinions are the writer's own. 

Title image credit: Artem Oleshko/Shuttestock.com

Image credits: Hadrian/Shutterstock.com

MPanchenko/Shutterstock.com

chombosan/Shutterstock.com

Written by: Ray Walsh

Digital privacy expert with 5 years experience testing and reviewing VPNs. He's been quoted in The Express, The Times, The Washington Post, The Register, CNET & many more. 

3 Comments

Dan
on November 21, 2017
In the realm of security, as long as humans are involved at some point, trust can *never* be assured. So it is with amusement when I read ProPrivacy articles that discuss which VPNs or other security tecnologies like Apple's Face ID are more trustworthy than others. It's obvious, of course, when we *know* that a VPN vendor shares information with governmental authorities. But any "good" track record of other VPNs is strictly based on a *lack* of knowledge of possible sharing of information with governmental authorities. Also, can anyone ascertain that the NSA or the corresponding agencies of other nations aren't behind any of these highly rated VPN vendors? Just because Apple refused to cooperate in the San Bernardino case doesn't mean that it wasn't a show to cover its cooperation in other cases. Ditto with any other company. Even if companies like Apple are consciously keeping its customers' information secure, it doesn't mean that the NSA can't figure out a way to get to it. Bottom line, for me anyway, is that it doesn't matter whether you use a VPN and/or Tor or any other "secure" means of communicating, once data leaves your device, you can never completely trust that it is secure. Heck, even when data is on your device, if you're connected to a network, you can't assume it's secure. I don't consider myself to be paranoid. I still do my banking online. I've filed my taxes online. (Hey, I even drive with just one hand on the steering wheel!) But I truthfully consider the risks vs. benefits, and never assume that my information is completely secure.
https://cdn.proprivacy.com/storage/images/2024/01/douglas-crawfordpng-avatar_image-small.png
Douglas Crawford replied to Dan
on November 22, 2017
Hi Dan, I think that is all rather pessimistic. Technologies such as VPN can provide a high level of privacy, but is is important to understand its limitations. Tor _can_ provide true anonymity, although if your adversary is powerful and determined enough there is always some risk (and for day-to-day use Tor is rather impractical). And when it comes to communicating over a network, end-to-end solutions such Signal are pretty darn secure!
Dick
on November 17, 2017
Bkav is an Android smartphone producer and therefore a competitor. So hardly a reliable source. They declined to replicate the experiment with a newly created face, claiming it would take too much time to create one. Perhaps not fake news but not very trustworthy.

Write Your Own Comment

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

  Your comment has been sent to the queue. It will appear shortly.

We recommend you check out one of these alternatives:

The fastest VPN we test, unblocks everything, with amazing service all round

A large brand offering great value at a cheap price

One of the largest VPNs, voted best VPN by Reddit

One of the cheapest VPNs out there, but an incredibly good service