So let me get this straight: you can unlock your iPhone with your face and Apple is giving away a free high-quality 3D scan of your face to anyone who wants it, who may or may not also own a 3D printer?
Wow, is that a textured 3D mask of the target's face complete with 2D infrared images of their eyes?! If that's what it takes to fool Apple's face scan I'm seriously impressed.
> it's worth noting that fooling Face ID in this way requires a 3D printer, several hundred dollars worth of materials, physical access to a person's iPhone X, and detailed facial photographs that can be used to reconstruct a person's face. Even then, if the 3D printed mask and the design of the infrared eyes aren't perfect, Face ID will fail after five attempts.
I mean, it's less plainly visible than your face, or even pictures of your face.
I bet you there's an algorithm somewhere that can take a picture of your face and turn it into a 3d model. Then you can take that model, 3d print it, then use it to unlock your phone.
Even the FBI had trouble getting into an iPhone. 3D printing a face might be a real solution in situations like that. Of course, for the average person, face id is probably just as secure as touch.
You really didn't read the article, did you? Second paragraph says "Apple says the facial scan is so accurate there’s now only a 1 in 1,000,000 chance of another random person’s face being able to unlock your phone. This is much better than the 1 in 50,000 error rate for Touch ID. And no, holding a photo up of someone can’t unlock their phone – nor can a Hollywood-grade face mask, which (shown below) were used by Apple’s engineering teams to train the feature."
So were fingerprint scanners before Apple's take on it.
>but it's orders of magnitude more difficult to "clone" someone's fingerprint
You can do this by taking a photo of a finger or lifting a print.
>copy one of their pictures from the internet, or from a CCTV camera, etc.
A 2d photo won't unlock FaceID. There are 3D sensors on the front for a reason.
>Even if the system uses infrared or 3D images or whatever, it's just a matter of developing an advanced enough algorithm to deal with that, which shouldn't take that long if the target market is there (hundreds of millions of iphones with such an auth system).
And you think 3D printing a skull, eyes, and possibly blood vessels is easier than copying a finger? Why do you act like you know so much about something that hasn't been tested in the wild?
Considering I don't use face unlock on anything I care about (most financial apps, for instance, are protected by strong passwords and/or fingerprints) and the sheer fiddliness of 3d printing, if they can get a scan and print of my head off, they earned what they find. Have fun looking through a bunch of porn and reddit shitposting, I guess.
Any iPhone with FaceID is actually very capable as a 3D scanner. I recommend heges, it has support for Lidar scanning as well (if you have an iPhone 12 Pro or a new iPad Pro).
That's just it, you can get as many iphones as you want. The threat actor will always be able to fool it once they have your biometric data. Even a human can't tell apart by using a photo if the 3d print is good enough. There will always be a way to mimic wetware.
> This was a serious feature deficit vis-à-vis the relevant iPhone at the time.
IIRC, the iPhone uses not just a photo from the selfie cam, but adds infrared to construct a sort-of-3d-ish depth map of your face as well - that is what defeats a simple attempt at unlocking with photos.
Now, the really interesting thing to research is if a silicone molded face mask could be used to fool the iPhone into unlocking. Photos or videos of the subject in multiple angles should be enough to create a decent enough 3D face copy.
Photos are not enough, they would need a high resolution 3D scan on the person’s face as well. Also they didn’t just use 3D printing, they had to use different fabrication methods and materials for different parts of the face part of which was ‘simply’ hand sculpted. This is not at all trivial to automate.
But then we already know it’s not as secure as two factor authentication and a random passcode. Touch ID could be fooled with predict fingerprints as well, though with the deep subcutaneous scanning in later versions it was much harder than with the first version. Anyway, nobody who critically depends on the security of their phone should use Face ID or Touch ID anyway.
You are implying that there is a "secret" based on that face mapping that can be copied out of the device and then used to either 1) gain access to a non-Apple system that has some kind of biometric face detection system or 2) can be used to reproduce a face like yours to unlock your phone without you present
From the PDF:
"Once it confirms the presence of an attentive face, the TrueDepth camera projects and reads over 30,000 infrared dots to form a depth map of the face, along with a 2D infrared image. This data is used to create a sequence of 2D images and depth maps, which are digitally signed and sent to the Secure Enclave. To counter both digital and physical spoofs, the TrueDepth camera randomizes the sequence of 2D images and depth map captures, and projects a device-specific random pattern. A portion of the A11 Bionic chip’s neural engine—protected within the Secure Enclave—transforms this data into a mathematical representation and compares that representation to the enrolled facial data. This enrolled facial data is itself a mathematical representation of your face captured across a variety of poses."
So, it's more like a hash of your face, which is very similar to how TouchID works. So, again, even if someone were able to break into the secure enclave and get that data, what could they do with it? It's a representation of yourself that is used for Apple devices.
Also, this is an OPTIONAL feature. If it doesn't fit your security model, don't use it. For the same reason a lot of people don't use TouchID -- they want the security of a passphrase. But for 90%+ of people that will buy that phone and are not at risk of the government or police pursuing them, the security it offers is more than adequate and it achieves this by not annoying the user and requiring them to have a 50 character passphrase.
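A simplified model of the replay defence the quoted PDF passage describes (signed captures taken in a randomized sequence), added here as an example; it is not Apple's implementation and not part of any comment in this thread. The shared HMAC key standing in for the signature, the nonce handshake and every function name are assumptions, and face matching itself is not modelled.

```python
import hashlib
import hmac
import secrets

DEVICE_KEY = secrets.token_bytes(32)  # assumption: key shared by sensor and enclave


def capture_order(key: bytes, nonce: bytes, n: int = 8) -> list[str]:
    """Derive a per-attempt order of 2D infrared ('ir') and depth captures."""
    stream = hmac.new(key, b"order" + nonce, hashlib.sha256).digest()
    return ["ir" if b & 1 else "depth" for b in stream[:n]]


def sensor_capture(key: bytes, nonce: bytes, scene: bytes) -> dict:
    """Sensor side: capture frames in the derived order, sign them with the nonce."""
    frames = [(kind, hashlib.sha256(kind.encode() + scene).digest())
              for kind in capture_order(key, nonce)]
    body = nonce + b"".join(k.encode() + d for k, d in frames)
    return {"nonce": nonce, "frames": frames,
            "tag": hmac.new(key, body, hashlib.sha256).digest()}


class Enclave:
    """Verifier side: accepts a capture only for the nonce it just issued."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def verify(self, msg: dict) -> bool:
        nonce, self.pending = self.pending, None  # each challenge is single-use
        if nonce is None or not hmac.compare_digest(msg["nonce"], nonce):
            return False  # stale capture replayed from an earlier attempt
        body = msg["nonce"] + b"".join(k.encode() + d for k, d in msg["frames"])
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(msg["tag"], expected):
            return False  # frames altered, or not signed by the paired sensor
        return [k for k, _ in msg["frames"]] == capture_order(self.key, nonce)
```
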
Point a similar device at someone's face. Now you have their facial structure. You can open up their iPhone, desolder the FaceID hardware, and feed the leads captured inputs. Boom, phone unlocked. Even if they have some defense against that, you can just 3D print the person's face in a few hours and be done. Easy to write the data down in a less secure database somewhere, too.
This is trivial to do if the person is in custody. You could also profile a specific target and get their face walking past them on the street. You could do this in bulk in a public place.
Now your face is compromised and the person who stole it likely possesses your phone and is unlocking it now. You can't change your face, but it's too late anyway. You live in an oppressive regime, they found out you're gay from what they found in your phone, and you're going to be hanged in a week.
Some friends and I have defeated a few other devices with face unlock features. It was the super technical task of finding and printing a photo found on social networking sites, then holding it up to the camera. I wonder if Apple has hardened against this.
The weird thing to me is that apparently we have so many people on HN that consider themselves worth the effort to make full 3D renderings of their faces just to unlock a phone. Unless you were Osama Bin Laden, it seems highly unlikely anyone would go to the trouble. If you are that kind of person, you’re probably going to be protecting your information with much more than Face ID.
"The imaging system can then stitch the patterns into a detailed 3-D image of your face to determine if you are indeed the owner of your smartphone before unlocking it."
So I pay an extra $300 to save me the trouble of putting my finger on the touchID sensor? That doesn't sound like a compelling value proposition to me.