Apple’s new iPhone X hit stores November 3rd. Its most talked-about feature is Face ID. Instead of touching your finger to the phone to unlock it, just look at the camera and it recognizes your face. Face ID is more accurate than the old Touch ID. Does that mean it’s more secure?
Taproot Security studied technical specs on Face ID and found potential vulnerabilities. I enumerated these in a private letter to Apple one month ago, along with ten recommendations to improve Face ID security. Apple thanked us politely but took no action. We can now go public.
These are some of the issues we raised to Apple:
iPhone X performs Face ID verification every time you pick it up and look at it. This can make it easy for thieves to unlock a stolen phone; they simply hold it up to the victim’s face. The only defense is to quickly close one’s eyes or look away. The “SOS” button combination won’t help in most situations.
Because iPhone X learns your face over time, it may not reach optimum accuracy for days or weeks.
The way iPhone X relearns your face after a sudden change in your appearance (grow a beard, apply makeup, etc.) may allow a thief to impersonate you to a stolen phone.
The way Apple trained its neural net to recognize faces (both genuine and impostors) has not been shared with independent security researchers.
Unlike previous models, iPhone X doesn’t erase internal encryption keys when locked. Instead it uses Face ID to save them. If keys are compromised, then so is data on the phone.
Face ID may be an improvement over Touch ID. My advice is to wait a while for Apple to work out any bugs with the aid of early adopters before you give it a try. When iPhone X gets its first major iOS update, then it's probably safe to jump in the pool.
If you do try Face ID, use it heavily right away under a variety of lighting conditions, so its neural net can learn your face and grow accurate quickly. If your phone is stolen, look away or close your eyes before the thief can hold it up to your face to unlock it.
UPDATE 11/11/2017: Vietnamese security researchers already hacked Face ID using specially crafted face masks. If confirmed, this result suggests Apple’s impostor testing may have been inadequate.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.