Earlier this month, Vietnamese cybersecurity firm Bkav released a video supposedly showing how it could trick the iPhone X’s Face ID using a mask. Some skeptics questioned its authenticity and whether the method could bypass the phone’s attention detection system. Now, the company has released a second video that reveals more about its spoofing method and the mask's effectiveness.
The fact that Bkav never showed the Face ID enrolment process in its original clip had raised some eyebrows, but the new video records the whole setup. This time, a new 3D-printed mask made from stone powder rather than paper tape is used, while the 2D-printed eyes are again present.
In this clip, we see the researcher capture his Face ID profile in real time. He points out that “Require Attention for Face ID” and “Attention Aware Features” are both enabled, which means users have to look directly at their handsets to use Face ID.
After proving the system is working normally by using his own face, the demonstrator holds the iPhone X in front of the mask and the phone unlocks.
Bkav says the new mask costs around $200 to make. It has dubbed it the “artificial twin,” as the method copies the way Face ID can be fooled by a user’s identical (or near identical) sibling. At the iPhone X launch event, Apple admitted its facial recognition tech could be tricked by an “evil twin,” but assured people it had worked with Hollywood studios to prevent masks being used as hacking tools.
"About two weeks ago, we recommended that only very important people such as national leaders, large corporation leaders, billionaires, etc., should be cautious when using Face ID," said Ngo Tuan Anh, Bkav's vice president of cybersecurity. "However, with this research result, we have to raise the severity level to every casual user: Face ID is not secure enough to be used in business transactions."
Everyday users have little to worry about, of course. Real-world attacks using this method would require an accurate scan of a victim’s face (Bkav used a 3D scanning booth for its images), and we still don’t know the exact details of how the mask was created.
Bkav said it didn’t tell Apple about the latest technique as the Cupertino company never responded to media reports about the last mask-based hack.