Android devices facial recognition fooled by 3D-printed head, but not Face ID
A 3D-printed head fooled the facial recognition systems of four smartphones running Android, but failed to unlock an iPhone with Face ID in testing by Forbes.
At a cost of just over £300 (US$378), a Forbes reporter had a 3D-printed replica of his head made by a UK firm, which took pictures of him with 50 cameras simultaneously to construct a single 3D image. A few days after the image is taken, a customer can pick up the replica.
An LG G7 ThinQ, a Samsung S9, a Samsung Note 8, and a OnePlus 6 all mistook the fake head for the real user, but carrying out the spoof involved varying degrees of difficulty, Forbes reports. The LG G7 specifically warns users that its facial recognition feature is a secondary unlocking method, and that it reduces the device’s overall security. The Samsung S9 delivers a similar warning during facial enrollment. The S9’s iris recognition function was not fooled by the 3D-printed head. Forbes notes that during testing, LG seems to have updated its facial recognition software, making it more difficult to spoof.
Forbes tested both the faster and slower versions of face unlock on the Note 8, and was successful with both, but needed to experiment more with different angles and lighting to defeat the slower option, as was necessary with the S9. The OnePlus 6 did not warn the user, and opened with the least effort.
Representatives from all three Android device manufacturers noted that their facial recognition features are meant for convenience, and Samsung noted that high security functions like payments or access to the Secure Folder cannot be performed with it.
The 3D printed head did not unlock the iPhone, and also did not fool Windows Hello in testing.
TechCrunch reports that from a legal perspective, law enforcement agencies could also use the same technique, though Project on Government Oversight Senior Counsel Jake Laperruque says it is not the most practical or cost-effective way for police to gain access to a device.
Forbes suggests those concerned about facial recognition spoofing should consider not using the feature.
“Focus on the secret aspect, which is the PIN and the password,” NCC Group Research Director Matt Lewis told Forbes. “The reality with any biometrics is that they can be copied. Anyone with enough time, resource and objective will invest to try and spoof these biometrics.”
This position begs the question of whether the challenge of copying the biometric exceeds that of learning the PIN and password, however. Further, for most smartphone users, the risk of having an attacker surreptitiously take 50 simultaneous facial photos from all angles without permission is likely minimal.
Article Topics
Android | biometric liveness detection | biometrics | facial recognition | spoofing
They are all for convenience, even Face ID. That has its own set of well-documented problems. Recognition is NOT authentication.