Apple’s Face ID is supposed to be the most secure biometric security system ever put into a smartphone. The company claims a false-positive rate of just one in a million under normal circumstances. But if you add some nefarious security researchers with a lot of spare time into the mix, things get more complicated.

A Vietnamese security firm claims to have bypassed the iPhone X’s Face ID system using a silicone mask, a 3-D printed frame, and 2-D images of the eyes and mouth. It’s not a simple process, but it does mean that the iPhone X is technically defeatable.

The system starts with a 3-D printed frame that copies the underlying topography of the subject’s face. Face ID’s biggest innovation is the 3-D image scan of the user’s face that it relies on, which sets it apart from other facial recognition systems that just use a color 2-D image. To the 3-D frame, researchers added a silicone layer to resemble skin, areas of “special processing” along the forehead, and 2-D images of the subject’s eyes and mouth.

In a video, the security firm shows the mask unlocking the iPhone X on its own, as well as when placed on a person’s face.

In practice, the mask doesn’t present a threat to casual users. Any hack using the system would require a huge amount of research and preparation, which isn’t feasible for most criminals.

But for police forces executing a particularly valuable search warrant, for example, it could be possible to secretly scan a suspect’s face, make a mask, and then catch him unawares. Users can quickly disable Face ID by pressing the lock button five times in a row, but it would hypothetically be possible to steal someone’s phone and use the mask to unlock it before Face ID could be locked out.

Chris Mills has loved tinkering with technology ever since he worked out how to defeat the parental controls on his parents' internet. He's blogged his way through Apple events and SpaceX launches ever since, and still keeps a bizarre fondness for the Palm Pre.