10-year-old kid succeeds in unlocking his mum’s iPhone X, with just a glance

If you have a spare thousand dollars burning a hole in your pocket you might be tempted to purchase Apple’s latest smartphone, the iPhone X.

The new device comes with a bigger screen than the previous regular incarnation of the iPhone and an improved camera, but what many people are excited about is that Apple has moved from fingerprint-based Touch ID to a new facial recognition system.

But is Apple’s Face ID really as secure as we’re told?

If you believe Apple’s marketing material it seems clear that one technology is better than the other:

“The probability that a random person in the population could look at your iPhone X and unlock it using Face ID is approximately 1 in 1,000,000 (versus 1 in 50,000 for Touch ID).”

But things may not be quite that clear-cut.

The following YouTube video shows how, in one family at least, Face ID is falling short in terms of security.

In the video Sana Sherwani shows how her ten-year-old son Ammar Malik is able to access her locked iPhone X, just by looking at it.

As Wired describes, a split second after Malik looked at his mother’s iPhone X it was unlocked.

My first thought when seeing the video was that maybe young Ammar (who describes himself as being the owner of a “handsome face”, and performs a ‘dab’ in celebration at his success) might have unintentionally trained the iPhone X to recognise his features.

After all, Apple’s technical paper on Face ID security explains that the technology learns how your face changes over time, handling – for instance – changes in hair style or the growth of a beard.

Some have reported that if different faces are inadvertently used when setting up Face ID, or if passcodes are entered correctly after a face is rejected, it’s possible for the iPhone X to learn a “composite” face that might mix more than one person’s features.

But in this case it doesn’t appear that that is what has occurred.

Apple has already admitted that Face ID’s “one in a million” probability of a random person’s face being able to unlock an iPhone X may not be enough to prevent twins and non-identical family members from unlocking phones without permission, and that in such situations the only solution is to roll back to older, tried and trusted forms of authentication:

“The statistical probability is different for twins and siblings that look like you and among children under the age of 13, because their distinct facial features may not have fully developed. If you’re concerned about this, we recommend using a passcode to authenticate.”

Ammar Malik’s demonstration of how he can unlock his mum’s iPhone X certainly seems a lot more straightforward than the efforts one Vietnamese security firm had to go to, creating a creepy 3D-printed mask to fool the smartphone’s security.

Suddenly, Touch ID doesn’t seem so undesirable. But, of course, Touch ID simply isn’t available on the iPhone X because of the lack of a physical “Home” button, due to the device’s sprawling screen.

If you feel you may be at risk from someone willing to put the resources into breaking into your iPhone X, are an identical twin, or simply have kids… maybe you should be rethinking whether Face ID is really something you should enable.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

3 Comments

  • My Android phone doesn't have a home button either. But it does have Touch ID, with the sensor on the back of the phone. Apple could have done the same with the iPhone X.

  • This is exactly why I went for iPhone 8 Plus; that and I didn't know it had a bigger screen (and maybe Plus still is larger). Well and the extra cost and the fact it wasn't quite out yet. Now maybe it still has passcode and that's fine then; but this was something I didn't like at all. And I'm not surprised either.

    Because biometrics has its own set of issues. And if I recall Google has already had this problem. But something people tend to forget, ignore or are unaware of is security is a many layered thing; always has been and always will be. The call to get rid of passwords (and maybe passphrases and passcodes? I don't remember that but I'd not be surprised if they're supposedly obsolete) is flawed because it's only one layer. It's a problem made worse because for what most people use them for – websites – it's almost always all you have available. But that doesn't make them obsolete; it makes them a single layer of many others that has its uses. Of course following safer (safer not necessarily safe) password practices would help matters too but nothing is going to make passwords like 12345678, qwerty, password and all the other ridiculous passwords disappear.