Monday, November 13, 2017

Apple FaceID cracked

That didn't take long:
When Apple released the iPhone X on November 3, it touched off an immediate race among hackers around the world to be the first to fool the company's futuristic new form of authentication. A week later, hackers on the actual other side of the world claim to have successfully duplicated someone's face to unlock his iPhone X—with what looks like a simpler technique than some security researchers believed possible. 
On Friday, Vietnamese security firm Bkav released a blog post and video showing that—by all appearances—they'd cracked Face ID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which in combination tricked an iPhone X into unlocking. That demonstration, which has yet to be confirmed publicly by other security researchers, could poke a hole in the expensive security of the iPhone X, particularly given that the researchers say their mask cost just $150 to make.
From a security perspective, FaceID (and fingerprint recognition) is a terrible idea. The problem is that it's used for the wrong purpose. Both would be fine as a username replacement - after all, you are you. But they're really, really, really bad ideas as passwords, which is how they're used. They can't be changed if they get compromised (and believe me, that is what hackers worldwide are working on because it's the Holy Grail of pwnage). They can be used against your will, by Bad Guys or by Governments.

If you use either of these two things, you should turn them off.


housefitter said...

It was just last Thursday or Friday I think... Rush was on the radio pooh-poohing anyone who had their doubts about the security of face id... I thought to myself at the time, "never say never".

Old NFO said...

Yep, code... not the rest of that crap... :-)

knirirr said...

I was thinking of getting an iPhone as I rather like the Apple watch, but the face scanning puts me right off. Security issues aside, the thought of advertisers getting access to an API to see if I'm paying attention is rather unpleasant.

Ruth said...

There was an article just yesterday about how a kid was able to "hack" his mother's FaceID. As in, he picked up the phone and looked at it, and it let him in. Experimentation showed that the light that the mother was sitting in when she set up her FaceID made the difference; setting it in bright daylight kept the kid out. Definitely not as secure as they'd like us to think.