New 3D Printed Mask is Even Better at Fooling iPhone X’s Face ID

By now, most people know about the Vietnamese security firm that fooled Apple’s new cutting-edge security feature, Face ID, which was introduced as part of the iPhone X. The idea behind Face ID is that everyone’s face is unique, so it’s a foolproof way to secure your phone. The technology behind it is impressive, too; Apple’s TrueDepth camera analyzes and creates a detailed depth map of your face using more than 30,000 invisible dots. Those dots are used to create a 3D image of your face, which is remembered by artificial intelligence within the phone; your face is then the only one that can successfully unlock the phone.

Of course, Apple was quickly reminded that not every face is completely unique; twins were able to unlock their siblings’ phones easily. The worst thing that might come of one twin hacking into another’s phone might be some inappropriate text messages to crushes, but what if a “twin” could be created for the purpose of breaking into the phone of a high-ranking business or government official? Cybersecurity company Bkav recently proved that Face ID could be fooled by a 3D printed mask, though the company did admit that it would be hard to reproduce such a mask without sophisticated 3D scanning equipment and detailed knowledge of how Apple’s AI system works.

Now, however, Bkav has upped its game. The company has created a new 3D printed mask from stone powder with 2D printed infrared images of eyes glued on. While it took several hours and a lot of effort to unlock the phone with the first mask, it took only seconds to unlock it with the new one, working as simply as it would for a twin. According to Bkav, the new mask required no learning of Face ID.

“About 2 weeks ago, we recommended that only very important people such as national leaders, large corporation leaders, billionaires, etc. should be cautious when using Face ID,” said Ngo Tuan Anh, Bkav’s Vice President of Cyber Security. “However, with this research result, we have to raise the severity level to every casual users: Face ID is not secure enough to be used in business transactions.”

When the iPhone X was launched, Apple issued a recommendation that anyone with an identical twin protect sensitive information with a passcode, and Bkav now says that Apple should caution all users to use a passcode to protect sensitive data. Which raises the question – why not just use a passcode to unlock phones in the first place? Yes, they can be hacked, but so, apparently, can facial ID data. The most secure way to protect a phone, said Bkav, is still a fingerprint. While those too can be reproduced using 3D printing, it’s much more difficult – especially because now Bkav has been able to create detailed 3D scans of people’s faces simply by setting up hidden cameras at various angles around a room and using photogrammetry.

“Security should approximate to absolute, and AI should only be a supplement, not the sole security base for Face ID like the way Apple is working on,” said Nguyen Tu Quang, CEO of Bkav. “AI, in any way, is now still human-made and it does at its best based on the experience of its creators and trainers, here is Apple. Thus, anyone who is more experienced than the creator can bypass it.”

See how easily Bkav beat Face ID below:

Discuss this and other 3D printing topics at 3DPrintBoard.com or share your thoughts below.