
9/12/2017
03:30 PM
Simon Marshall

FaceID Faces Security Headwind

Apple brings facial recognition to the iPhone but some security experts aren't convinced the technology is ready.

On the day Apple launched its iPhone X, facial recognition experts questioned the security of the new biometric authentication system on the devices.

Apple has been preparing to use facial ID for authentication for some time, cherry-picking three Israeli companies over the last four years that supply the sense-capture-identify one-two-three of facial matching authentication.

It reportedly acquired RealFace earlier this year for an undisclosed amount, LinX in 2015 for an estimated $20 million and PrimeSense in November 2013 for $345 million. PrimeSense designed a 3D sensor, LinX developed a DSLR-like mobile camera module and RealFace built facial recognition software.

It's surprising therefore to find out that Apple's new authentication method may be flawed and easily spoofed. "iPhone X has 3D face recognition on it to do face matching. The Chaos Computer Club will take (only) a month to spoof it," opined Andrew Bud, CEO and founder of iProov. "They will find the iPhone weakness and they will break it. And if they don't publish how they did it, Apple will never know."

The CCC famously broke the Samsung Galaxy S8 iris scanner a month after it was launched. But it does have a track record of being very sporting in the grey hat mode when it indeed breaks a system, often publishing how and why an exploit has been successful; its 5,500 members seem to function as a benevolent collective. Millions of other hackers do not.

Owners of the new $1,000 iPhone X elite model have disposable incomes. You get my drift.

I'm not a hacker myself (or if I am, I'm black hat and you don't know it), but there are several ways that a potential weakness could be leveraged. An attempt could be made during the initial education mode where hackers probe for weaknesses, looking to build their fact base while remaining unobserved. Here there would be an intercept to see how the ID authentication process communicates between the OS and hardware. If there's an intercept, then it's also logical that bogus values could potentially be inserted to see how the system/service responds.

According to Jeff Orr, research director of strategic technology at ABI Research, "If a true 3D sensor is involved that captures more identifying points than a fingerprint, this challenges prior facial recognition approaches where the image could be spoofed using photos, contact lenses, and video playback." The more identification points the sensor has, the stronger the security and the better it is for the consumer.



During the launch presentation, Apple invited viewers to glimpse behind the curtain of the biometric unit on the iPhone X. Its TrueDepth camera system comprises an IR camera, flood illuminator, front camera, a dot projector, and also proximity and ambient light sensors.

The challenge process takes place in real time, and begins when the user's face is detected by the flood illuminator. The IR camera takes an image, and the dot projector pushes 30,000 IR dots onto the face. The information from the IR image and dots is combined and pushed through an on-chip neural network for processing. The composite is then matched to an existing image stored locally on the device. The data from this is 'enclaved' on a purpose-built A11 Bionic chip, although it was not clear how safe it was.

While acknowledging during the presentation that “there is no perfect system” for biometric facial recognition, Apple added that there is a 1 in 50,000 chance that, say, I could unlock your phone with my fingerprint. For FaceID, that statistic is 1 in 100,000,000. So, the device is spoofable. Apple added that if there’s a family member that bears a resemblance, then a passcode should be used on top of FaceID in order to better safeguard data.

Certainly, that advice is to Apple's credit; every data point (face, eye, fingerprint) enrolled into a single strong authentication process would make an attack harder.

"A combination of facial, eye and fingerprint recognition seems like a more progressive approach to ensuring the security of the user, device, and its data," says Orr. But there are some very devious methods out there to break through security.

"(This) would overcome concerns about someone trying to unlock the phone of a sleeping or deceased person," says Orr. "It is not clear today if corrective lenses, contact lenses, or use of prescriptions/intoxicants that alter pupil dilation will have an impact on the system."

Or, a hacker could simply try to retrieve authentication patterns already enrolled and stored locally on the device, such as TouchID, if indeed this is how the iPhone X system works.

In some cases, observers fear that facial ID causes real issues for an iPhone user who is physically next to a spoofer. Imposing a biometric request under duress is possible. But since we're into hypotheticals here, what if someone could model their own 3D scanner using the same 3D sensor to gather identities for a future exploit? That hack could be executed over time and only launched once thousands of identities have been exploited.

And finally, a question for Benjamin Button: How do legitimate users manage changes over time as they age, change appearance and grow younger?

Apple did not respond to several requests for comment. Special thanks to Jeff Orr.

Editor's Note: This article has been updated to reflect information released in the iPhone X launch event.


— Simon Marshall, Technology Journalist, special to Security Now
