Face ID has been defeated again, and this time it was 'simple'

Breaking into a locked iPhone X shouldn't ever be described as simple, but according to a group of security researchers, that's exactly where we find ourselves.

The same Vietnamese team that managed to trick Face ID with an elaborately constructed mask now says it has found a way to create a replicated face capable of unlocking Apple's latest and greatest biometric using a series of surreptitiously snagged photographs.

SEE ALSO: No one agrees on whether or not a dead body will unlock a smartphone

Apple has copped to the fact that Face ID, for all its technical prowess, isn't perfect. It can be tricked by twins. For most people, however, that security threat is a nonexistent one. But what about masks? The Cupertino-based company assured customers that it had designed the biometric-powered safeguard with that attack in mind — yet the researchers at Bkav are here to rain on that particular parade.

"These materials and tools are casual for anyone."

They built a relatively inexpensive mask which, according to a blog post and video demonstration, was able to fool Face ID into unlocking.

"In this new experiment, Bkav used a 3D mask (which costs ~200 USD), made of stone powder, with glued 2D images of the eyes," researchers explained in a blog post. "Bkav experts found out that stone powder can replace paper tape (used in previous mask) to trick Face ID AI at higher scores. The eyes are printed infrared images — the same technology that Face ID itself uses to detect facial image. These materials and tools are casual for anyone."

To make matters worse, getting the data needed to construct the mask could be done without the target's knowledge, the researchers wrote — no elaborate face scans or up-close photographs required.

"Bkav researchers said that making 3D model is very simple," the blog post noted. "A person can be secretly taken photos of in just a few seconds when entering a room containing a pre-setup system of cameras located at different angles. Then, the photos will be processed by algorithms to make a 3D object."

Mashable Light Speed Want more out-of-this world tech, space and science stories? Sign up for Mashable's weekly Light Speed newsletter. By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy. Thanks for signing up!

Just how easy would it be for someone to pull this off in the real world? We reached out to Apple for comment, but received no response as of press time. We'll update this post when and if we hear back.

The researchers at Bkav, on the other hand, did get back to us, and their comments didn't inspire much confidence in Face ID's security.

"[When] targeting a person, [an attacker] can pre-install HD cameras of 3D scanning system in a meeting room or in an exhibition to secretly take photos of the target," explained a company spokesperson over email. "It takes only around 2s to get photos of the target’s face. Very fast."

As for making the mask itself? "[We] printed only one 3D mask, only one infrared image," the spokesperson noted. "We cut the eyes’ parts and pasted them on the mask, only one time. We succeeded at first try. There was no modification needed."

Should iPhone X owners be worried about this? Well, maybe. It's not like a common thief is going to go to the trouble of surreptitiously scanning your face before (or after) he's jacked your phone from you on your subway commute.

However, if someone wanted access to a specific something on your phone — and felt that it was worth the time and effort of building a mask — you might have a reason to be concerned. Although, of course, using an alphanumeric password in lieu of Face ID would negate that concern.

If anything, Bkav's findings are a reminder that no form of consumer biometric is infallible, and that as security improves, so do the tools and techniques hackers use to beat it.

This story has been updated to include additional comments from Bkav.

---

Featured Video For You

---

Is the iPhone X's facial recognition twin compatible?

---