Forbes has added to the ever-growing pantheon of ways to trick biometrics by printing a 3D head and using it to break into Android phones.
We’ve long known how easy it is to spoof static authentication by holding up a 2D picture to a camera, as Google found out after filing a patent to let users unlock their phones by, say, sticking out their tongue or wiggling their eyebrows… or, in the case of fingerprints, by making a dummy fingerprint out of wood glue or a 2D inkjet printout. Google went ahead and filed a patent for “Liveness Checks,” but researchers using the most basic of photo editing tools managed to fool it with just a few minutes of editing and animating photos to make them look like subjects were fluttering their eyelashes.
Similarly, researchers at one point came up with a way to mimic the swipey touch gestures we use to get into our phones. They did it by whipping up a Lego robot and equipping it with a finger sculpted from Play-Doh.
Like these previous methods of bypassing biometrics, Forbes’ head approach is rather, shall we say, crafty. Hell, it’s downright makerspace-intensive, given that you need access to a studio equipped with 50 cameras, a 3D printer, and a boatload of gypsum. The point was to see how easy it is to break into four of the hottest handsets running Android and iOS with a 3D-printed head.
The upshot: the gypsum head tricked all of the Androids. Apple’s phone, however, wasn’t fooled. The models that Forbes managed to trick were the LG G7 ThinQ, a Samsung S9, a Samsung Note 8 and a OnePlus 6, given just the right lighting, a software-enhanced version of Thomas Brewster’s nose that had fallen off/been left behind during the photo capture, and various levels of fast-face scan (not so secure) vs. slow-face scan (better). The only one that the gypsum head couldn’t fool: the iPhone X.