
10-year-old kid succeeds in unlocking his mum’s iPhone X, with just a glance

If you have a spare thousand dollars burning a hole in your pocket you might be tempted to purchase Apple’s latest smartphone, the iPhone X.

The new device comes with a bigger screen than the previous regular incarnation of the iPhone and an improved camera, but what many people are excited about is that Apple has moved from fingerprint-based Touch ID to a new facial recognition system.

But is Apple’s Face ID really as secure as we’re told?

If you believe Apple’s marketing material it seems clear that one technology is better than the other:

“The probability that a random person in the population could look at your iPhone X and unlock it using Face ID is approximately 1 in 1,000,000 (versus 1 in 50,000 for Touch ID).”

But things may not be quite that clean-cut. Apple's figure is a false-acceptance rate measured against a random member of the population, and the people who actually get their hands on your phone are rarely random.

A YouTube video shows how, in one family at least, Face ID is falling short in terms of security.

In the video Sana Sherwani shows how her ten-year-old son Ammar Malik is able to access her locked iPhone X, just by looking at it.

As Wired describes, a split second after Malik looked at his mother’s iPhone X it was unlocked.

My first thought when seeing the video was that maybe young Ammar (who describes himself as being the owner of a “handsome face”, and performs a ‘dab’ in celebration at his success) might have unintentionally trained the iPhone X to recognise his features.

After all, Apple’s technical paper on Face ID security explains that the technology learns how your face changes over time, handling – for instance – changes in hair style or the growth of a beard.

Some have reported that if different faces are inadvertently used when setting up Face ID, or if passcodes are entered correctly after a face is rejected, it's possible for the iPhone X to learn a "composite" face that might mix more than one person's features. The second route is documented behaviour rather than rumour: Apple's Face ID security guide says that when a face fails to match but scores above a certain threshold, and the passcode is entered immediately afterwards, the phone takes another capture and adds it to the enrolled data. A child who repeatedly picks up a parent's phone and is then handed it unlocked by passcode is running exactly that sequence.

But in this case it doesn’t appear that that is what has occurred.

Apple has already admitted that Face ID's "one in a million" probability of a random person's face being able to unlock an iPhone X may not hold for twins, look-alike siblings or young children, and that in such situations the only solution is to fall back to the older, tried and trusted passcode:

“The statistical probability is different for twins and siblings that look like you and among children under the age of 13, because their distinct facial features may not have fully developed. If you’re concerned about this, we recommend using a passcode to authenticate.”

Ammar Malik’s demonstration of how he can unlock his mum’s iPhone X certainly seems a lot more straightforward than the efforts one Vietnamese security firm had to go to, creating a creepy 3D-printed mask to fool the smartphone’s security.

Suddenly, Touch ID doesn’t seem so undesirable. But, of course, Touch ID simply isn’t available on the iPhone X because of the lack of a physical “Home” button, due to the device’s sprawling screen.

If you feel you may be at risk from someone willing to put the resources into breaking into your iPhone X, are an identical twin, or simply have kids… maybe you should be rethinking whether Face ID is really something you should enable.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.


Comments
    • Interesting way to look at it. But at the same time passwords aren't everything either: it's a many layered thing, security is. And then there are passphrases and passcodes… And so many other things.

  • My Android phone doesn't have a home button either. But it does have Touch ID, with the sensor on the back of the phone. Apple could have done the same with the iPhone X.

  • This is exactly why I went for iPhone 8 Plus; that and I didn't know it had a bigger screen (and maybe Plus still is larger). Well and the extra cost and the fact it wasn't quite out yet. Now maybe it still has passcode and that's fine then; but this was something I didn't like at all. And I'm not surprised either.

    Because biometrics has its own set of issues. And if I recall Google has already had this problem. But something people tend to forget, ignore or are unaware of is security is a many layered thing; always has been and always will be. The call to get rid of passwords (and maybe passphrases and passcodes? I don't remember that but I'd not be surprised if they're supposedly obsolete) is flawed because it's only one layer. It's a problem made worse because for what most people use them for – websites – it's almost always all you have available. But that doesn't make them obsolete; it makes them a single layer of many others that has its uses. Of course following safer (safer not necessarily safe) password practices would help matters too but nothing is going to make passwords like 12345678, qwerty, password and all the other ridiculous passwords disappear.

  • The important detail in Apple's figure is misleading: one in a million people being able to unlock your phone sounds few and far between, but when you consider that the people closest to you may be the ones who are most likely to share your facial features i.e. your family, it's much more likely that they are that one in a million: therefore, we're likely to find a lot of cases of family unlocking each other's phones. It doesn't make Apple's stat wrong, but we just need to understand that logically it's more possible than we might be led to believe.

    • Correct. Pretty much all organisations and most certainly all politicians abuse the fact that people don't understand maths and more so don't understand statistics. But when it comes to security it's worse: the thing is that the impossible can become possible (this goes for more than security). Not only that but there is this issue: if you're relying on numbers it's just another form of security through obscurity i.e. a false sense of security and not at all security. The user – and this is something a lot of software developers don't understand and being one I don't understand how they miss it (same with a lot of different fields: the so-called learn to 'code' rationale is included here) – doesn't really care why or how something works they only care that it is WORKING. And does anyone really think a victim is going to care about their measly statistics? Of course not.

      Statistics lie so easily. They also can easily minimise other smaller numbers. I've used this analogy before. People say the number of Jews murdered during the Holocaust is 6 million (The records are closer to 5mil if memory serves me right and this is from records whereas the 6mil derives from a census test – but the number is beside the point other than it being a smaller number than some others), right? Okay but how many lost their lives in the Second World War? The number of victims in the Holocaust becomes nothing if you want to talk about statistics. And then what about Black Death? In that case the deaths of the Second World War are insignificant. It's so easy to manipulate numbers and most people are oblivious to it too…

      In the end biometrics is a lot more flawed than many would like to believe. And it ignores the fact that security is a many layered thing. Passwords aren't obsolete – they're just another layer. Yes most people choose really awful passwords, reuse them and often the way they are stored is insecure too. But they become a problem when that's the only layer: which is often for websites. That doesn't make them obsolete but it makes the websites set up not a true security system (for the users logging into the website, anyway).