Face unlock on many Android smartphones falls for a photo

Face unlock on many Android smartphones falls for a photo

No 3D-printed heads or realistic masks were needed to trick even a handful of high-end handset models into unlocking their screens

No 3D-printed heads or realistic masks were needed to trick even a handful of high-end handset models into unlocking their screens

A Dutch non-profit has tested facial recognition on 110 smartphones to see just how well their implementations of this method of biometric authentication secure the devices – and found that the picture isn’t pretty.

A “good portrait photo” of the owner’s face was all it took to fool the biometrics on no fewer than 42 handsets. The report, drafted by the Dutch consumer watchdog Consumertenbond (Consumers’ League), is scarce on details concerning the audit’s methods or the photo’s parameters, but the bottom line is that no sophisticated methods, such as 3D-printed heads or realistic masks, were needed to dupe many smartphones.

The list of handsets that failed the test includes mostly budget and, less so, mid-tier offerings from a variety of manufacturers. However, a few pricier devices – such as Sony’s Xperia XZ2 Premium and XZ3 and Huawei P20 Pro – also failed to resist the unsophisticated screen unlock attempt.

Several brands, including Asus, Huawei, Lenovo/Motorola, Nokia, Samsung, Sony, and Xiaomi, had at least two representatives each among the devices that failed the test. The full lists are available here (in Dutch, but Google Chrome, for example, will fetch a machine translation into English with a single click).

That said, most devices were not duped. This mainly includes flagship and/or newer models from Samsung, Honor, HTC, Huawei, Lenovo/Motorola, and OnePlus.

Unsurprisingly, iPhone XR and XS also emerged unscathed from the testing. Apple’s Face ID is known for its resiliency to face-hacking schemes, albeit apparently there is no perfection.

Fool me once … ?

Lastly, there was a third group with devices – mostly made by LG – whose facial recognition was defeated with a photo, but not under all circumstances. More precisely, all came down to the stringency of the handsets’ facial recognition settings.

Most tested devices are available in the Netherlands, with a few specific to other chosen markets, such as the United States, the United Kingdom, and Brazil. Single- and dual-SIM models were treated separately, as were the same models with different storage capacities, which somewhat boosted the number of tested handsets.

Now, the manufacturers of Android-powered smartphones often warn smartphone users that facial recognition isn’t the safest biometrics around. Instead, iris and fingerprint scanning are generally regarded as more reliable and, indeed, should be enough to deter anything less than a dedicated attacker. Both can also be useful to fend off shoulder surfing, an easy and common attack vector.

An old-school PIN code – of at least six digits, however – should also be comparatively safe in most situations; unless, for example, an intruder with an ‘eye for detail’ steals a glance at your screen as you tap those digits. The PIN code has also been proven to be safer than what is probably the most common non-biometric screen lock method – the pattern. The finger squiggle was the option of choice for 40 percent of Android users in the US a few years ago.

Discussion