Earlier this week, a security firm managed to trick Apple’s Face ID on the iPhone X, unlocking it without the registered user. It turns out the sophisticated methods involved in their attempt might not have even been needed, as Face ID has once again been duped, this time by a 10-year-old.
While Bkav Corp’s attempt required a 3D printer, a mask designed with the consent of the registered user and at least $150-worth of materials, all 10-year-old Ammar Malik needed was his mother’s smartphone.
As described in Wired, Malik was curious about the new flagship design, picking the iPhone X up only for it to surprisingly pass the biometric security and log him straight in. Unfortunately for his mother, Sana Sherwani, this gave young Ammar access to all of her personal data.
“It was funny at first,” Malik’s father told Wired. “But it wasn’t really funny afterward. My wife and I text all the time and there might be something we don’t want him to see. Now my wife has to delete her texts when there’s something she doesn’t want Ammar to look at.”
While Malik also tried his father’s iPhone X, he only got the same result on one occasion and has since been unable to replicate it. His mother’s phone, however, seems to be permanently accessible via Face ID.
After a bit of troubleshooting, it was determined that the cause of the problem was related to how Face ID was originally registered. Upon re-doing the process under better lighting conditions, Sherwani was able to ensure that the biometric scan wasn’t bypassed by her son’s face. The problem returned when the process was conducted yet again under low light, which makes the cause pretty conclusive.
While attempting the process in a brighter room will solve a lot of issues, allowing the smartphone to pick up on more distinct features, this problem isn’t an isolated one. There have been many cases of siblings, even those with larger age gaps, being able to get into devices with ease despite not being registered on them.
This problem is driven by users accidentally training their devices to recognise siblings, a side effect of the built-in AI. If the device rejects an attempt to access the phone via Face ID and the security PIN is then entered straight after, it will treat the rejection as its own mistake and attempt to learn the features of the person using it.
This scenario often plays out with the owner showing someone the phone, only for it to reject the other person. The owner will then unlock it for them, and as the temporary user tinkers about, the iPhone X is scanning away all the while, learning this new person. This was not what happened in the case of Malik, however, as Sherwani insists it unlocked the very first time he picked up the phone.
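The reject-then-PIN learning described above can be shown with a toy model. This is an added example, not Apple's algorithm or code from the article: the feature vectors, the threshold, the learning rate and the `near_miss_margin` gate are all constructed assumptions.

```python
import math

THRESHOLD = 0.30    # assumed: largest distance that still counts as a match
LEARN_RATE = 0.25   # assumed: how far the template moves per adaptation

# Constructed sample "face" feature vectors (not real biometric data).
OWNER = [0.5, 0.5, 0.5]
SIBLING = [0.9, 0.5, 0.8]   # distance 0.5 from OWNER: rejected at first

class FaceTemplate:
    def __init__(self, enrolled, near_miss_margin=None):
        self.vec = list(enrolled)
        # Hypothetical mitigation: only learn from rejects that were
        # within this margin of the threshold. None = always learn.
        self.near_miss_margin = near_miss_margin

    def matches(self, face):
        return math.dist(self.vec, face) <= THRESHOLD

    def pin_after_reject(self, face):
        """A rejected scan followed by the correct PIN: the device assumes
        it wrongly rejected the owner and pulls the template toward `face`."""
        d = math.dist(self.vec, face)
        if (self.near_miss_margin is not None
                and d > THRESHOLD + self.near_miss_margin):
            return False    # too unlike the template to be the owner
        self.vec = [t + LEARN_RATE * (f - t) for t, f in zip(self.vec, face)]
        return True

def cycles_until_unlock(template, face, max_cycles=20):
    """Count reject+PIN cycles before `face` unlocks; None if it never does."""
    for n in range(max_cycles + 1):
        if template.matches(face):
            return n
        template.pin_after_reject(face)
    return None

if __name__ == "__main__":
    naive = FaceTemplate(OWNER)
    print("ungated:", cycles_until_unlock(naive, SIBLING), "cycles")
    print("owner still matches:", naive.matches(OWNER))
    gated = FaceTemplate(OWNER, near_miss_margin=0.10)
    print("gated:", cycles_until_unlock(gated, SIBLING))
```

In the ungated run the template drifts far enough to accept both faces, so the owner sees nothing change. The gate only helps against faces well outside the threshold, so a closely resembling relative can still be learned.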
For now, the only possible methods to avoid this are to ensure the set-up phase is conducted under good lighting conditions, implement a security PIN as mandatory alongside Face ID, or turn Face ID off; if that isn’t an option, try it out on every member of the family until you feel secure.
KitGuru Says: It seems that Face ID just isn’t that secure yet, and users should be wary of using such a temperamental security measure. It is looking more and more likely that Apple has perhaps lowered the specs of the technology, despite its denial. Have you had issues with Face ID?