sb-eu logo
Story image

Will the iPhone X's Face ID be hackable? Security expert weighs in

02 Oct 2017

The iPhone X’s facial recognition technologies have been called into question by a security consultant at global tech firm Synopsys, who claims that no facial recognition technology is ever unbeatable.

Nikola Cucakovic posted a blog titled ‘How secure is iPhone X Face ID facial recognition’, which analysed the widespread adoption of facial recognition as a means of biometric access control.

According to Cucakovic, any facial recognition technology must be able to consistently and securely identify the right person. But that technology comes with many attack vectors threat actors can use to beat the system.

While the iPhone X is not on the market yet, information about how its Face ID works has been widely circulated.

A flood illuminator can detect a face in any light conditions and the infrared camera can also take a picture. Using a projector comprised of more than 30,000 dots, the image and dot pattern are used to create a mesh in the ‘neural network’.

Every time a user looks at the device, the image is compared to the mesh. In the case of a match, the device is unlocked.

However, Cucakovic notes, Apple’s SVP of worldwide marketing Phil Schiller admitted that there is a one in a million chance that somebody else could unlock a device that it not theirs with their own face… especially if it’s your ‘evil twin’.

Apple’s Touch ID is subjected to a one-in-50,000 chance that somebody else could use their fingerprint to unlock someone else’s device – and it has been done by the Chaos Computer Club.

“While it’s not impossible to obtain someone’s fingerprint, we can say that it’s definitely more difficult than simply obtaining an image of someone’s face—especially since social media and technology are so integrated into modern-day life that photos are everywhere,” Cucakovic says in the blog.

“What Apple must therefore ensure is that even with a photograph of the victim’s face, an attacker cannot access the phone. Many facial recognition technologies released to date have been circumvented using rudimentary techniques, including printed photographs, digital photographs, animated digital photographs, and 3D models.”

While Apple claims it has worked to protect against these threats, nobody will know for sure until the device is on the market.

For enterprises ‘wishing to be at the forefront of technology’, Cucakovic believes that Apple’s Local Authentication API, which will be used for both fingerprint and facial recognition, will be easily adopted.

“However, for some organizations, there may have been a period of analysis and review concerning Touch ID before it was approved/risk-accepted for use within the enterprise (or for use in their externally visible App Store apps),” Cucakovic states.

“Those organizations may not have assessed the risks concerning facial recognition or approved the technology for enterprise use. On Day 1 when the iPhone X is released, all apps that support Touch ID will support Face ID. This means that users of corporate devices will be able to use facial recognition even if their organisations aren’t okay with that. Organizations should start to evaluate whether Face ID is appropriate for use now, ahead of the iPhone X release, to adjust their policies in time.”

Story image
Gartner predicts 75% of CEOs to be liable for cyber-physical security incidents by 2024
The nature of CPSs means incidents can quickly lead to physical harm to people, destruction of property or environmental disasters – and Gartner’s new research indicates that these incidents will increase drastically in the next few years if the lack of spending on these assets continues.More
Story image
Interview: Check Point profiles 5 battles that SOC teams face in 2020
Security operations centres (SOCs) are often the first lines of defence.More
Story image
California's CCPA now enforced worldwide
“The expansive reach of the CCPA and scope of data it covers can make compliance feel daunting to many,” comments ISACA Privacy Group member David Bowden.More
Story image
Research: 61% of companies have suffered an insider attack in last 12 months
It comes as rapid migration to cloud and remote working and BYOD scenarios leave organisations increasingly vulnerable to insider attacks as a result of the upheaval caused by the COVID-19 pandemic.More
Story image
Misinformation on the rise, organisations consider how best to respond
The increase in misinformation and fake domains have left organisations perceiving the threat level to be ‘very significant’, with a third planning greater emphasis on their ability to respond in coming months.More
Story image
Bitglass receives US patent for SAML technology
Bitglass designed its SAML relay to allow a cloud access security broker (CASB) to be inserted into the traffic flow between users and cloud services during the login process.More