The facial recognition technology of your smartphone is going to betray your secrets to the first 3D-printed replica of your head shown to it. This security flaw applies to all smartphones, especially the Android-powered ones.
Cyber security writer Thomas Brewster tested the latest models of Android phones that feature facial recognition. He used a 3D-printed replica of his head, which cost him several hundred dollars but gave him the ability to hack his own smartphones.
A U.K.-based 3D printing company scanned Brewster’s face in order to manufacture a 3D model of his head. Made from gypsum powder and realistically colored, it cost $400.
Brewster obtained examples of four different models of Android smartphones. All phones had facial recognition systems. He registered his face on each unit before exposing them to the 3D-printed head.
He warned that the replica of his head succeeded in unlocking all four Android phones. Some of them took several tries but were fooled in the end.
The four Android smartphones tested by Brewster were the LG G7 ThinQ, the Samsung Galaxy S9 and Galaxy Note 8, and the OnePlus 6. The Samsung phones needed some trickery, but the OnePlus was instantly tricked.
LG issued the disclaimer that the facial recognition technology in its flagship smartphone is not the primary means of protecting the device. The company stressed that the fingerprint sensor and PIN code are better at securing the device.
Samsung said much the same thing as LG. They also warned that a person who looked like the user could unlock the phone. The facial recognition technology on both Samsung Android models was much more suspicious of Brewster’s 3D-printed head, but creative lighting and angling convinced the systems to unlock their phones.
Chinese company OnePlus considered facial recognition to be a convenience. It did not issue any warnings about the security risk. Its OnePlus 6 phone proved to be the easiest to persuade that, yes, that was its owner looking into the sensor and not a mannequin head.
Smartphone companies claim that they are improving 3D face recognition and iris scanning systems.
Insecure about the protection of your smartphone or mobile device? Experts recommended ditching the convenient biometric security methods for either a robust password or a PIN.
Your biometrics are always at risk of getting copied by a hacker. And if the cyber criminal possesses a fingerprint or a photo of your face, he can penetrate the most advanced facial recognition and fingerprint sensors.
Furthermore, the Fifth Amendment does not extend to your biometric data. So law enforcement and federal agencies are legally allowed to force you to look into the facial recognition camera or put your finger on the fingerprint sensor so that they can access the contents of your smartphone.
They might not even need to have you around to unlock your smartphone. There are a lot of high-resolution CCTVs and video cameras whose feed they can access. They also have access to much more advanced facial recognition software that can pick you out in a crowd.
Passwords and PIN codes, on the other hand, are protected by the Fifth. So the police and the feds cannot force you to tell them what your password is.
So the next time a tech expert tells you that biometrics made passwords obsolete, you can reply that biometrics won’t protect your personal files from shifty-eyed sorts – but passwords can, especially since hackers don’t need permission or the law to hack your home.