Researchers at the security vendor Bkav Corporation found a way to bypass iPhone X security by tricking Face ID, Apple’s facial recognition technology.
The team at the Vietnam-based company was able to unlock an iPhone X using a mask made out of a 3D-printed frame, a handmade silicone nose and some 2D pictures layered on top of the mask. The whole experiment used only about $150 worth of materials, but it required a lot of know-how, according to Bkav.
“It is quite hard to make the ‘correct’ mask without certain knowledge of security,” said Bkav’s CEO Nguyễn Tử Quảng. “We were able to trick Apple’s AI … because we understood how their AI worked and how to bypass it.”
The Bkav research team didn’t start trying to bypass the iPhone X security feature until the device was released on Nov. 5, 2017, but they were successful almost immediately and published their findings on Nov. 9.
“Everything went much more easily than you expect,” said Quảng, noting that Apple’s Face ID still works when the user covers up half of their face, so only half of the face needs to be reproduced convincingly to fool it. “Apple seems to rely too much on Face ID’s AI. We just need a half face to create the mask. It was even simpler than we, ourselves, had thought.”
This is not the first time this company has been able to break facial recognition technology. In 2008, Bkav demonstrated the security flaws in facial recognition for laptops.
“So, after nearly 10 years of development, face recognition is not mature enough to guarantee security for computers and smartphones,” wrote the Bkav researchers in their report on the experiment, adding that for biometrics security, fingerprint scanning is the best option.
However, the Bkav researchers also noted that not everyone has to worry about this iPhone X security issue. “Potential targets shall not be regular users, but billionaires, leaders of major corporations, nation leaders and [agencies] like FBI need to understand the Face ID’s issue,” the company wrote. “Security units’ competitors, commercial rivals of corporations, and even nations might benefit from our PoC [proof of concept].”
Bkav’s PoC could also feed into the tension between law enforcement and Apple over encryption and locked iPhones. Apple famously refused to help unlock the iPhone used by the gunman in the 2015 San Bernardino, Calif., shooting: the FBI obtained a court order directing Apple to assist so investigators could examine the phone’s contents, the company fought the order, and the dispute sparked an ongoing debate over encryption backdoors for law enforcement. If investigators could reliably reproduce Bkav’s proof of concept against a seized device, that would change the calculus, with one practical limit worth noting: Face ID falls back to the passcode after five failed match attempts, after a restart, or when the phone has not been unlocked for 48 hours, so a mask attack has a narrow window and never yields the passcode that protects the device’s encryption keys.
“Exploitation is difficult for normal users,” Bkav wrote, “but simple for professional ones.”
In other news
- Equifax has taken control of 138 domains that mimicked the company’s breach response website. The real website was created in September 2017 following the data breach that exposed the personal and financial information of around 145 million U.S. consumers. Separate from the corporate site, Equifax set up www.equifaxsecurity2017.com so that consumers could check whether their data had been exposed and learn about follow-up steps if it had. Equifax’s web presence was separately reported to have served visitors a fake Adobe Flash update through a compromised third-party script, and the breach site itself became a target for typosquatting: a Hong Kong-based company called China Capital Investment Limited bought 138 domains through GoDaddy that differed from the legitimate Equifax domain by a single substituted, dropped or transposed character, such as eauifaxsecurity.com, equifaxsecuiry2017.com and equifavsecurity2017.com. According to Gizmodo, China Capital Investment started buying up these domains within 24 hours of the Equifax breach announcement.
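The lookalikes above are all within a couple of edits of the real domain, which is exactly what a defender’s watch list should catch. The following is an added example written for this page, not Equifax’s or GoDaddy’s own tooling: it strips a candidate domain down to its registrable label, measures its optimal-string-alignment distance (insertions, deletions, substitutions and adjacent swaps) from the legitimate label, and flags anything within two edits. The three lookalike domains are the ones named in the text; the other candidates on the list are constructed for the example.

```python
"""Added example: flag typosquat domains for a breach-response site.

Illustrative code for this page, not tooling from Equifax or GoDaddy.
The legitimate domain and the three lookalikes come from the article;
the remaining candidates are constructed controls.
"""

LEGIT_DOMAIN = "www.equifaxsecurity2017.com"

# Constructed watch list: the lookalikes from the text plus two controls.
CANDIDATES = [
    "eauifaxsecurity.com",
    "equifaxsecuiry2017.com",
    "equifavsecurity2017.com",
    "equifaxsecurity2017.com",
    "example.com",
]


def registrable_label(domain: str) -> str:
    """Return the lower-cased second-level label: 'www.Foo.com' -> 'foo'.

    Assumes a one-label public suffix such as .com; real tooling would
    consult the Public Suffix List so that 'foo.co.uk' also yields 'foo'.
    """
    parts = domain.lower().strip(".").split(".")
    if parts and parts[0] == "www":
        parts = parts[1:]
    return parts[-2] if len(parts) >= 2 else parts[0]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance between two strings.

    Counts insertions, deletions, substitutions and swaps of adjacent
    characters, which is how typos such as 'secuiry' for 'security' arise.
    """
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution or match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[rows - 1][cols - 1]


def strip_digits(s: str) -> str:
    """Drop digits so 'equifaxsecurity2017' compares as 'equifaxsecurity'."""
    return "".join(ch for ch in s if not ch.isdigit())


def classify(candidate: str, legit: str = LEGIT_DOMAIN, max_distance: int = 2) -> str:
    """Return 'legit', 'typosquat' or 'unrelated' for one candidate domain."""
    cand, ref = registrable_label(candidate), registrable_label(legit)
    if cand == ref:
        return "legit"
    # Compare both as-is and with the year dropped, so that a squat such as
    # 'eauifaxsecurity' is still measured against 'equifaxsecurity'.
    distance = min(osa_distance(cand, ref),
                   osa_distance(strip_digits(cand), strip_digits(ref)))
    return "typosquat" if distance <= max_distance else "unrelated"


def scan(candidates=CANDIDATES, legit=LEGIT_DOMAIN) -> dict:
    """Classify every candidate against the legitimate domain."""
    return {c: classify(c, legit) for c in candidates}


if __name__ == "__main__":
    for domain, verdict in scan().items():
        print(f"{domain:32} {verdict}")
```

The distance threshold of two is a judgment call: tighter thresholds miss squats that combine two typos, looser ones start flagging unrelated brands. In practice this check is run against new-registration feeds (certificate transparency logs or zone-file diffs) rather than a hand-written list.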
- In this month’s Patch Tuesday, Microsoft rolled out a fix for a 17-year-old vulnerability in Microsoft Office, CVE-2017-11882. The flaw is a remote code execution vulnerability in the Equation Editor component (EQNEDT32.EXE) that ships with Office, a legacy binary last compiled in 2000, and the company did not previously know about it. Researchers at security firm Embedi discovered the flaw, which exists in all versions of Microsoft Office released over that period and, if successfully exploited, could enable an attacker to run arbitrary code with the privileges of the logged-in user. Also on Patch Tuesday, Adobe released patches for 80 vulnerabilities across nine of its products; 56 of the vulnerabilities were in Acrobat and Reader alone, and the others were spread over Flash Player, Photoshop, Connect, DNG Converter, InDesign, Digital Editions, Shockwave Player and Experience Manager. While Adobe says that none of the vulnerabilities were exploited in the wild, many of them were classified as critical.
- A new strain of malware known as FALLCHILL is being used by a hacking group associated with the North Korean government. The U.S. Department of Homeland Security (DHS) and the FBI issued a joint alert (US-CERT TA17-318A) stating that the FALLCHILL remote administration tool was used by the group known as Hidden Cobra, or the Lazarus Group, to break into organizations in the aerospace, telecommunications and financial industries. “[The] FBI has high confidence that Hidden Cobra actors are using the IP addresses — listed in this report’s IOC [indicators of compromise] files — to maintain a presence on victims’ networks and to further network exploitation,” the alert stated. “DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to North Korean government malicious cyber activity.” The Lazarus Group is believed to be behind hacks such as those on Sony Pictures Entertainment and Bangladesh’s central bank.
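An IOC file of IP addresses is only useful once it is run against the traffic a network actually saw. The following is an added example, not code from the alert or from DHS/FBI: it loads a list of indicator addresses and CIDR ranges, sweeps a set of firewall log lines for any source or destination inside them, and reports the internal hosts that completed outbound connections to an indicator. The IOC entries and log lines are constructed for the example using RFC 5737 documentation addresses; they are not the addresses from the real alert, and the log format is an assumed key=value style rather than any particular vendor’s.

```python
"""Added example: match a published IOC list of IP addresses against
firewall logs. Constructed data throughout; not the alert's real IOCs."""

import ipaddress
import re

# Constructed IOC list (RFC 5737 documentation ranges), standing in for the
# addresses distributed with the alert. Bare IPs and CIDR ranges both allowed.
IOC_ENTRIES = [
    "203.0.113.45",
    "203.0.113.77",
    "198.51.100.0/28",
]

# Constructed firewall log lines in an assumed key=value format.
SAMPLE_LOG = """\
2017-11-15T02:14:07Z fw01 ACCEPT src=10.0.4.21 dst=203.0.113.45 proto=TCP dport=443
2017-11-15T02:14:09Z fw01 ACCEPT src=10.0.4.21 dst=192.0.2.10 proto=TCP dport=443
2017-11-15T02:15:30Z fw01 ACCEPT src=10.0.7.8 dst=198.51.100.9 proto=TCP dport=8080
2017-11-15T02:16:02Z fw01 DENY src=203.0.113.45 dst=10.0.9.3 proto=TCP dport=22
2017-11-15T02:17:45Z fw01 ACCEPT src=10.0.4.21 dst=203.0.113.77 proto=TCP dport=80
2017-11-15T02:18:11Z fw01 DENY src=198.51.100.200 dst=10.0.7.8 proto=TCP dport=445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)"
)


def load_iocs(entries):
    """Parse IOC strings into networks; a bare address becomes a /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def ip_in_iocs(ip_str, networks):
    """True if the address falls inside any indicator network."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in networks)


def find_ioc_hits(log_text, networks):
    """Return one record per log line whose src or dst is an indicator.

    Direction is judged from which field matched: an indicator as the
    destination means an internal host reached out to it.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; real tooling would count these
        for field in ("src", "dst"):
            if ip_in_iocs(m.group(field), networks):
                outbound = field == "dst"
                hits.append({
                    "ts": m.group("ts"),
                    "action": m.group("action"),
                    "direction": "outbound" if outbound else "inbound",
                    "internal": m.group("src") if outbound else m.group("dst"),
                    "ioc": m.group(field),
                })
    return hits


def hosts_to_investigate(hits):
    """Internal hosts that completed an outbound connection to an indicator.

    Denied inbound probes are noise; an accepted outbound session to a C2
    address is the signal that a host may be running the implant.
    """
    hosts = {h["internal"] for h in hits
             if h["direction"] == "outbound" and h["action"] == "ACCEPT"}
    return sorted(hosts)


if __name__ == "__main__":
    nets = load_iocs(IOC_ENTRIES)
    hits = find_ioc_hits(SAMPLE_LOG, nets)
    for h in hits:
        print(f"{h['ts']} {h['action']:6} {h['direction']:8} "
              f"{h['internal']} <-> {h['ioc']}")
    print("investigate:", hosts_to_investigate(hits))
```

Two points the code makes explicit: ranges and single addresses are handled by the same containment test, so an IOC file can mix them, and a denied inbound connection from an indicator is recorded but not escalated, because it says nothing about whether the internal host is compromised. The 198.51.100.200 line is deliberately just outside the /28 to show that CIDR boundaries, not prefixes, decide a match.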