A cyber security researcher Wish Wu canceled a hacking conference briefing on how he said he could crack biometric facial recognition on Apple iPhones, at the request of his employer, which called the work “misleading.”
Apple’s facial recognition uses a combination of cameras and special sensors to capture a three-dimensional scan of a face that allows it to identify spoofs with photographs or determine if the user is asleep or otherwise not looking at the phone.
The prospect that Face ID could be defeated is troubling because it is used to lock down functions on tens of millions of iPhones from banking and healthcare apps to emails, text messages and photos.
There is a one in 1 million chance a random person could unlock a Face ID, versus one in 50,000 chance that would happen with the iPhone’s fingerprint sensor, according to Apple.
Face ID has proven more secure than its predecessor, Touch ID, which uses fingerprint sensors to unlock iPhones. Touch ID was defeated within a few days of its 2013 launch.
China-based researcher Wish Wu was scheduled to present a talk entitled “Bypass Strong Face ID: Everyone Can Deceive Depth and IR Camera and Algorithms” at the Black Hat Asia hacking conference in Singapore in March.
Wu told Reuters that his employer, Ant Financial, asked him to withdraw the talk from Black Hat, one of the largest and most prestigious organizers of hacking conferences.
Ant Financial’s Alipay payment system is compatible with facial recognition technologies including Face ID. Nobody has publicly released details on a successful Face ID hack that others have been able to replicate since Apple introduced the feature in 2017 with the iPhone X, according to biometric security experts. The company has introduced three other Face ID phones: iPhone XS, XS Max and XR.
Wu told Reuters that he agreed with the decision to withdraw his talk, saying he was only able to reproduce hacks on iPhone X under certain conditions, but that it did not work with iPhone XS and XS Max.