
SoylentNews is people

posted by janrinok on Wednesday May 24 2023, @04:19PM

Someone who looks a lot like you could also unlock it, says Which?

Samsung, Oppo and Nokia are among a range of Android phone makers with facial recognition scanning tech that can be "easily duped" by a printed 2D photo, according to tests undertaken by campaign group Which?

Resident techies that put a range of phones and brands through their paces (see box below) said the findings were of concern as biometric tech is often billed as one of the most secure ways to unlock a handset.

Of the 48 phones Which? sent to labs for testing, 19 could be spoofed with photos and "worryingly" these were "not even particularly high resolution and were printed on a standard office printer on normal, rather than photo, paper."

The vast majority of the phones that failed the simple biometric test were, unsurprisingly, low to mid-range in price, though Which? claimed there were exceptions, including the Xiaomi 13 and the Motorola Razr.

Of the phones that Which? reckons could be fooled, seven were made by Xiaomi, four came from Motorola, while two came from each of Nokia, Oppo and Samsung. One model made by Honor and another by Vivo were also found to be exploitable.

Under Android's requirements, phone makers must ensure devices and software are "Android compatible," which includes how often device security can be spoofed. Class 3 systems must not be duped more than 7 percent of the time, and Class 1 systems are least secure, with a spoof rate of 20 percent of the time or more.

Which? voiced worries that scammers could exploit the weakness to – for example – access Google Wallet to make payments to a limited value (£45 in the UK, about $56) without needing to unlock their phone. For larger transactions, Google asks users to use a Class 3 biometric lock, Which? said.


This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 2) by aafcac on Wednesday May 24 2023, @05:20PM (4 children)

    by aafcac (17646) on Wednesday May 24 2023, @05:20PM (#1307963)

    I'm not really sure why the face ID isn't simply set up to require a blink, wink or other change of the face. It does have limitations, but it prevents photos from being used.

  • (Score: 2) by looorg on Wednesday May 24 2023, @05:46PM (3 children)

    by looorg (578) on Wednesday May 24 2023, @05:46PM (#1307974)

    Wouldn't that just require that you have two pictures? Or pictures on both sides of a picture. One where your face is normal and one where you close one eye and then you just flip it over a few times? One would think that wouldn't work but considering that a static low-res 2D picture apparently works now I wouldn't be surprised if it was fooled by the motion of just turning the picture over a few times.

    • (Score: 2) by looorg on Wednesday May 24 2023, @05:53PM

      by looorg (578) on Wednesday May 24 2023, @05:53PM (#1307975)

      ... or one of those photo strips, sets of four images or so on a vertical strip you could get from photo booths back in the day (or probably still can in certain places)? Just get one of those and then move it up and down in front of the camera. That should probably fool it into thinking it's motion and you are blinking or doing facial expressions of some kind.

    • (Score: 3, Insightful) by JoeMerchant on Wednesday May 24 2023, @06:38PM

      by JoeMerchant (3937) on Wednesday May 24 2023, @06:38PM (#1307985)

      Fingerprints are NOT unique. Especially not in a world of 80 billion human fingers.

      Facial recognition tech is NOT anywhere near foolproof. Is it better than a minimum wage security guard trained against a 10 most wanted list? Hell yeah, but... even that security guard is a little harder to scam with stuff like fuzzy Polaroids than state of the art AI.

      The facial recognition and fingerprint reading tech in your phone is FAR from state of the art. It's convenience, and in some ways it's better than passwords, pins, swipe patterns and all that because it's harder to look over your shoulder and duplicate. Well, maybe. I believe a friend and I tested their iPhone years back by taking a picture of them with my phone, then holding that picture up to the iPhone camera and, yep, it let me in.

      Any suggestions of winks, blinks, nods, or middle finger salutes are similarly easily captured from far across an airport lounge using a telephoto mirror lens that you're unlikely to notice trained on your face while you go through your login dance for all to see.

      Copying fingerprints is well worn in Hollywood hacker plot points, but the truth is: the scanner is only looking for a few select features and while it might not let you in with greasy fingers, law enforcement can probably swipe various common print patterns across your seized phone's sensor with a non-zero chance of being let in. "Honest your Honor, the phone was unlocked when they handed it to me. What? Body cam footage, um, no, I'm afraid there was a technical schnarvenfuffle with that sequence, it's not available."

      --
      🌻🌻 [google.com]
    • (Score: 2) by aafcac on Wednesday May 24 2023, @10:26PM

      by aafcac (17646) on Wednesday May 24 2023, @10:26PM (#1308028)

      That shouldn't be an issue, a wink would only be a small part of the image changing. Swapping an entire photo would result in a massive change to the image for a moment.
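
The frame-difference idea from the last comment above (a wink changes only a small part of the image, while swapping the photo changes most of it), sketched as an added example that is not part of the original thread or any vendor's code. The 8x8 grayscale frames, the thresholds and all function names are constructed assumptions for a toy heuristic, not a production liveness check.

```python
# Toy liveness heuristic over constructed 8x8 grayscale frames (not camera data).
# Thresholds are assumptions picked for this sample data.
PIXEL_DELTA = 40   # brightness change that counts a pixel as "changed"
LOCAL_MAX = 0.15   # up to this fraction of changed pixels is "localized"


def changed_fraction(prev, cur):
    """Fraction of pixels whose brightness moved by more than PIXEL_DELTA."""
    total = changed = 0
    for row_p, row_c in zip(prev, cur):
        for p, c in zip(row_p, row_c):
            total += 1
            changed += abs(p - c) > PIXEL_DELTA
    return changed / total


def classify_transition(prev, cur):
    """Label one frame-to-frame step as static, local or global."""
    frac = changed_fraction(prev, cur)
    if frac == 0:
        return "static"
    return "local" if frac <= LOCAL_MAX else "global"


def assess(frames):
    """Reject sequences with no change or with any whole-frame change."""
    kinds = [classify_transition(a, b) for a, b in zip(frames, frames[1:])]
    if "global" in kinds:
        return "reject: whole-frame change"
    if "local" in kinds:
        return "candidate: localized change"
    return "reject: no change"


def make_face(eye=200, base=120):
    """Constructed frame: flat background with two bright 'eye' pixels."""
    frame = [[base] * 8 for _ in range(8)]
    for r, c in ((2, 2), (2, 5)):
        frame[r][c] = eye
    return frame


OPEN = make_face()
WINK = make_face()
WINK[2][5] = 120  # one eye pixel drops to background brightness
# A completely different constructed picture (brightness ramp).
OTHER = [[(r * 8 + c) * 4 for c in range(8)] for r in range(8)]

if __name__ == "__main__":
    for name, seq in (("held still", [OPEN, OPEN, OPEN]),
                      ("wink", [OPEN, WINK, OPEN]),
                      ("picture swapped", [OPEN, OTHER, OPEN])):
        print(f"{name:16} -> {assess(seq)}")
```

A "candidate" result only means the change was small and localized; it says nothing about whether the source was a live face or a replayed recording, which is the limitation raised earlier in the thread.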