NEW YORK: A cybersecurity researcher canceled a hacking conference briefing on how he said he could crack biometric facial recognition on Apple Inc. iPhones, at the request of his employer, which called the work “misleading.”
The prospect that Face ID could be defeated is troubling because it is used to lock down functions on tens of millions of iPhones from banking and health care apps to emails, text messages and photos.
There is a one in 1 million chance a random person could unlock a Face ID, versus one in 50,000 chance that would happen with the iPhone’s fingerprint sensor, according to Apple.
Face ID has proven more secure than its predecessor, Touch ID, which uses fingerprint sensors to unlock iPhones. Touch ID was defeated within a few days of its 2013 launch.
China-based researcher Wish Wu was scheduled to present a talk entitled “Bypass Strong Face ID: Everyone Can Deceive Depth and IR Camera and Algorithms” at the Black Hat Asia hacking conference in Singapore in March. Wu told Reuters that his employer, Ant Financial, asked him to withdraw the talk from Black Hat, one of the largest and most prestigious organizers of hacking conferences.
Ant Financial’s Alipay payment system is compatible with facial recognition technologies including Face ID.
Nobody has publicly released details on a successful Face ID hack that others have been able to replicate since Apple introduced the feature in 2017 with the iPhone X, according to biometric security experts. The company has introduced three other Face ID phones: iPhone XS, XS Max and XR.
Wu told Reuters that he agreed with the decision to withdraw his talk, saying he was only able to reproduce hacks on iPhone X under certain conditions, but that it did not work with iPhone XS and XS Max.
“In order to ensure the credibility and maturity of the research results, we decided to cancel the speech,” he told Reuters in a message on Twitter.
An Apple spokesman declined comment.
“The research on the face ID verification mechanism is incomplete and would be misleading if presented,” Ant Financial said in a statement.
Black Hat withdrew an abstract of the talk from its website in late December after Ant uncovered problems with the research.
The abstract claimed that Face ID could be hacked with an image printed on an ordinary black-and-white printer and some tape. The only other claim of a Face ID hack was in 2017 by a Vietnamese cybersecurity company Bkav, which posted it on YouTube videos. Other researchers have not been able to replicate that attack.
Apple’s facial recognition uses a combination of cameras and special sensors to capture a three-dimensional scan of a face that allows it to identify spoofs with photographs or determine if the user is asleep or otherwise not looking at the phone.
It is rare for talks to be pulled from cybersecurity conferences such as Black Hat, whose events are attended by professionals looking to understand emerging hacking threats.
Black Hat told Reuters it had accepted Wu’s talk because Wu convinced its review board he could pull off the hack.
“Black Hat accepted the talk after believing the hack could be replicated based on the materials provided by the researcher,” conference spokeswoman Kimberly Samra said.
Anil Jain, a Michigan State University computer science professor who is an expert on facial recognition, said he was surprised by Wu’s claim because Apple has invested heavily in “anti-spoofing” technology that makes such hacks very difficult.
Cyber researcher pulls public talk on hacking Apple’s Face ID
Cyber researcher pulls public talk on hacking Apple’s Face ID
- The prospect that Face ID could be defeated is troubling because it is used to lock down functions on tens of millions of iPhones
- There is a one in 1 million chance a random person could unlock a Face ID
Apple to update EU browser options, make more apps deletable
- iPhone maker came under pressure from regulators to make changes after the EU’s sweeping Digital Markets Act took effect on March 7
- Apple users will be able to select a default browser directly from the choice screen after going through a mandatory list of options
STOCKHOLM: Apple will change how users choose browser options in the European Union, add a dedicated section for changing default apps, and make more apps deletable, the company said on Thursday.
The iPhone maker came under pressure from regulators to make changes after the EU’s sweeping Digital Markets Act took effect on March 7, forcing big tech companies to offer mobile users the ability to select from a list of available web browsers on a “choice screen.”
The new rules require mobile software makers to show the choice screen where users can select a browser, search engine and virtual assistant as they set up their phones, which earlier came with preferred options from Apple and Google.
In an update later this year, Apple users will be able to select a default browser directly from the choice screen after going through a mandatory list of options.
A randomly ordered list of 12 browsers per EU country will be shown to the user with short descriptions, and the chosen one will be automatically downloaded, Apple said. The choice screen will also be available on iPads through an update later this year.
Apple released a previous update in response to the new rules in March, but browser companies criticized the design of its choice screen, and the Commission opened an investigation on March 25 saying it suspected that the measures fell short of effective compliance.
The company said it has been in dialogue with the European Commission and believes the new changes will address regulators’ concerns.
It also plans to introduce a dedicated area for default apps where a user will be able to set defaults for messaging, phone calls, spam filters, password managers and keyboards.
Users will also be able to delete certain Apple-made apps such as App Store, Messages, Camera, Photos and Safari. Only Settings and Phone apps would not be deletable.
