You should still use the iPhone X's Face ID even though hackers say they beat it

Rob Pegoraro
Contributing Editor
Hackers say they’ve defeated Apple’s Face ID, but that doesn’t mean you shouldn’t use it.

A group of hackers say they’ve defeated the Face ID login system Apple (AAPL) includes on the iPhone X with about $150 in face-mask parts. And you shouldn’t worry about that for more than 150 seconds.

Says who? Says the hackers.

As a Q&A from the Vietnamese security and smart-home firm Bkav explains, “the target for this kind of attack” would “not be regular users, but billionaires, leaders of major corporations, nation leaders and agents like FBI.” The rest of us can put this threat way down on our list of fears.

Because doing otherwise — or letting yourself get freaked out by other reports of compromises of security measures that require an intense and personalized attack — can leave you stuck on passwords, PINs and other old-school logins that require much less effort to defeat.

Face ID versus face mask

The demo put on by Bkav at a press conference Wednesday does not lack technical proficiency. Researchers at the firm, who earlier showed how to bypass facial-recognition and iris-recognition systems on non-Apple hardware, figured out how to confuse Face ID by combining a picture of somebody’s face with a 3D-printed mask of it.

Cutting out the eyes, nose and mouth from the photo and then applying them to the mask — the results of which look like a papier-mâché project of the damned — apparently leaves the artificial-intelligence software behind Face ID lost.

There’s a reason we didn’t lead with this picture.

“It’s just because this is not entirely fake, it’s not entirely real, so the AI is confused,” CEO Nguyen To Quang said through a translator. “This is a very simple way in which we analyze the AI and we understand the weakness of the AI — and beat it.”

Apple PR responded to a request for comment by pointing to skeptical news coverage of Bkav’s demonstration. But it wouldn’t be a surprise if the company tweaked Face ID’s algorithms to recognize Bkav’s attack.

Other attempts to fake out Face ID have failed. Wired magazine, for instance, “spent thousands of dollars” to create a series of lifelike face masks that never fooled Apple’s system.

Sorry, you’re just not that interesting

But how realistic is this attack? Your adversary will need to take 2D and 3D pictures of you and will then need to take your phone from you. That requires not just an uncommon criminal but an uncommon degree of interest in you in particular.

You don’t run a country or a corporation and you don’t have any intelligence services interested in your affairs? Then your “threat model” is a lot simpler: You’re no more enticing to a hacker than anybody else with a $999-and-up smartphone. And the sorry state of cybersecurity awareness means there will probably be other iPhone X users who have been less careful.

Besides, why go after your smartphone at all if your identity or your money can be more easily had through other means? They might not even need to hack into anything at all if a company left your data exposed on the public internet.

As Facebook (FB) chief security officer Alex Stamos said in a keynote at the Black Hat conference in July: “Adversaries will do the simplest thing that they need to do.”

You’ve seen this sci-fi movie before

Bkav’s Face ID demonstration may involve creepier-looking props than other hacking demos, but it fits into the same pattern: A frightening scenario invites you to think nothing can be made secure.

The term Stamos and other security researchers use for that is “security nihilism.” In his Black Hat talk, Stamos defined the condition as believing that “all attackers are perfect” and “everybody faces the worst possible threat scenario.”

When spread in news coverage, security nihilism can lead people to learned helplessness — to deciding that since no system can stop an attack out of a sci-fi thriller, they might as well stick with what they know.

That will burn you every time.

Yes, a determined adversary can defeat Face ID or the fingerprint logins that Bkav’s Q&A endorses as more secure. But any of them beat a password or a PIN that, since you must enter it dozens of times a day, will probably be on the shorter side.

In the same way, password-manager services like Dashlane or LastPass that generate and store complex passwords in an encrypted online vault afford better protection than trying to keep dozens of 12-character logins in your non-encrypted head.
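To make the comparison concrete, here is an added illustration (not code from the article, Dashlane or LastPass) of how a manager-style generator draws a password from a cryptographically secure random source and how its entropy stacks up against a short numeric PIN. The alphabet sizes, the 6-digit PIN length, the 12-character password length and the assumed guess rate are all assumptions chosen for the example.

```python
import math
import secrets
import string

# Assumed alphabets: a numeric PIN versus the full printable set a manager draws from.
PIN_DIGITS = string.digits                                        # 10 symbols
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 12, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Draw one uniformly random symbol per position using the OS CSPRNG (secrets),
    never random.random(), and retry until at least one letter, digit and
    punctuation character are present, as most managers do by default."""
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        has_letter = any(c in string.ascii_letters for c in candidate)
        has_digit = any(c in string.digits for c in candidate)
        has_punct = any(c in string.punctuation for c in candidate)
        if has_letter and has_digit and has_punct:
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """Average guesses needed: half the keyspace of 2**bits."""
    return (2.0 ** bits) / 2.0


def seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time at a given guess rate (assumed rate, no lockout or throttling)."""
    return expected_guesses(bits) / guesses_per_second


def compare(pin_length: int = 6, password_length: int = 12,
            guesses_per_second: float = 1e9) -> dict:
    """Return the entropy and expected crack time for a PIN and a generated password.

    The guess rate is an assumed figure for an unthrottled offline attacker; on a
    phone with attempt limits the PIN fares far better, which is the point the
    article makes about short logins being weak only when nothing rate-limits them.
    """
    pin_bits = entropy_bits(pin_length, len(PIN_DIGITS))
    pw_bits = entropy_bits(password_length, len(PASSWORD_ALPHABET))
    return {
        "pin_bits": pin_bits,
        "pin_seconds": seconds_to_crack(pin_bits, guesses_per_second),
        "password_bits": pw_bits,
        "password_seconds": seconds_to_crack(pw_bits, guesses_per_second),
        "sample_password": generate_password(password_length),
    }


if __name__ == "__main__":
    result = compare()
    print(f"6-digit PIN:       {result['pin_bits']:.1f} bits, "
          f"~{result['pin_seconds']:.6f} s at 1e9 guesses/s")
    print(f"12-char password:  {result['password_bits']:.1f} bits, "
          f"~{result['password_seconds']:.3e} s at 1e9 guesses/s")
    print(f"sample generated password: {result['sample_password']}")
```

The gap is the whole argument: a 6-digit PIN carries roughly 20 bits of entropy, a 12-character generated password roughly 79, and every added bit doubles the attacker's work. The manager's job is to make the longer one free to use by remembering it for you.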

And while text-message-based “two-step verification” systems, which confirm a login with a code sent to your phone, can be defeated by an attacker who can talk your wireless carrier into putting your number on a new SIM card, passwords alone provide no second line of defense.

Telling people to trust math and circuitry over their own brains can be a tough sell. But we’ve seen this movie before, and it ends with people sticking Post-It notes with their passwords on their computers.

Email Rob at rob@robpegoraro.com; follow him on Twitter at @robpegoraro.
