Vietnamese Firm Bkav Claims to Have Beaten Apple Face ID With an Elaborate Mask

Apple’s new Face ID security for the iPhone X has sparked a number of concerns, with the biggest being how secure the biometric system really is. The tech giant says that while the facial recognition system is intended for convenience rather than absolute security, it’s less vulnerable than its Touch ID predecessor—though testing has shown that the system generally works, but has a number of faults and unexpected behaviors.

Here’s yet another wrinkle for Face ID: Researchers at Vietnamese firm Bkavclaim to have been able to defeat the iPhone X’s facial recognition with an elaborate mask made from a combination of 2D and 3D parts. In a video released this weekend, Bkav researchers showed off how the specially constructed face was able to unlock a brand-new device. According to Bkav, their “proof of concept” was performed without training their iPhone X to recognize components of the mask, just a team member’s face.

The company didn’t specify how many attempts it took them to get past Apple’s security, but they did write it cost around $150 for parts not including a 3D printer. Without clearer video or seeing the experiment replicated, it’s tough to know whether it’s a genuine break-in.

But assuming Bkav’s method really works as advertised, would this be a major security issue for casual users? Probably not. As Bkav explained in their blog post, “It is quite hard to make the ‘correct’ mask without certain knowledge of security. We were able to trick Apple’s AI, as mentioned in the writing, because we understood how their AI worked and how to bypass it.” For example, in addition to relying on 2D and 3D printed parts, Bkav also had to recruit an artist to construct the mask’s nose by hand. They added the process began “right after receiving [the] iPhone X on Nov 5,” suggesting it was a complicated effort that took many iterations to achieve the desired result.

As Engadget reported, this is somewhat similar to when European hacker association Chaos Computer Club used a labor-intensive process requiring 2400 DPI photographs of a user’s finger and a latex print to fool fingerprint recognition in 2013. Bkav’s elaborate Face ID workaround is quite complicated compared to that, which bolsters Apple’s claims the new system is more secure than Touch ID.

No security is foolproof, but bypassing Face ID in secrecy via this method generally seems to require a high degree of technical knowledge, time, and effort, not to mention direct access to the iPhone X in question. If someone with all of those—like police, spies, hackers, and criminals—is going after a target, that target should probably not be relying on off-the-shelf consumer-grade security. Additionally, any malicious parties would have a limited window to get into a stolen phone, since Apple has built in various restrictions on how often Face ID can be used alone (such as limits on the length of time or number of failed attempts that can occur before requiring the user to input a passcode).

If the person looking to break in isn’t worried about subtlety, they could just physically force the user to unlock the biometric security anyways, or possibly scan the user’s face while they were sleeping or incapacitated. Other slightly more esoteric known vulnerabilities include having the phone unlocked by an identical or near-identical twin.

Either way, the mask method doesn’t invalidate Face ID’s utility for users willing to trade a little security for a little convenience. But if you’ve got the nuclear codes, Bkav has provided slightly more evidence you shouldn’t rely on face-based security.

We’ve reached out to Bkav for more information, and will update this post if we hear back.