The facial recognition incorporated by the latest smartphones is supposed to be there to protect your digital life from eavesdroppers. What they propose as a novelty in security is that the mobile screen unlocks when it detects the face of its owner. But it turns out that it is not always like that. Although anyone could think that it is an infallible security system – "my face is essential to unlock the phone and there is nobody else who has my face" – it turns out that, in most cases, it's as vulnerable as any other biometric system.
The journalist of Forbes Thomas Brewster, specialized in cybersecurity. Brewster ordered an exact copy of his face printed in 3D. Fifty cameras took images of all the angles of his head, they conformed a complete 3D image that, after some adjustments, was ready to be printed. A few days later he had a fairly approximate copy of his own face in real size.
Brewster used the 3D model of his head to try to unlock five different terminals, an iPhone X and four Android devices: an LG G7 ThinQ, a Samsung S9, a Samsung Note 8 and a OnePlus 6. He put his fake head in front of the devices to try to unlock them. The Android opened, although some cost more than others. Only the iPhone X resisted blocked and was not fooled. This is the result of the investment that Apple made in the design of this device: the company worked with a Hollywood studio with the objective of creating realistic masks to test their Face ID system.
The security breach is then demonstrated and the manufacturers are aware of it. When first setting up the LG G7 and Samsung S9 the device warns the user not to activate facial recognition and displays messages stating that "it is a secondary unlocking method that makes the phone less secure" and that the phone could be unlocked by someone or something that resembles the user. "If you only use facial recognition, this will be less safe than using a pattern, PIN or password, "reads the phones." No wonder then that, in the initial tests, the 3D printed head opened immediately, "explains Brewster.
Although it was easy to unlock the four Android mobiles, the OnePlus 6 was clearly the most accessible, according to Brewster. "It did not include the warnings from the other phones or the option of a slower but safer recognition, it opened instantaneously when the false face was put in front of it, and it was undoubtedly the least sure of the devices we tested." In order to answer this question, a spokesperson for OnePlus explains that they always recommend that it be used with other security measures. "For this reason, Face Unlock is not enabled for any secure application such as banking or payments."
This test seems a little surreal: very few people keep such valuable data on their phones that someone makes all these efforts to steal your mobile and access it. Although it is difficult for this to happen, experts still recommend using a strong alphanumeric access code. "The reality with any biometrics is that they can be copied – anyone with enough time, resources and objectives will invest to test and falsify this biometric data," explains Matt Lewis, research director of cybersecurity contractor NCC Group.