Facial recognition technology is likely not as safe as you may have thought. This was illustrated by a recent test where 3D printed busts of people’s heads were used to unlock smartphones.
Out of five tested phones, only one refused to open when presented with the fake head.
Other biometric security measures are also showing less resilience to hacking than you might expect. A group of Japanese researchers recently showed it was possible to copy a person’s fingerprints from pictures like the ones many of us post on social media.
Good News for iPhone Owners
The smartphone facial recognition test was carried out by Forbes journalist Thomas Brewster with the help of UK-based company Backface. First, Brewster was scanned by a dome-array of 50 cameras to create a full 3D image of his head. Editing software was used to fix any errors before the finished image was fed to a 3D printer.
January 7, 2018
By Marc Prosser
Once the printing was completed, extra coloring and final touch-ups were added. The whole process took a couple of days and cost around £300 (about $380).
Brewster then registered his own face for facial recognition on five different smartphones and subsequently tested if the 3D head bust could unlock the facial recognition feature. The tested phones were the iPhone X, LG’s G7 ThinQ, a OnePlus 6, Samsung’s Galaxy S9, and the Samsung Galaxy Note 8. Only the iPhone X resisted all attempts, while the four other phones could all, with varying degrees of difficulty, be opened using the fake head.
Hackers Coming For Your Head?
So, should you be worried about hackers scanning your face and accessing your phone? The short answer would be no—with a caveat of ‘not just yet’ added.
For one thing, Brewster’s test required him to sit in a dome-array of cameras and have his head scanned from a multitude of angles, and even then, extra work was needed to make the bust more realistic. The whole process took several days, and most of us would realize that our phones were missing quicker than that.
Then there is the added factor that most of the tested phones use the front-facing camera for facial recognition, apart from the iPhone, which uses infrared scanning. Finally, several phone manufacturers explicitly stress that their facial recognition unlocking mechanisms have been designed for speed and convenience instead of solely for security. They also stress that it should be combined with a secondary security measure, such as an alphanumerical code, to make your phone safe against hacking.
All that being said, technology has taught us that something that is complicated and relatively expensive today doesn’t necessarily stay so for very long. For example, the idea of having 360-degree/4K video recording and VR/AR in smartphones would likely have sounded like science fiction just five years ago.
At the same time, other studies and tests illustrate how much of the information that a would-be hacker would need to create a bust of your head might already be floating around in the form of pictures on various social media sites.
Hackers Could Target Peace Signs
In early 2017, stories appeared about a project done by a group of researchers at Japan’s National Institute of Informatics (NII). The researchers had demonstrated that it was possible to recreate fingerprints from photos taken with a digital camera up to three meters (about nine feet) from the subject.
This was especially worrisome news in Japan, where the peace sign is near-ubiquitous in the group photos and selfies that are constantly added to social media.
Isao Echizen, professor at the NII, told the Financial Times that fingerprints were not the only type of biometric information that was in danger of being lifted from photos.
“As camera resolution gets higher, it’s becoming possible to image smaller things like a fingerprint or an iris. […] Once you share them on social media then they’re gone. Unlike a password, you can’t change your fingers, so it’s information you have to protect,” he said.
It’s not the first time fingerprints have been lifted from photos. In 2014, at the annual German Chaos Communication Congress, a hacker reported that he had been able to recreate the fingerprints of German defense minister Ursula von der Leyen from a couple of high-definition photos. However, the Financial Times reported that the Japanese study was the first demonstration of the ‘full chain’ from photography to working fingerprint copy capable of fooling a scanner.
The Biometric Privacy Question
The use of fingerprints and other biometric data is on the rise. In 2020, more than a billion smartphones with facial recognition features will be shipped to customers worldwide. By 2023, biometrics will be used to authenticate purchases worth a combined $2 trillion.
We are already starting to use biometrics to unlock cars, and industries like banking seem on the brink of joining airports, schools, offices, and a whole host of others who also use biometric identification systems.
However, cases like the Japanese photos and Thomas Brewster’s head bust illustrate that biometrics on their own may not be safe.
This can, in some cases, prove to be a good thing. For example, biometric data can be used to identify terrorists from pictures and videos, even when they hide their faces and distort their voices.
In other cases, it may put your data privacy in danger.
“It’s no secret that biometrics—your fingerprints and your face—aren’t protected under the Fifth Amendment,” Zack Whittaker writes in TechCrunch.
He goes on to cite Orin Kerr, a professor at USC Gould School of Law, who says that while a warrant would be needed to use gathered biometric data to unlock a phone, a warrant ‘wouldn’t necessarily be a requirement’ to gather the biometric data in the first place.
To keep your data protected, it would seem that several layers of security are the way forward. Thus, rumors of the death of the alphanumeric password have been greatly exaggerated.
About Marc Prosser
Marc is British, Danish, Geekish, Bookish, Sportish, and loves anything in the world that goes ‘booiingg’. He is a freelance journalist and researcher living in Tokyo and writes about all things science and tech. Follow Marc on Twitter (@wokattack1).