Serious Questions Raised About Face ID On New Apple iPhone X
As millions shun the new iPhone 8 from Apple, serious questions are being raised about the security of the yet to be released iPhone X and it’s Face ID technology.
With users of the new device having to rely on their face to unlock the device once Apple’s new top-of-the-line model that will not ship in Australia until November and even then, it will be in short supply.
After removing the now famous Apple home button serious questions are being asked as the home button was used for Touch ID fingerprint authentication.
Apple has been somewhat coy in its rollout of the feature and has not answered ChannelNews emails relating to the device.
In a piece this week for Forbes — “No, Apple’s Face ID is Not a ‘Secure Password’” — scientist JV Chamary takes the tech giant to task for the way Apple exec Phil Schiller laid things out at Apple’s recent event. “The chance that a random person in the population could look at your iPhone X and unlock it with their face,” Schiller said, “is about one in a million.” As Chamary notes, though, that doesn’t tell the full story when it comes to the new feature and the security of the device.
And it’s not just scientists who are concerned about the security elements of the iPhone X one US Senator’s letter to Apple asks for more details about how the feature will work.
Recently Huawei posted a video on its Facebook page that seems to be mocking the new feature.
Meanwhile, the assessment from the security community so far appears to be somewhat mixed — with experts offering praise for some aspects of the new feature but also plenty of cautionary notes.
Troy Hunt, who writes about web security and similar topics, told BGR: “Face ID isn’t necessarily better or worse in terms of security. Rather, it’s different … Face ID gives consumers another choice in terms of which form of biometric authentication they use, and like Touch ID, it offers them a means of protecting their device without the usability friction of a PIN.
As for how easily fooled it will be, we’ll have to wait until it’s in the hands of testers to know for sure, but it would be very surprising if there are any easily exploitable risks found.”
For at least one member of the security community — Marc Rogers, the head of information security at Cloudflare — his reaction to Face ID? “For hackers like me, it’s game on.”
Hackers, you’ll recall, quickly broke into phones secured via Touch ID, which led to headlines like this one from The Verge: “Your phone’s biggest vulnerability is your fingerprint.” Rogers, though, contends that Face ID doesn’t need to be perfect. “It just needs to be secure enough.”
“This is why we still use locks to secure doors even though people can pick locks,” he says. “However, the jury is out with Face ID. Until people get a better grasp of how secure it is, my suggestion would be to stick to complex passwords for high-risk things.”
The data that the feature relies on gets fed into a machine learning model that learns about your face. Meaning, according to Rogers, it should be able to compensate for changes like facial hair, for example.
Apple keeps data about your face on the device and doesn’t send it to the cloud.
Face ID also uses eye detection to make sure that it’s a live, alert human and not someone faking it with a model or picture.
Apple has also added a duress feature where if you press the power button five times, the phone clears its “secrets” preventing Face ID or Touch ID from unlocking the phone. “This,” he said, “is great.
Rogers: “This is form before function. Touch ID was a great design, because it uses a process that fits into your normal usage.
What’s more natural than touching the home button? Taking a selfie in the grocery line or sitting in a restaurant feels awkward and unnatural.
People avoid using things that are awkward or extra work. This is why before Touch ID, less than one in five even had a pin on their device.”
Moreover, he says, Apple did not do this (Face ID) to improve security. “They did this because they couldn’t find an acceptable way to put the Touch ID sensor into the new screen without interfering with their design goals.”
Apple’s duress feature is untested in court.
Your face is your most exposed “credential.” And “it’s not clear yet if this biometric can be ‘secure enough’ for high risk tasks like unlocking password managers or accessing your bank.”