Fake face fools fones

by Lsa Vaas of Sophos

Forbes has added to the ever-growing pantheon of ways to trick biometrics by printing a 3D head and using it to break into Android phones.

We’ve long known how easy it is to spoof static authentication by holding up a 2D picture to a camera, as Google found out after filing a patent to let users unlock their phones by, say, sticking out your tongue or wiggling your eyebrows…

…or, in the case of fingerprints, by making a dummy fingerprint out of wood glue or a 2D inkjet printout.

Google went ahead and filed a patent for “Liveness Checks,” but researchers using the most basic of photo editing tools managed to fool it with just a few minutes of editing and animating photos to make them look like subjects were fluttering their eyelashes.

Similarly, researchers at one point came up with a way to mimic the swipey touch gestures we use to get into our phones. They did it by whipping up a Lego robot and equipping it with a finger sculpted from Play-Doh.

Like these previous methods of bypassing biometrics, Forbes’ head approach is rather, shall we say, crafty. Hell, it’s downright makerspace-intensive, given that you need access to a studio equipped with 50 cameras, a 3D printer, and a boatload of gypsum.

The point was to see how easy it is to break into four of the hottest handsets running Android and iOS with a 3D-printed head. The upshot: the gypsum head tricked all of the Androids. Apple’s phone, however, wasn’t fooled.

The models that Forbes managed to trick, given just the right lighting, a software-enhanced version of Thomas Brewster’s nose that had fallen off/been left behind during the photos capture, and various levels of fast-face scan (not so secure) vs. slow-face scan (better): the LG G7 ThinQ, a Samsung S9, a Samsung Note 8 and a OnePlus 6.

The only one that gypsum-head couldn’t fool: The iPhone X.

So, to recap: All you have to do is to lure a target into a studio where 50 cameras will photograph their head simultaneously, and then wait several days for the fake head to be produced! And then you can break into some, but not all phones! Unless they also have a PIN!

OK, exactly how pie in the sky is this? Should (Android) phone owners really worry about thieving hackers sneaking up on them and dragging them into their well-equipped photo studio lair?

Well, you have to ask yourself this: Who has the resources and motivation to set up a 50-camera photo studio, the ability to cajole or compel a phone owner to enter it and STOP FIDGETING, FOR PETE’S SAKE, and the leisure time to wait a few days until a 3D-printed, hand-tinted, gypsum-powder head is ready to use to break into a phone (with the proper lighting level, that is) that’s already in their possession?

Forget thieves. I’m thinking technology-enthusiastic law enforcement. The 3D head is a steal at the cost.

Think about the San Bernardino shooters’ phone and how the FBI dragged Apple to court over encryption on their iPhone, with the whole thing being rendered moot when the bureau figured out how to get to data on the shooters’ phone, with technology from an undisclosed vendor that costnearly $1m.

Even technology from Apple handset-unlocker Grayshift starts at a cool $15,000, and that’s just for the online, 300-use version. Heck, at the cost of £300 (USD $379), a gypsum head is a steal!

Actually, it would be far preferable for law enforcement to rig up studios and 3D printers to churn out gypsum heads by the truckload, rather than dragging technology companies into court over prosecutors’ fervent desire to break encryption with backdoors.

At the end of the day, we as phone owners can simply avoid the whole, esoteric gypsum-head-phobia security worry by choosing to forego face authentication. Instead, we can choose a PIN. Not only are they tougher to crack, they also tend to fall under Fifth Amendment protection against self-incrimination.