Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 16 submissions in the queue.
posted by cmn32480 on Tuesday November 14, @04:42PM   Printer-friendly
from the steal-your-face dept.

Wired is running a story of hackers claiming to have broken Face ID on the new iPhone X.

When Apple released the iPhone X on November 3, it touched off an immediate race among hackers around the world to be the first to fool the company's futuristic new form of authentication. A week later, hackers on the actual other side of the world claim to have successfully duplicated someone's face to unlock his iPhone X—with what looks like a simpler technique than some security researchers believed possible.

On Friday, Vietnamese security firm Bkav released a blog post and video showing that—by all appearances—they'd cracked Face ID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which in combination tricked an iPhone X into unlocking.

On a similar note Apple has repeatedly fought working with governments to unlock phones, if the police have a dead or detained criminal what is to stop them from just pointing the phone at their face and getting all the juicy data bits inside? Does Face ID *help* police/governments?


Original Submission

Display Options Threshold/Breakthrough

Reply to Article

Mark All as Read

Mark All as Unread

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 5, Informative) by Justin Case on Tuesday November 14, @04:53PM (10 children)

    by Justin Case (4239) Subscriber Badge on Tuesday November 14, @04:53PM (#596856)

    "Biometric" is not your password. It is your user-ID.

    Still need something else for authentication.

    --
    Porn is subversive; hated and feared by church, state, and authoritarian busybodies everywhere. So enjoy some today!
    • (Score: 1, Insightful) by Anonymous Coward on Tuesday November 14, @05:06PM (9 children)

      by Anonymous Coward on Tuesday November 14, @05:06PM (#596864)

      "User ID" is just the portion of a password that a user seemingly doesn't mind being published widely.

      • (Score: 0) by Anonymous Coward on Tuesday November 14, @05:14PM (6 children)

        by Anonymous Coward on Tuesday November 14, @05:14PM (#596867)

        "Password" is just the portion of a user ID that a user seemingly wants to keep as secret as possible.

        • (Score: -1, Offtopic) by Anonymous Coward on Tuesday November 14, @05:32PM

          by Anonymous Coward on Tuesday November 14, @05:32PM (#596873)

          "I'm on fire! Everything's on fire! Save me, Jesus!"
          - Steve

        • (Score: 3, Touché) by bob_super on Tuesday November 14, @05:46PM (4 children)

          by bob_super (1357) on Tuesday November 14, @05:46PM (#596878)

          "Password" is covered by the fifth, while "biometric" isn't...

          • (Score: 0) by Anonymous Coward on Tuesday November 14, @06:09PM (3 children)

            by Anonymous Coward on Tuesday November 14, @06:09PM (#596887)

            But what amendment protects this insane level of pedantry?

            • (Score: 2) by bob_super on Tuesday November 14, @06:34PM (1 child)

              by bob_super (1357) on Tuesday November 14, @06:34PM (#596897)

              The first.

            • (Score: 0) by Anonymous Coward on Tuesday November 14, @06:34PM

              by Anonymous Coward on Tuesday November 14, @06:34PM (#596899)

              The anti-1st?

      • (Score: 4, Insightful) by darkfeline on Tuesday November 14, @10:12PM (1 child)

        by darkfeline (1030) on Tuesday November 14, @10:12PM (#597013) Homepage

        Why is this marked insightful? This is wrong.

        Identification != authentication

        The purpose of an ID is to uniquely IDentify a user. If you need to refer to a specific user, you cannot say "the user with the password password" because we all know half of your users use that password.

        Instead you say "the user with the username foo".

        In the "real world", things that are often used for identification include national ID numbers, Social Security (*gasp* it's for identification, not authentication), driver's license number, and name+address.

        The thing is, all of those have downsides, and using biometrics is really really good ID. Almost certainly unique when combining multiple types, no need for a centralized database.

        Of course, identification != authentication. Don't use biometrics for auth, you lowlives.

        • (Score: 2) by Gaaark on Wednesday November 15, @01:39AM

          by Gaaark (41) Subscriber Badge on Wednesday November 15, @01:39AM (#597088) Homepage Journal

          Except for computer systems that make you type in a username AND a password, the username CAN be almost like a password: you have to guess the username AND the password.

          If you don't know that Gaaark username for his laptop is Unic0rnPr0n, you have to guess correctly both username and password.

          I'd rather someone have to guess both than just use my face.

          ***Or, did I misunderstand your point?? Tired...might have.

          --
          --- That's not flying: that's... falling... with more luck than I have. ---
  • (Score: 1, Insightful) by Anonymous Coward on Tuesday November 14, @05:02PM (1 child)

    by Anonymous Coward on Tuesday November 14, @05:02PM (#596861)

    if the police have a dead or detained criminal what is to stop them from just pointing the phone at their face and getting all the juicy data bits inside? Does Face ID *help* police/governments?

    Uh it's the same for the other easy methods like fingerprints.

    You can use passwords or if you think you can get lucky that you'll be able to press the "cop sequence" so the phone requires a passwords .

    • (Score: 2) by frojack on Tuesday November 14, @07:23PM

      by frojack (1554) Subscriber Badge on Tuesday November 14, @07:23PM (#596929) Journal

      what is to stop them from just pointing the phone at their face?

      Swat tactics will almost certainly be updated to avoid head shots, and quickly search for a phone, and unlock it even before the perp is actually dead.

      Faceid does time out after a few hours (I forget the details maybe overnight, IDK) so you have to be relatively quick about it.

      Turns out

      --
      No, you are mistaken. I've always had this sig.
  • (Score: 4, Interesting) by quacking duck on Tuesday November 14, @05:09PM

    by quacking duck (1395) on Tuesday November 14, @05:09PM (#596866)

    Apple was up front about how FaceID isn't good enough to distinguish between identical twins. No one with a clue ever claimed it to be a 100% bullet proof authorization system.

    That said, it's also far superior to the latest Samsung Galaxy S8's version, which was famously cracked on day zero with a mere photograph. Samsung still hadn't fixed this flaw when the Note 8 was released six months later [businessinsider.com].

    On a similar note Apple has repeatedly fought working with governments to unlock phones, if the police have a dead or detained criminal what is to stop them from just pointing the phone at their face and getting all the juicy data bits inside? Does Face ID *help* police/governments?

    Insofar as the older TouchID required physically forcing a suspect to touch the scanner, and now with FaceID they can just point it at their face, sure, the police/government now have an easier time. On the other hand, quickly pressing the standby button 5 times disables FaceID (and TouchID on older phones), requiring the passcode to re-enable it.

    Anyone thinking about harping on Apple have far more legitimate targets. Like that infamous 1+1+1=12 bug in iOS 11's default calculator app, which was known back in the v11.0 betas and still hasn't been fixed.

  • (Score: 0) by Anonymous Coward on Tuesday November 14, @05:25PM (1 child)

    by Anonymous Coward on Tuesday November 14, @05:25PM (#596870)
    • (Score: 2) by tangomargarine on Wednesday November 15, @03:54PM

      by tangomargarine (667) on Wednesday November 15, @03:54PM (#597325)

      I love how that URL comes really close to telling you the entire headline, has a seizure in the middle, starts over, then cuts out one letter before completing the last word to make it actually make sense. Bravo.

      --
      "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
  • (Score: 2) by EvilSS on Tuesday November 14, @05:48PM

    by EvilSS (1456) on Tuesday November 14, @05:48PM (#596879)
    I mean you can do the same with constructed finger prints. If someone is willing to go to that much trouble to get at your data, and you know it's possible, don't use biometrics FFS. Or leave your fingerprints/face at home in a safe when you go out.

    What is more interesting is this story where a woman's son is able to open her iPhoneX with his own face: https://www.macrumors.com/2017/11/14/face-id-spoofed-by-child-and-mask/ [macrumors.com]
  • (Score: 1, Informative) by Anonymous Coward on Tuesday November 14, @05:58PM (2 children)

    by Anonymous Coward on Tuesday November 14, @05:58PM (#596882)

    if the police have a dead or detained criminal what is to stop them from just pointing the phone at their face and getting all the juicy data bits inside?

    I guess this means they have to stop shooting people in the face. Talk about crimping their style ...

    • (Score: 2) by Justin Case on Tuesday November 14, @06:06PM (1 child)

      by Justin Case (4239) Subscriber Badge on Tuesday November 14, @06:06PM (#596885)

      No, just use the stun gun you hate because movie cops don't use it. Then, when the "suspect" is down, use the unconscious face to unlock the phone.

      Now you can blow their head clean off. In self defense of course.

      --
      Porn is subversive; hated and feared by church, state, and authoritarian busybodies everywhere. So enjoy some today!
      • (Score: 3, Funny) by Gaaark on Wednesday November 15, @01:47AM

        by Gaaark (41) Subscriber Badge on Wednesday November 15, @01:47AM (#597092) Homepage Journal

        You just have to remember to turn off the bodycam first!

        --
        --- That's not flying: that's... falling... with more luck than I have. ---
  • (Score: 0) by Anonymous Coward on Tuesday November 14, @06:11PM (1 child)

    by Anonymous Coward on Tuesday November 14, @06:11PM (#596888)

    If you're concerned about it, just don't use those biometric functions. Use the good ol' password/pin and make it a good one.

    • (Score: 2) by frojack on Tuesday November 14, @07:29PM

      by frojack (1554) Subscriber Badge on Tuesday November 14, @07:29PM (#596935) Journal

      Given the frequency with which most people are in and out of their phones, no password is likely to be fast enough. They'd rather run naked.

      Given the total disregard that millennials have for privacy, any password they use is likely to be very short and simple.
      I wouldn't be surprised if Many just opt for words like "no".

      --
      No, you are mistaken. I've always had this sig.
  • (Score: 3, Insightful) by meustrus on Tuesday November 14, @06:34PM (9 children)

    by meustrus (4961) <{meustrus} {at} {gmail.com}> on Tuesday November 14, @06:34PM (#596896)

    The battle lines drawn for police vs. privacy are wrong.

    We need the state, as part of due process, to have access to all evidence that exists. We need due process to make this access accountable to the public and limited to a narrow legal scope.

    In service of this, police have the capability to open locks but may only do so with a court order. Why should electronics be any different?

    In practice, however, this argument falls short for technical reasons. If the police had the ability to unlock any device, we do not have legal frameworks in place to prevent them from unlocking every device. If there is one lesson to be learned about computing, it is that there is no longer a meaningful difference in effort between doing something once and doing it billions of times. And in the name of counter-terrorism, the process of obtaining a warrant has become frighteningly less transparent.

    Most importantly, however, no means have yet been devised for police to have controlled access to electronic locks in a manner similar to physical locks that don't fundamentally compromise the locks themselves. Let's face it: if I could lock my front door in a way that would-be burglars would definitely not be able to open, it would be irrational to sacrifice definite protection against such criminals to create privileged access for anybody.

    Unfortunately, those that understand the implications of technology have thus far advocated for a world that shelters everyone's privacy in absolution, because we know that it is technically possible and we want our own activities to remain invisible. It's what a rational self-motivated person would want, but it's not what's best for society.

    What is best for society would be a system in which we maintain all ability to protect ourselves, but an agent of the law can through transparent due process obtain all evidence that exists in the course of a single investigation. I don't see how this is technically possible, but it's what we need. Otherwise, our technology will lead us into a lawless world where power comes unchecked from concealable technological resources, leaving us all caught in the crossfire between increasingly invisible state agents and the already invisible agents of the criminal underworld.

    --
    If there isn't at least one reference or primary source, it's not +1 Informative.
    • (Score: 2) by tangomargarine on Tuesday November 14, @07:06PM (2 children)

      by tangomargarine (667) on Tuesday November 14, @07:06PM (#596915)

      What is best for society would be a system in which we maintain all ability to protect ourselves, but an agent of the law can through transparent due process obtain all evidence that exists in the course of a single investigation. I don't see how this is technically possible, but it's what we need.

      It wouldn't be hard with PKI and key escrow. The problem is how trustworthy the government agent is who gets the copy of your key.

      --
      "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
      • (Score: 2) by meustrus on Tuesday November 14, @11:14PM (1 child)

        by meustrus (4961) <{meustrus} {at} {gmail.com}> on Tuesday November 14, @11:14PM (#597049)

        If you create a backdoor key, anybody can steal the backdoor key. If you create a backdoor key that applies to every single lock, stealing that one key becomes exponentially more valuable. The same goes for separate backdoor keys for every lock that are all kept in the same place.

        Information security is about keeping secrets. The moment you have told anybody else, your attack vector expands to include theirs.

        --
        If there isn't at least one reference or primary source, it's not +1 Informative.
        • (Score: 2) by tangomargarine on Wednesday November 15, @03:52PM

          by tangomargarine (667) on Wednesday November 15, @03:52PM (#597323)

          Give the government agent your original key; there's no backdoor involved at all.

          It's easy to do technically, it's just not a very good idea. At that point everything hinges on 1) the security of the government key escrow system, and B) how robust and trustworthy the process for obtaining permission to use the keys is.

          Information security is about keeping secrets. The moment you have told anybody else, your attack vector expands to include theirs.

          Yup. But of course the point of this whole "secure backdoor encryption" nonsense isn't to make *us* more secure; it's to help the government get their greasy fingers into all of our data.

          --
          "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
    • (Score: 0) by Anonymous Coward on Tuesday November 14, @07:17PM (1 child)

      by Anonymous Coward on Tuesday November 14, @07:17PM (#596926)

      People destroy evidence all the time, so your argument kinda falls apart. There is almost never some safe containing all the incriminating evidence which is why we have subpoenas. If someone does not provide access for law enforcement when there is a legal subpoena then it does not go well for them.

      Your comparison of physical and digital locks is ridiculous, all we will see is criminals using alternate methods to go about their activities while the average person loses privacy and can be easily targeted by the criminals you want to catch! Not only is it not possible, but it is not desirable. The biggest flaw in your thinking is presuming that law enforcement is always "the good guy". We have seen plenty of modern examples of this not being true.

      • (Score: 2) by meustrus on Tuesday November 14, @11:24PM

        by meustrus (4961) <{meustrus} {at} {gmail.com}> on Tuesday November 14, @11:24PM (#597055)

        ...all we will see is criminals using alternate methods to go about their activities while the average person loses privacy and can be easily targeted by the criminals you want to catch!

        That's why I don't have a solution. Creating backdoors solves nothing for this reason and just creates more problems.

        To compare it to a physical lock: if the government mandated that every deadbolt accept the government's master key, average citizens would become less secure while criminals would use black market locks with no such restrictions. The metaphor actually works pretty well when properly applied.

        And no, I do not presume that law enforcement is "the good guy". I presume that it is the designated agent of enforcing the laws that we have already agreed to. Appropriate oversight is necessary to keep law enforcement from becoming corrupt. But my entire argument does assume a lot about how the state functions which is not always true. Selective enforcement, minority disenfranchisement, and corruption are all serious problems, but they are outside the scope of discussing how law enforcement can best accomplish the job that they have been given.

        --
        If there isn't at least one reference or primary source, it's not +1 Informative.
    • (Score: 3, Insightful) by frojack on Tuesday November 14, @07:34PM (3 children)

      by frojack (1554) Subscriber Badge on Tuesday November 14, @07:34PM (#596936) Journal

      We need the state, as part of due process, to have access to all evidence that exists.

      You started out wrong, and it went down hill from there.

      There's absolutely no justification for the police to have all evidence that exists.

      With that as your standard, there is nobody who is innocent. You've just called for a real world "Go to Jail, go directly to jail" card.

      You, sir, are an idiot.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 2) by meustrus on Tuesday November 14, @11:36PM (2 children)

        by meustrus (4961) <{meustrus} {at} {gmail.com}> on Tuesday November 14, @11:36PM (#597058)

        That nobody is innocent is a fault in our laws, not a fault in the powers of law enforcement. It unfortunately leads to selective enforcement, targeted at people the police are already otherwise interested in.

        But don't miss the "as part of due process" part of my argument. Due process does not allow anybody to broadly sweep all evidence of criminal activity. It only allows for a targeted search based on existing suspicion. And when there is an existing suspicion, the best way to prove whether that suspicion is correct or whether the police need to look elsewhere is if they can look at all evidence that exists.

        But think for a moment about what you misinterpreted in my argument. Nobody wants to put everybody in jail. Who would pay taxes? Who would guard the prison? If law enforcement were truly omniscient, we would be having some interesting conversations about all those laws that are technically being broken but don't hurt anybody. We might even have the information to say for sure that certain activities currently illegal are good for society. Granted, we'd also have some serious corruption problems that would probably tank any real reform of our legal system pretty quickly.

        --
        If there isn't at least one reference or primary source, it's not +1 Informative.
        • (Score: 2) by Gaaark on Wednesday November 15, @01:54AM (1 child)

          by Gaaark (41) Subscriber Badge on Wednesday November 15, @01:54AM (#597094) Homepage Journal

          "Nobody wants to put everybody in jail. "

          But there are people who may want to put YOU in jail: give them the power to, and it may happen.

          --
          --- That's not flying: that's... falling... with more luck than I have. ---
          • (Score: 2) by meustrus on Wednesday November 15, @08:03PM

            by meustrus (4961) <{meustrus} {at} {gmail.com}> on Wednesday November 15, @08:03PM (#597435)

            You're remarkably naïve to think that they couldn't already lock you or me away if they wanted to. The vast majority of evidence can already be obtained through warrants, and even if all they have is "reasonable suspicion" they can still use that to make your life unlivable.

            --
            If there isn't at least one reference or primary source, it's not +1 Informative.
  • (Score: 4, Insightful) by GreatAuntAnesthesia on Tuesday November 14, @10:05PM (2 children)

    by GreatAuntAnesthesia (3275) on Tuesday November 14, @10:05PM (#597010) Journal

    For fuck's sake. On the whole I don't mind Apple, but one thing about them that really does piss me off is this:

    the company's futuristic new form of authentication

    As if Apple fucking invented it. IT'S NOT NEW! I have an HTC One Mini Two in my hand from about 2014 that unlocks with face recognition, and I doubt that was the first phone to do it.

    I remember when I had drooling Apple fanboys in 2010 telling me how awesome facetime was and how awesome Apple was for inventing it, when I had already got bored of video calling on my old Motorola Razr 5 years earlier. And then there's iPods, which were of course the first ever mp3 players in the universe.....

    Why is it then when Apple releases some feature on their products, the entire world goes suddenly gaga over it and wows at how new it is, while simultaneously going totally blind to all the other brands and products that have been doing the EXACT SAME THING FOR YEARS?

    • (Score: 4, Informative) by meustrus on Tuesday November 14, @11:38PM

      by meustrus (4961) <{meustrus} {at} {gmail.com}> on Tuesday November 14, @11:38PM (#597059)

      Mainly because Apple's design and marketing make it easy for normal people to understand how to do these things. Apple's business strategy has long been to be late to market with the easiest-to-use product.

      --
      If there isn't at least one reference or primary source, it's not +1 Informative.
    • (Score: 0) by Anonymous Coward on Thursday November 16, @01:05AM

      by Anonymous Coward on Thursday November 16, @01:05AM (#597534)

      From a 2015 Popular Science article [popsci.com]:

      Facial recognition systems that appeared a few years ago in some versions of Android as well as on some PCs could often be circumvented just using a high-quality picture of the person put in front of the camera.

      Since then, most of these systems have gotten a little savvier: most now require you to blink during the recognition process, to verify that you're a real live person and not a photo...

      ...I shot a quick video of myself--blinking included. I held my phone up to the screen, and sure enough, the bank app let me right in...

      From TFA:

      Simpler, flat-image scans had allowed earlier laptops and phones like the Samsung Galaxy S8 to be fooled by a mere photograph. Instead, the iPhone X projects a grid of 30,000 infrared dots onto a face, and then uses an infrared camera to read the distortion of that grid, creating a three-dimensional model.

      Apple is doing 3-D. Sounds new to me.

(1)