This 10-year-old was able to unlock his mom’s iPhone using Face ID

Daljeet

Level 6
Thread author
Verified
Well-known
Jun 14, 2017
264
Since the iPhone X has hit the market, people have been trying all sorts of ways to trick the phone’s Face ID feature, including this creepy, cobbled-together mask. While Apple has admitted that false positives can happen, it was thought this could only happen with twins, or siblings under the age of 13. However, a new video has popped up showing a 10-year-old unlocking his mother’s iPhone, suggesting that any family members who bear enough resemblance might be able to bypass the system.
In the video, the mother explains that despite setting up Face ID for her face, her son is able to unlock the phone using his face. A Wired report on the video notes that the son was able to do this upon picking up the phone for the first time. The son was also able to unlock his father’s phone, but only in one instance.

After the mother reregistered her face under different lighting, her son was no longer able to unlock her phone. She reregistered a third time in dimmer lighting to replicate her initial registration, and then, her son was able to unlock the phone again.

Although Apple says Face ID is more secure than Touch ID, this raises questions about the possibility of false positives not only happening with twins and siblings around the same age, but with people of different sexes and significantly different ages. It is possible that the son’s age played a role as Apple has said that the “undeveloped facial features” in those under the age of 13 could cause issues with Face ID.

We’ve reached out to Apple for comment and will update with a response.
 

Daljeet

The mom's and son's faces match, and that's why the son is able to bypass Face ID. Recently I heard someone designed a mask to bypass Face ID, but now similar faces can also.
We forget one thing, how Face ID works: there are algorithms which calculate the distances between the face, nose, eyes and mouth. If two people have similar faces then they can bypass Face ID.
 

Deleted member 65228

A normal, good password will always be better for security IMO. A good password will be hard to crack due to use of numbers, not using characters in a straight line and even in some cases, a combination of both lower-case and upper-case... With at least 8-10+ characters.

Face ID identification is flawed because of the establishments demonstrated in the video posted in this thread, as well as the information mentioned by another member @daljeet. He is correct IMO, the algorithms likely work like this and therefore can be exploited with masks or similar face (e.g. your children, parents, etc. -> potentially but possible as we can already see).

Finger print identification is flawed because it isn't impossible to steal someone else's finger prints. If someone shakes your hand, or touches something which you later use for analysis, you can extract their print onto something else and then use the item which now has a copy of their prints to bypass finger print identification. In the real world, professional criminals may actually steal someone else's prints and overlay them onto their own gloves, to fool forensics into believing someone else was responsible for something when they weren't (push them off the right direction). The same method can be used to bypass finger print identification. It doesn't take a genius to do it, even in science lessons in... school maybe, you may learn a bit about fingerprints in a practical lesson, who knows.

IMO a good strong password will always be the best primary option. Due to the time it can take to crack them. Someone can attempt to brute-force with common passwords or new calculated passwords looping through random combinations, but you can enable Two-Factor Authentication (2FA) to require phone and/or e-mail consent. Some services will auto-lock your account after X amount of incorrect guesses until further validation, helping to prevent brute-force attacks from being successful in any timely fashion, even if the password is quite weak and would not take as much time to guess through brute-force password cracking tools.

If you don't re-use the same password, if a service becomes compromised, it can be harder to attack you further past the scope of that service. For example, if you use the same password on a service which is attacked and has their network breached and passwords are stolen but the encryption is eventually broken, the attacker could then potentially hijack your other accounts by signing into your e-mail using the credentials (same password being used). However, if you use a different password for different services, then you are even tougher to target.

Therefore, if you want to use Face ID or finger print authentication, combine it with an after password if possible. That way you will be much more secure IMO.
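
The account lockout described in the post above, as an added example that is not part of the thread: a login check with and without a failure limit, run against a constructed guess list. The `Account` class, `online_guessing` helper, word list and password are all assumptions made up for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 1_000  # kept low so the demo runs quickly; real systems use far more


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Account:
    """Hypothetical login check with an optional lockout after `max_failures` wrong guesses."""

    def __init__(self, password: str, max_failures=None):
        self.salt = os.urandom(16)
        self.digest = hash_password(password, self.salt)
        self.max_failures = max_failures  # None = no lockout (the weak setting)
        self.failures = 0

    def login(self, guess: str) -> str:
        if self.max_failures is not None and self.failures >= self.max_failures:
            return "locked"  # refused without evaluating the guess at all
        if hmac.compare_digest(hash_password(guess, self.salt), self.digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        return "wrong"


def online_guessing(account: Account, wordlist) -> tuple:
    """Replay a guess list against the login; return (final result, guesses evaluated)."""
    evaluated = 0
    for guess in wordlist:
        result = account.login(guess)
        if result == "locked":
            return "locked", evaluated
        evaluated += 1
        if result == "ok":
            return "ok", evaluated
    return "exhausted", evaluated


# Constructed sample data: a 1,000-entry guess list and a weak password at rank 413.
WORDLIST = [f"pass{i:04d}" for i in range(1000)]
WEAK_PASSWORD = "pass0412"

if __name__ == "__main__":
    print(online_guessing(Account(WEAK_PASSWORD), WORDLIST))
    print(online_guessing(Account(WEAK_PASSWORD, max_failures=5), WORDLIST))
```

Once the limit is reached the correct password is refused as well, which is why the post's "until further validation" step (an unlock path for the real owner) has to exist alongside the lockout.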
 
