iPhone X Face ID fooled again by 'evil twin' mask

Video Security researchers have once again claimed a simple mask can hoodwink Apple's Face ID authentication system, which graces the tech giant's $1,000 iPhone X.

Earlier this month, bods at Bkav, based in Vietnam, demonstrated it was possible to bypass the face-recognizing login mechanism using a $150 3D-printed mask, effectively allowing a stranger to unlock a victim's handset.

However, it wasn't that practical as it took up to ten hours and fiddling with the mask's silicone nose fool the Face ID software. Now, this week, we're told the crew has dramatically improved their technique.

For their latest approach, another 3D mask was created, this time made out of stone powder that more closely imitates human skin. Then 2D-printed pictures of the phone owner's eyes, designed to trick Face ID's infrared sensors, were pasted on, and managed to unlock an iPhone X, set on the highest security setting, in one try, it is claimed.

"About 2 weeks ago, we recommended that only very important people such as national leaders, large corporation leaders, billionaires, etc. should be cautious when using Face ID," said Ngo Tuan Anh, Bkav's veep of cyber security.

"However, with this research result, we have to raise the severity level to every casual users: Face ID is not secure enough to be used in business transactions."

Here's the outfit's video illustrating the latest technique:

Youtube Video

Apple staff joked that the Face ID system could be used to unlock the handset if the owner had an evil twin. After the success of their refined mask design, the Bkav team has dubbed the attack the "evil twin" method.

You may think getting an accurate 3D scan of a target's face would be hard, however, the Bkav team simply set up a few cameras in a room, snapped the target as they entered, and then stitched the pictures together to make a 3D composite using software.

"Security should approximate to absolute, and AI should only be a supplement, not the sole security base for Face ID like the way Apple is working on," said Nguyen Tu Quang, Bkav's CEO.

"AI, in any way, is now still human-made and it does at its best based on the experience of its creators and trainers, here is Apple. Thus, anyone who is more experienced than the creator can bypass it".

The team suggested that fingerprints are still the safest way to protect your phone. We also suggest long pass codes. Sadly, payers of the Cupertino idiot tax with the new handset don’t get that fingerprint option, so passcode it is for the moment. ®

PS: As some of you may have spotted, Bkav also makes a smartphone, making it an Apple rival bashing Apple. However, it argues it is primarily a "cyber security firm," and has pointed out vulnerabilities in Samsung handhelds and Google Chrome, as well as being critical of eye-scanning authentication systems since 2008, before it decided to tout its own mobe.