The parents, Attaullah Malik and Sana Sherwani, said their fifth-grade son Ammar Malik simply picked up his mother’s new iPhone X without permission and, to their surprise, unlocked the device with his very first glance.
We are seeing a flood of videos on YouTube from iPhone users who have gotten their hands on the new iPhone X and are trying to trick the Face ID. When my wife and I received our iPhone X, we had no such intention. However, things changed right after we were done setting up our new iPhones on November 3rd. We were sitting down in our bedroom and were just done setting up the Face IDs when our 10-year-old son walked in, anxious to get his hands on the new iPhone X. Right away my wife declared that he was not going to access her phone. Acting exactly as a kid would do when asked to not do something, he picked up her phone and with just a glance got right in.
The younger Malik was then consistently able to unlock his mother’s iPhone X, according to his parents. He was even able to unlock his father’s iPhone X, but only on one attempt, which he has since been unable to replicate.
WIRED reporter Andy Greenberg suggested that Sherwani re-register her face to see what would happen. Upon doing so, the iPhone X no longer allowed Ammar access. Interestingly, after Sherwani tried registering her face again a few hours later in the same indoor, nighttime lighting conditions in which she first set up her iPhone X, the son was able to regain access with his face.
The parents clarified that no one ever entered the iPhone X’s passcode after any of the failed unlocking attempts. That’s important, because when Face ID fails to recognize you but the match quality is above a certain threshold, and you immediately enter your passcode, the TrueDepth camera takes another capture and adds it to the enrolled Face ID data to improve reliability.
Apple explains in its Face ID security paper:
Conversely, if Face ID fails to recognize you, but the match quality is higher than a certain threshold and you immediately follow the failure by entering your passcode, Face ID takes another capture and augments its enrolled Face ID data with the newly calculated mathematical representation. This new Face ID data is discarded after a finite number of unlocks and if you stop matching against it. These augmentation processes allow Face ID to keep up with dramatic changes in your facial hair or makeup use, while minimizing false acceptance.
Given that no passcode was ever entered, we can assume that Face ID never learned and adjusted for the son’s face.
The same Face ID security paper states that the probability of a false match is higher among children under the age of 13, because their distinct facial features may not have fully developed. Given that the child is only 10 years old, and given what Apple has disclosed, what’s shown in the video isn’t a surprising flaw.
Nevertheless, the video is further evidence that Face ID isn’t 100 percent foolproof given just the right circumstances. If you are concerned about this, Apple merely recommends using only a passcode to authenticate.
In related news, Vietnamese security firm Bkav recently shared a video in which it was able to spoof Face ID with a mask. The video is generating headlines since Apple said Face ID uses sophisticated anti-spoofing neural networks to minimize its chances of being spoofed, including with a mask.
The mask was supposedly crafted by combining 3D printing with makeup and 2D images, with some special processing done on the cheeks and around the face. Bkav said the supplies to make it cost roughly $150.
We’re skeptical about the video given the lack of accompanying details. For instance, Bkav hasn’t specified whether it disabled Face ID’s default “Require Attention” feature, which provides an additional layer of security by verifying that you are looking at the iPhone before authentication is granted.
Even if the video is legitimate, it’s hardly something that the average person should be concerned about. The chances of someone creating such a sophisticated mask of your facial features would seem extremely slim.
Apple so far has not responded to the videos, beyond pointing reporters to the existing Face ID security paper quoted above.