Connect with us

Hi, what are you looking for?


Identity & Access

iPhone X’s Face ID Bypassed by a Mask

Face ID, the facial biometric unlocking technology included in Apple’s recently launched iPhone X, can be bypassed using a mask, security researchers have discovered.

Face ID, the facial biometric unlocking technology included in Apple’s recently launched iPhone X, can be bypassed using a mask, security researchers have discovered.

When revealing the new iPhone X in early September, Apple said that Face ID could recognize its owner with only 1 in 1,000,000 false positives, day or night, and that professional mask makers and makeup artists in Hollywood helped training the artificial intelligence behind the feature to protect from attempts to bypass it.

The feature, however, raised concerns over the use of facial recognition becoming the norm and opening the door to new ways to abuse it. Some even feared that it would result in advertisers and law enforcement being able to track people’s whereabouts much easier.

Simultaneously, many questioned Face ID’s effectiveness against keeping intruders out of the device. And while some previous attempts to trick the security feature appear to have failed, Face ID was successfully bypassed by a mask created by Bkav, a company focused on the network security, software, smartphone manufacturing and smarthome.

“One week after iPhone X officially went on sale, Bkav security experts from Vietnam show that Face ID can be fooled by mask, which means it is not an effective security measure,” the company says.

The mask used by the researchers in their experiment included 3D-printed elements, a nose made by a handmade artist, and 2D printed-elements for some parts. Hand-made skin was also used to trick Apple’s AI. The total cost to produce the mask was $150, the researchers say.

Advertisement. Scroll to continue reading.

“The mask is crafted by combining 3D printing with makeup and 2D images, besides some special processing on the cheeks and around the face, where there are large skin areas, to fool AI of Face ID,” Ngo Tuan Anh, Bkav’s Vice President of Cyber Security, said.

The security researchers claim that the purpose of their experiment was to show that facial recognition isn’t mature enough to be used in widely available devices even after 10 years of development. In 2008, Bkav demonstrated that face recognition was not an effective security measure for laptops, after manufacturers started using the technology in their products.

Although they say it’s actually easy to create a mask and beat Face ID, the researchers admit that their knowledge of how Apple’s AI works and what they could do to bypass it helped them in creating a proof of concept. The researchers claim that Apple appears to rely on the Face ID’s AI too much for the recognition process, which allows one to unlock the device even with half of their face covered.

“Potential targets shall not be regular users, but billionaires, leaders of major corporations, nation leaders and agents like FBI need to understand the Face ID’s issue. Security units’ competitors, commercial rivals of corporations, and even nations might benefit from our PoC,” Bkav says.

The researchers note that the mask was an experiment meant to prove a point, and that it was a successful experiment. They also revealed that they started working on the mask as soon as they received their iPhone X device on November 5 and that they plan on publishing full details related to how they built the mask.

“As for biometric security, fingerprint is the best,” the company concludes.

Until full details on the experiment are published, some questions remain unanswered, such as whether they used the dimensions of a real person’s face when creating the mask or if the attack was attempted with a fresh unlock.

Further details on how the experiment was set up are also required, such as whether the device was trained with the mask or not, and the number of attempts they used until successfully unlocking the phone.

SecurityWeek reached to Apple for a comment on Bkav’s findings, but the company redirected us to their Knowledge Base article on Face ID, where the additional security measures are detailed. There, Apple explains that setting up Face ID requires a passcode and that the passcode is requested after five unsuccessful attempts to match a face or if the device hasn’t been unlocked for more than 48 hours.

The passcode is also requested if it “hasn’t been used to unlock the device in the last six and a half days and Face ID hasn’t unlocked the device in the last 4 hours,” Apple says.

Related: New iPhone Brings Face Recognition (and Fears) to the Masses

Related: Apple Brings FaceID to New iPhone X 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...