Bkav Warns Face ID Isn’t Secure Enough for ‘Very Important People’

Text Size
- +

Toggle Dark Mode

Vietnamese security firm Bkav is back in the spotlight with even more evidence that it was able to crack Face ID with a sophisticated mask.

The hackers made headlines earlier this month when they posted a video allegedly showing a $150 mask bypassing Apple’s new facial recognition system. But the video wasn’t without its own faults: for one, it didn’t show the setup process for Face ID and the researchers never elaborated on how long it took for their mask to finally unlock the device.

But in Bkav’s new video, posted on Nov. 26, seems to do away with both of those faults. In it, one of the firm’s security researchers actually demonstrates the entire process — from the Face ID facial enrollment process to the actual opening of the iPhone X. Bkav reportedly used a new 3D printed version of its mask made using stone powder and infrared 2D images for the eyes.

The firm also added that it took nine to 10 hours for it to trick the iPhone X’s artificial intelligence into unlocking with its first mask. That doesn’t seem to be the case with its Mask 2.0 — which it has dubbed the “artificial twin.”

Bkav has been critical of Apple’s new Face ID platform since its first video, but now the company’s warning is more dire. “About two weeks ago, we recommended that only very important people such as national leaders, large corporation leaders, billionaires, etc., should be cautious when using Face ID,” Bkav VP of cybersecurity Ngo Tuan Anh said. “However, with this research result, we have to raise the security level to every casual user: Face ID is not secure enough to be used in business transactions.”

Real-World Risks

Of course, what Bkav failed to take into account in its proof-of-concept video and press release is just how practical its methods are.

To create a mask sophisticated enough to crack Face ID, an attacker would obviously need to get an accurate 3D scan of a face. Bkav, for example, said it used a 3D scanning booth to take the images it based its mask on, a spokesperson for the firm told Forbes. While the company hasn’t detailed the process exactly, it also sounds like it involves using infrared images to create the mask’s eyes.

Because of the effort and sophistication of creating such a mask, Bkav’s research shouldn’t alarm the average user too much. If anything, the research shows that Face ID isn’t perfect and can theoretically be cracked if an attacker is skilled or persistent enough. But, on the other hand, this type of attack isn’t exactly something the casual iPhone X user has to worry about in their day-to-day life.

Of course, if you’re really concerned about an evil twin, an adolescent family member, or a professional mask-equipped thief breaking into your iPhone X, you can always just use a passcode instead.

Read iPhone X Overview
Social Sharing