Recently, Thomas Brewster, who covers security and privacy for Forbes, detailed his experience using a 3D printed head – modeled after his own – to try to break into several Apple and Android phones.
Forbes had Birmingham-based 3D printing and scanning company Backface create the head; the process began with 50 cameras combining to take a single shot of Brewster’s head that made up an entire 3D image. The image was loaded into editing software to fix any errors, and the life-size model was then 3D printed out of a British gypsum powder. After a few days, Brewster received the 3D printed model of his head, which cost just over £300 to make.
“You’re then the proud owner of an uncanny, almost-spectral version of your own visage,” Brewster wrote.
Brewster used his real face to register for facial recognition across five phones: the iPhone X, LG G7 ThinQ, Samsung S9, Samsung Note 8, and OnePlus 6. Then, he tested each one with the 3D printed head model to see if he could successfully circumvent the phones’ facial recognition. Spoiler alert: while each of the Android phones was tricked, the iPhone was “impenetrable.”
Brewster noted some differences between the various Android phones’ attempts at security – the G7 warns the user right off the bat that its facial recognition can be unlocked by a similar face. But in the middle of the experiment, its facial recognition software updated and became more difficult to trick.
“It’s been long known that many implementations of facial recognition amongst Android phones have been less secure than Apple’s Face ID system. Some of those face recognition systems have been fooled with simple photographs,” the MacRumors staff wrote. “Apple’s Face ID, however, also includes IR depth mapping and attention awareness technology. The attention awareness alone may be enough to explain the inability for a static 3d printed head to unlock the iPhone X. That said, the iPhone X’s Face ID has been fooled in the past with more sophisticated printed 3d heads.”
“The facial recognition function can be improved on the device through a second recognition step and advanced recognition which LG advises through setup,” an LG spokesperson told Forbes. “LG constantly seeks to make improvements to its handsets on a regular basis through updates for device stability and security.”
The S9 also warned users that facial recognition alone was not that secure when used without a password or PIN.
“Oddly, though, on setting up the device the first presented option for unlocking was facial and iris recognition,” Brewster explained. “Whilst iris recognition wasn’t duped by the fake head’s misted-over eyes, facial recognition was tricked, albeit with a need to try a few different angles and lighting first.”
The Note 8 had an option for “faster recognition,” which even the manufacturer admitted was not as secure; however, the 3D printed head was able to unlock the phone on both settings, though the slower one did require more effort in terms of angles and lighting. The OnePlus 6, the least secure device Brewster tested, did not include a warning or a slower, more secure recognition option, and “despite some sci-fi style face scanning graphics” that the phone performed, it immediately opened for the 3D printed head.
“We designed Face Unlock around convenience, and while we took corresponding measures to optimize its security we always recommended you use a password/PIN/fingerprint for security,” a OnePlus spokesperson told Forbes. “For this reason, Face Unlock is not enabled for any secure apps such as banking or payments. We’re constantly working to improve all of our technology, including Face Unlock.”
“Apple’s investment in its tech – which saw the company work with a Hollywood studio to create realistic masks to test Face ID – has clearly paid off,” Brewster wrote.
In addition, Brewster noted that Microsoft’s new Windows Hello facial recognition was also not tricked by the 3D printed model of his head.
According to Matt Lewis, the research director at cybersecurity contractor NCC Group, a strong alphanumeric password is a far safer option when securing your device than relying on facial recognition alone.