A $150 Mask Beats Apple’s Face ID System

Remember when Android tried to bring out a facial recognition system, and it was beaten by someone holding up a photo to the device’s camera? Oh, sure, we laughed about it then, but it represented a serious problem for the field of biometrics in general. Fast forward a few years to Apple’s Face ID, a system that was supposed to be so powerful that some banks were using it as an authentication tool. Recent news reveals that even Face ID has been hacked, though not using something so simple as a photo. No, this time, it took a $150 mask.

The reports say that Bkav, a Vietnamese cybersecurity company, took a mask involving a 3D-printed face and 2D printed eyes, and used that to reset the facial enrollment process. Following that, the user then enrolled his own face instead and used that to unlock the iPhone X involved in testing. Bkav referred to the mask as an “artificial twin,” as it was similar to an earlier mask it used to hack Face ID.

In perhaps an odder twist, Bkav isn’t filling in Apple on how it made the masks in question. This is actually good news, as Apple’s not responding to any other media inquiries, suggesting it may already be at work on a solution. Bkav didn’t elaborate on whether or not its process could be duplicated in the real world, either. It would take an accurate scan of a person’s face, and then the process of 3D printing would have to begin.

Yes, “theoretically.” Sure, you have to engage in a process that makes Darkman’s Peyton Westlake’s look like children making masks with paper grocery bags, but it’s “theoretically” possible. It’s “theoretically” possible to do a lot of things. Yet still, in the end, there is a way to break Face ID, and it’s another significant setback to the whole facial recognition concept.

Granted, it’s good news in a way—before it just took a photograph, now it takes a 3D-printed mask, next time it might take studio-quality latex and a team of sculptors—as it’s showing advancement, but it’s still kind of shaky, especially for folks who use smartphones for banking and Face ID for authentication.