Face Off: Can The iPhone X FaceID Really Protect Our Sensitive Data?
13 September 2017 10:51
In Apple exec Phil Schiller’s words, “This is the future of how we’ll unlock our smartphones and protect our sensitive information”. For Apple, this is another test of the balance between making things convenient and making things secure.
On their new flagship phone, the iPhone X, they’ve now replaced their TouchID technology with FaceID. In their fight against inconvenience on our behalf, we’re now able to simply look at our screen to unlock the device, with just our face acting as a password.
FaceID won’t just be used for unlocking the phone. Everything from downloading new apps to making payments with Apple Pay can require FaceID to complete.
Although Apple’s version of facial recognition appears to improve on previous implementations in some key ways, they’ll have to overcome some big security deficiencies of past technology in order to truly keep our sensitive information safe.
Defeating Facial Recognition
In the past, all it has taken is a printed picture to defeat facial recognition, giving the technology a reputation for being notoriously easy to bypass.
Let’s go back to 2009: security researchers showed us all just how easy it was to fool a laptop’s face-based login using nothing more than the owner’s face on a piece of paper. What happened after this? The technology became a tad more advanced and slightly more difficult to spoof.
But that was only until 2015, when "Popular Science" writer Dan Moren defeated an Alibaba facial recognition system just by using a recorded video of himself blinking. These were hardly works of genius and didn’t take much innovation at all. But for Apple's FaceID, hacking won’t be nearly as simple.
How Will Apple's FaceID Keep Your Data Secure?
With an infrared system called “TrueDepth”, a grid of 30,000 invisible dots is projected onto the user’s face. An infrared camera then captures the distortion of that grid as the user rotates his or her head to map the face's 3D shape - a trick similar to the kind now used to capture actors' faces to morph them into animated and digitally enhanced characters.
This could prove vastly harder to spoof compared to past image recognition systems… but not impossible. There’s already a long list of people wanting to be the first to crack the vulnerabilities of the iPhone X’s face-based login.
The main technique bouncing around forums right now is 3D printing. And this isn’t exactly a long shot, as 3D facial recognition systems have been spoofed in the past via printing methods.
Photos on Instagram and Facebook might be enough to compromise your control of your face as a login mechanism. Researchers at the University of North Carolina last year showed that they could use Facebook photos alone to reconstruct a 3D virtual model of someone's face that could defeat five different facial-recognition applications they tested it against, with success rates of 55-85%.
But for the average iPhone owner, the difficulty of spoofing FaceID and also gaining physical access to a target iPhone will likely make any attack on it a huge waste of effort. If you have to 3D print a model of someone's face to defeat this, that’s probably an acceptable risk for most of the population.
There Are Security Limitations… And Apple Knows Them
It’s clear from the new features of iOS 11 that Apple recognises the limitations of FaceID. One feature requires the user to enter the phone’s passcode in order to trust a connection to a new computer, making it far harder to extract the data from an unlocked phone.
The second is the “SOS” mode, allowing users to press the power button five times to immediately disable FaceID.
So as innovative and slick as the iPhone X and its facial recognition system seem, there’s no illusion as to the security compromises that might have been exchanged for convenience. That being said, it looks like the closest we have come yet to secure facial recognition technology.