Categories
Face ID Hack Hardware iPhone News security

Bkav hacking group bypasses Face ID, shows second proof of concept mask

In spite of Face ID being an impressive feature, yet another successful proof of concept/hack seems to have taken place.

The security system, which has apparently been fooled by twins, children, and a mask has once again been bypassed by Vietnamese security company Bkav, which made headlines in mid-November after uploading a video featuring Face ID accessed by a mask. Though successful as a proof of concept, there were several questions about the unlocking methods used in the video, including whether “Require Attention” was turned on. On Monday, Bkav shared a second video with a new mask and a clearer look at how the mask was used to spoof Face ID.

The company used a 3D printed mask made of stone powder, which can be replicated for approximately $200. 2D infrared images of eyes were then taped over the mask to emulate real eyes.


Bkav reset Face ID on camera and then set it up anew with the demonstrator’s face. “Require Attention for Face ID” and “Attention Aware Features” were both shown to be enabled on the iPhone X. For those unfamiliar with this, “Require Attention for Face ID” is meant to add an extra layer of security by requiring the users to look at your iPhone to use Face ID, and it’s a feature designed to prevent Face ID from unlocking with a mask, with a photograph, or when you’re looking away from your phone.



Upon activating Face ID, the demonstrator is able to unlock the iPhone X with both his own face and once again with the mask. The mask appears able to unlock the iPhone X on the first attempt and with no learning or repeated attempts, the mask’s 2D infrared eyes appearing to fool the “Require Attention for Face ID” setting.

Bkav claims the materials and tools used to create the mask are “casual for anyone” and that Face ID is “not secure enough to be used in business transactions,” but it’s worth noting that fooling Face ID in this way requires a 3D printer, several hundred dollars worth of materials, physical access to a person’s iPhone X, and detailed facial photographs that can be used to reconstruct a person’s face. Even then, if the 3D printed mask and the design of the infrared eyes aren’t perfect, Face ID will fail after five attempts.

Apple has offered the following description of its Face ID technology:

Face ID matches against depth information, which isn’t found in print or 2D digital photographs. It’s designed to protect against spoofing by masks or other techniques through the use of sophisticated anti-spoofing neural networks. Face ID is even attention-aware.

So, this is something to keep Apple’s security and Face ID teams busy for a while.

Stay tuned for additional details as they become available.

Via MacRumors