Your NPR news source

Security Firm Says Extremely Creepy Mask Cracks iPhone X's Face ID

A video shows the Vietnam-based Bkav apparently bypassing the feature. Apple has touted the function as secure since it was unveiled in September.

SHARE Security Firm Says Extremely Creepy Mask Cracks iPhone X's Face ID

Less than a week after the iPhone X release, a Vietnamese security firm says it has done what others couldn’t — trick the phone’s facial recognition software. How? One very creepy mask.

In a video released by the company Bkav, an employee unshrouds the mask, to which the phone apparently responds to by unlocking. “Face ID on this iPhone X is not as secure as Apple has announced,” the employee says. The employee then unlocks the phone again with his own face.

On its website, Bkav says it made the mask with two- and three-dimensional printers, silicone and “hand-made” skin to “trick Apple’s AI.”

The whole thing cost about $150, the company says.

A feature of the iPhone X, Face ID uses facial recognition rather than a passcode or fingerprint to unlock the phone. It can also be used to confirm identity to make purchases and sign in to other apps.

Of course, a feature like that has attracted a few skeptics.

Wired made an array of deeply creepy masks, hiring a special effects makeup artist who spent 17 hours embedding thousands of eyebrow hairs with a needle — all of which failed to unlock the phone. The Wall Street Journal tried to fool it, and succeeded — but only by using 8-year-old identical triplets.

Apple would not comment on the video for this story. And NPR was not independently able to verify the claims.

When the iPhone X was unveiled in September, Apple marketing executive Philip Schiller said that Face ID’s creators had developed a “neural engine” to process facial recognition that wouldn’t “easily be spoofed by things like photographs,” he said.

“They’ve even gone and worked with professional mask-makers and makeup artists in Hollywood to protect against these attempts to defeat Face ID. ... We require user attention to unlock. That means if your eyes are closed, you’re looking away, it’s not going to unlock,” Schiller said at the time.

Schiller also put the odds of a random person being able to unlock your phone’s Face ID at 1 in 1,000,000.

But Bkav, the security firm, said hacking Face ID wasn’t as hard, pointing out that the software would recognize the owner’s face even if half-covered.

“It means the recognition mechanism is not as strict as you think, Apple seems to rely too much on Face ID’s AI. We just need a half face to create the mask,” the firm asserted.

Bkav calls its hack proof of concept, “the purpose of which is to prove a principle.”

Marc Rogers, a researcher at the security firm Cloudflare, told Wired that if Bkav has indeed succeeded in hacking Face ID, the most surprising aspect would be the discovery that printed eyes could deceive it — no eye motion needed.

The magazine also notes that Bkav has a history of successfully breaking laptops’ facial recognition tools with nothing more than 2-D images of a face.

Copyright 2017 NPR. To see more, visit


The Latest
One lawsuit claims the hospital allowed the attack to happen because it “failed to implement and maintain reasonable safeguards and failed to comply with industry-standard data security practices, as well as state and federal laws governing data security.”
Cybersecurity firm CrowdStrike said Friday that the issue believed to be behind the outage was not a security incident or cyberattack. It said a fix was on the way.
In a subpoena obtained by WBEZ, the feds wanted a list of county documents about a hack that potentially affected 1.2 million patients here.
Supreme Court Justices heard arguments that could upend Section 230, which has been called the law that created the internet.
TikTok has a reputation for its seemingly bottomless well of dance trends and lip sync videos, but there are as many sides of TikTok as there are users. It has quickly become a forum for cultural conversation, and many Gen Z users even get their news from the app. Reset hears from two fan-favorite TikTokkers about building an audience, keeping people from scrolling away, and what makes the app tick. GUESTS: Chris Vazquez, Associate Producer on the Washington Post TikTok team Jack Corbett, video producer for NPR’s Planet Money