Leaf&Core

Android Facial Recognition Fooled by 3D Printed Head

Reading Time: 3 minutes.
A 3D printed head being hand detailed by someone. Photo is via the Backface studio in Birminham, U.K.

A 3D printed head from Backface. Photo: Forbes

You can buy a new smartphone for $500 or so. Or, for $200, you can buy a 3D printer that will allow you to print 3D copies of people’s heads and steal their phones. Okay, that’s not really feasible. Most people can’t just 3D print your head, it would take a considerable amount of planning. Way too much for just stealing a smartphone.

Let’s say you want to use a 3D print to steal someone’s phone. You’d have to scan a person’s face without them noticing, then create a printed head that could take hours or even days. Then, after you steal it, you could unlock it with the head you’ve printed. You’d have to pick a target, follow them, find a way to covertly scan then, and steal their phone shortly after they’ve used it to give yourself enough time to bring the phone to your 3D printed head. It’s the kind of theft you’d see in a heist or spy movie.

Furthermore, this hack will only work on Android phones. As it turns out, a 3D printed head can fool all Android face identification unlocks, but the iPhone isn’t so easily fooled.

How to Break into an Android Phone

There are probably more practical ways to steal a target’s smartphone. You could wait until they have to put in their pattern or passcode. Watch over their shoulder, snatch the phone, and run. But let’s pretend that’s not an option. Maybe they’re always careful about entering it. Maybe they only enter their passcode at home and use some kind of face unlock in public. Okay, now it’s time to break out the 3D printer. Scan their face with a variety of cameras and some software or a smartphone app. Then, print the face out on your trusty 3D printer. Snatch the phone, scan the face, and it’s yours!

Which Android phones does this work with? Apparently every single one Thomas Brewster of Forbes tested, but not the iPhone X.

How this was Tested

“For all four Android phones, the spoof face was able to open the phone, though with differing degrees of ease. The iPhone X was the only one to never be fooled.”

– Thomas Brewster, Forbes

Brewster commissioned a 3D printed copy of his own head. He then tested the Samsung Galaxy S9, Galaxy Note 8, LG G7 ThinQ, OnePlus 6, and the iPhone X. The head fooled every Android phone. Interestingly, every Android phone has a warning while setting up facial recognition. It states that the phone will be less secure with facial recognition than with a passcode or fingerprint unlock. In fact, Samsung even admits that it can be unlocked by someone who just looks like you.

The iPhone X, on the other hand, didn’t unlock for the fake head. Apple’s Face ID requires eye attention, which this printed head couldn’t fake. Perhaps the next step is to add some motorized 3D replicas of your targets eyes? How good are you at painting?

How to Break into an iPhone


Actually, it’s easier than creating motorized glass eyes. You don’t need 3D printed heads to break into any smartphone either. Instead, you just need a realistic 3D mask with painted nose and mouth, as well as infrared images of the owners eyes. With this, you can fool an iPhone, and likely an Android phone as well, since they can be fooled by a simple unpainted 3D scan or a doppelgänger.

Face ID vs Touch ID?

Apple brags that Face ID is more secure than Touch ID, but the truth of the matter is that a face is far easier to fake. You can more easily get a photo of a person’s face to steal their phone than you can a 3D mold of their fingerprints. Furthermore, Touch ID required an actual living finger, with a small electric current going through it and blood vessels beneath the surface. Some researchers were able to create extremely complicated fakes, but it was far more involved than a painted 3D printed mask created from images.

If you care about security more than anything else, you should only use a 10+ character password on your phone. Apple’s Face ID is the most secure face scanning option, but it’s still not as secure or as convenient as a good fingerprint scanner. Unfortunately, Android fingerprint scanners differ wildly in security. The fact remains, biometric security alone isn’t secure. Proper security combines something you know, something you have, and something you are. This would be a passcode, key, and biometrics. Since that’s inconvenient, we’re stuck with face scanning, one of the lease secure biometric security locks we can get.

Remember, iPhone owners, you can disable Face ID by pressing and holding the lock and a volume buttons. If you ever feel like you’re in a high-risk situation, you can always disable it quickly. You may have the most secure facial recognition, but that wouldn’t stop someone from pointing your phone at you.

So here’s a tip for all smartphone owners. If you are a high-risk theft target, such as a politician, do not use biometric security. Also, if you notice anyone taking a lot of photos of your face, you may want to turn off the face unlock feature on your phone. Especially if you’re an Android user.


Sources:

Exit mobile version