Using a composite 3D-printed mask, a team of Vietnamese researchers claim to have fooled Apple's Face ID authentication system seen in the "super-premium" iPhone X, stressing that face recognition is "not mature enough" to guarantee security for smartphones.
At iPhone X launch event, Apple's Senior Vice President Phil Schiller had claimed that Face ID can distinguish between a real human face and a mask, thanks to its artificial intelligence (AI).
Using a 3D printer, the team at Vietnamese security firm Bkav created a mask that cost them $150 (roughly Rs. 9,810) and is claimed to fool Face ID.
"Nose was made by a handmade artist. We use 2D printing for other parts (similar to how we tricked Face Recognition nine years ago). The skin was also hand-made to trick Apple's Artificial Intelligence," Bkav said in a blog post.
"The mask is crafted by combining 3D printing with makeup and 2D images, besides some special processing on the cheeks and around the face, where there are large skin areas, to fool AI of Face ID," said Ngo Tuan Anh, Bkav's Vice President of Cyber Security.
The Bkav security experts who also posted a video on how they did this, said that Face ID can be fooled by mask, which means it is not an effective security measure.
In 2008, Bkav claims it was the first company in the world to show that face recognition was not an effective security measure for laptops when Toshiba, Lenovo, and Asus used this technology for their products.
"Many people in the world have tried different kinds of masks but all failed. It is because we understand how AI of Face ID works and how to bypass it," the firms said on its FAQ page.
"In the future, we might use smartphones with 3D scanning capabilities (like Sony XZ1); or set up a room with a 3D scanner, a few seconds is enough for the scanning (here's an example of a 3D scanning booth)," it added.
Face ID projects more than 30,000 invisible IR dots and claims to only unlocks iPhone X when customers look at it and is designed to prevent spoofing by photos or masks.
Apple's Face ID technology uses a TrueDepth camera system made up of a dot projector, infrared camera, and flood illuminator, and is powered by A11 Bionic to accurately map and recognise a face.
According to the security firm, the recognition mechanism is not as strict as one thinks and Apple seems to rely too much on Face ID's AI.
"We just need half a face to create the mask. It was even simpler than we ourselves had thought," Bkav said.
According to the security firm, if exploited, Face ID can create problems.
"Potential targets shall not be regular users, but billionaires, leaders of major corporations, nation leaders, and agents like FBI need to understand the Face ID's issue [sic]."
"Security units' competitors, commercial rivals of corporations, and even nations might benefit from our Proof of Concept," Bkav noted.
As for biometric security, fingerprint is the best, said the firm which discovered the first critical flaw in Google Chrome just days after its launch in 2008.