You’ve probably already heard by now that a Vietnamese “security firm” (a fancy name for a front for hackers) called Bkav has announced a successful hack of Face ID. Let the uproar begin. However, while everyone in the tech press loses their minds and attempts to pull in a boatload of easy clicks over this, let’s take a brief moment to step back and look at what has been reported in some context.
Nothing New Under the Sun
It would be one thing if Face ID getting hacked shortly after the release of the iPhone X were an isolated event. It most definitely is not. Roll the clock back to September of 2013 and the release of the iPhone 5S and Touch ID. Marc Rogers spoofed it with a fabricated fingerprint within days of release. We have all grown to know and love Touch ID for its relative security and, most of all, its convenience. Still, anyone who could lift a high quality fingerprint and had the right equipment could bypass it with a little time and effort.
Apple’s Touch ID and Face ID are not exceptions, either. We all know that Samsung’s facial recognition can be spoofed with a good quality photo. It is also well known that its more secure Iris Scanner has been bypassed. Like Touch ID, it takes a little work and know-how, but anyone with some expertise who really wanted to could probably pull it off…if they could get a high quality, close-up photo of your eyes. That is a big if, which I will come back to in a minute.
My first point is that every hacker on the planet attacks the latest high profile security measure as soon as it ships. Being first brings a great deal of credibility in the hacker community, as well as a ton of publicity. As such, individual hackers, security firms, and collectives are going to pour time and money into producing a bypass before anyone else does. You had better believe that Apple and Samsung are both at the top of the list of prime targets.
If It Was Easy, Everyone Would Do It
While the video that Bkav released poked fun at Apple for Face ID not being secure enough, we still aren’t talking about something that most people are going to be both willing and able to do. The materials may have cost them only around $150, but that figure assumes the perpetrator already owns a 3D printer capable of producing an accurate frame to mount those materials on, and such a printer drives the price up considerably if you don’t. Then there is the fact that time IS money, at least for people like me, and for “security firms” as well. This group almost certainly burned $1,000 or more in labor hours putting the hack together. It is not nearly as cheap and easy as they want it to sound.
Also, and this is the key, you still need physical access to the person’s face, not just a high quality picture, to pull this off. It’s the same with needing a high quality fingerprint that can be molded to fool Touch ID, and a high quality close-up picture of someone’s eyes to spoof Samsung’s Iris Scanner. This is not something you have to worry about common thieves doing. Your local police department or county sheriff’s office likely can’t do it either, though they may be able to hire someone who can. At the level of State agencies the risk grows. At the Federal level, you should assume they can bypass whatever you have, short of a strong passcode of 12 or more characters.
A Spectacular Failure
I would definitely recommend that anyone who is worried about this Face ID hack read Andy Greenberg’s article in Wired from November 3, entitled We Tried Really Hard to Beat Face ID, and Failed (So Far). Wired spent the month after the iPhone X announcement trying to fool Face ID, and they enlisted help from the pros, as you can see here:
A month ago, almost immediately after Apple announced Face ID, WIRED began scheming to spoof Apple’s facial recognition system. We’d eventually enlist an experienced biometric hacker, a Hollywood face-caster and makeup artist, and our lead gadget reviewer David Pierce to serve as our would-be victim. We ultimately spent thousands of dollars on every material we could imagine to replicate Pierce’s face, down to every dimple and eyebrow hair.
For any reader with face-hacking ambitions, let us now save you some time and cash: We failed.
From this point forward, those with the money and the wherewithal to take a run at Face ID on an iPhone X will have a template to work from. Even so, the Wired article demonstrates that time and money alone won’t beat these systems, especially not on the first try. It takes a certain amount of skill and, in some cases, a little luck.
Software Can Save the Day
Keep this in mind if you are freaking out about Face ID right now. If the system’s balance of security and accuracy needs to be tweaked, that can be done via a software update. Let me be clear that I don’t believe this will be necessary to protect the majority of iPhone users. However, as long as a potential vulnerability doesn’t hinge on the hardware (as was the case with the Touch ID hack), the level of similarity required to get a positive match can be tightened. The trade-off is that a tighter threshold also turns away more legitimate owners, so it is a dial, not a free win. In the case of Face ID, Apple should be able to modify the software to make the system more secure if it did turn out to be necessary.
Mobile Security Isn’t Meant to be Impenetrable
This is the last point to consider when it comes to the security measures that come on our phones. No matter what the person standing on stage from Apple, or Samsung, or Microsoft, or whoever tells you, these biometric measures aren’t built to be completely secure. Get that straight right off the bat. They are meant to do three things. First, they have to strike a balance between security and convenience. Second, they have to fit in a small space. Third, they have to be producible at scale. THESE are the rules that govern mobile biometrics, so don’t be surprised when they get hacked within a month of release.
The vast majority of users are most concerned with the balance of security and convenience for day-to-day use of the device. Ask yourself this: do you want your phone to be more secure, or do you want ease of use? Most people land somewhere on the ease-of-use side of that argument, and phone manufacturers know it. Mobile security has to be reliable and repeatable enough to work the first time most of the time, or users will disable it.
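Here is an added example, not code from the original post, from Apple, or from Bkav, that puts numbers on the two points above: the match threshold is the one software knob that trades false accepts (security) against false rejects (convenience), and the retry cap is what turns a per-attempt false accept rate into a bounded risk. The similarity scores are constructed for illustration, not measurements of Face ID or of anyone’s mask; the five-failure limit mirrors the one Apple documents for Face ID, but the rest of the authenticator is a toy model.

```python
"""Toy model of a biometric match threshold and retry cap.

All scores below are constructed sample data, not measurements of Face ID
or of any real sensor or spoof.
"""

# Constructed similarity scores in [0, 1]: how closely a presented face
# matched the enrolled template. Genuine = the owner on different days and
# angles; impostor = other people, photos and masks. Real distributions
# overlap, so no threshold is perfect. The 0.76 impostor score stands in
# for a mask good enough to land near the genuine range.
GENUINE_SCORES = [0.64, 0.71, 0.75, 0.78, 0.80, 0.83, 0.84, 0.86, 0.88, 0.91]
IMPOSTOR_SCORES = [0.22, 0.31, 0.35, 0.40, 0.44, 0.51, 0.58, 0.63, 0.69, 0.76]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FAR, FRR) when a presentation is accepted iff score >= threshold.

    FAR: fraction of impostor presentations accepted (the security failure).
    FRR: fraction of genuine presentations rejected (the convenience failure).
    """
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def pick_threshold(max_far, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Loosest threshold whose FAR fits the budget; returns (threshold, FAR, FRR).

    The loosest qualifying threshold is chosen because every notch higher
    costs legitimate owners more rejections. Candidates are the observed
    scores plus a sentinel above 1.0 that rejects everyone (FAR 0, FRR 1),
    so the search always terminates.
    """
    candidates = sorted(set(genuine) | set(impostor) | {1.0 + 1e-9})
    for t in candidates:
        far, frr = error_rates(t, genuine, impostor)
        if far <= max_far:
            return t, far, frr


def attacker_success(far, attempts):
    """Probability an impostor gets in within `attempts` independent tries."""
    return 1.0 - (1.0 - far) ** attempts


class LockingAuthenticator:
    """Threshold match plus a retry cap.

    After MAX_FAILURES consecutive misses the passcode is required, which
    is what bounds how many tries a mask or photo gets. The five-try cap
    mirrors the limit Apple documents for Face ID; the rest is a toy.
    """

    MAX_FAILURES = 5

    def __init__(self, threshold):
        self.threshold = threshold
        self.failures = 0
        self.locked = False

    def present(self, score):
        """Offer one biometric sample; returns the outcome as a string."""
        if self.locked:
            return "passcode_required"
        if score >= self.threshold:
            self.failures = 0
            return "unlocked"
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked = True
            return "passcode_required"
        return "rejected"

    def enter_passcode(self):
        """A correct passcode re-arms biometrics (the passcode check itself is not modelled)."""
        self.failures = 0
        self.locked = False


if __name__ == "__main__":
    for t in (0.60, 0.70, 0.78):
        far, frr = error_rates(t)
        print(f"threshold {t:.2f}: FAR={far:.2f} FRR={frr:.2f} "
              f"attacker success in 5 tries={attacker_success(far, 5):.2f}")
    print("loosest threshold with FAR <= 0.1:", pick_threshold(0.1))
```

Run it and the numbers make the blog’s argument for it: the threshold that shuts out the convincing mask (0.78) also rejects three in ten genuine unlock attempts on this data, which is exactly the kind of friction that makes people turn a biometric off, while a looser threshold with a 10% per-try FAR still leaves an attacker with a 41% chance of getting in before the five-try cap forces the passcode.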
I know this doesn’t apply to everyone. There are users and organizations that demand more security than mobile biometric systems like Face ID can provide. The ability to set a strong passcode is there for them, and it is worth remembering that Face ID never replaces the passcode entirely: the iPhone still demands it after a restart, after five failed face matches, and when the phone hasn’t been unlocked for 48 hours. But make no mistake, typing a long passcode all day is far from convenient. Again, it is all about the balance between the two.
Let’s be real here- the people who favor security over convenience are the exception, not the rule. Most of us want to be able to protect our phones from prying eyes and common thieves. If you suspect that either the Federal government or a hacker collective is after you, you might want to switch over to that secure password…right after either hiring a good lawyer or maybe having a chat with a psychiatric professional. Otherwise, you are still ok for now.
I’ll close with a common analogy. I could buy the most expensive security system that I can afford to protect my home, but I would be putting it in KNOWING that it can be beaten and bypassed by an experienced “professional” burglar. However, that level of burglar couldn’t care less about what’s in my house, so I really don’t have to worry very much about them. I’m concerned with petty criminals who likely aren’t going to be savvy enough to get around such a system. Such a system is completely appropriate for the people it’s designed and built to ward off.
As far as I am concerned, there is no difference between mobile device biometrics and home security. Both are built to be easy enough for the owner to use that they don’t just disable and abandon them, and to thwart a certain level of criminal or would-be hacker. There is virtually no security system that is completely unbeatable; there are only systems expensive enough to beat that nobody bothers.
With that being true, it is unrealistic to expect mobile device biometrics to be unbeatable. Maybe the attention focused on this event is more a product of companies like Apple and Samsung overplaying their hands on their security measures to grab headlines at launch. A word to the wise: don’t buy the hype. Face ID isn’t meant to be completely secure. Neither is any other mobile biometric system. They are meant to be convenient and secure enough.
What do you think about Face ID in light of this hack? Are you having second thoughts about purchasing the iPhone X? Are you considering disabling Face ID, or maybe turning off features like Apple Pay? Or, like me, are you not too worried about this, in context? Let me know what you think in the Comments section below, on Flipboard, on our Facebook page, or on Twitter @iPadInsightBlog.