Apple claims the facial recognition system on the new iPhone X is impervious to being fooled by photos, impersonators and masks, but a team of hackers claim to have beaten the technology after just a week.
Cyber security firm Bkav says a 3D-printed mask costing just $150 (£115) to make has fooled the Face ID software, which is used to unlock the iPhone X, authorise payments and log in to apps.
The researchers said it proved that Face ID is “not an effective security measure”, although making the mask did require a detailed facial scan, and would be difficult for normal users to replicate.
When the iPhone X was unveiled in September, Apple touted the security benefits of Face ID, saying there is a one in a million chance of another person being able to unlock it, and that it had stress-tested the technology using silicone masks made by Hollywood studios.
Bkav constructed the mask using a combination of 3D printing, a silicone nose and printed images of the eyes. A video released by the company appears to show Face ID being fooled when a cloth covering the mask is removed.
Face ID differs from the image recognition techniques used in many other electronics, which have been easily fooled by mere photos of the target. The iPhone X uses a technique called dot projection, which directs beams of infrared light at the user’s face to create a 3D image, and uses artificial intelligence to “learn” the person’s face.
Apple has used a fingerprint sensor embedded in the home button for iPhone security for several years, but removed the home button on the iPhone X to make room for a bigger screen, leading it to develop Face ID.
Bkav said the mask it used to fool the phone could not be replicated by everyone but was simple enough for hackers to make, with the 3D scanners needed to map a person’s face relatively easy to find. “Exploitation is difficult for normal users, but simple for professional ones,” it said.
It claimed the technique used to beat the security could be used to target politicians, billionaires and chief executives. As well as unlocking a phone, Face ID is used to log in to banking apps and authorise Apple Pay.
Bkav has previously demonstrated security flaws with laptop face recognition systems.
Apple has said that Face ID is not suitable for children under 13 or for twins, suggesting they use a passcode instead. The company did not respond to a request for comment on Bkav’s findings.