Last month, security firm Bkav released a video supposedly demonstrating how it tricked the iPhone X’s Face ID authentication method using a mask made of plastic, silicon, and paper cutouts. The low-quality video had its share of skeptics who questioned its authenticity and feasibility.
The group took those criticisms to heart and has now released a second video that shows Face ID being set up in real time before it gets fooled by a rather crude-looking mask. Dubbed the “artificial twin,” this new mask is made of stone powder and printed infrared images. As you can see in the clip, the researcher removes his profile from Face ID, re-enrolls his face, then unlocks the phone by aiming its front-facing sensors at the mask. The iPhone X grants it access on the first attempt.
With its mask, Bkav is exploiting the same vulnerability in Face ID that Apple admitted to: It’s not very good at distinguishing between twins or people who look alike. That claim has been tested numerous times in the past month with mixed results. The iPhone X failed to tell twins apart in Mashable’s tests but didn’t have any problems when Business Insider tried a similar experiment. The most concerning Face ID fail yet was when a 10-year-old boy broke into his mom’s fancy new $1,000 device.
“With this new research result, anyone can be ‘cloned’ to make a ‘twin’ mask of himself/herself,” Bkav wrote in a blog post. “Thus, Bkav recommends Apple to give another recommendation similar to the twins’ one, which means that iPhone X users should use passcode in all cases of sensitive data or business transactions.”
If that wasn’t bad enough, Bkav claims its second edition mask is “very simple” to make and can be done without raising the iPhone X owner’s suspicions. All that’s needed is a room full of cameras. When an iPhone X user walks in, the cameras stealthily take pictures of their face at different angles and combine them into a single 3D model.
Of course, that’s not something that can realistically be accomplished by the average person. But there are concerns that organizations could use the hack to steal private information from politicians or celebrities. It’s no surprise then that Bkav prefers fingerprint authentication, which it claims is the “most secure biometric technology.”
If you value your privacy, consider going back to the trusty passcode—at least until Apple addresses these findings or issues an update.