Earlier this month, a Vietnamese security company called Bkav demonstrated how it was able to fool the Face ID feature on the iPhone X with a printed silicon mask wrapped around a 3D frame and 2D infrared images of a human’s eyes. The entire contraption was said to cost in the range of $200 and naturally raised a number of questions about the effectiveness and reliability of Face ID, one of the standout features on the iPhone X.
A few weeks later, Bkav is back with a new blogpost which explains how they were able to fool Face ID yet again, this time with a mask created out of a different material. This time around, Bkav security researchers note that they used a 3D mask made out of stone powder along with 2D infrared printouts of eyes. The new method of fooling Face ID is said to be even more accurate than the first.
In a newly published video which goes over how the Face ID spoof was carried out, we see a Bkav security researcher deleting his current Face ID profile and registering his face anew. This is an important point given that previous videos claiming to fool Face ID actually featured users inadvertently training Face ID to incorporate their own facial features into the stored Face ID profile.
Also interesting is that the toggle for “Require Attention for Face ID” is switched on, thus showing that Bkav’s 3D masks can fool Face ID even at its highest security setting.
“About 2 weeks ago,” Bkav’s blogpost reads in part, “we recommended that only very important people such as national leaders, large corporation leaders, billionaires, etc. should be cautious when using Face ID. However, with this [new] research result, we have to raise the severity level to every casual users: Face ID is not secure enough to be used in business transactions.”
Now is this a reason to be cautious about using Face ID? Hardly. Much like we saw with Touch ID, biometric systems aren’t impervious to being fooled when faced with a sophisticated and determined attacker. That being said, unless you have reason to believe that someone might want to secretly take all-encompassing and high-quality photos of you in order to create a life-like mask of your face, you probably don’t have anything to worry about.