Samsung Galaxy S10 Facial Recognition Fooled by a Video of the Phone Owner

Experts have proven once again that facial recognition on modern devices remains hilariously insecure and can be bypassed using simple tricks such as showing an image or a video in front of a device's camera. From a report: The latest device to fall victim to such attacks is Samsung Galaxy S10, Samsung's latest top tier phone and considered one of the world's most advanced smartphones to date. Unfortunately, the Galaxy S10's facial recognition feature remains just as weak as the one supported in its previous versions or on the devices of its competitors, according to Lewis Hilsenteger, a smartphone reviewer better known as Unbox Therapy on YouTube. Hilsenteger showed in a demo video uploaded on his YouTube channel last week how putting up a video of the phone owner in front of the Galaxy S10 front camera would trick the facial recognition system into unlocking the device.

3D and IR

[goombah99]

There's a reason apple went with costly 3D imaging. Yes of course there's the prospect of spoofing it with a 3D mask but that's a pretty invasive and premeditated attack. You can't do it on the fly like a video. As has been noted many times, given some preparation it's possible to spoof fingerprint scanners. indeed it seems it's probably easier to spoof fingerprint scanners in many implementations.

Re:

[goombah99]

I thought the reason they used ultrasonic was because it's more compatible with going through the screen. And the reason they used 3D ultrasonics is because it takes more information than the simple ultrasonic reflectance to decode the uniqueness. I don't think it was motivated by disriminating fakes. That was just a nice benefit for making phantom fingers harder to create in hindsight.

Re:

[Freischutz]

This is why they went with a 3D ultrasonic fingerprint scanner. With facial recognition software, you don't need fakes. You just need to wave the phone in front of their face and presto, unlocked! At least with a finger, you have a chance at resisting.

I went with an iPhone 8 rather than one of the X models because of the fingerprint scanner. I can unlock the iPhone 8 without looking at it, whereas with the face recognition I have to hold the thing in front of my face which is annoying.

Re:

[SuperKendall]

I can unlock the iPhone 8 without looking at it

Aren't you going to be looking at it at some point? What value is there in unlocking a phone you do not see.

with the face recognition I have to hold the thing in front of my face which is annoying.

Lots more annoying to have to take gloves off in winter to unlock a device, or even to have to think about unlocking at all. With FaceID I don't think about unlocking, I pull out the phone and it's unlocked by my holding it.

Re:

[FictionPimp]

Yes and no, I can't unlock my phone in the car to change songs (something I could do without face ID). I can't unlock the phone without it being in the right position, with my eyes looking at it, etc. This means I can't unlock my phone in conversation to glance at a push notification. FaceID is a terrible product.

Re:

[Aqualung812]

This means I can't unlock my phone in conversation to glance at a push notification.

I do this all of the time. I just raise the phone and look at it, and it unlocks to view the notification.

Re:

[fluffernutter]

A lot of people don't like looking like dweebs iPhone fanbois in public if they can help it.

Re:

[zlives]

iProbe is on the way, its got all the buzz words 3D, Ultrasonic. self lubing and vibrating models are bit higher in price.
one squeeze and it authenticates the device and no one is going to try stealing that.

Re:

[fluffernutter]

Wow! Does it do the prostate? Prostate massages feel like using an iPhone.

Re:

[BringsApples]

If you are unconscious, your phone can be pointed at your face, or your finger can be used, and the phone is unlocked.

No, I swear by the password when it comes to security. I can't think a way that a password can be stolen, provided I never tell anyone, and no key loggers are installed on the device.

Re:

[kingbilly]

I wish the X supported both. I had the iPhone 6 until this year. There are a number of times per week I have to type in my code because the face recognition won't work.

- Wearing sunglasses in the car - Sitting in my car after I get home at night (too dark) - Wearing my gamma rays and turtle beach while playing games - other things I can't remember With the phone being a completely touchscreen, I was hoping the X would allow my thumb at the bottom. Nope.

Sunglasses should work

[SuperKendall]

Wearing sunglasses in the car

All of the sunglasses I have work fine with the iPhone X, just make sure what you use does not block IR.

Sitting in my car after I get home at night (too dark)

FaceID works in pitch blackness since it uses an IR emitter to illuminate your face. It cannot be "too dark" for it to work. I use it at night in unlit rooms... and also at night in my car.

Wearing my gamma rays and turtle beach while playing games

Why does this not work. FaceID is pretty flexible.

If you really truly n

Wrong for iPhone

[SuperKendall]

With facial recognition software, you don't need fakes. You just need to wave the phone in front of their face and presto, unlocked!

Would not work on an iPhone if the subject had eyes shut, or had triggered the "temporarily disable FaceID" feature before entering an area they thought the phone was at risk.

You seriously think it's HARDER to grab someone's hand and forcibly press one finger on a device? Two people, maybe eve one, could easily manage this with anyone.

You cannot force someone eyes open in a wa

Re:

[Altus]

I'm pretty sure I could get you to put your finger on the sensor after hitting you a few times with a 5 dollar wrench. [xkcd.com]

Re:

[CastrTroy]

Good old Rubber Hose Cryptanalysis [wikipedia.org]

Re:

[goombah99]

getting far fetched. You could also just whack someone with a tire iron and then press their finger on the phone.

The non-equivalence of optical flow and lidar

[goombah99]

The thing that surprised me here is that in the field of 3D resonstruction, passive optical flow methods have come to dominate Lidar or moire patterns in probably all use cases aside from cars. And even in cars, for daylight operations it's arguably better than lidar for many practical issues.

But it's not the same as this example beautifully shows.

Optical flow is the technique of inverting a 3D object by the camera-or-object motion such that the parallax effect gives you the information you need to figure

Re:

[AmiMoJo]

And there is a reason Samsung didn't bother with costly 3D imaging. This isn't supposed to be a super secure system. Someone can unlock your phone by pointing it at your face, perhaps while you are asleep, even with the Apple system.

Face unlock is for people who only want to protect against people they don't know stealing their phone. It stops random thieves from getting their data and makes it much harder for them to factory reset and sell the phone on.

It's for people who are so lazy that even fingerprint

Re:

[shilly]

Someone can unlock your phone by pointing it at your face, perhaps while you are asleep, even with the Apple system.

Confidently wrong. I like your style!

"When a face is detected, Face ID confirms attention and intent to unlock by detecting that your eyes are open and directed at your device"
FaceID security white paper

Re:

[Anubis IV]

Exactly. Moreover, even the 3D mask attacks sound like they only work if you rig the system. The first (only?) 3D mask attack that I've actually seen demonstrated wasn't able to be reproduced by any other researchers (at the time; maybe things have changed since then?), and it was later determined to have only worked for those particular researchers because they inadvertently trained the phone on the mask*. When they attempted to prove their methodology's reproducibility by resetting everything and giving t

Re:

[Solandri]

There's a reason apple went with costly 3D imaging. Yes of course there's the prospect of spoofing it with a 3D mask but that's a pretty invasive and premeditated attack.

Why bother with a mask? The police or a mugger will just hold you down while they point your phone at you.

People forget that signing into a phone is not just validation of your ID, it's also your way of signaling that you actually want to sign in. Passive sign-ins like fingerprint or facial scans allow others to sign in on your behalf

Re:

[goombah99]

Why do people bring up these ludicrous edge cases?

Why is this a surprise?

[Anonymous Coward]

The sensor is a video sensor. It's not exactly human eyes and brain.

It's an ongoing escalating war

[cellocgw]

Consider all the flap about recent AI systems generating artificial head shots that most people can't distinguish from real photos. An algorithm that can create those can, with some existing add-ons, analyze a photo and decide what the Z-axis values are, thus producing a 3-D object. Might be a bit more difficult to fabricate, but I bet these phones can't tell what size the "head" they're looking at is.
If they could capture cicadic movement, that might be cool, but I don't think the cameras have the frame rate to do so.

Another reason not to like "Face ID"

[Les Peters]

Easy to combine this 'feature' with the near-omnipresent surveillance state. No need to be asked to submit your face to unlock your phone: good chance they already have sufficient video to do it themselves.

Re:Another reason not to like "Face ID"

[UnknowingFool]

Apple’s Face ID relies on 3D imaging so a video or photo doesn’t work. Other implementations of facial recognition does not so they are susceptible to different attacks.

Re:

[Locke2005]

Apple's Face ID is easily fooled by people with similar faces, e.g. close relatives... Hopefully you don't have a problem with your siblings being able to unlock your phone.

Re:

[UnknowingFool]

I don’t know if that true that similar faces would fool Face ID; however, that would fool other facial recognition based on photos and videos. My point isn’t that Face ID is infallible. My point was that Face ID isn’t fallible to this particular attack.

Re:

[Locke2005]

Yes, Apple face ID was designed to not be vulnerable to a simple attack using 2D picture of the face; that's the advantage of using 3D imaging. What I'm saying is, how much harder is it to make a 3D image of the face for an attack?

Re:

[Locke2005]

You can fool 3D cameras with 3D models of faces too... I suspect you can fool 2D cameras with still pictures, not just video.

Samsung Doesn't Recommend You Use it

[Paxtez]

They specifically call it a low security type lock. The iris scanner was removed to make the hole punch smaller.

The recommend using the fingerprint for biometrics.

But...

[Locke2005]

Does it recognized dark faces? My personal prediction is that when the robot uprising comes, only the darkies will survive because the robots never figured out how to recognize dark faces...

Use the 3d fingerscanner instead

[Anonymous Coward]

If I recall corectly, Samsung were pretty upfront about this, that the face scanning is less secure than the fingerprint scanner.

It's not a bug, it's by design. :)

Who would have thought

[OneHundredAndTen]

The lesson after all these years of biometrics is that, to a concerningly large extent, security mechanisms based on biometrics can be bypassed, often by ridiculously pedestrian and simple approaches. Trust biometrics at your own peril.

Re:

[Henriok]

Ahem.. It's pretty easy to just watch someone type in their passcode. You can even use a video recording device if you don't trust your ability to discern it at first glance or if you want to do it from a considerable distance. That'd be pretty unintrusive and you won't need physical access to the device or the owner.