Mask to bypass Apple FaceID

Security researchers have broken Apple's FaceID security system using a mask they said takes around a few days to make and costs only $150.

The authors of this research are experts from Vietnamese cyber-security firm Bkav, the same company that back in 2009 bypassed some of the first facial recognition systems deployed with laptops from ASUS, Lenovo, Toshiba, and others, using nothing more than a simple photo.

While Samsung failed to secure the iris and facial recognition systems it deployed with Galaxy S8 phones released earlier this year against simple "photo attacks," Apple did a much better job.

In previous experiments, hackers and journalists failed to trick Apple's FaceID system with both photos and silicone masks.

Bkav researchers said they were successful in their attempts after studying Apple's FaceID security manual and by leveraging their previous work on facial recognition systems.

Researchers use weird mask to bypass FaceID

Unlike past experiments that failed, the research team didn't go as far as reconstructing an accurate mask of the phone owner's face. Instead, they focused on the features that needed to be valid for the actual authentication process: getting the mask's eyes, nose, mouth, face shape, and relief right.

To create their mask, they didn't use just one material, like silicone, but merged different techniques. They used 3D printing to create an accurate face model based on digital photos of the phone's owner, they modeled a silicone nose that they stuck on the mask, and they glued 2D images of the phone owner's eyes and mouth on the 3D model.

They failed during their first attempts, but they asked an artist to tweak the silicone nose, which is why part of the nose is brown instead of white in the photos above.

Hack could be used against high-value targets

The whole process took about one week and cost researchers $150 in materials, which rules out this type of hack being used against regular users.

Bkav researchers believe such a hack would be of use when attempting to break into the phones of billionaires, government officials, intelligence agents, CEOs, and other high-value targets.

The Bkav team also recorded a video as proof of their work.