If you have a spare thousand dollars burning a hole in your pocket you might be tempted to purchase Apple’s latest smartphone, the iPhone X.
The new device comes with a bigger screen than the previous regular incarnation of the iPhone and an improved camera, but what many people are excited about is that Apple has moved from fingerprint-based Touch ID to a new facial recognition system.
But is Apple’s Face ID really as secure as we’re told?
If you believe Apple’s marketing material it seems clear that one technology is better than the other:
“The probability that a random person in the population could look at your iPhone X and unlock it using Face ID is approximately 1 in 1,000,000 (versus 1 in 50,000 for Touch ID).”
But things may not be quite that clean-cut.
The following YouTube video shows how, in one family at least, Face ID is falling short in terms of security.
In the video Sana Sherwani shows how her ten-year-old son Ammar Malik is able to access her locked iPhone X, just by looking at it.
As Wired describes, a split second after Malik looked at his mother’s iPhone X it was unlocked.
My first thought when seeing the video was that maybe young Ammar (who describes himself as being the owner of a “handsome face”, and performs a ‘dab’ in celebration at his success) might have unintentionally trained the iPhone X to recognise his features.
After all, Apple’s technical paper on Face ID security explains that the technology learns how your face changes over time, handling – for instance – changes in hair style or the growth of a beard.
Some have reported that if different faces are inadvertently used when setting up Face ID, or if passcodes are entered correctly after a face is rejected, it’s possible for the iPhone X to learn a “composite” face that might mix more than one person’s features.
But in this case it doesn’t appear that that is what has occurred.
Apple has already admitted that Face ID’s “one in a million” probability of a random person’s face being able to unlock an iPhone X may not be enough to prevent twins and non-identical family members from unlocking phones without permission, and that in such situations the only solution is to roll-back to older, tried and trusted forms of authentication:
“The statistical probability is different for twins and siblings that look like you and among children under the age of 13, because their distinct facial features may not have fully developed. If you’re concerned about this, we recommend using a passcode to authenticate.”
Ammar Malik’s demonstration of how he can unlock his mum’s iPhone X certainly seems a lot more straightforward than the efforts one Vietnamese security firm had to go to, creating a creepy 3D-printed mask to fool the smartphone’s security.
Suddenly, Touch ID doesn’t seem so undesirable. But, of course, Touch ID simply isn’t available on the iPhone X because of the lack of a physical “Home” button, due to the device’s sprawling screen.
If you feel you may be at risk from someone willing to put the resources into breaking into your iPhone X, are an identical twin, or simply have kids… maybe you should be rethinking whether Face ID is really something you should enable.
tags
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
View all postsNovember 14, 2024
September 06, 2024