Story image

Will the iPhone X's Face ID be hackable? Security expert weighs in

02 Oct 2017

The iPhone X’s facial recognition technologies have been called into question by a security consultant at global tech firm Synopsys, who claims that no facial recognition technology is ever unbeatable.

Nikola Cucakovic posted a blog titled ‘How secure is iPhone X Face ID facial recognition’, which analysed the widespread adoption of facial recognition as a means of biometric access control.

According to Cucakovic, any facial recognition technology must be able to consistently and securely identify the right person. But that technology comes with many attack vectors threat actors can use to beat the system.

While the iPhone X is not on the market yet, information about how its Face ID works has been widely circulated.

A flood illuminator can detect a face in any light conditions and the infrared camera can also take a picture. Using a projector comprised of more than 30,000 dots, the image and dot pattern are used to create a mesh in the ‘neural network’.

Every time a user looks at the device, the image is compared to the mesh. In the case of a match, the device is unlocked.

However, Cucakovic notes, Apple’s SVP of worldwide marketing Phil Schiller admitted that there is a one in a million chance that somebody else could unlock a device that it not theirs with their own face… especially if it’s your ‘evil twin’.

Apple’s Touch ID is subjected to a one-in-50,000 chance that somebody else could use their fingerprint to unlock someone else’s device – and it has been done by the Chaos Computer Club.

“While it’s not impossible to obtain someone’s fingerprint, we can say that it’s definitely more difficult than simply obtaining an image of someone’s face—especially since social media and technology are so integrated into modern-day life that photos are everywhere,” Cucakovic says in the blog.

“What Apple must therefore ensure is that even with a photograph of the victim’s face, an attacker cannot access the phone. Many facial recognition technologies released to date have been circumvented using rudimentary techniques, including printed photographs, digital photographs, animated digital photographs, and 3D models.”

While Apple claims it has worked to protect against these threats, nobody will know for sure until the device is on the market.

For enterprises ‘wishing to be at the forefront of technology’, Cucakovic believes that Apple’s Local Authentication API, which will be used for both fingerprint and facial recognition, will be easily adopted.

“However, for some organizations, there may have been a period of analysis and review concerning Touch ID before it was approved/risk-accepted for use within the enterprise (or for use in their externally visible App Store apps),” Cucakovic states.

“Those organizations may not have assessed the risks concerning facial recognition or approved the technology for enterprise use. On Day 1 when the iPhone X is released, all apps that support Touch ID will support Face ID. This means that users of corporate devices will be able to use facial recognition even if their organisations aren’t okay with that. Organizations should start to evaluate whether Face ID is appropriate for use now, ahead of the iPhone X release, to adjust their policies in time.”

Security professionals want to return fire – Venafi
Seventy-two percent of professionals surveyed believe nation-states have the right to ‘hack back’ cybercriminals.
Alcatraz AI to replace corporate badges with AI security
The Palo Alto-based startup supposedly leverages facial recognition, 3D sensing, and machine learning to enable secure access control.
Unencrypted Gearbest database leaves over 1.5mil shoppers’ records exposed
Depending on the countries and information requirements, the data could give hackers access to online government portals, banking apps, and health insurance records.
Mozilla launches Firefox Send, an encrypted file transfer service
Mozille Firefox has launched a free encrypted file transfer service that allows people to securely share files from any web browser – not just Firefox.
Ransomware’s decline equals cryptomining’s rise
ESET’s Security Days Conference recently took place to go over the current threat environment and what to look out for next.
IoT and DDoS attacks: A match made in heaven
A10 Network’s Adrian Taylor uses findings from a number of reports to illustrate his point that advances in technology are facilitating cybercrime.
ForgeRock launches Sandbox-as-a-Service to facilitate compliance
The cloud-based testing environment for APIs enables banks to accelerate compliance with Open Banking and PSD2 deadlines.
Cloud application attacks in Q1 up by 65% - Proofpoint
Proofpoint found that the education sector was the most targeted of both brute-force and sophisticated phishing attempts.