Skip to content
Naked Security Naked Security

A photo will unlock many Android phones using facial recognition

How easy is it to bypass the average smartphone’s facial recognition security? In the case of Android, a lot easier than owners may think.

How easy is it to bypass the average smartphone’s facial recognition security?

According to the Dutch consumer protection organisation Consumentenbond, in the case of several dozen Android models, it’s a lot easier than most owners probably realise.

Its researchers tested 110 devices, finding that 42 could be beaten by holding up nothing more elaborate than a photograph of a device’s owner.

Consumentenbond offers little detail of its testing methodology but it seems these weren’t high-resolution photographs – almost any would do, including those grabbed from social media accounts or selfies taken on another smartphone.

While users might conclude from this test that it’s not worth turning on facial recognition, the good news is that 68 devices, including Apple’s recent XR and XS models, resisted this simple attack, as did many other high-end Android models from Samsung, Huawei, OnePlus, and Honor.

Confusingly, many of the models that failed were from the same vendors, including Asus, Huawei, Lenovo/Motorola, LG, Nokia, Samsung, BlackBerry, and Xiaomi. In the case of Sony, every model tested failed. A further six – an Honor and six LG models – only passed the test when put into a ‘strict’ mode.

Generally, expensive handsets performed better than cheaper ones but this wasn’t always the case. For example, Sony’s $1,000 Xperia XZ2 Premium (US version) failed while Motorola’s Moto G6 costing less than a third of that price tag passed. A full list of the models that passed the photo test can be found on Consumentenbond’s website.

Apple’s Face ID v the rest

Apple famously made a big deal of its Face ID technology when it launched the iPhone X in 2017 and for good reason – the model X was a premium model that needed to justify its hefty price tag.

The idea was that Face ID wasn’t only a convenient way for owners to unlock their iPhones, but the beginnings of a more sophisticated system capable of authenticating users.

Reliably identifying someone as being who they say they are sets a much higher bar for device security (in Face ID’s case, Apple says it’s a one in a million chance a random person could unlock a device).

That didn’t stop researchers looking for weaknesses in Face ID, which some claimed to have found within days of the iPhone X’s appearance using a naturalistic 3D mask.

Nevertheless, this still puts it way ahead of the same technology on even quite expensive Android handsets, which apparently can be fooled by fake 3D wax heads in ways that Face ID resists.

The bigger question is what expectations smartphone owners should have for their security when using this technology.

Right now, our advice for anyone owning a handset that failed Consumentenbond’s simple photograph test is to use an alternative security mechanism such as PIN or fingerprint.

Despite the advances made by Apple, facial recognition on many of today’s smartphones remains a promising technology that is some way from being reliable.

5 Comments

Which is why I didn’t bother with last year’s new iPhone and bought an 8 Plus instead, which I have kept this year and when I do replace it, will look for a new one of the same model. Prices are ridiculous and getting more so but facial recognition is an absolute deal breaker for me. Don’t want it, won’t ever have a phone with it, even if I have to go back to flip phones.

There’s no need to enable facial recognition. Just about every device I own has features I don’t use. Some of them I have disabled, others I just don’t use. Currently, I’m using a Galaxy Note-9 with facial recognition disabled, even though it did pass the Dutch test.

Apple (and other tech giants) are always making big claims on how protecting the customer’s privacy is a top priority. This is further evidence it isn’t. Profits are a higher priority than security. There is no way the technology can’t be pushed to be more secure, if the proper legislative requirements were in place.

Calling Apple out in an article they did well in seems counterintuitive to me…
Face ID isn’t that foolproof, but it’s a hell of a lot more secure than an easily shoulder surfed 6 digit pin or join-the-dit’s pattern is. What i’d Like is the ability a-la blackberry 10 to set a real password on my phone.

(Also, “six more, an honour and 6 LG models” doesn’t add up)

I can see a biometric (face) replacing something like User Names in the near future – when used in conjunction with a Passcode. But on it’s own it will always be weak. If all it takes is your face to unlock that $1k phone for a thief to cash in, there is nothing saying that face needs to be breathing to unlock the phone. And most certainly you can be restrained in court (or by others) to unlock your phone/Ecloud/home/toaster. Which eliminates that pesky 5th amendment in the US that the government is bothered by.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?