
SoylentNews is people

posted by janrinok on Wednesday May 24 2023, @04:19PM

Someone who looks a lot like you could also unlock it, says Which?

Samsung, Oppo and Nokia are among a range of Android phone makers with facial recognition scanning tech that can be "easily duped" by a printed 2D photo, according to tests undertaken by campaign group Which?

Resident techies that put a range of phones and brands through their paces (see box below) said the findings were of concern as biometric tech is often billed as one of the most secure ways to unlock a handset.

Of the 48 phones Which? sent to labs for testing, 19 could be spoofed with photos and "worryingly" these were "not even particularly high resolution and were printed on a standard office printer on normal, rather than photo, paper."

The vast majority of the phones that failed the simple biometric test were, unsurprisingly, low to mid-range in price, though Which? claimed there were exceptions, including the Xiaomi 13 and the Motorola Razr.

Of the phones that Which? reckons could be fooled, seven were made by Xiaomi, four came from Motorola, while two came from each of Nokia, Oppo and Samsung. One model made by Honor and another by Vivo were also found to be exploitable.

Under Android's requirements, phone makers must ensure devices and software are "Android compatible," which includes how often device security can be spoofed. Class 3 systems must not be duped more than 7 percent of the time, and Class 1 systems are the least secure, with a spoof rate of 20 percent of the time or more.

Which? voiced worries that scammers could exploit the weakness to – for example – access Google Wallet to make payments to a limited value (£45 in the UK, about $56) without needing to unlock their phone. For larger transactions, Google asks users to use a Class 3 biometric lock, Which? said.
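How a spoof rate like the ones behind those classes could be estimated from a lab run, as an added example that is not from Which?, Google or the article. The 7 percent and 20 percent bounds are the article's; the Class 2 band between them, the 95% Wilson interval and the sample counts are assumptions made for the illustration.

```python
import math

def biometric_class(sar):
    """Map a spoof acceptance rate (0..1) to the class bands quoted above."""
    if sar <= 0.07:      # article: Class 3 is duped no more than 7% of the time
        return 3
    if sar < 0.20:       # assumption: Class 2 fills the gap between the two
        return 2
    return 1             # article: Class 1 is 20% or more

def wilson_upper(accepted, attempts, z=1.96):
    """Upper end of the 95% Wilson score interval for accepted/attempts."""
    if attempts <= 0 or not 0 <= accepted <= attempts:
        raise ValueError("need 0 <= accepted <= attempts and attempts > 0")
    p = accepted / attempts
    denom = 1 + z * z / attempts
    centre = (p + z * z / (2 * attempts)) / denom
    half = z * math.sqrt(p * (1 - p) / attempts
                         + z * z / (4 * attempts ** 2)) / denom
    return centre + half

def assess(accepted, attempts):
    """Class by the observed rate, and by the rate the run cannot rule out."""
    upper = wilson_upper(accepted, attempts)   # also validates the counts
    observed = accepted / attempts
    return {
        "observed": observed,
        "upper": upper,
        "class_observed": biometric_class(observed),
        "class_supported": biometric_class(upper),
    }

# Constructed results: (device label, spoof attempts accepted, attempts made)
RUNS = [("phone-a", 0, 20), ("phone-b", 0, 100), ("phone-c", 6, 20)]

if __name__ == "__main__":
    for label, accepted, attempts in RUNS:
        r = assess(accepted, attempts)
        print(f"{label}: observed {r['observed']:.1%}, "
              f"upper bound {r['upper']:.1%}, "
              f"class by observed rate {r['class_observed']}, "
              f"class the run supports {r['class_supported']}")
```

phone-a never accepts a spoof, yet 20 attempts only bound its rate below about 16 percent, so that run does not demonstrate Class 3; 100 clean attempts do.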


  • (Score: 2, Interesting) by crm114 on Wednesday May 24 2023, @04:37PM (6 children)

    by crm114 (8238) Subscriber Badge on Wednesday May 24 2023, @04:37PM (#1307951)

    I own an iPhone XR, which does not have a fingerprint reader. It keeps reminding me I can scan my face to ... send... where?

    No thanks. My phone, my face, my fingerprint.

    • (Score: 2) by Tork on Wednesday May 24 2023, @04:53PM

      by Tork (3914) Subscriber Badge on Wednesday May 24 2023, @04:53PM (#1307957)

      It keeps reminding me I can scan my face to ... send... where?

      To the chip on your phone.

      --
      🏳️‍🌈 Proud Ally 🏳️‍🌈
    • (Score: 2) by aafcac on Wednesday May 24 2023, @05:20PM (4 children)

      by aafcac (17646) on Wednesday May 24 2023, @05:20PM (#1307963)

      I'm not really sure why the face ID isn't simply set up to require a blink, wink or other change of the face. It does have limitations, but it prevents photos from being used.

      • (Score: 2) by looorg on Wednesday May 24 2023, @05:46PM (3 children)

        by looorg (578) on Wednesday May 24 2023, @05:46PM (#1307974)

        Wouldn't that just require that you have two pictures? Or pictures on both sides of a picture. One where your face is normal and one where you close one eye and then you just flip it over a few times? One would think that wouldn't work but considering that a static low-res 2d picture apparently works now I wouldn't be surprised if it was fooled by the motion of just turning the picture over a few times.

        • (Score: 2) by looorg on Wednesday May 24 2023, @05:53PM

          by looorg (578) on Wednesday May 24 2023, @05:53PM (#1307975)

          ... or one of those photo strips, sets of four images or so on a vertical strip you could get from photo booths back in the day (or probably still can in certain places)? Just get one of those and then move it up and down in front of the camera. That should probably fool it into thinking it's motion and you are blinking or doing facial expressions of some kind.

        • (Score: 3, Insightful) by JoeMerchant on Wednesday May 24 2023, @06:38PM

          by JoeMerchant (3937) on Wednesday May 24 2023, @06:38PM (#1307985)

          Fingerprints are NOT unique. Especially not in a world of 80 billion human fingers.

          Facial recognition tech is NOT anywhere near foolproof. Is it better than a minimum wage security guard trained against a 10 most wanted list? Hell yeah, but... even that security guard is a little harder to scam with stuff like fuzzy Polaroids than state of the art AI.

          The facial recognition and fingerprint reading tech in your phone is FAR from state of the art. It's convenience, and in some ways it's better than passwords, pins, swipe patterns and all that because it's harder to look over your shoulder and duplicate. Well, maybe. I believe a friend and I tested their iPhone years back by taking a picture of them with my phone, then holding that picture up to the iPhone camera and, yep, it let me in.

          Any suggestions of winks, blinks, nods, or middle finger salutes are similarly easily captured from far across an airport lounge using a telephoto mirror lens that you're unlikely to notice trained on your face while you go through your login dance for all to see.

          Copying fingerprints is well worn in Hollywood hacker plot points, but the truth is: the scanner is only looking for a few select features and while it might not let you in with greasy fingers, law enforcement can probably swipe various common print patterns across your seized phone's sensor with a non-zero chance of being let in. "Honest your Honor, the phone was unlocked when they handed it to me. What? Body cam footage, um, no, I'm afraid there was a technical schnarvenfuffle with that sequence, it's not available."

          --
          🌻🌻 [google.com]
        • (Score: 2) by aafcac on Wednesday May 24 2023, @10:26PM

          by aafcac (17646) on Wednesday May 24 2023, @10:26PM (#1308028)

          That shouldn't be an issue, a wink would only be a small part of the image changing. Swapping an entire photo would result in a massive change to the image for a moment.

  • (Score: 2, Informative) by Zinho on Wednesday May 24 2023, @06:43PM (4 children)

    by Zinho (759) on Wednesday May 24 2023, @06:43PM (#1307987)

    the findings were of concern as biometric tech is often billed as one of the most secure ways to unlock a handset.

    Yes, marketers would say that, wouldn't they. I mean, Hollywood uses biometric props in all of their scenes purporting to show secure facilities! It's gotta be secure, right?
    I just took the Security+ certification exam last year, the correct answer on that test is that single-factor biometric logins are a convenience feature, not a security feature. They let you log in without needing to fumble around on a virtual keypad to enter a pin or a swipe pattern, so they're easier and faster - not more secure. Too many exploits [duckduckgo.com] against the biometric sensors.

    Also of note: in the U.S. police are allowed to compel you to look at your phone camera or touch its fingerprint sensor. They aren't allowed to compel you to enter a pin (or any other "something-you-know" authentication factor), since that runs afoul of prohibitions on both compelled speech and self-incrimination.

    --
    "Space Exploration is not endless circles in low earth orbit." -Buzz Aldrin
    • (Score: 3, Informative) by JoeMerchant on Wednesday May 24 2023, @08:40PM (3 children)

      by JoeMerchant (3937) on Wednesday May 24 2023, @08:40PM (#1308009)

      >compel you to ... touch its fingerprint sensor

      I mean, I know in practice they are able to compel you to receive repeated brutal anal penetration by a wooden mop handle [wikipedia.org] but when you live to tell the tale they do get scolded for it.

      Odd that we have protections for self-incrimination by speech, but not by physical touch. I thought that DNA collection for analysis required a warrant, compelling fingerprint deposition on your personal property... I guess it's an extension of the booking photo / fingerprinting process - a really bad, overreaching extension, but there it is.

      --
      🌻🌻 [google.com]
      • (Score: 4, Interesting) by Zinho on Thursday May 25 2023, @12:28PM (2 children)

        by Zinho (759) on Thursday May 25 2023, @12:28PM (#1308094)

        Odd that we have protections for self-incrimination by speech, but not by physical touch.

        Amen, brother!
        I'm definitely not advocating for the status quo, just pointing it out. I think it's strange, too, doubly so when tech companies/news media actively campaign to make us feel safer becoming vulnerable to such searches.

        BTW, what's up with us both getting flamebait mods on this thread? Some pro-police modder got his feelings hurt over having the truth pointed out?

        Hey, modboy, don't hate, participate: post a reply, please. I want to hear what you have to say.

        --
        "Space Exploration is not endless circles in low earth orbit." -Buzz Aldrin
        • (Score: 3, Touché) by JoeMerchant on Thursday May 25 2023, @12:34PM

          by JoeMerchant (3937) on Thursday May 25 2023, @12:34PM (#1308095)

          Modboy is a rare Silent Majority member. The common ones are neither, but at least Modboy is almost silent.

          --
          🌻🌻 [google.com]
        • (Score: 2) by janrinok on Thursday May 25 2023, @03:27PM

          by janrinok (52) Subscriber Badge on Thursday May 25 2023, @03:27PM (#1308128) Journal

          It is just our resident grumpy old man, at least I am assuming he is old. The moderations tend to get corrected over the course of discussion.

  • (Score: 2) by inertnet on Thursday May 25 2023, @08:32AM (1 child)

    by inertnet (4071) on Thursday May 25 2023, @08:32AM (#1308073) Journal

    For a smartphone its bio-metric system only needs to be about 90% accurate or better. If you want to distinguish between 100 employees for instance, it needs to be well over 99%. If you need to identify one in a million people, accuracy must be better than 99.9999%. Your smartphone doesn't need that accuracy.

    • (Score: 0) by Anonymous Coward on Friday May 26 2023, @08:15AM

      by Anonymous Coward on Friday May 26 2023, @08:15AM (#1308281)

      Yeah, I suspect most people just want it secure enough to stop kids, pranksters, colleagues, petty thieves from messing with their phones.

      They'd probably feel a bit honored if the NSA, Mossad etc take that much effort to hack into their phone.

      And if Gov thugs/dogs come to ask them to unlock their phone, they might just unlock it anyway.