A cybersecurity firm have apparently successfully tricked Face ID into unlocking with a specially made mask, imitating a real person’s face. The security researchers say they only unlocked the iPhone X with a real person’s face, so the iPhone could not learn false data from the mask.
How much of a security flaw this really represents is up for debate of course. Making the mask only cost $150 in materials, but required access to a detailed scan of the person’s facial features and many hours of work by artists …
The researchers say that much of the model was made using an off-the-shelf 3D printer whilst other elements like skin and nose were hand-made.
The resultant mask does not look humane at all, with only the eyes, nose and mouth area actually painted in. The researchers found that large portions of the face did not have to accurately depict the subject in order for Face ID to successfully unlock.
Apple says the Face ID system includes defences against such biometric attacks, although it doesn’t guarantee infallibility by any means. Here’s the relevant quote from the white paper:
An additional neural network that’s trained to spot and resist spoofing defends against attempts to unlock your phone with photos or masks.